Gab Has Been Breached

I’ve investigated hundreds of data breaches over the years (there are 514 of them in Have I Been Pwned as I write this), and for the most part, the situation with Gab is just another day on the internet. But Gab is also different, having grown dramatically in recent months as an alternative to mainstream incumbent platforms such as Twitter and Facebook and drawing a crowd primarily focused on right wing American politics.

A couple of days ago, I posted a thread about their alleged breach. I want to go back through that thread here, explain the thinking further and then provide some commentary on the actual data that was exposed. It all began here:

Much of the problem with objectively discussing this breach is that it’s impossible to escape the transphobic slurs and religious rhetoric being dished out from the guy at the top. I don’t care which god (or demon) you’ve picked, nor what gender you were born with (or if you decided to change it at some time), nor do I care whose politics you like and whose you don’t, I only care about the data. More specifically, I care about the data that’s been exposed in the breach, especially when that data may include my own (I’m very serious).

It’s pretty standard practice for an organisation to post a public statement following a breach or even, as the opening sentence of that page suggests, an “alleged” breach. Most organisations begin with “we take the security of your data seriously”, layer on lawyer speak, talk about credit cards not being exposed and then promise to provide further updates as they come to hand. Gab’s approach… differs:

Because Gab “searched high and low for chatter on the breach on the Internet and found nothing”, they’ve drawn the conclusion that reporters are maliciously working with hackers. I’ve had dozens of occasions where I’ve known about a breach, there’s been no public discussion on it, and I’ve worked with reporters to help get to the bottom of what’s happened. This is normal. It’s so normal that the last time I did this was earlier this week with Lawrence Abrams from Bleeping Computer on the Dutch Ticketcounter breach.

If you’re not familiar with hashing, how it’s not the same as encryption and how it can still leave passwords vulnerable, read this primer from September first. As it relates to passwords being revealed, you can’t “unhash” a hash in the same way as you can decrypt an encrypted piece of text, however, you can always guess passwords, hash them with the same algorithm (and salt if present) and see if the output matches what was stored. For example, when I wrote about the Dropbox hack in 2016, I was able to verify my own record simply by hashing the password I had stored in 1Password and comparing the output to the one in the breach. It matched, therefore verifying the legitimacy of the breach. The following year I showed how even though CloudPets had chosen the very robust bcrypt algorithm for password storage, I was still able to crack a bunch of them courtesy of their extremely weak password rules:

I do actually agree with the quoted sentence insofar as someone could create an email address completely disassociated with them, register for Gab and then login with that account. But that almost never happens because Gab is used by normal humans just wanting to interact with other normal humans and it’s not a platform where people are likely to take extra precautions to conceal their true identity. When faced with a registration form that requests an email address, the vast majority of people will simply provide the same email address they use everywhere else, hence my “almost always” comment.

This isn’t an unusual response to a data breach; many companies try to downplay the significance in order to reduce the perceived impact of it. I wrote about this in 2015, specifically as it relates to organisations focusing on the security of credit cards which are one of the most easily replaceable and low-impact classes of data to have exposed. All of the classes of data Gab mentions pale in comparison to the impact of having extremist messaging exposed in connection to a personally identifiable data attribute such as someone’s email address. And regardless of your political persuasion, it’s clear that a platform designed to have a bare minimum of controls on content (although they do define content standards) is going to attract and retain more extreme views; that’s part of the attraction for many people.

This is also fairly common to see in a post-breach announcement, either in generic terms (“as you know, data breaches are very common”) or in Gab’s case, directly pointing the finger at competing services. The comment is intended to normalise the data breach and downplay its significance, the exact opposite of what we want to encourage in this industry. A few years ago I wrote about how to construct a breach disclosure notice and paid particular attention to how well the Red Cross Blood Service handled theirs. It’s little things like apologising; rather than downplaying the incident and directing attention elsewhere, we need to see organisations standing up, copping it on the chin and acknowledging their faults.

The WIRED piece is well worth a read and sheds more light on the events leading up to the breach. I’ve always found Andy Greenberg to be not just a very switched on infosec journalist, but also a genuinely nice guy I’ve enjoyed speaking with in the past. I can’t imagine Andy being anything but professional in his interactions with Gab and it was only whilst writing this very paragraph that I saw a tweet which might explain why he was treated with such disdain – he may have picked the wrong religion:

As much as I didn’t want this post to touch on religion, it’s hard to ignore a comment like that which literally excludes the vast majority of the earth’s population (and I’m guessing a fair chunk of Christians would be appalled by this statement as well).

Following this tweet, I did indeed get in touch with someone and obtain a copy of the data. But before I delve into that, there’s just one more tweet in that thread I want to embed:

I’m amused by this, more than anything. For the most part I thought my analysis was pretty objective and Gab (whose account seems to simply be the mouthpiece of their CEO, Andrew Torba) hasn’t really made it clear which bit they disagreed with, so let’s soldier on and objectively look at the data just like with any other data breach.

In a 2.99GB file called accounts.sql, there are just over 4M rows of data largely consisting of user records. Because I myself have a Gab account which I created when I started making commentary on them and Parler in Jan, naturally the first thing I did was to pull out my own record:

Per the tweet, there’s no hash against my record so I can’t verify the password matched the long random one I created in 1Password, but it’s obviously pretty clear the data is legit based on the alignment of the dates. In total, the file has 43,015 unique email addresses (including mine) which is a far cry less than the total row count. Why? At a guess it would come down to how the data was dumped. There are actually bcrypt password hashes against many records, but they also only represent a subset of the total with 7,097 of them in all. Having access to these hashes gives us an opportunity to debunk Gab’s earlier claim that “your passwords have not been revealed”, an exercise that’s made particularly easy due to their password criteria which can be seen on the registration page:

Requiring 8 characters isn’t unusual (it’s possibly even on the high side), but that’s the only criterion. What that means is that it’s easy to take a list of the most common passwords of 8 characters or more, pass them into hashcat and bingo, “your password has been revealed”:

Yes, apparently Gab will let you have a password that is literally “password”.
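The two points above, verifying your own record by hashing a password you already know with the stored salt, and a registration rule that only checks length, can be shown together in code. This is an added example and not Troy Hunt’s tooling or anything from Gab; bcrypt is not in the Python standard library, so salted PBKDF2-HMAC-SHA256 stands in for it (the verification logic is identical: hash the guess with the stored salt and compare), and the records, usernames and the short common-password list are all constructed here.

```python
import hashlib
import hmac
import os

# Stand-in for bcrypt (not in the standard library): salted PBKDF2-HMAC-SHA256.
# The check a breach victim performs is the same either way: hash the password
# you know with the stored salt and compare to the stored digest.
PBKDF2_ROUNDS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_record(username: str, password: str) -> dict:
    """Build a constructed 'breach row' the way a site would store it."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt.hex(), "hash": hash_password(password, salt).hex()}


def verify_own_record(record: dict, candidate: str) -> bool:
    """The Dropbox-style check: hash a password you hold and compare it to the dumped hash."""
    stored = bytes.fromhex(record["hash"])
    actual = hash_password(candidate, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(stored, actual)


def meets_gab_policy(password: str) -> bool:
    """The registration rule shown on the page: at least 8 characters and nothing else."""
    return len(password) >= 8


# Constructed stand-in for a common-password list (a real deployment would use a
# large list such as Pwned Passwords, checked at registration time).
COMMON_PASSWORDS = {"password", "12345678", "qwertyuiop", "iloveyou1"}


def meets_stronger_policy(password: str) -> bool:
    """Same length floor, but refuse anything already on the common list."""
    return len(password) >= 8 and password.lower() not in COMMON_PASSWORDS


def audit_common_passwords(records: list, wordlist) -> list:
    """Defender-side audit: which accounts would fall to the common list alone?"""
    hits = []
    for rec in records:
        salt = bytes.fromhex(rec["salt"])
        stored = bytes.fromhex(rec["hash"])
        for word in wordlist:
            if hmac.compare_digest(stored, hash_password(word, salt)):
                hits.append(rec["username"])
                break
    return hits


# Constructed sample: three users, one of whom chose a password that passes the
# 8-character rule but is on every common-password list.
SAMPLE_RECORDS = [
    make_record("alice", "correct horse battery staple"),
    make_record("bob", "password"),
    make_record("carol", "w1nter-2021-long"),
]

if __name__ == "__main__":
    print("alice verifies:", verify_own_record(SAMPLE_RECORDS[0], "correct horse battery staple"))
    print("'password' passes length-only rule:", meets_gab_policy("password"))
    print("'password' passes stronger rule:", meets_stronger_policy("password"))
    print("accounts on the common list:", audit_common_passwords(SAMPLE_RECORDS, COMMON_PASSWORDS))
```

The audit function is the same work a cracker does, which is exactly why running it yourself at registration time (or refusing listed passwords outright) is the cheap fix: the hash algorithm being slow does not help when the guess list is four words long.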

Andy mentioned the presence of a chatlog.txt file in his story and the data is pretty limited here at only 9.53MB in size. The content ranges from an extensive amount of religious scripture to very intimate messaging between 2 members to someone sharing a radio show which they close with “We hope you enjoy the show and share it with white families”. To be clear, these are intended to be private messages and not something Gab should be responsible for moderating (for obvious privacy reasons), but they do give an insight into the interests of their members. It also speaks to my earlier point about this breach being significant as it ties identities to their messaging. Some of the private messages are, by most standards, recalcitrant, and they sit alongside the Gab username which then exists in the accounts.sql file which then points to their online profile and may also include their email address. Plus, there are multiple messages in which people have shared their personal phone number, often to take the conversation onto WhatsApp. You can immediately see the risk to individuals.

The groups.sql file Andy also mentioned is much more benign. It’s 31.8MB worth of Gab group information spread over nearly 32k lines. I suspect there’s little risk posed by the exposure of the data other than that it simplifies the exercise of analysing the nature of the groups people have created. One thing that seeing this file helped me understand is that as much as Gab has gained notoriety for housing certain types of content, there’s a heap of run of the mill stuff that’d barely raise an eyebrow. For example, there’s the German Shepherds group, the brewing group or even the Dads of Gab group which is all about “A group by fathers, for fathers. Topics should be about how to properly parent your sons…”, ok, good, this is sounding good “…and how to police your wives”. Aw crap. I honestly tried to focus on the positive but it’s very hard to go far without running into content which, well, let’s just say “doesn’t sit well with most people”. Micah Lee from The Intercept did a quick analysis on the largest groups:

And then there’s the big file – statuses.sql with 62.4GB of data in it. This appears to be precisely what the file name suggests – statuses posted to Gab. For example, the first row appears as follows:

105295113355799222 3146 {"id": "105295113355799222", "url": "https://gab.com/mwill/posts/105295113355799222", "card": null, "poll": null, "tags": [], "group": null, "quote": null, "emojis": [], "reblog": null, "content": "@TImW381 There's a reason I blocked you.", "language": "en", "mentions": [{"id": "979864", "url": "https://gab.com/TImW381", "acct": "TImW381", "username": "TImW381"}], "pinnable": false, "has_quote": false, "reblogged": false, "sensitive": false, "created_at": "2020-11-29T18:52:04.042Z", "expires_at": null, "favourited": false, "revised_at": null, "visibility": "public", "quote_of_id": null, "rich_content": "", "spoiler_text": "", "reblogs_count": 0, "replies_count": 0, "in_reply_to_id": "105294344326089419", "plain_markdown": null, "favourites_count": 0, "media_attachments": [], "pinnable_by_group": false, "bookmark_collection_id": null, "in_reply_to_account_id": "979864"} 2020-11-29 13:52:04.042 \N
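The row above is a status id, the posting account’s id, a JSON document, a timestamp and a trailing NULL column. A small parser for that shape shows why a single status row matters for the “ties identities to messaging” point: one row links the author’s account id to every account it mentions or replies to. This is an added example, not code from the post or from Gab; it assumes the dump is PostgreSQL COPY text (tab-separated columns, `\N` for NULL) with no escaped tabs or backslashes inside the JSON, and the sample row below is constructed in the same shape as the one on the page with a placeholder handle and text.

```python
import json
from typing import Any, Dict, List, Optional, Set

NULL_MARKER = r"\N"  # PostgreSQL COPY convention for NULL (assumption about the dump format)


def parse_status_row(line: str) -> Dict[str, Any]:
    """Split one statuses.sql row into its five columns and decode the JSON payload."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 5:
        raise ValueError(f"expected 5 tab-separated columns, got {len(fields)}")
    status_id, account_id, payload, created_at, trailing = fields
    return {
        "status_id": status_id,
        "account_id": account_id,          # the author's numeric account id
        "created_at": created_at,
        "trailing": None if trailing == NULL_MARKER else trailing,
        "status": json.loads(payload),     # the embedded JSON document
    }


def mentioned_handles(row: Dict[str, Any]) -> List[str]:
    return [m["acct"] for m in row["status"].get("mentions", [])]


def in_reply_to_account(row: Dict[str, Any]) -> Optional[str]:
    return row["status"].get("in_reply_to_account_id")


def is_public(row: Dict[str, Any]) -> bool:
    return row["status"].get("visibility") == "public"


def linkable_account_ids(row: Dict[str, Any]) -> Set[str]:
    """Every account id a single row ties together: author, mentions and reply target."""
    ids = {row["account_id"]}
    ids.update(m["id"] for m in row["status"].get("mentions", []))
    reply_to = in_reply_to_account(row)
    if reply_to:
        ids.add(reply_to)
    return ids


# Constructed sample row: same column layout and JSON keys as the row on the page,
# with a placeholder handle and content. Columns are tab-separated.
SAMPLE_STATUS = {
    "id": "105295113355799222",
    "url": "https://gab.com/exampleuser/posts/105295113355799222",
    "content": "@replyhandle constructed sample text",
    "language": "en",
    "mentions": [{"id": "979864", "url": "https://gab.com/replyhandle",
                  "acct": "replyhandle", "username": "replyhandle"}],
    "created_at": "2020-11-29T18:52:04.042Z",
    "visibility": "public",
    "in_reply_to_id": "105294344326089419",
    "in_reply_to_account_id": "979864",
    "media_attachments": [],
}
SAMPLE_ROW = "\t".join([
    "105295113355799222", "3146", json.dumps(SAMPLE_STATUS), "2020-11-29 13:52:04.042", r"\N",
])

if __name__ == "__main__":
    row = parse_status_row(SAMPLE_ROW)
    print("author account:", row["account_id"])
    print("mentions:", mentioned_handles(row))
    print("accounts linked by this row:", sorted(linkable_account_ids(row)))
```

Joining `linkable_account_ids` across the 62.4GB of rows against the id column of accounts.sql is what turns an anonymous status into a named person, which is the exposure the post is describing.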

Veracode Named a Leader for AST on IT Central Station

To keep up with the pace of the modern world, organizations are constantly looking for ways to release software faster than their competitors. This “need for speed” has led many organizations to adopt DevSecOps. With DevSecOps, security is moved earlier in the software lifecycle, into the realm of developers. As a result of the changing development landscape, application security testing has also been evolving. Yesterday’s application security testing tools and processes will no longer do.

Microsoft Exchange Server Zero-Days – Automatically Discover, Prioritize and Remediate Using Qualys VMDR

On March 2nd, Microsoft released a set of out-of-band security updates to address critical remote code execution vulnerabilities in Microsoft Exchange Server. According to Microsoft these vulnerabilities are actively being exploited in the wild, and hence it is recommended to patch them immediately.

To detect vulnerable instances, Qualys released QID 50107 which detects all vulnerable instances of Exchange server. This QID is included in VULNSIGS-2.5.121-4 version and above.

CVEs addressed as part of this QID are: CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.

Among the above CVEs, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 are being actively targeted in the wild using zero-day exploits. Microsoft attributes these attacks with high confidence to the HAFNIUM (Chinese cyber spy) threat actor group. These vulnerabilities are related to the following versions of Exchange Server:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

At the time of the security update release the vulnerabilities affect only on-premises Microsoft Exchange Server installations. Exchange Online is not affected.

CVE Technical Details

CVE-2021-26855 is a Server-Side Request Forgery (SSRF) vulnerability that allows attackers to send arbitrary HTTP requests and authenticate to the on-premises Exchange server. Attackers can also trick the Exchange server into executing arbitrary commands by exploiting this vulnerability.

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Attackers who successfully exploit this vulnerability can run their code as SYSTEM on the Exchange server.

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. Exploiting this vulnerability could allow an attacker to write a file to any path on the target Exchange server.

CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. Similar to CVE-2021-26858, exploiting this vulnerability could allow an attacker to write a file to any path of the target Exchange server.

Attack Chain

Microsoft has provided details regarding how the HAFNIUM threat actor group is exploiting the above-mentioned critical CVEs. The following sequence of steps summarises Microsoft’s findings.

  1. The initial step in the attack chain includes the threat actor group making an untrusted connection to the target Exchange server (on port 443) using CVE-2021-26855.
  2. After successfully establishing the connection, the threat actor group exploits CVE-2021-26857, which gives them the ability to run code as SYSTEM on the target Exchange server. This requires administrator permission or another vulnerability to exploit.
  3. As part of their post-authentication actions, the threat actor group exploits CVE-2021-26858 and CVE-2021-27065 and proceeds to write files to any path on the target server.

It has been observed that after gaining the initial access, the threat actor group deployed web shells on the target compromised server.

Discover and Remediate the Zero-Day Vulnerabilities Using Qualys VMDR

Identification of Assets Using Qualys VMDR

The first step in managing these critical vulnerabilities and reducing risk is identification of assets. Qualys VMDR makes it easy to identify Windows Exchange server systems.

Query: operatingSystem.category:Server and operatingSystem.category1:`Windows` and software:(name:Microsoft Exchange Server)

Once the hosts are identified, they can be grouped together with a ‘dynamic tag’, let’s say – “Exchange Server 0-day”. This helps in automatically grouping existing hosts with the 0-days as well as any new Windows Exchange server that spins up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the Qualys Cloud Platform.

Discover Exchange Server Zero-Day Vulnerabilities

Now that hosts with the 0-days are identified, you want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like these based on the always updated Knowledge Base (KB).

You can see all your impacted hosts for this vulnerability tagged with the ‘Exchange Server 0-day’ asset tag in the vulnerabilities view by using this QQL query:

VMDR query: vulnerabilities.vulnerability.qid:50107

QID 50107 is available in signature version VULNSIGS-2.5.121-4 and above and can be detected using authenticated scanning or the Qualys Cloud Agent manifest version 2.5.121.4-3 and above.

With VMDR Dashboard, you can track ‘Exchange 0-day’, impacted hosts, their status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of the vulnerability trends in your environment using the Exchange Server 0-Day Dashboard.

Dashboard: Exchange Server 0-Day Dashboard | Critical Global View

Response by Patching and Remediation

VMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select “qid: 50107” in the Patch Catalog and filter on the “Missing” patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag – Exchange Server 0-day.

Security updates are available for the following specific versions of Exchange:

  • Exchange Server 2010 (RU 31 for Service Pack 3 – this is a defense-in-depth update)
  • Exchange Server 2013 (CU 23)
  • Exchange Server 2016 (CU 19, CU 18)
  • Exchange Server 2019 (CU 8, CU 7)

Users are encouraged to apply patches as soon as possible.

Post Compromise Detection Details

Discover Confirmed Compromise Using Qualys EDR

Post-exploitation, an adversary can perform the following activity:

  • Use legitimate utilities such as procdump or the rundll32 comsvcs.dll method to dump the LSASS process memory. Presumably, this follows exploitation via CVE-2021-26857 as these methods do need administrative privileges.
  • Use 7-Zip or WinRAR to compress files for exfiltration.
  • Use PowerShell-based remote administration tools such as Nishang and PowerCat to exfiltrate this data.

To maintain persistent access on compromised systems, adversaries may also create a domain user account and install ASPX- and PHP-based web shells for command and control. Their probable locations and related hashes are given below.

Web shell hashes:

b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944
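The post-compromise section above lists two kinds of evidence a defender can look for without an EDR product: process command lines that match the LSASS dumping, archiving and PowerShell tooling it names, and files on disk whose SHA-256 matches the web shell hashes. The script below is an added example, not Qualys code; the hash list is copied from the article, while the regex rules, the process-creation events and the two sample files are constructed here (the “planted” file is a harmless stand-in whose hash is added to the IoC set only so the offline run finds something). The rules are deliberately low-fidelity, meant for triage rather than blocking.

```python
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# SHA-256 web shell hashes as listed in the article above.
WEB_SHELL_HASHES = {
    "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0",
    "097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e",
    "2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1",
    "65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5",
    "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1",
    "4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea",
    "811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d",
    "1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944",
}

# Constructed command-line rules for the activity the article names (T1003-style
# LSASS access, archive staging, PowerShell remote-admin tools). Triage every hit.
COMMAND_LINE_RULES = [
    ("lsass_dump_procdump", re.compile(r"procdump(?:64)?(?:\.exe)?\b.*\blsass\b", re.I)),
    ("lsass_dump_comsvcs", re.compile(r"rundll32(?:\.exe)?\b.*comsvcs\.dll.*minidump", re.I)),
    ("archive_staging", re.compile(r"\b(?:7z|7za|rar|winrar)(?:\.exe)?\s+a\b", re.I)),
    ("powershell_remote_tool", re.compile(r"powershell(?:\.exe)?\b.*\b(?:nishang|powercat)", re.I)),
]


def classify_command_line(cmd: str) -> Optional[str]:
    for label, pattern in COMMAND_LINE_RULES:
        if pattern.search(cmd):
            return label
    return None


def scan_events(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (pid, rule label) for each process-creation event that matches a rule."""
    hits = []
    for event in events:
        label = classify_command_line(event["command_line"])
        if label:
            hits.append((event["pid"], label))
    return hits


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_hashes(files: Dict[str, bytes], iocs: Iterable[str]) -> List[str]:
    """Names of files whose SHA-256 is on the IoC list (pure function, easy to test)."""
    ioc_set = {h.lower() for h in iocs}
    return sorted(name for name, data in files.items() if sha256_bytes(data) in ioc_set)


def scan_directory(root: str, iocs: Iterable[str] = WEB_SHELL_HASHES) -> List[str]:
    """Hash every regular file under root (e.g. the IIS web root) and report IoC matches."""
    files = {str(p): p.read_bytes() for p in Path(root).rglob("*") if p.is_file()}
    return match_hashes(files, iocs)


# Constructed process-creation events (not real telemetry); pids are placeholders.
SAMPLE_EVENTS = [
    {"pid": "4412", "command_line": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\out.dmp full"},
    {"pid": "4420", "command_line": r"procdump.exe -accepteula -ma lsass.exe C:\temp\out.dmp"},
    {"pid": "4431", "command_line": r"7z.exe a C:\temp\staged.7z C:\temp\*.dmp"},
    {"pid": "4450", "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\temp\powercat.ps1"},
    {"pid": "4460", "command_line": r"7z.exe x C:\Users\admin\Downloads\driver.7z"},   # benign extract
    {"pid": "4470", "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"},     # benign
]

# Constructed files: one ordinary page and one harmless stand-in for a planted shell.
SAMPLE_FILES = {
    r"C:\inetpub\wwwroot\aspnet_client\ok.aspx": b'<%@ Page Language="C#" %><p>hello</p>',
    r"C:\inetpub\wwwroot\aspnet_client\planted.aspx": b"CONSTRUCTED STAND-IN FOR A WEB SHELL",
}


def sample_iocs() -> set:
    """Article hashes plus the stand-in's hash, so the offline demo has a true positive."""
    return WEB_SHELL_HASHES | {sha256_bytes(SAMPLE_FILES[r"C:\inetpub\wwwroot\aspnet_client\planted.aspx"])}


if __name__ == "__main__":
    print("process hits:", scan_events(SAMPLE_EVENTS))
    print("file hits:", match_hashes(SAMPLE_FILES, sample_iocs()))
```

On a real host you would feed `scan_events` from Sysmon event 1 or Windows Security event 4688 (with command-line auditing enabled) and point `scan_directory` at the Exchange and IIS web roots; a hash list only catches the exact samples already seen, so treat an empty result as “none of these eight”, not as “no web shell”.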

7 Lessons Learned From SMB Cybersecurity Leaders

While I might not be in the IT trenches, over my years in sales I have had the benefit of working alongside IT leaders across multiple industries. I’ve learned first-hand about the problems IT leaders face in their everyday cybersecurity operations.

CISA to Federal Agencies: Immediately Patch or ‘Disconnect’ Microsoft Exchange Servers

Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database
CVE-2021-21312 PUBLISHED: 2021-03-03

GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before version 9.5.4, there is a vulnerability within the document upload function (Home > Management > Documents > Add, or /front/documen…

Navajo Nation Hospital Targeted By Large-Scale Ransomware Hack

An anonymous reader shares a report: When Rehoboth McKinley Christian Health Care Services in Gallup, New Mexico, was hit with a cyberattack earlier this year, the hospital’s staff had to revert to pen and paper to keep things running. Publicly available details about the hack are scarce, and the hospital has declined to comment beyond confirming that the security breach briefly forced its staff off its computers. But sensitive employee files posted online by a hacker group known for ransomware attacks and seen by NBC News indicated just how deep an attack the hospital had suffered: files on everything from job applications and background checks to staff injury reports.

Ransomware attacks, in which hackers gain access to a private system to hold it hostage for payment, have been a problem for businesses for more than three years. Some hospitals have poor cybersecurity, and unscrupulous gangs see them as potentially flush with cash and easily coerced with the threat of leaked patient data. Last year, at least 560 health care facilities were infected with ransomware, according to a survey from the cybersecurity company Emsisoft. In October, amid a particularly brutal wave of attacks, several federal agencies issued warnings of “an increased and imminent cybercrime threat” to hospitals. An advisory from the American Hospital Association laid out how the Covid-19 pandemic had encouraged cybercriminals “to exploit, victimize and profit” from ransomware attacks.

XLM + AMSI: New runtime defense against Excel 4.0 macro malware

We have recently expanded the integration of Antimalware Scan Interface (AMSI) with Office 365 to include the runtime scanning of Excel 4.0 (XLM) macros, to help antivirus solutions tackle the increase in attacks that use malicious XLM macros. This integration, an example of the many security features released for Microsoft 365 Apps on a regular basis, reflects our commitment to continuously increase protection for Microsoft 365 customers against the latest threats.

This Year’s Big Ten Has Big Potential

The best men’s basketball team in the Big Ten Conference over the past quarter century is in the throes of its worst year since the first season of its esteemed coach, so you could be forgiven for assuming that the rest of the conference might also struggle. Instead, the Big Ten hasn’t missed a beat.