Cato Research Decrypts the News Behind February Security Events


Witnessing the first SHA-1 collision was pretty heady stuff, but it’s not the only security event of note last month. Cato Research Labs identified a number of attacks, threats, and bugs introduced in February that you need to defend against. Here they are with insights and recommended steps from our research team.

Windows SMBv3 Denial of Service Zero-Day

One issue that was not covered widely in the news is a zero-day attack discovered in Microsoft Windows SMBv3, the popular enterprise protocol for file and printer sharing. The tweet about the attack pointed to a proof of concept (POC) published on GitHub.

The POC was able to generate the so-called “Blue Screen of Death” on Windows clients that connect to a compromised SMB server. It was unclear whether this could also lead to remote code execution (RCE).
Vulnerabilities in SMB servers should be treated very seriously. If attackers compromise an SMB server in the organization, they can exploit SMB vulnerabilities as part of wider lateral movement. For instance, they could launch a denial of service (DoS) attack on the entire organization or remotely execute code on endpoints in the organization. Organizations can best protect themselves by inspecting interbranch SMB traffic with an IPS. See SANS for more information.

F5’s Big-IP leaks little chunks of memory

As we reported earlier in the month, F5’s Big-IP leak underscored the risks of relying heavily on security appliances. The bug in F5’s Big-IP virtual server allows a remote attacker to leak a small piece of uninitialized memory by sending a short TLS session ticket. As mitigation, organizations were encouraged to disable the feature that caused this bug. See our post for more information.

Hacked RSA rogue access points not a serious threat

News that multiple access points were hacked at last month’s RSA security show grabbed headlines. But Cato researchers found the attack poses little risk to most corporate users. The attack showed how attackers could impersonate a known wireless network by intercepting the SSID a user’s device discloses when searching for a WLAN. With a spoofed WLAN, the attackers can see the traffic traversing it as well as modify the HTML and the JavaScript contained in HTTP responses.

Most Internet traffic from small to medium enterprises’ (SMEs’) mobile users is encrypted either by the company’s VPN or by HTTPS. As such, the most critical information, usernames and passwords, is secured.

Don’t fall for “font wasn’t found” Google Chrome malware scam

Last month researchers at Neosmart identified a social engineering attack against WordPress sites. The attackers compromised many WordPress sites, exploiting the latest WordPress “content injection” vulnerability. The vulnerability allowed the attackers to inject malicious JavaScript that scrambled the web page text, making the end user think they have a font problem. At the same time, the page asks users to download a font package (an executable) that turns out to be malware.

WordPress owners should check whether they are running WordPress version 4.7.0 or 4.7.1 and, if so, update to WordPress version 4.7.2. They should also consider turning on WordPress auto-updates to help prevent future problems. They can tell whether their sites have been compromised by looking in the web access logs for attack patterns, such as “/wp-json/wp/v2/posts/1234?id=”.
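The log check above is easy to automate. The following is an added example written for this post, not code from Cato or from WordPress: it parses combined-format access-log lines, flags requests whose path matches the “/wp-json/wp/v2/posts/&lt;id&gt;?id=” indicator, and summarizes them by source and outcome so an operator can see which requests were accepted. The log lines are constructed for the demonstration; the IP addresses, timestamps and user agents are made up.

```python
import re
from collections import Counter

# Constructed sample access-log lines in the common combined format. They are
# made-up entries for this demonstration, not traffic from any real site.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Feb/2017:08:01:12 +0000] "GET /wp-json/wp/v2/posts/1234?id=1234abc HTTP/1.1" 200 5120 "-" "python-requests/2.12"
203.0.113.10 - - [10/Feb/2017:08:01:13 +0000] "POST /wp-json/wp/v2/posts/1234?id=1234abc HTTP/1.1" 200 812 "-" "python-requests/2.12"
198.51.100.7 - - [10/Feb/2017:08:02:40 +0000] "GET /wp-json/wp/v2/posts/1234 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2017:08:03:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Feb/2017:08:05:55 +0000] "POST /wp-json/wp/v2/posts/77?id=77x HTTP/1.1" 403 790 "-" "curl/7.52"
"""

# Combined log format: client, identity, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The indicator from the post: a REST API request for a numeric post id that
# also carries an `id=` query parameter, e.g. /wp-json/wp/v2/posts/1234?id=
INDICATOR_RE = re.compile(r'^/wp-json/wp/v2/posts/\d+\?id=')


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_indicator_hits(log_text):
    """Return every parsed request whose path matches the indicator pattern."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and INDICATOR_RE.match(rec["path"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Group hits by source IP and by (method, status).

    A POST answered with a 2xx status is the case that matters most: it means the
    server accepted the request, so the post content should be inspected.
    """
    return {
        "by_source": Counter(h["ip"] for h in hits),
        "by_outcome": Counter((h["method"], h["status"]) for h in hits),
        "accepted_writes": sum(
            1 for h in hits if h["method"] == "POST" and 200 <= h["status"] < 300
        ),
    }


if __name__ == "__main__":
    found = find_indicator_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print(summarize(found))
```

On the constructed sample this reports three matching requests, all from one source, one of which was an accepted POST. Run it against the real access log with `find_indicator_hits(open(path).read())`; a plain GET of `/wp-json/wp/v2/posts/1234` without the `id=` parameter is normal REST API traffic and is deliberately not flagged.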

Organizations may already be able to protect themselves and their users with their secure web gateway (SWG). URL filters that use reputation services that have detected compromised WordPress sites may already block this kind of attack. Organizations should also deploy anti-malware that inspects downloaded executables. See this post for more information about the social engineering scam.

SHA-1 collision is only made worse by Google’s countdown clock

Google researchers set the industry on fire with the first publication of a Secure Hash Algorithm 1 (SHA-1) cryptographic hash collision. SHA-1 plays a critical role in much of today’s IT infrastructure. The algorithm allows, among other things, unique identification of datasets, which is used by file reputation and whitelisting services, browser security, and more. Having two different datasets hash to the same SHA-1 digest (what’s called a “collision”) undermines the safety of the algorithm. Attackers could potentially create a malicious file with the same hash as a benign file, bypassing current security measures.
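To make the whitelisting point concrete, here is an added example (not code from Cato or from any reputation service) of a file allowlist that still accepts SHA-1 for lookup but only treats a SHA-256 match as proof that a file is the one that was approved. Entries inherited from an older SHA-1-only list are kept but reported as “unverified” rather than “allowed”, which is the migration path this kind of service needs once SHA-1 identity can no longer be trusted. The file contents and names are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    name: str
    sha1: str
    sha256: Optional[str]  # None for entries inherited from a SHA-1-only allowlist


class FileAllowlist:
    """Allowlist keyed on SHA-1 for lookup, but trusting only a SHA-256 match.

    After a practical SHA-1 collision, two different files can share a SHA-1
    digest, so a SHA-1 match alone no longer proves a file is the approved one.
    """

    def __init__(self) -> None:
        self._by_sha1: Dict[str, List[Entry]] = {}

    def add_file(self, name: str, data: bytes) -> Entry:
        """Approve a file whose bytes are available: record both digests."""
        e = Entry(name, hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest())
        self._by_sha1.setdefault(e.sha1, []).append(e)
        return e

    def add_legacy(self, name: str, sha1_hex: str) -> Entry:
        """Import an entry from an old list that only recorded a SHA-1 digest."""
        e = Entry(name, sha1_hex.lower(), None)
        self._by_sha1.setdefault(e.sha1, []).append(e)
        return e

    def check(self, data: bytes) -> Tuple[str, Optional[str]]:
        """Classify a file as allowed, unverified (SHA-1-only entry), a SHA-1
        collision against a fully recorded entry, or unknown."""
        sha1 = hashlib.sha1(data).hexdigest()
        candidates = self._by_sha1.get(sha1)
        if not candidates:
            return ("unknown", None)
        sha256 = hashlib.sha256(data).hexdigest()
        for e in candidates:
            if e.sha256 == sha256:
                return ("allowed", e.name)
        legacy = [e for e in candidates if e.sha256 is None]
        if legacy:
            # SHA-1 matched an old entry, but nothing stronger is on record.
            return ("unverified", legacy[0].name)
        # SHA-1 matched a fully recorded entry but SHA-256 did not: the file is
        # not the approved one, which is exactly what a crafted collision looks like.
        return ("sha1-collision", candidates[0].name)

    def legacy_entries(self) -> List[Entry]:
        """Entries that still need their SHA-256 recorded before they can be trusted."""
        return [e for es in self._by_sha1.values() for e in es if e.sha256 is None]


if __name__ == "__main__":
    allowlist = FileAllowlist()
    allowlist.add_file("agent.exe", b"constructed benign bytes")          # constructed
    allowlist.add_legacy("old-tool.exe", "a9993e364706816aba3e25717850c26c9cd0d89d")  # SHA-1 of b"abc"
    print(allowlist.check(b"constructed benign bytes"))   # ('allowed', 'agent.exe')
    print(allowlist.check(b"abc"))                         # ('unverified', 'old-tool.exe')
    print(allowlist.check(b"something else"))              # ('unknown', None)
    print([e.name for e in allowlist.legacy_entries()])    # ['old-tool.exe']
```

The “sha1-collision” outcome cannot be triggered with bytes constructed here, since producing a collision requires the kind of computation the Google researchers published, but it is the case the lookup is designed to catch: a file that a SHA-1-only service would accept is rejected because its SHA-256 does not match the approved one.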

We wrote extensively about the collision in a recent Dark Reading article, expressing concern over how Google researchers were handling the news. As we explain, we felt that too much code was being released too early into the public domain given the scale of the problem.  

See the article for further details and how enterprises can best protect themselves.

Cloudbleed: The bug that showed the power of the cloud

The industry was reminded last month about how fast cloud security providers can fix problems. Project Zero researcher Tavis Ormandy identified a security problem in the edge servers of Cloudflare, a CDN provider that hosts many major services, including bitcoin exchanges. He was seeing corrupted web pages being returned by some HTTP requests.

The so-called “Cloudbleed” problem (named because of its similarity to the Heartbleed bug that affected many web servers in 2014) was triggered by an HTML parser Cloudflare rolled out in their service. The new piece of code triggered a latent bug, which leaked uninitialized pieces of memory containing private information, such as HTTP cookies and authentication tokens.

Cloudflare addressed the problem in less than an hour by disabling the features that were using the new parser. By contrast, Heartbleed, although patched relatively quickly, still lingers because customers fail to upgrade their servers. Three years after Heartbleed was first introduced, 200,000 servers remain vulnerable.

Cloudflare customers aren’t completely off the hook, though. Because the new parser was activated in September 2016, leaked private data is still cached in search engines and caching services. Cloudflare has been working with search engines to remove the cached memory. Services using Cloudflare, such as Bitcoin, have in turn issued security warnings to their users encouraging them to change their passwords and to enable or move to two-factor authentication (2FA). Organizations using Cloudflare should do the same. See this post for more information.