At a glance.
- Public exploits released for Zerologon, a severe Windows flaw patched in August.
- Magecart campaign compromises nearly 2,000 stores over the weekend.
- Phishing attack targets Active Directory Credentials.
- Access keys exposed in public repositories.
- A surge in website defacements.
Public exploits released for Zerologon, a severe Windows flaw patched in August.
ZDNet reports that Microsoft's August Patch Tuesday included a fix for a severe elevation-of-privilege vulnerability that could allow an attacker on a network to impersonate any computer account within the domain, including the domain controller (the server responsible for handling security authentication requests), and reset the password for that account. The vulnerability, dubbed "Zerologon" (CVE-2020-1472), was assigned a CVSS score of 10, but technical details of the flaw weren't made public at the time of the patch's release.
Researchers at Secura have now published an analysis of the vulnerability, and observers quickly realized the flaw is extremely serious. The vulnerability is trivial to exploit, and several public exploits are already available (Secura itself refrained from publishing its proof-of-concept). Secura explains, "Leaving a DC unpatched will allow attackers to compromise it and give themselves domain admin privileges. The only thing an attacker needs for that is the ability to set up TCP connections with a vulnerable DC; i.e. they need to have a foothold on the network, but don’t require any domain credentials." The researchers add that "it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain."
The vulnerability lies in the custom cryptographic scheme the Netlogon Remote Protocol uses to authenticate computer accounts; Netlogon also handles a number of account-related operations, including changing computer account passwords within the domain. Secura's Tom Tervoort found that the scheme encrypts with AES in CFB8 mode using a fixed initialization vector (IV) of sixteen zero bytes, whereas CFB8 is only safe when every IV is fresh and unpredictable. With an all-zero IV, the first ciphertext byte is simply the first byte of the block cipher applied to sixteen zero bytes under the session key; when that byte happens to be zero, the ciphertext byte fed back into the shift register is zero too, the register never changes, and every following byte also comes out zero. This is why, as Tervoort writes, "for 1 in 256 keys, applying AES-CFB8 encryption to an all-zero plaintext will result in all-zero ciphertext." Since the domain controller derives a fresh session key for every authentication attempt, an attacker can keep sending an all-zero client challenge together with an all-zero client credential until one attempt is accepted, an average of 256 tries, which Secura says takes about three seconds. The attacker also declines RPC signing and sealing, which a vulnerable DC permits, and by zeroing the remaining fields of a password-change call can set an empty password on the domain controller's own computer account (at which point, knowing the password, they can change it to whatever they wish).
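As an added illustration (written for this page; not Secura's code and not an exploit), the following Python models the credential computation described above and shows where the 1 in 256 comes from. It uses a keyed SHA-256 stand-in in place of AES, an assumption made so the example runs with the standard library alone: CFB mode only ever calls the block cipher in the forward direction, so any keyed 16-byte pseudorandom function exhibits the same behaviour. The "domain controller" is a simulation that derives a fresh random session key per attempt; nothing here speaks Netlogon or touches a network. It also includes, for contrast, the same mode with a fresh random IV per message.

```python
import hashlib
import random

BLOCK = 16              # AES block size in bytes
ZERO_IV = bytes(BLOCK)  # the fixed IV Netlogon used: sixteen zero bytes
CHALLENGE_LEN = 8       # Netlogon challenges and credentials are 8 bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES(key, block): keyed SHA-256 truncated to one block.
    (Assumption for this example; the real scheme uses AES.)"""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 mode: encrypt the shift register, XOR its first byte into one
    plaintext byte, then shift that ciphertext byte into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Same shape as Netlogon's ComputeNetlogonCredential: CFB8 over the
    8-byte challenge with the IV fixed to all zeros. That fixed IV is the bug."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def is_weak_key(session_key: bytes) -> bool:
    """True when an all-zero challenge yields an all-zero credential under this
    key. With a zero IV this happens exactly when the first byte of
    block_encrypt(key, ZERO_IV) is zero: the fed-back ciphertext byte is then
    zero, the register never changes, and every later byte is zero as well."""
    zero = bytes(CHALLENGE_LEN)
    return compute_netlogon_credential(session_key, zero) == zero


def random_key(rng: random.Random) -> bytes:
    return rng.getrandbits(8 * BLOCK).to_bytes(BLOCK, "big")


def count_weak_keys(n: int, seed: int = 1) -> int:
    """How many of n random session keys are weak; expect about n / 256."""
    rng = random.Random(seed)
    return sum(is_weak_key(random_key(rng)) for _ in range(n))


def count_zero_outputs_with_random_iv(n: int, seed: int = 1) -> int:
    """Control: the same cipher with a fresh random IV per message. An all-zero
    credential then needs eight independent lucky bytes (about 2**-64), so
    the count should be zero."""
    rng = random.Random(seed)
    zero = bytes(CHALLENGE_LEN)
    hits = 0
    for _ in range(n):
        iv = rng.getrandbits(8 * BLOCK).to_bytes(BLOCK, "big")
        if cfb8_encrypt(random_key(rng), iv, zero) == zero:
            hits += 1
    return hits


def simulate_attack(seed: int = 1, max_attempts: int = 100_000):
    """The attacker's loop. On each attempt the simulated DC derives a fresh
    session key the attacker never sees; the attacker always sends an all-zero
    client challenge and an all-zero client credential. Returns (attempt number
    on which the DC accepts, that session key), or (0, None) if it never does."""
    rng = random.Random(seed)
    zero_challenge = bytes(CHALLENGE_LEN)
    attacker_credential = bytes(CHALLENGE_LEN)
    for attempt in range(1, max_attempts + 1):
        session_key = random_key(rng)  # DC-side secret, unknown to the attacker
        expected = compute_netlogon_credential(session_key, zero_challenge)
        if expected == attacker_credential:  # forged credential accepted
            return attempt, session_key
    return 0, None


if __name__ == "__main__":
    print(f"weak keys among 10000: {count_weak_keys(10_000)} (about 39 expected)")
    print(f"zero outputs with random IVs: {count_zero_outputs_with_random_iv(10_000)}")
    attempt, _ = simulate_attack()
    print(f"forged all-zero credential accepted on attempt {attempt}")
```

The point the simulation makes is that the attacker never learns or chooses a key: every attempt simply gets a new one from the DC, and roughly one in 256 of them happens to map the zero challenge to a zero credential. With a fresh IV per message the same cipher gives the attacker no such foothold.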
Microsoft's August patch addresses this issue, and organizations are urged to apply it to every domain controller as soon as possible. The August update is the first of two phases: a patched DC immediately refuses vulnerable Netlogon secure-channel connections from Windows machines, logs Event ID 5829 for any non-Windows or third-party devices it still allows to use the vulnerable handshake, and can be switched to full enforcement early by setting the FullSecureChannelProtection value under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters to 1. Microsoft plans to turn enforcement on for all DCs in February 2021, at which point devices that still depend on the insecure channel will be denied, so administrators should use the interim period to hunt for 5829 events and fix or replace the devices behind them. One caveat for anyone testing a public exploit against a lab DC: the attack overwrites the DC's computer account password only in Active Directory, not the copy the DC holds locally, so the DC can stop working properly (replication, DNS) until the original password is restored.
Magecart campaign compromises nearly 2,000 stores over the weekend.
Sansec warns that nearly two-thousand online stores running the Magento 1 e-commerce platform were hacked in a massive automated Magecart campaign over this past weekend. The firm estimates that "tens of thousands of customers had their private information stolen over the weekend via one of the compromised stores."
The researchers aren't sure exactly how the stores were infected, but they suspect the involvement of a Magento 1 exploit put up for sale on a hacker forum several weeks ago. The seller of the exploit claimed it used a zero-day vulnerability to achieve remote code execution without administrative privileges. The seller also correctly pointed out that Magento 1 reached its end-of-life last June, so no patches are forthcoming. Sansec says at least 95,000 stores are still running the outdated software; these stores should prioritize migrating to Magento 2.
Phishing attack targets Active Directory Credentials.
Researchers at Armorblox came across a phishing page that automatically validates harvested credentials, in real time, against the targeted organization's Active Directory via Office 365 APIs. The researchers explain, "This immediate feedback allows the attacker to respond intelligently during the attack. The attacker is also immediately aware of a live compromised credential and allows him to potentially ingratiate himself into the compromised account before any remediation." One consequence for defenders: because the kit genuinely authenticates with the stolen credentials, a successful check appears in the tenant's Azure AD sign-in logs as a real sign-in from the phishing infrastructure's IP address at the moment the victim submits the form, which is worth alerting on.
The case observed by Armorblox appears to have been targeted. Due to a recent rebranding, the organization in question used different domain names for public email addresses and Active Directory logins (the researchers use the examples "acmecorp[.]com" for email addresses and "acmecompany[.]com" for Active Directory). The attacker was somehow aware of this; the phishing site, which spoofs the Office 365 login page, displays the target's Active Directory username above the password field, rather than the email address that received the phishing message.
Access keys exposed in public repositories.
Digital Shadows identified more than 800,000 company access keys exposed on GitHub, GitLab, and Pastebin. The firm states that "more than 40% of these were for database stores, with 38% for cloud providers such as Google, Microsoft Azure and Amazon Web Services. Some 11% were for online services including collaboration platforms such as Slack and payment systems including Stripe....Credentials for Redis (37.2%), MySQL (23.8%), and MongoDB (19.3%) were the most common."
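As an added example (written for this page; not Digital Shadows' tooling), here is a small scanner for the credential types in the figures above: cloud provider access keys, Slack and Stripe tokens, and database connection strings for Redis, MySQL and MongoDB with a password embedded in the URI. The patterns follow the publicly documented prefixes of those credentials; the sample text it scans is constructed, and the allowlist mechanism for known placeholders is this example's own design.

```python
import re
from typing import AbstractSet, Dict, Iterable, List, Tuple

# Publicly documented credential shapes. Each regex is deliberately tight on
# the prefix so that ordinary identifiers do not trip it.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}"),
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
    # scheme://[user]:password@ for the database stores named in the report
    "db_uri_with_password": re.compile(
        r"\b(?:redis|rediss|mysql|mongodb(?:\+srv)?|postgres(?:ql)?)://[^\s:/@]*:[^\s@/]+@"
    ),
}

Finding = Tuple[int, str, str]  # (line number, credential type, masked value)


def mask(secret: str) -> str:
    """Keep enough to recognise a credential in a report without reprinting it."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "..." + secret[-2:]


def scan_text(text: str, allowlist: AbstractSet[str] = frozenset()) -> List[Finding]:
    """Scan text line by line and return one finding per (line, pattern) hit.
    `allowlist` holds exact strings known to be placeholders (for example a
    documented sample key) so they stop showing up as findings."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                if value in allowlist:
                    continue
                findings.append((lineno, kind, mask(value)))
    return findings


def scan_files(paths: Iterable[str]) -> Dict[str, List[Finding]]:
    """Scan files on disk (for example from a pre-commit hook); unreadable or
    binary files are skipped rather than aborting the run."""
    results: Dict[str, List[Finding]] = {}
    for path in paths:
        try:
            with open(path, "r", encoding="utf-8", errors="strict") as fh:
                hits = scan_text(fh.read())
        except (OSError, UnicodeDecodeError):
            continue
        if hits:
            results[path] = hits
    return results


# Constructed sample config for this example; none of these values are real.
SAMPLE_ENV = """\
# constructed sample for this example
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
REDIS_URL=redis://:p4ssw0rd@cache.internal:6379/0
DATABASE_URL=mysql://app:hunter2@db.internal:3306/shop
MONGO_URI=mongodb+srv://svc:S3cret-Value@cluster0.example.net/app
SLACK_BOT_TOKEN=xoxb-123456789012-ABCDEFGHIJKL
STRIPE_KEY=sk_live_abcdefghijklmnop123456
PUBLIC_KEY=pk_test_this_is_fine
"""

if __name__ == "__main__":
    for lineno, kind, shown in scan_text(SAMPLE_ENV):
        print(f"line {lineno}: {kind} {shown}")
```

Prefix-based patterns like these catch the well-formed key types cheaply; they do not catch arbitrary high-entropy strings or keys with no fixed prefix, which is why a scanner of this kind is best run as one layer alongside the platform's own secret scanning and a habit of rotating any key that has ever been committed, since git history keeps it even after it is removed.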
A surge in website defacements.
Researchers at Comparitech, while investigating a recent surge in website defacements, discovered eighty-nine zero-day vulnerabilities in popular CMS platforms and their plugins. Additionally, the researchers looked at five popular website hacking tools and found that 154 of the 280 vulnerabilities they exploited had no CVE assigned. Comparitech identified more than 100,000 sites running vulnerable plugins, most of which were using WordPress and Joomla.
Comparitech also offers a look into the global "defacement community," amateur hackers who congregate online and vandalize websites to gain notoriety and respect among their peers. Many of these individuals don't seem particularly concerned about operational security, and the researchers found it easy to locate their social media profiles.
The hackers use commodity or open-source tools to scan for and break into vulnerable websites, usually by uploading a web shell (a script that gives them remote command execution on the site's server). They then deface the site to their heart's content and create a mirror of the vandalized page to preserve the evidence of their success. These mirrors are posted on aggregator sites, where they're ranked based on the importance of the hacked website. Popular websites and sites belonging to governments and universities tend to rank the highest.
The researchers note that while this behavior certainly isn't good, it could be worse: "Many of the exploits could also be used to distribute malware, set up phishing pages, redirect users to other malicious pages, install card skimming malware, add the server to a botnet, install a cryptominer, encrypt site data with ransomware, or launch a number of other attacks on the site and its visitors."