Triki: Cookie Collection and Analysis Tool

Juan Elosua Tomé    12 February, 2021

In July 2020, the Spanish Data Protection Agency, following the entry into force of the European General Data Protection Regulation and several consultations with the European Data Protection Committee (EDPC), updated its user guide, giving website owners until 31 October 2020 to comply with it.

As a result of this new regulation, at TEGRA, the cyber security innovation centre promoted by ElevenPaths and Gradiant in Galicia, we decided to launch an investigation to analyse the use of cookies on the most visited websites in Spain after the guide came into force, in order to check their compliance with it.

A month ago, we published on this blog the results of a piece of research on the use of cookies and a full report on it as well. During the course of the research and with the aim of being able to systematise the analysis and collection of cookies, we began to generate the foundations of what ended up becoming the Triki tool, which we will go into in more detail in this post and which has been released to the community on Github.

Triki automates navigation to a configurable set of websites, extracts the cookies each one sets and generates high-level statistics on the main characteristics of those cookies. It relies heavily on Selenium’s browser automation capabilities.

To further facilitate more comprehensive analysis, Triki also provides an auxiliary script that loads all the information collected into an SQLite database.
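As an added illustration of the kind of high-level statistics a cookie-collection tool derives once the cookies have been scraped (this is not Triki’s own code), the following Python computes first-party/third-party split, Secure and HttpOnly coverage and lifetime buckets over a constructed sample. The cookie dicts follow the shape Selenium’s WebDriver.get_cookies() returns, so a real crawl could be fed in unchanged; the site example.test, the fixed timestamp and the cookies themselves are all constructed.

```python
"""Cookie statistics over a constructed sample (added example, not Triki's code)."""
from collections import Counter

# Fixed "now" (constructed: 2021-02-01 00:00:00 UTC) so lifetimes are deterministic.
NOW = 1612137600
DAY = 86400

# Constructed sample: cookies observed after loading the hypothetical first-party
# site example.test together with its embedded third-party content. The keys
# mirror Selenium's get_cookies() output; session cookies carry no "expiry".
SAMPLE_COOKIES = [
    {"name": "session", "domain": "example.test", "secure": True, "httpOnly": True, "expiry": None},
    {"name": "_ga", "domain": ".example.test", "secure": False, "httpOnly": False, "expiry": NOW + 730 * DAY},
    {"name": "IDE", "domain": ".ads.tracker.test", "secure": True, "httpOnly": False, "expiry": NOW + 390 * DAY},
    {"name": "consent", "domain": "example.test", "secure": True, "httpOnly": False, "expiry": NOW + 180 * DAY},
    {"name": "fr", "domain": ".social.test", "secure": True, "httpOnly": True, "expiry": NOW + 90 * DAY},
]


def is_third_party(cookie_domain, site_host):
    """A cookie is first-party when the visited host equals the cookie domain or
    is a subdomain of it (a leading dot in the cookie domain is ignored, as
    browsers do); anything else was set by a third party. This is a plain
    suffix check and does not consult the public suffix list."""
    domain = cookie_domain.lstrip(".").lower()
    host = site_host.lower()
    return not (host == domain or host.endswith("." + domain))


def lifetime_bucket(expiry, now=NOW):
    """Coarse lifetime class; None means a session cookie (no expiry at all)."""
    if expiry is None:
        return "session"
    remaining = expiry - now
    if remaining <= DAY:
        return "<=1d"
    if remaining <= 30 * DAY:
        return "<=30d"
    if remaining <= 365 * DAY:
        return "<=1y"
    return ">1y"


def summarize(cookies, site_host, now=NOW):
    """Aggregate the properties a privacy review usually asks about."""
    stats = {"total": len(cookies), "third_party": 0, "secure": 0,
             "http_only": 0, "lifetimes": Counter()}
    for c in cookies:
        if is_third_party(c["domain"], site_host):
            stats["third_party"] += 1
        if c.get("secure"):
            stats["secure"] += 1
        if c.get("httpOnly"):
            stats["http_only"] += 1
        stats["lifetimes"][lifetime_bucket(c.get("expiry"), now)] += 1
    stats["lifetimes"] = dict(stats["lifetimes"])
    return stats


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_COOKIES, "example.test").items():
        print(f"{key}: {value}")
```

The third-party test is deliberately simple: it treats any registrable-looking suffix as the same party, so a tool used for real audits should replace it with a public-suffix-aware check before drawing conclusions about sites hosted under shared domains.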

Now that it has been released, we invite the readers of our research and of this post to check how their websites of interest manage cookies and whether or not they comply with the current legislation.

All the information about its use is included in the README of the tool in Telefónica’s Github. Still not convinced? We have prepared this video summary of its functionalities to help you take the plunge and try it out.


TEGRA cybersecurity centre is part of the joint research unit in cyber security IRMAS (Information Rights Management Advanced Systems), which is co-financed by the European Union, within the framework of the Galicia ERDF Operational Programme 2014-2020, to promote technological development, innovation and quality research.

CNCF’s Harbor (cloud native registry) fixes an information disclosure bug discovered by ElevenPaths (CVE-2020-29662)

Javier Provecho    10 February, 2021

On December 2nd, ElevenPaths’ CTO SRE team discovered an unauthenticated API within Harbor, a cloud native registry part of the CNCF. It is commonly used as an agnostic Docker registry and Helm artifact server across cloud native deployments. In this article I’ll explain how to reproduce this vulnerability and what impact it has on the software and data stored within Harbor.

The affected API was the v2 catalog, which lists all the resources available within the registry. It is meant to be accessible only as an administrator.

If the request carries an extra trailing slash, it is still handled by the catalog API, but the authorization check is bypassed.

The bug was in the auth middleware, which is responsible for identifying the intent of each request and authorizing it accordingly. This middleware runs before any other handler in beego, the router used by Harbor, and that router executes the same handler for request patterns with and without a trailing slash.

The auth middleware uses regex patterns to identify the intent of each request. In the case of the catalog API, the pattern did not match a request with a trailing slash, so no intent was assigned and the request was authorized by default.
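The following added example (not Harbor’s source code) reproduces the shape of the bug in a few lines of Python: a regex intent table whose catalog pattern anchors `$` directly after the path, an authorizer that lets unclassified requests through, and a hardened version that normalises the trailing slash before matching and denies by default. The role levels and the second rule are assumptions made for illustration; `/v2/_catalog` is the registry catalog endpoint the post refers to.

```python
import re

# Role ordering for the example (assumption); the catalog needs an administrator.
ROLE_LEVEL = {"anonymous": 0, "user": 1, "admin": 2}
REQUIRED_ROLE = {"catalog": "admin", "repository": "user"}

# Constructed rules in the spirit of a regex-based intent table (not Harbor's
# actual patterns). The catalog pattern anchors '$' right after the path, so a
# request for "/v2/_catalog/" matches nothing and receives no intent.
RULES = [
    (re.compile(r"^/v2/_catalog$"), "catalog"),
    (re.compile(r"^/v2/(?P<repo>.+)/manifests/[^/]+$"), "repository"),
]


def intent_for(path, rules=RULES):
    """Return the intent of the first matching rule, or None if nothing matches."""
    for pattern, intent in rules:
        if pattern.match(path):
            return intent
    return None


def _allowed(intent, role):
    return ROLE_LEVEL[role] >= ROLE_LEVEL[REQUIRED_ROLE[intent]]


def authorize_vulnerable(path, role):
    """Fail-open shape of the bug: a request with no recognised intent is let
    through, so the trailing-slash variant of the catalog path is never checked
    even though the router will still serve the catalog handler for it."""
    intent = intent_for(path)
    if intent is None:
        return True
    return _allowed(intent, role)


def normalize_path(path):
    """Mirror a router that treats '/x' and '/x/' as the same handler, so the
    middleware classifies exactly what the handler will serve."""
    stripped = path.rstrip("/")
    return stripped if stripped else "/"


def authorize_hardened(path, role):
    """Two independent fixes: classify the normalised path, and deny when no
    intent is recognised (fail closed) so a future unmatched route cannot
    silently become public."""
    intent = intent_for(normalize_path(path))
    if intent is None:
        return False
    return _allowed(intent, role)


if __name__ == "__main__":
    for p in ("/v2/_catalog", "/v2/_catalog/"):
        print(p, "vulnerable:", authorize_vulnerable(p, "anonymous"),
              "hardened:", authorize_hardened(p, "anonymous"))
```

Either fix alone closes this particular bypass; keeping both matters because the regex table and the router’s notion of path equivalence are maintained separately, and the fail-closed default is what keeps the next mismatch from being an authorization hole rather than a 403 bug report.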

Harbor Project has released patches for 2.0.* and 2.1.*. If upgrading is not possible, redirecting the catalog API to an HTTP sink is recommended as an alternative.

Patching is encouraged to prevent unidentified actors from exploring instances discovered through crawling services like Shodan.

Timeline:

  • 12/02/2020. Vulnerability discovered and reported to Harbor Security mailing list.
  • 12/03/2020. Vulnerability confirmed by Harbor Security Team.
  • 12/17/2020. Harbor releases patches 2.0.5 and 2.1.2, fixing the vulnerability.

Digital Zombies and Social Engineering

Gabriel Bergel    9 February, 2021

This post is about zombies and social engineering. The image in figure 1 is free and royalty-free as long as you credit it, and I loved it. We all probably know what the night before the delivery of a piece of work, a project, a thesis, or the much-used “deadline” is like. It is an image that has a lot to do with this article, as we will see below.

Figure 1: Night of the Deadline (Design vector created by freepik)

Do You Know What a Zombie Is?

The term “zombie” comes from the Haitian Creole zonbi, sometimes spelled zombie, in English. It roughly refers to an entity capable of resurrecting or coming back to life (Wikipedia).

We currently live in a world consumed by technology, no one could imagine the world without a mobile phone in the hand, without the Internet or social networks and, worst of all, we are losing our sense of reality in the digital world.

Have we become digital zombies? I would honestly say yes, it seems incredible that most people do not realise how much privileged information social media has about us or how these technologies were designed and calibrated to manipulate human psychology. Nowadays, the Internet and social media addiction, or the spread of misinformation, is having a negative impact on our mental health and the mental health of our youngsters, even affecting democratic processes and institutions.

For those who still don’t believe this, I recommend the documentaries “The Social Dilemma” and “Coded Bias”. The Internet is also full of ridiculous and dangerous challenges, as well as the “zombies” who follow them; that is the empirical proof that we have become Digital Zombies or are in the process of becoming so, and, as in every zombie apocalypse, there is still no cure or vaccine.

Internet Addiction

It is very difficult, almost impossible, to conceive of our world without the Internet. It is a tool that has revolutionised many areas of our lives, and while the positive aspects are undeniable, many negative aspects arise when people become hooked on it as a primary way of satisfying their needs. Internet addiction is the oldest of the new digital pathologies. Introduced in 1996 by the WHO, it affects between 6 and 10% of the population: more than 2 hours a day during the week and 4 hours a day at weekends is considered risky use, with significant consequences for people’s mental health.

Social Media

According to Wikipedia, a social network is a social structure composed of a set of users who are related according to some criteria (professional relationship, friendship, kinship, among others).

In general, people are very concerned about their social media profiles, keeping them appealing, active, entertaining and so on. Social media has become the main communication channel for many, especially during a pandemic. We cannot deny the benefits of social networks; however, many do not know that everything is monitored, recorded and measured: every time we write something or look at an image, how long we look at it and at what times. They know when we feel lonely or depressed, what we do in the mornings and evenings, the places we usually go and who we go with, etc. They have more information about us than any other social network, more than has been gathered in the whole of human history. With all that information they create predictive models based on algorithms that to this day are not known and cannot be audited (and that may suffer from biases). This is how they predict our actions, and the model that predicts best wins. They are doing voodoo and we, the users, are the victims.

Today we are talking about a new capitalism based on the continuous surveillance of the actions we voluntarily publish, or give away in exchange for taking part in dynamics, games or surveys (Cambridge Analytica). These companies have become billionaires thanks to the business they do with advertiser brands and the effectiveness they offer in getting users to consume their products, thus creating futures markets for humans, just like the futures markets for animals.

I always hear that people like social networks a lot and feel welcome and cool on them because they are free and not for profit, but this is a lie! They have 3 main objectives:

  1. Increase our attention
  2. Increase growth; they have even experimented with human hacking for accelerated growth, but this is a topic for another post 😉
  3. Increase advertising (earn more money)

This is where persuasive technology comes in, exploiting the vulnerabilities of human psychology.

If we add social engineering to this situation, you know what happens… It is time to wake up, disconnect, create digital habits and increase digital immunity. We must be more digitally aware, talk about these issues, especially with the youngest and the elderly, and also, why not say it, be a little more distrustful.

How will AI change the labour market for the better?

Patrick Buckley    8 February, 2021

From the way we shop to the way we learn, the digital world in which we live is unrecognisable from the reality of a decade ago. One area which generates much discussion within the context of Artificial Intelligence (AI) is the labour market. In today’s post, we explain the likely impact that AI will have on the world of work and what this means for our society going forward.

So what are we supposed to believe?

On the one hand, AI sceptics may argue that continued innovation in technology will result in unemployment. As machines become proficient in roles previously occupied by human beings, unemployment will subsequently arise in certain sectors. On the other hand, we consider the argument of job creation, innovation and an improved work-life balance. So which is true?

It is true that many positions are becoming digitally managed as industries undergo a digital transformation. It is also argued that machines are becoming increasingly emotionally intelligent. The threat of unemployment within lower-skilled sectors may therefore extend in due course to customer-facing roles such as hotel receptionists, retail workers and secretaries.

This argument is by no means the end of the story. Automation doesn’t have to be a negative thing for our society. In fact, the opposite is true. Whilst many jobs are indeed being lost to AI, even more positions are being created thanks to this booming industry.

In 2018 The World Economic Forum’s Future Jobs Report estimated that AI will widen the job market by 58 million jobs by 2022. This is expected to be achieved through the creation of 133 million new skilled jobs globally. This is to be accompanied by the simultaneous elimination of 78 million lower-skilled positions.

In short, AI isn’t taking our jobs, it’s just converting them from lower-skilled to higher-skilled positions. Whilst we may no longer require humans to work as cleaners and rubbish pickers in the future, we increasingly will need more jobs to service a booming AI industry. Here we consider not just the software developers and the engineers, but also the salespeople, the marketers, the maintenance teams and logistics companies. These positions, whether they arise indirectly or directly from the AI industry, all depend on servicing machines that didn’t exist just a few years ago.

What does this mean for our Society?

The socio-economic impact of this transition is hard to predict. It depends considerably on the level of social mobility in our future global society. Its benefit will be felt increasingly as more young people around the world access quality higher education that allows them to follow this transition towards a higher-skilled role.

These higher-skilled positions require a more qualified workforce. Those who may previously have filled lower-skilled roles with low earning potential will instead find themselves working in higher-paid, more rewarding jobs. Thanks to AI, more people will experience enhanced career progression opportunities.

Due to the diminishing need for humans to perform menial jobs, we will all experience a better quality of life. AI even has the potential to redefine the way we live and work. Professionals may choose to work less as their salaries afford them more leisure time. People may devote more time to fulfilling personal goals. In the not too distant future we may not need to be enslaved to the 9-to-5. Machines can do all of those menial, administrative and frankly boring tasks which occupy most of our time.

Final Thoughts

As I see it, AI can only have a positive impact on the labour market. It is the tool that enables us to progress our society forward, to elevate the quality of the jobs which exist today. The extent to which society will benefit from this depends on the ability of the workforce to adjust to these more qualified positions. If society continues to go down this path of digitalisation, the very nature of how we work will be redefined for the better.

To keep up to date with LUCA visit our website, subscribe to LUCA Data Speaks or follow us on Twitter, LinkedIn or YouTube.

Cyber Security Weekly Briefing 30 January – 5 February

ElevenPaths    5 February, 2021

Chrome will reject Camerfirma’s certificates

Google plans to remove Chrome’s support for digital certificates issued by the certification authority (CA) Camerfirma, a Spanish company whose certificates are widely deployed across public administrations of all kinds, including the Tax Agency. The restriction will come into force with the launch of Chrome 90, scheduled for mid-April this year. From that version on, every website that uses TLS certificates issued by Camerfirma to secure its HTTPS traffic will display an error and will not load in Chrome. The decision to ban Camerfirma’s certificates was announced after the company took more than six weeks to explain a series of 26 incidents related to its certificate issuing process. So far, the other major browser vendors (Apple, Microsoft and Mozilla) have not announced similar action, but they are expected to do so in the coming weeks.

More details: https://www.zdnet.com/article/google-bans-another-misbehaving-ca-from-chrome/

Google and Qualcomm patch critical Android vulnerabilities

Google’s February security bulletin fixes, among others, two vulnerabilities rated critical. Both bugs, CVE-2021-0325 and CVE-2021-0326, allow remote code execution (RCE) within the context of a privileged process by sending a specially crafted packet or broadcast. The same bulletin also references several vulnerabilities in Qualcomm components, reported by Qualcomm in its own security bulletin. Three of them are critical: CVE-2020-11272, affecting the WLAN component, with a CVSS score of 9.8 out of 10; and CVE-2020-11163 and CVE-2020-11170, affecting proprietary software components present in the operating system. All of them have been fixed and there is no evidence of active exploitation.

More information: https://source.android.com/security/bulletin/2021-02-01

Google fixes a 0-day in Chrome

Yesterday, 4 February, Google released version 88.0.4324.150 of Chrome for Windows, Mac and Linux, which will be rolled out progressively to the user base over the next few days. This update follows the recent release of version 88.0.4324.146, which fixed six other vulnerabilities in the same browser (CVE-2021-21142 to CVE-2021-21147). The new version fixes a 0-day, identified as CVE-2021-21148 and reported on 24 January by researcher Mattias Buelens. The bug is a stack overflow in the V8 JavaScript engine, and can be exploited by attackers to execute arbitrary code on systems running previous versions of Chrome. In its publication, Google confirms that functional exploits for this vulnerability exist. ZDNet points out the coincidence between the report of the vulnerability on 24 January and the publication days later, by Google on 25 January and by Microsoft on 28 January, of findings on a campaign of attacks against security researchers. In both articles, the firms mention the exploitation of 0-day vulnerabilities in browsers to execute malware on the researchers’ systems. Google has not confirmed this speculation, nor that the vulnerability fixed in this new version (CVE-2021-21148) is the one used in the attacks.

All the information: https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html

SonicWall fixes an actively exploited 0-day vulnerability

SonicWall has released an update that fixes a 0-day vulnerability in the SMA 100 series firmware. On 22 January, the company reported that it had been the victim of a coordinated attack against its internal systems through the possible exploitation of 0-day vulnerabilities. The internal investigation identified the flaw in the Secure Mobile Access (SMA) product, version 10.x, and recommended that clients enable multi-factor authentication on affected devices as a mitigation measure. On 31 January, NCC Group provided SonicWall with details of the identified vulnerability, listed as CVE-2021-20016, which could allow an unauthenticated attacker to exploit it remotely via an SQL query that would return the username, password and other session-related data. At this time, the actor behind the attacks against SonicWall has not been identified.

More details: https://www.sonicwall.com/support/product-notification/urgent-patch-available-for-sma-100-series-10-x-firmware-zero-day-vulnerability-updated-feb-3-2-p-m-cst/210122173415410/

CacheFlow – Malicious Chrome and Edge extensions steal and manipulate user data

Security researchers at Avast have published a new blog post with more details on the threat known as CacheFlow, which was disclosed in December 2020 by researchers at CZ.NIC and which has been active since at least October 2017. In the new article, Avast describes a campaign involving a wide network of malicious extensions for the Chrome and Edge browsers, with more than three million installations in total. The CacheFlow attack is carried out in several steps, starting when a user installs one of the extensions. A few days after installation, a new payload is downloaded through a covert channel, which eventually downloads the CacheFlow payload. From then on, every time the browser is launched, CacheFlow tries to steal information from the user’s Google account, injects malicious code into every new tab opened and hijacks users’ clicks to modify search results. According to Avast’s research, the countries most affected by the attack are Brazil, Ukraine and France, although downloads of these extensions from Spain have also been detected.

More information: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Snitch Cryptography: How to Crack Tamper-Proof Devices

Gonzalo Álvarez Marañón    4 February, 2021

Google’s Titan Security Key or YubiKey from Yubico are the ultimate trend in multi-factor authentication security. According to Google’s own website:

«The keys have a hardware chip with firmware designed by Google to verify that no one has tampered with them. These chips are designed to resist physical attacks that seek to extract the key’s firmware and secret material».

In other words, a Titan or YubiKey key stores your private key and it should be impossible to extract it from the device. It should be. Because, to be honest, you can, as several NinjaLab researchers proved in January in a titanic work (ok, yes, that was a bad joke). How did they achieve it? Using a side-channel attack.

How Do Side Channel Attacks Work

What happens when mathematical algorithms leave the blackboards of cryptographers and are programmed into Real World™ chips? In the crude physical world, far away from ideal platonic bodies, a bit has no choice but to be represented as an electric current passing (“1”) or not passing (“0”) through a transistor. And, however subtly it flows, an electric current inevitably produces effects around it: a small electromagnetic radiation, a small variation in temperature, a small rise in energy consumption, a small displacement of air, an imperceptible sound, …

If you are able to measure these effects, you are able to read keys, intermediate states, memory… In short, to extract enough information to circumvent the mathematical algorithm. No matter how secure your cryptography is, if the hardware implementation allows a side-channel attack, it will come to nothing.

Figure 1. Traditional (ideal) cryptographic model versus (real) side-channel cryptographic model.

Since the birth of mechanical cryptography, cryptanalysts have found that every cryptographic device “snitches” on what is going on inside it. Instead of attacking the algorithms, side-channel attacks target the implementation of the algorithms. In short: if hardware is involved, there will be a side channel leaking information. It is pure physics. Let’s look at it with an example.

Power Analysis Attack On RSA

In a previous article, I explained mathematical attacks against the popular RSA public key encryption algorithm, although I only briefly mentioned the possibility of side-channel attacks. As you know, to encrypt with RSA, the following operation is performed with the public key (e, n):

c = m^e mod n

while the private key d is used for decryption:

m = c^d mod n

The attacker’s goal is to extract this private key, d, from the device. As you can see, the way RSA works is based on the exponentiation operation. Since RSA uses very, very large integers, mathematicians looked for shortcuts to make these operations fast. More precisely, the exponentiation by squaring algorithm, also known as square and multiply, is often used. It is very simple to understand. To calculate 3^4, whose exponent is 100 in binary, you can do the following operations:

  • 3^2 = 9 (square)
  • 9^2 = 81 (square)

To calculate this result, it was enough to square twice in a row. Let’s see what happens with another exponent. For 3^5, whose exponent is 101 in binary, the algorithm works like this:

  • 3^2 = 9 (square)
  • 9^2 = 81 (square)
  • 81 × 3 = 243 (multiply)

In this case, two squares and one multiplication have been performed. Finally, consider 3^12, whose exponent is 1100 in binary:

  • 3^2 = 9 (square)
  • 9 × 3 = 27 (multiply)
  • 27^2 = 729 (square)
  • 729^2 = 531,441 (square)

By now, you will have realised how the algorithm works: after ignoring the first “1” in the exponent, if you encounter a “1”, do a square and a multiplication; if you encounter a “0”, do just a square. No matter how big the base and exponent are, you can always exponentiate by these two operations in a remarkably efficient way. In short, always square and only multiply if the exponent bit to be processed is 1.

Now, as you can imagine, a square followed by a multiplication takes much longer than a square alone. If you could see how long the circuit takes for each step, you would know which operation it is performing, and therefore what the private exponent, d, is. And the reality is that it is as simple as looking at the power consumption of the device, as shown in the figure below:

Figure 2. Consumption analysis of a chip operating with RSA (source: Understanding Cryptography: A textbook for students).

From the observation of the trace, it is clear that the secret key is:

operations: S SM SM S SM S S SM SM SM S SM …

private key: 0 1 1 0 1 0 0 1 1 1 0 1 …

Of course, this attack works for keys of any length. Similarly, other encryption algorithms leak information in other ways, but unfortunately they all leak something. And when power analysis does not leak the information needed, there are many other attacks.
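As an added example that is not part of the original post, the following Python implements the square-and-multiply algorithm walked through above, instrumented to emit the same S / SM sequence an unprotected chip shows in its power trace, a routine that reads the exponent bits back from such a trace (on the trace above it returns the same bits as the post), and a Montgomery ladder, the standard countermeasure whose operation sequence does not depend on the key. The modulus 10^9 and the base 3 are just the post’s worked values kept small.

```python
def square_and_multiply(base, exponent, modulus):
    """Left-to-right binary exponentiation as in the post. Returns
    (base**exponent mod modulus, trace) where the trace has one token per
    exponent bit after the leading 1: 'S' for square only, 'SM' for square then
    multiply. This token sequence is exactly what the power trace leaks."""
    bits = bin(exponent)[2:]
    result = base % modulus
    trace = []
    for bit in bits[1:]:            # the leading 1 is the starting value, not an operation
        result = (result * result) % modulus
        if bit == "1":
            result = (result * base) % modulus
            trace.append("SM")
        else:
            trace.append("S")
    return result, " ".join(trace)


def recover_bits(trace):
    """Read a trace back as the exponent bits after the leading 1:
    every 'S' token is a 0 bit, every 'SM' token is a 1 bit."""
    return "".join("1" if token == "SM" else "0" for token in trace.split())


def recover_exponent(trace):
    """The full exponent: the leading 1 (invisible in the trace) plus the recovered bits."""
    return int("1" + recover_bits(trace), 2)


def montgomery_ladder(base, exponent, modulus):
    """Countermeasure: the Montgomery ladder performs one multiply and one
    square for every exponent bit, so the operation sequence is identical for
    every key of the same length. Only the sequence leak is removed here;
    operand-dependent leakage (which values are multiplied) still needs
    blinding or other hardware countermeasures."""
    r0, r1 = 1, base % modulus       # invariant: r1 == r0 * base (mod modulus)
    trace = []
    for bit in bin(exponent)[2:]:
        if bit == "0":
            r1 = (r0 * r1) % modulus
            r0 = (r0 * r0) % modulus
        else:
            r0 = (r0 * r1) % modulus
            r1 = (r1 * r1) % modulus
        trace.append("SM")           # same token whatever the bit was
    return r0, " ".join(trace)


if __name__ == "__main__":
    for e in (4, 5, 12):
        print(f"3^{e}:", square_and_multiply(3, e, 10**9))
    page_trace = "S SM SM S SM S S SM SM SM S SM"
    print("bits read from the post's trace:", recover_bits(page_trace))
    print("ladder trace for 3^12:", montgomery_ladder(3, 12, 10**9)[1])
```

Running it reproduces the three worked examples (81 with trace `S S`, 243 with `S SM`, 531441 with `SM S S`) and turns the post’s trace into the bit string 011010011101; the ladder returns the same numeric results while emitting `SM` for every bit.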

Types of Side-Channel Attacks

In addition to the side-channel attack based on power consumption, researchers have been discovering many other ways to obtain information from an operating hardware device:

  • Attack on the cache: The cache is an almost instantaneous direct access memory, used to store heavily used data and instructions. When data is loaded into cache for the first time (cache miss) there is a delay, as opposed to when data is already in cache (cache hit), where access is instantaneous. This difference in access times leaks valuable information that can be used by an attacker to obtain sensitive data from memory. The devastating Meltdown and Spectre attacks are examples of this type of attack.
  • Timing attack: this is carried out by measuring the time it takes for different instructions of a cryptographic algorithm to execute depending on their parameters. The timing variations allow information to be extracted about the key.
  • Power consumption attack: not all operations performed by an algorithm are equally complex. In general, the greater the complexity, the greater the consumption. By measuring these variations in consumption, information can be extracted about the algorithm’s arguments, as in the example seen for RSA.
  • Electromagnetic attack: any electronic device leaks electromagnetic radiation, which can directly provide the content of sensitive information. These measurements can be used to infer cryptographic keys using techniques equivalent to power analysis or can be used in non-cryptographic attacks, e.g. TEMPEST, which allows the information on a monitor to be replayed from another room.
  • Sound attack: it is possible to figure out the operation of a device’s processor and break its cryptography by listening with a conventional smartphone to the sound of its capacitors and coils as they operate. There are also non-cryptographic attacks that exploit the sound emitted by the keys on a keyboard when entering a password or the noise of the heads of an ink-jet printer when printing.
  • Differential fault analysis: when hardware is intentionally induced to fail, the unexpected responses from the execution of an algorithm can be used to obtain information about its data. The padding oracle attacks against RSA or the length extension attack, based on this technique, are very famous.
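The timing bullet above has a purely software counterpart that is worth seeing in code. This added example (not from the post) counts how many bytes a comparison inspects instead of measuring wall-clock time, which makes the leak deterministic and visible: an early-exit comparison does work proportional to the length of the matching prefix, while the constant-time form always inspects every byte. The secret token is constructed.

```python
# Constructed secret for the demonstration; a real one would come from a key store.
SECRET_TOKEN = b"s3cr3t-token"


def naive_compare(a: bytes, b: bytes):
    """Early-exit comparison. Returns (equal, bytes_inspected). The work done
    depends on where the first mismatch is, so a remote caller measuring
    response time learns how long the matching prefix was. Guessing one byte
    at a time is what makes this a practical timing attack."""
    if len(a) != len(b):
        return False, 0
    inspected = 0
    for x, y in zip(a, b):
        inspected += 1
        if x != y:
            return False, inspected
    return True, inspected


def constant_time_compare(a: bytes, b: bytes):
    """Accumulate differences with XOR/OR and never exit early: the number of
    bytes inspected is the same for every input of a given length, so timing
    no longer depends on the secret. The length check still leaks the length,
    which is why fixed-length digests are compared in practice."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def inspected_counts(guesses, compare=naive_compare):
    """Work done by `compare` for each guess against SECRET_TOKEN."""
    return [compare(SECRET_TOKEN, g)[1] for g in guesses]


if __name__ == "__main__":
    guesses = [b"a3cr3t-token", b"s3cr3t-tokeX", b"s3cr3t-token"]
    print("naive      :", inspected_counts(guesses, naive_compare))
    print("constant   :", inspected_counts(guesses, constant_time_compare))
```

In Python the standard library already provides this behaviour as hmac.compare_digest, and that is what production code should call; the hand-written version is here only to make the countermeasure’s mechanism explicit.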

Cryptography Does Not Run On Paper, But On Hardware

However secure an algorithm may be on paper, when executed on hardware it opens the door to side-channel attacks. Although they have been known since the early 20th century, they have gone relatively unnoticed because they require the attacker to be physically close to carry them out. But thanks to smartphones and drones, it is now easy to plant microphones and sensors anywhere to launch side-channel attacks against victims. Over time, such attacks will become easier and cheaper. Even quantum key distribution is not immune to side-channel attacks.

In addition to those mentioned above, new attacks are continually being discovered: cold boot, software-based, error-message-based, optical, etc. There are many countermeasures that can be added to hardware designs to counter these attacks: injecting randomness, adding noise, deleting data, etc. It is a race in which the attackers are always one step ahead of the engineers and which, sadly, appears to have no end.

The Future of the Construction Industry is Upon Us

Patrick Buckley    4 February, 2021

Cost overruns, delays, work-related accidents and expensive misunderstandings are everyday challenges which continue to plague the construction industry worldwide. In today’s post, we explore how the construction industry, too, can benefit from a digital transformation, as we take a look at how technology can lead to efficiency gains in many daily procedures and protocols.

Counting the Cost

Everybody knows that cost overruns in construction projects are a painfully common occurrence. According to a 2015 survey published by the leading financial consultancy group KPMG, only 31% of all projects surveyed came within 10% of their original costing plan. Spiralling costs can happen for a variety of reasons, but as this report points out, poor project management tends to stand out as the main one.

So how can Internet of Things (IoT) solutions help keep a lid on costs? Firstly, asset tracking technology can help project managers keep track of the various components that make up a project, from the materials to the workforce.

IoT devices can be used to help managers monitor deliveries. Managers can know the status of each material and can therefore act dynamically to organise the workforce accordingly. This maximises productivity and minimises delays.

Say, for example, a project manager in London learns that a supply of bespoke doors produced in France has been delayed in transit at the border. With this information he may decide to instruct the workforce to install another component that day. This allows for the dynamic mobilisation of the workforce. Over time this eliminates the deadweight loss associated with a stationary workforce.

In the same way, IoT-connected devices attached to the uniforms of construction workers can be used to measure their productivity throughout the day. Through movement monitoring data, managers can ensure that the correct amount of time off is taken by each employee. This, if used correctly, could lead to a fairer and more productive career progression system. Managers could use this data to promote only the most productive workers to more senior roles. Subsequently, this would facilitate the development of only the most competent teams.

Keeping Workers Safe on Site

On all sites, but especially on large-scale projects, the location of those on site must be known at all times. This can be achieved through the use of IoT-connected devices on uniforms. As described above, the location of each employee can be easily identified in the event of an emergency such as an accident or dangerous event happening on site.

In many countries around the world, construction firms have a legal obligation to safeguard the wellbeing of their employees. An employee tracking system would be a simple and effective way to manage this liability.

The Future of AI in Construction – BIM

Building Information Modelling (BIM) is a tool powered by Artificial Intelligence (AI) which allows all agents to monitor project progress. Whether they be the architect, project manager or chief engineer, the status of the project can be visually explored through a digitally enhanced computer-generated model.

This solution gives real-time progress insights by allowing agents to input data and virtually simulate the building process.

In this way, design flaws can be automatically picked up by algorithms which are programmed to recognise potential hazards or impacts. These could come from changes in design, construction method or materials. Expensive and time-consuming mistakes can therefore be prevented from occurring in real life.

Final Thoughts

As we enter a new era of digitalisation, construction companies around the world have the new-found ability to overcome some of the challenges associated with previous management practices. Principally, the centralised digital management of both materials and the workforce will lead to great efficiency gains, enhancing on site productivity and safety.


CVE-2020-35710 or How Your RAS Gateway Secure Reveals Your Organisation’s Intranet

Amador Aparicio    2 February, 2021

Parallels RAS (Remote Application Server) is a virtual desktop infrastructure (VDI) and application delivery solution that enables an organisation’s employees and clients to access and use applications, desktops and data from any device, thanks to the virtualisation capabilities that it offers.

A few weeks ago I published my discovery of this vulnerability, classified as CVE-2020-35710, associated with this architecture. In this article I explain exactly what it is.

RAS Architecture

The following figure shows a scenario where the RAS Secure Gateway’s HTML5 Portal is deployed in the DMZ. The RAS Secure Gateway forwards requests via HTTP to a remote desktop session host, the RAS RD, which has the Remote Desktop Services (RDS) functionality installed. As can be seen, the RDP host is located within the organisation’s LAN, although it could also be located within a DMZ, thereby reducing the exposure of the organisation’s internal network assets.

Figure 1. Network Architecture for a Parallels RAS Secure Gateway and RAS RD Infrastructure

Parallels Remote Application Server Search

Finding Internet-accessible RAS HTML5 Gateway devices is relatively easy. Simply consult the device administration guide to extract the URL patterns to look for.

Figure 2. Device Administration Guide with access URL information

As can be seen in the image, the access URLs to these devices contain the distinctive “/RASHTML5Gateway/” and “/RASHTML5Gateway/#/login” paths, which makes it much easier to locate the access forms of these Internet-connected devices by doing a little bit of Search Engine Hacking.

Figure 3. Search results with singularities in the URL

It can be seen that, without much effort in dorking, Google returns a good number of results for the HTML5 access form of the devices’ web portal.

Analysis of HTTP Traffic Generated by Parallels RAS

One of the most important aspects of any pentest or audit of web systems of any kind is to analyse HTTP requests and responses to see whether the device reveals interesting information that, at first glance and without the help of an HTTP proxy, might go unnoticed. To do this, select one of the results returned by Google and observe that the RAS form asks for a centralised Active Directory user (user@domain) in the login field, plus a password.

Figure 4. Parallels RAS Access Form

Using ZAProxy, it can be seen that by clicking directly on the login button, without even entering a user@domain and password, the RAS Secure Gateway generates an HTTP POST request to the RAS RD in which the RAS RD’s IPv4 address is displayed.

Figure 5. IPv4 address of the RAS RD receiving the requests for virtualisation resources

If the RAS RD is located in the organisation’s internal network, the organisation’s internal IPv4 addressing space is exposed. In the better case, where the RAS RD is located in a demilitarised zone (DMZ), it is the DMZ’s IPv4 addressing space that is exposed.

How to Minimise Information Leakage

According to the information provided by the manufacturer, the RAS Secure Gateway can also perform the functions of the RAS RD on the same machine. Since the machine is the same, all HTTP requests to the virtualised resources can be made to localhost. The result for this scenario is as follows:

Figure 6. HTTP request from the RAS Secure Gateway service to the RAS RD service on the same machine

The IPv4 address of the RAS RD is no longer disclosed, but the TCP ports of the RAS Secure Gateway service (8080/TCP) and of the RAS RD (8081/TCP) are still disclosed.

When the RAS Secure Gateway and the RAS RD are on different networks, it seems very difficult to eliminate the information leakage presented in this article, because the RAS Secure Gateway has to make an HTTP POST request in order to communicate with the RAS RD.

Figure 7. RAS Secure Gateway settings for referencing the RAS RD

Detecting the Indicators of an Attack

Diego Samuel Espitia    1 February, 2021

In security we always prefer to implement prevention and deterrence rather than containment mechanisms. However, implementing these mechanisms is not always effective, or simple to set up and maintain. In the physical world there are many examples of this, such as photoelectric cells, trap doors or video cameras. All of these measures prevent or deter criminals from entering a property, but to do their job they require prior configuration and constant maintenance or monitoring.

Additionally, these mechanisms cannot detect by themselves whether a criminal is studying weaknesses that can be exploited for a criminal objective. Therefore, to be truly preventive, they need constant monitoring and investigation of the anomalies or suspicious behaviour recorded in the videos or events of the installed mechanisms.

Setting Up Systems for Prevention and Deterrence

The same happens with information security systems. All the technical resources that are set up seek to prevent or deter, and they are configured on the basis of the characteristics that make known attacks detectable; depending on each protection mechanism, these characteristics are loaded into the detection and alert engines so that the monitoring systems can be warned of the presence of a threat.

Therefore, as with physical security, if these mechanisms are not monitored and their detection settings are not kept up to date, they become systems that criminals can analyse to find flaws that can be exploited.

Each technology has automatic or manual ways of keeping its detection sensors up to date. For example, traditional antivirus systems receive constant updates to their detection methods, and systems that use Machine Learning learn to detect threats from samples of different types of malware, such as those we have in our CARMA tool for Android threats.

Indicators of Compromise (IoCs) As an Updating Mechanism

However, one of the most popular mechanisms for keeping configurations constantly updated is Indicators of Compromise (IoCs). These are pieces of forensic evidence collected after an incident to identify common patterns, such as IP addresses, domains or hashes that have been used before; detection sensors are then updated so that any action within the network that contains one of these pieces of evidence is classified as a threat.

One of the prevention techniques is to investigate the alerts from monitoring systems to determine whether the actions collected can be related to incidents previously reported elsewhere in the world. In information security this method is known as Threat Hunting, the most complete and complex methodology for detecting possible intrusions that have bypassed the established controls, using IoCs as the basis for comparison.

From Reactive to Proactive Detectors

What if the offender uses completely unknown mechanisms? What if the malware does not touch the disk and the antivirus cannot compare it with its signatures? What if the IPS does not have this data frame among its alert comparisons? What happens is that nothing is alerted: the monitoring, no matter how persistent, will not receive any anomaly alarm, and the criminal, after a rigorous analysis of our security systems, will have found the breach or the technique to hide and achieve his objective.

In many cases, this is what has been happening in the cyber incidents reported this year, so information security teams need to shift their focus from reactive detectors, such as IoCs, to proactive detectors, which allow them to detect threats or incidents as they happen and do not depend on prior knowledge of other incidents.

Indicators of Attack (IoA)

This is what has been called Indicators of Attack (IoA), which allow detection teams (Blue Team) to identify events by behavioural patterns, for example a network scan, a communication to a C&C server or any behaviour that signals that something has bypassed the network’s defences.

Because of this particularity, it is complicated to have a common list or database of IoAs, as they are tied to the tactics shown in MITRE’s ATT&CK matrix and to the security characteristics of each company, using context to determine when an action is or is not an indicator of attack.

For this reason, implementation is not easy. It requires in-depth knowledge of the normal IT activities of all departments in an organisation, the implementation of Zero Trust Network Access systems and the implementation of network traffic controls in all systems that manage information, in order to have the following basic activities in place for IoA detection:

  • Analysis of all connections with a destination outside the corporate network, giving priority to destinations marked as malicious or to places with which the company should never communicate.
  • Any attempt to send traffic through unconventional ports or services enabled within the network, or during off-hours.
  • Any host that has multiple active connections, or that attempts to connect to hosts within the network that it has no permission to connect to or that are not in its connection history.
  • Repeated reports by detection systems of the same event, such as malware or malicious traffic, on one or more computers.
  • User authentication processes, including any simultaneous connections or failed attempts.

These constant investigations seed the IoA knowledge base and improve incident response processes. In this way the system is based not on data about what has already happened, which attackers can evade, but on activities and techniques associated with both attack tactics and the organisation’s own network characteristics.
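As an added illustration of the five basic activities listed above (example code written for this post, not a Telefónica tool or anything from the original article), the following Python script runs those checks over a handful of constructed log lines. The corporate address range, the blocklisted destination, the allowed ports, the working hours, the known-peer history and the log line format are all assumptions.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed corporate address space
MALICIOUS_DSTS = {"203.0.113.77"}                    # assumed destination marked as malicious
ALLOWED_PORTS = {53, 80, 443, 445, 3389}             # assumed conventional services
WORK_HOURS = range(7, 20)                            # assumed working hours, 07:00 to 19:59
HISTORY = {"10.0.1.5": {"10.0.2.10"}, "10.0.1.6": {"10.0.2.10"}}  # assumed known peers per host
SCAN_THRESHOLD, FAILED_AUTH_THRESHOLD = 3, 2

def parse(line):  # constructed format: "<ISO time> <conn|auth|alert> <src> <dst> <dport|-> <result>"
    ts, kind, src, dst, dport, result = line.split()
    return dict(ts=datetime.fromisoformat(ts), kind=kind, src=src, dst=dst,
                dport=None if dport == "-" else int(dport), result=result)

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in CORP_NETS)

def indicators_of_attack(lines):
    # Returns sorted (src, reason) pairs, one per basic IoA activity triggered.
    found, peers, failed, alerts = set(), defaultdict(set), Counter(), Counter()
    for ev in map(parse, lines):
        src, dst = ev["src"], ev["dst"]
        if ev["kind"] == "conn":
            if not is_internal(dst):              # 1. destination outside the corporate network
                found.add((src, f"outbound to {'blocklisted' if dst in MALICIOUS_DSTS else 'external'} destination"))
            else:                                 # 3. peers never contacted before (and, below, too many)
                peers[src].add(dst)
                if dst not in HISTORY.get(src, set()):
                    found.add((src, f"new internal peer {dst}"))
            if ev["dport"] not in ALLOWED_PORTS:  # 2. unconventional port or off-hours traffic
                found.add((src, f"unconventional port {ev['dport']}"))
            if ev["ts"].hour not in WORK_HOURS:
                found.add((src, "traffic outside working hours"))
        elif ev["kind"] == "alert":               # 4. repeated detection-system events
            alerts[(src, ev["result"])] += 1
        elif ev["kind"] == "auth" and ev["result"] == "fail":  # 5. failed authentications
            failed[src] += 1
    found |= {(s, f"{len(d)} internal peers (possible scan)") for s, d in peers.items() if len(d) >= SCAN_THRESHOLD}
    found |= {(s, f"{n} failed authentications") for s, n in failed.items() if n >= FAILED_AUTH_THRESHOLD}
    found |= {(s, f"repeated alert {a} ({n}x)") for (s, a), n in alerts.items() if n > 1}
    return sorted(found)

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2021-02-01T09:05:00 conn 10.0.1.5 10.0.2.10 445 ok",       # known peer, normal hours: no indicator
    "2021-02-01T09:06:00 conn 10.0.1.5 93.184.216.34 443 ok",   # external web destination
    "2021-02-01T02:30:00 conn 10.0.1.6 203.0.113.77 4444 ok",   # blocklisted, odd port, off-hours
    "2021-02-01T10:00:00 conn 10.0.1.6 10.0.2.11 445 ok",       # three never-seen peers in 2 s
    "2021-02-01T10:00:01 conn 10.0.1.6 10.0.2.12 445 ok",
    "2021-02-01T10:00:02 conn 10.0.1.6 10.0.2.13 445 ok",
    "2021-02-01T10:01:00 auth 10.0.1.6 10.0.2.10 - fail",       # repeated failed logons
    "2021-02-01T10:01:05 auth 10.0.1.6 10.0.2.10 - fail",
    "2021-02-01T10:02:00 alert 10.0.1.6 - - Trojan.Generic",    # same alert reported twice
    "2021-02-01T10:09:00 alert 10.0.1.6 - - Trojan.Generic",
]
```

Calling `indicators_of_attack(SAMPLE_LOG)` yields one indicator for host 10.0.1.5 (the external web destination, which a real deployment would rank below the blocklisted one) and nine for 10.0.1.6; the thresholds and baselines are where each organisation's own context enters.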

Cyber Security Weekly Briefing January 23-29

ElevenPaths    29 January, 2021

Attack against SonicWall by exploiting a possible 0-day in its VPN appliances

Firewall manufacturer SonicWall has issued a security alert warning that it has detected a sophisticated attack against its systems that could have been carried out by exploiting a 0-day in some of its remote access products. The products affected are versions 10.x of its NetExtender VPN client and versions 10.x of its Secure Mobile Access (SMA) devices. The firm recommends enabling multi-factor authentication (MFA) on potentially affected devices and restricting SSL-VPN connections to SMA devices to known IP addresses only, via a whitelist. The manufacturer has not provided details on the vulnerabilities, but according to Bleeping Computer they appear to be pre-authentication vulnerabilities that could be exploited remotely on publicly accessible devices. Bleeping Computer also claims that on Wednesday 20 January it was contacted by a threat actor claiming to have information about a 0-day vulnerability in a well-known firewall manufacturer.

More information: https://www.sonicwall.com/support/product-notification/urgent-security-notice-netextender-vpn-client-10-x-sma-100-series-vulnerability-updated-jan-23-2021/210122173415410/

Campaign against security researchers

Google’s Threat Analysis Group has identified a campaign, initiated a few months ago, targeting security and vulnerability researchers and possibly carried out by a malicious group backed by the North Korean government. This group built a network of interactions to gain credibility, creating a vulnerability research blog and several Twitter profiles that allowed them to share their own posts and communicate with victims. After initial contact via social networks (Twitter, Telegram, LinkedIn, email, Keybase and Discord), industry experts were asked whether they wanted to collaborate on vulnerability research and were given a Visual Studio project that supposedly contained the source code to exploit a vulnerability, plus an additional DLL, the latter being custom malware that, when executed, communicates with the Command & Control domains controlled by the group. Systems have also been found compromised with backdoors after accessing a link posted on Twitter that led to a supposed article on the research blog.

Just a few days after Google’s announcement, Microsoft published a new update reporting that the campaign continues to be active. Microsoft, which has named the malicious actor ZINC and associates it with North Korea, has also added new technical details. Targets include pentesters, offensive security researchers, and security and technology employees. ZINC uses a number of techniques, including gaining credibility on social networks by sharing specialised content, the use of malicious websites to launch watering hole attacks that exploit browser vulnerabilities, and the submission of malicious Visual Studio projects. In this last case, the submitted projects include pre-built binaries, among them “Browse.vc.db”, which contains a malicious DLL detected by Microsoft as the Comebacker malware.

More details: https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/

Extraordinary Apple security bulletin fixes several actively exploited 0-days

Apple has published an extraordinary security bulletin fixing three 0-day vulnerabilities, one in the Kernel (CVE-2021-1782) and two in WebKit (CVE-2021-1871 and CVE-2021-1870), which are being exploited on a massive scale. At this stage the company has not disclosed whether the exploits are indiscriminate or targeted, but they require user interaction in order to be exploited. The exploitation chain is complete: the exploit is first deployed in the victim’s browser (WebKit), and then the kernel is exploited. These vulnerabilities affect both iOS and iPadOS, so it is recommended to update devices to version 14.4.

All the information: https://support.apple.com/en-us/HT212146

Vulnerability in sudo allows root permissions

Security researchers at Qualys have discovered and published details of a heap overflow vulnerability in sudo that allows local users to gain root privileges on a vulnerable system. According to the researchers, this flaw (CVE-2021-3156) has existed since 2011. Qualys has also developed exploits to test the vulnerability, obtaining root on the Linux distributions Ubuntu 20.04, Debian 10 and Fedora 33, although they believe that other operating systems and distributions could also be vulnerable. The vulnerability has been fixed in sudo version 1.9.5p2.

More information: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt

Emotet: dismantled after global police operation

A joint operation between authorities in the United States, United Kingdom, France, Lithuania, Canada, the Netherlands, Germany and Ukraine, coordinated by Europol and Eurojust, has resulted in the dismantling of the Emotet malware infrastructure. Since its appearance as a banking Trojan in 2014, this malware has evolved into one of the most important botnets, used by cybercriminals as a gateway into affected systems to spread other infections. In fact, as we reported in this newsletter, its activity has intensified in several campaigns in the last month, with the latest campaign reported just a week ago. According to the information provided, this week law enforcement and judicial authorities gained control of the infrastructure and dismantled it from the inside; this infrastructure is known to have involved hundreds of servers around the world. In addition, mitigation information has been distributed to all CERTs so that they can notify and clean up affected systems.

So far it is known that the German police (BKA) have replaced the C2 servers with their own in order to distribute a mitigation file to the affected systems, which will prevent Emotet’s administrators from communicating with them again and will deliver a module created for its uninstallation, which appears to be scheduled for 25 April. It has also been reported that two operators of the malware have been arrested in Ukraine and that police in the Netherlands have recovered data stolen from Emotet victims. Despite all these actions, there is still a high risk that Emotet will return to operation (not in the short term, but after several months), since not all the perpetrators have been arrested, as Cofense researchers have stated.

More details: https://www.europol.europa.eu/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action