
“Even the bravest cyber defense will experience defeat when weaknesses are neglected.”
Stephane Nappo
A lot has happened in the week since I last posted. There were so many different attacks going on that I cherry-picked the most interesting ones. I am also wrapping up a post in defense of Microsoft and its recent lapses in security. This week, we have a Salesforce zero-day, a Citrix remote-code-execution vulnerability that is still being exploited, Canon printer issues, and multiple Chinese APTs establishing beachheads in sensitive systems.
Salesforce Zero-Day

A sophisticated phishing campaign has been discovered that exploits a zero-day vulnerability in Salesforce’s email services, allowing attackers to send targeted phishing emails from Salesforce’s own domain and infrastructure. The emails appear to come from Meta but are sent from an “@salesforce.com” address. They claim that the recipient’s Facebook account is under investigation for impersonation and prompt them to click a link that leads to a fraudulent landing page. The attack is notable because the phishing kit is hosted as a game on the Facebook apps platform, under the domain apps.facebook[.]com, so both the sending domain and the landing page sit on legitimate, trusted infrastructure.

I’ve seen this kind of attack via SendGrid several years back. Despite all the news that software bugs and zero-days get, email is still, by and large, the easiest way to steal data or get access to a system. I was part of a group at an old job that had to investigate a client’s SendGrid account that had been taken over. The attacker then used the client’s account to send more phishing emails that looked legitimate. The attacker mostly targeted utility companies and even accessed one European power provider. In this case, attackers figured out a way to abuse automation in Salesforce’s software, which allowed them to send mail from its domain. Tie those emails into Facebook to spread the net wider, and you get more and more accounts. If I ever write about security, chapter one will probably begin with email.
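The practical problem with this campaign is that the usual sender checks come back clean: the mail really did leave Salesforce’s servers, so SPF and DKIM pass, and the link really does point at facebook.com. The triage script below is an added example (not code from the original post or from Salesforce or Meta) that shows the checks a mail filter needs instead: does the display name claim a brand the sending domain does not belong to, and does the link land on a host where third parties can publish under a trusted brand? The two messages, the brand allowlist and the user-publishable host list are constructed for illustration and are assumptions, not data from the campaign.

```python
"""Heuristic triage for brand-impersonation mail relayed through a legitimate
SaaS sender. Added example, not code from the original post; the messages and
domain lists below are constructed for illustration."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist of sending domains a brand actually uses; in practice you
# would build this from your own mail telemetry rather than hard-code it.
BRANDS = {
    "meta": {
        "keywords": ("meta", "facebook", "instagram"),
        "sender_domains": {"facebookmail.com", "meta.com", "facebook.com"},
    },
}

# Assumed: hosts on which arbitrary third parties can publish content under a
# trusted brand's domain (the post describes a kit hosted on the Facebook apps
# platform).
USER_CONTENT_HOSTS = {"apps.facebook.com"}

# Constructed sample modelled on the campaign: SPF and DKIM pass because the
# mail genuinely left salesforce.com infrastructure.
PHISH_EML = """\
From: Meta Security <noreply@salesforce.com>
To: victim@example.com
Subject: Your Facebook account is under investigation
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=salesforce.com; dkim=pass header.d=salesforce.com
Content-Type: text/plain; charset="utf-8"

Your account has been reported for impersonation.
Review the case here: https://apps.facebook.com/appeal-case-9981
"""

# Constructed benign control: brand name, brand sender domain, brand link.
BENIGN_EML = """\
From: Facebook <security@facebookmail.com>
To: victim@example.com
Subject: New login to your account
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=facebookmail.com; dkim=pass header.d=facebookmail.com
Content-Type: text/plain; charset="utf-8"

We noticed a new login. Review it at https://www.facebook.com/settings
"""


def auth_results(msg):
    """Parse 'spf=pass ... dkim=pass' style results into a dict."""
    header = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))


def claimed_brand(display_name):
    """Return the brand a display name appears to impersonate, if any."""
    name = display_name.lower()
    for brand, info in BRANDS.items():
        if any(k in name for k in info["keywords"]):
            return brand
    return None


def assess(raw):
    """Return a triage record for one RFC 5322 message given as text."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    auth = auth_results(msg)
    authenticated = auth.get("spf") == "pass" and auth.get("dkim") == "pass"
    findings = []

    # 1. Display name claims a brand, but the mail did not come from that brand.
    brand = claimed_brand(display)
    if brand and sender_domain not in BRANDS[brand]["sender_domains"]:
        findings.append(f"display name claims {brand!r} but sender domain is {sender_domain}")

    # 2. Links land on a host where third parties can publish under the brand.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = (urlparse(url).hostname or "").lower()
        if host in USER_CONTENT_HOSTS:
            findings.append(f"link to user-publishable host {host}: {url}")

    # 3. Passing SPF/DKIM is expected here and must not clear the message.
    if findings and authenticated:
        findings.append("spf/dkim pass: authentication proves the relay, not the brand")

    return {"sender_domain": sender_domain, "authenticated": authenticated,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        print(label, assess(raw))
```

Run it as-is and the constructed phishing message is flagged on both the brand/sender mismatch and the apps.facebook.com link while still showing `authenticated: True`; the benign control passes clean. The takeaway is the third finding: SPF and DKIM only tell you which relay the mail came through, so a filter that short-circuits on a passing Authentication-Results header will wave this campaign straight through.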
Old Citrix Remote Execution Flaw Still Being Abused

I wrote about this RCE back in July, so why am I bringing it up again? Well, a report from The Shadowserver Foundation states that over 640 Citrix servers are showing as compromised. The report, which I can’t link here because you need to be on their mailing list to receive it, states that they saw over 15,000 servers as vulnerable when the zero-day was first reported. That number has dropped significantly, but the flaw is still being actively attacked. The report states that it was attacked immediately by both China and Russia. The US government has given affected federal agencies until August 8th to patch their systems.
This whole mess shows how quickly attackers move and how slow some businesses can be to remediate issues. As a cybersecurity engineer, you not only have to stay on top of every threat, but once you have found a flaw, you must get your business to move fast enough to fix it. I must say it’s a lot easier to be an attacker than a defender.
Canon Wi-Fi Security Issues

Giving printers access to the internet was probably one of the dumber things mankind has ever done. Canon has issued a warning to users of various inkjet printer models, including home, office, and large-format devices. It has been discovered that when these printers are initialized, their Wi-Fi connection settings, which include the credentials for the network the printer was joined to, are not properly wiped from the device’s memory as they should be. This oversight could allow whoever handles the printer next to recover that sensitive data.
The issue affects a wide range of Canon printer models across various series. Canon has published a document to help users determine whether their specific model is affected. To mitigate the risk, Canon advises users to wipe their Wi-Fi settings before allowing third-party access to the printer, such as during repairs, when transferring ownership, or when disposing of the device.
Basically, some programmers thought initialization was different from a reset and wipe. Frankly, that’s an easy mistake to make. For those who remember, I wrote a post on my old blog about users not resetting their devices when they return them. When I ran my reseller business, I would buy returns from Target, Amazon, or Best Buy. Much of the tech I got would still have Apple and Google accounts signed in. I had full access to their lives. Wipe your stuff, people!
China Strikes Again!

I have written about China a lot in the cybersecurity space. As a US citizen, I see them come up often when it comes to breaches and attacks. I was going to mention these reports last week, but more information has come out since, so I have decided to combine it all here. The reports in question come from Kaspersky and the New York Times:
- Zirconium’s Data Exfiltration: A hacking group known as Zirconium, believed to be working for the Chinese government, has used a set of advanced spying tools over two years to establish a “permanent channel for data exfiltration” from industrial infrastructure. The group aims to steal data from its targets, primarily industrial and information-technology organizations across various sectors. Its tools include advanced implants that provide remote access, data gathering, and exfiltration.
- Volt Typhoon’s Disruption Potential: Another Chinese hacking group, referred to as Volt Typhoon and possibly linked to the People’s Liberation Army, has been targeting critical infrastructure. Its objective is to establish a long-term ability to cause disruption at US military bases, potentially for use during a conflict. These intrusions involve planting malicious code deep within the networks controlling power grids, communications systems, and water facilities that serve military bases.
- Microsoft Cloud Breach: A Chinese APT tracked as Storm-0558 targeted Microsoft’s Azure and Exchange cloud services. The group acquired an inactive signing key that allowed it to forge authentication tokens for enterprise accounts in Azure Active Directory. The breach gave the attackers access to the email accounts of about 25 organizations, including the US Departments of State and Commerce.
I’ll be writing a whole article about the Microsoft Cloud Breach this week, so I’ll avoid that one for now. The other two come as no surprise to me. Whether we like it or not, future warfare with peer nation-states won’t be fought with missiles and bullets but with drones and cyber warfare. Think of these breaches into power control units, utilities, and government networks as tunnels under the United States. The more of these tunnels you have, the more troops you can funnel into the country to take it over. These tunnels aren’t static. Eventually, the USA finds one and destroys it. China has to keep building more so that if war finally comes, they will have many tunnels to choose from. Don’t get me wrong, the US is doing the same to China; we aren’t angels. That being said, I hope we never go to war with China. As the world gets more digital, we become more reliant on these digital systems. If there ever is a war, I can guarantee you the first strike isn’t going to be from a missile but from an attacker who can cause chaos at the click of a button.
Conclusion
On that bleak note, I hope you have a great rest of your week! I should have the Microsoft article out sometime this week. I hope you enjoyed the skim, and I will see you all next week. Good luck to all the engineers out there, and until next time, stay safe!