
Security Skim: July 19th

Give a man a zero-day and he’ll have access for a day, teach a man to phish and he’ll have access for life.

Unknown

My last post on recent security breaches and other security news drove a lot of traffic to the site. I also got a couple of comments stating how you all like quick and simple explanations of each threat. I mainly wrote because it keeps me updated and aware of the security threats around me in my career field. So I’ve decided to make this a weekly review of all the fun security threats engineers get to deal with. My goal is to release it every Wednesday, as that gives me time to cherry-pick the threats I want to write about. So without further ado, here is this week’s Security Skim:

Google Employee Pilot Program Disables Internet

This first one is not a security issue but rather a security engineer’s wet dream. First reported by CNBC’s Jennifer Elias, Google is running a pilot program that disables internet access for a lucky 2,500 employees. In the leaked memo, Google stated that its employees are constantly targets of cyber-attacks. In order to limit the attack surface, they have decided to disable access to the internet and only allow internal tools like Gmail and Google Drive. I can’t imagine how the security team managed to pull that one off, but kudos to them. For the employees, I am sure there was a lot of “feedback” that may end up reversing that policy. Also, even without the internet, email via Gmail is still a very good method of getting access to an employee. I am sure Google’s email security infrastructure is good, but nothing is perfect.

Cloudflare Releases Quarterly DDoS Report

For those of you who don’t know, Cloudflare usually releases a quarterly DDoS report. I am not going to spend a lot of time going over it because it is worth taking the time to read yourself. That being said, the interesting bit for me was the mention of “an alarming uptick in highly-randomized and sophisticated HTTP DDoS attacks over the past few months.” Threat actors deliberately engineer attacks to bypass mitigation systems by closely mimicking browser behavior, using advanced techniques like high randomization of User-Agent strings and JA3 fingerprints. At my current job, I am seeing a lot of this, and boy, is it like playing whack-a-mole. The report goes on to talk about the overall rise in DNS-based attacks, and the move from IoT device-based attacks to VPS-based attacks (I have seen a lot of this as well). As I said, go read it when you have time because it’s worth your time.
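The randomization the report describes leaves a trace a defender can measure: a real browser reuses one TLS stack (one JA3) and one User-Agent across a session, while a randomizing flood presents a different pair on almost every request. The script below is an added example, not code from the post or from Cloudflare’s report; it runs over constructed, tab-separated sample log lines (source IP, JA3 hash, User-Agent) and flags sources whose per-request JA3 or UA diversity is suspiciously high. The field layout, thresholds and IPs are assumptions for the illustration.

```python
from collections import defaultdict

# Constructed sample log: "src_ip<TAB>ja3<TAB>user_agent", one request per line.
# 203.0.113.10 behaves like one browser; 198.51.100.7 changes identity every request.
SAMPLE_LOG = """\
203.0.113.10\tja3-aaaa\tMozilla/5.0 (Windows NT 10.0) Chrome/114
203.0.113.10\tja3-aaaa\tMozilla/5.0 (Windows NT 10.0) Chrome/114
203.0.113.10\tja3-aaaa\tMozilla/5.0 (Windows NT 10.0) Chrome/114
203.0.113.10\tja3-aaaa\tMozilla/5.0 (Windows NT 10.0) Chrome/114
203.0.113.10\tja3-aaaa\tMozilla/5.0 (Windows NT 10.0) Chrome/114
198.51.100.7\tja3-0001\tMozilla/5.0 (X11; Linux) Firefox/101
198.51.100.7\tja3-0002\tMozilla/5.0 (Macintosh) Safari/605
198.51.100.7\tja3-0003\tMozilla/5.0 (Windows NT 6.1) Chrome/99
198.51.100.7\tja3-0004\tMozilla/5.0 (iPhone) Mobile/15E148
198.51.100.7\tja3-0005\tMozilla/5.0 (Android 12) Chrome/112
"""


def parse_log(text):
    """Split each non-empty line into (ip, ja3, user_agent)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, ja3, ua = line.split("\t", 2)  # UA may contain spaces, never tabs
        rows.append((ip, ja3, ua))
    return rows


def client_stats(rows):
    """Per source IP: request count plus the distinct JA3 and UA values seen."""
    stats = defaultdict(lambda: {"requests": 0, "ja3": set(), "ua": set()})
    for ip, ja3, ua in rows:
        s = stats[ip]
        s["requests"] += 1
        s["ja3"].add(ja3)
        s["ua"].add(ua)
    return stats


def flag_randomized(rows, min_requests=5, ratio=0.8):
    """Return IPs whose distinct-JA3 or distinct-UA count per request >= ratio.
    Sources below min_requests are skipped so a handful of hits cannot trip it."""
    flagged = {}
    for ip, s in client_stats(rows).items():
        if s["requests"] < min_requests:
            continue
        ja3_ratio = len(s["ja3"]) / s["requests"]
        ua_ratio = len(s["ua"]) / s["requests"]
        if ja3_ratio >= ratio or ua_ratio >= ratio:
            flagged[ip] = {"ja3_ratio": ja3_ratio, "ua_ratio": ua_ratio}
    return flagged
```

Because the ratio is per request, a busy NAT or CGNAT address with many real browsers behind it stays well below the threshold, while a bot rotating identities on every hit sits near 1.0.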

Adobe ColdFusion 0-Day

Adobe seems to be in hot water again. Over the last week not one, not two, but three CVEs were reported for their ColdFusion software. When first reported by Rapid7 and CrowdStrike (love you guys), the vulnerabilities weren’t being exploited in the wild. Within a couple of days, Rapid7 reported that their customers were seeing them being exploited. Without realizing it, Rapid7 and CrowdStrike had released a 0-day without Adobe having had the chance to fix the issue. The CVEs are:

  • CVE-2023-29298, an Improper Access Control vulnerability that could result in a security feature bypass (score of 7.5)
  • CVE-2023-29300, a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution (score of 9.8)
  • CVE-2023-29301, an Improper Restriction of Excessive Authentication Attempts vulnerability that could result in a security feature bypass (score of 7.5)

All told, the vulnerabilities allow an attacker to easily drop a web shell on the affected devices. To make matters worse, Adobe’s patch for CVE-2023-29298 was incomplete, per Rapid7. There are already POCs floating around on GitHub and the attack is very trivial.

Citrix ADC and Citrix Gateway Security N-day

Yesterday Citrix released a security bulletin about three CVEs affecting their ADC and Gateway products. The three are as follows:

  • CVE-2023-3466, a cross-site scripting attack requiring the victim to access an attacker-controlled link in the browser while being on a network with connectivity to the NSIP (score of 8.3)
  • CVE-2023-3467, a privilege escalation vulnerability requiring authenticated access to NSIP or SNIP with management interface access (score of 8)
  • CVE-2023-3519, unauthenticated remote code execution requiring ADC or Gateway to be configured as a Gateway or AAA server (score of 9.8)

While the first two aren’t great, CVE-2023-3519 is a real doozy. Most Citrix ADCs and Citrix Gateways are configured as gateways, so this affects a lot of devices. The attack itself is not complicated and I have already seen multiple POCs floating around.

Hacked Hikvision Cameras Used to Sell Child Porn

This one hits close to home as I have a child on the way. As reported by IPVM, hacked Hikvision camera access is being sold on Telegram channels specifically for child porn. Their investigation found “…widespread sales offers for nude videos, including “cp” (child porn), “kids room”, “family room”, “bedroom of a young girl”, “gynecological office”, and many others.” All of the footage came from Hikvision cameras that either had not had their firmware updated or used weak passwords. The hackers used the Hik-Connect app to generate QR codes to easily share these feeds with their customers. Before the Telegram channels were shut down, they had over 7,000 users. While the report didn’t mention any specific CVE, this is a good reminder to always change the default passwords on your devices, keep their firmware updated, and be careful buying smart devices. You never know what they could be leaking out to the internet.

Conclusion

It’s been a rough week for security teams and I hope that all of you take some time out for yourselves. Until next time, stay safe!
