Category: Cybersecurity Attacks

A Windows zero-day vulnerability has been discovered that lets hackers erase application dlls and cause a system to crash and possibly hijack systems. The vulnerability lets an attacker elevate rights and erase files that must only be accessible by management and takes benefit of a Windows facility that fails to verify approvals.

That facility, the Windows Data Sharing Facility – dssvc.dll, was launched in Windows 10, hence earlier Windows types are unaffected, even though the vulnerability is also existing in Windows Server 2016 and Server 2019.

In order to abuse the Windows Data Sharing Service vulnerability, the attacker would already require access to the system, so for the fault to be distantly exploitable it would need to be merged with one more exploit. This would restrict the possibility for it to be used in an attack.

Although it’s possible to abuse the vulnerability to run commands on a system, the most likely use is disruption, because it permits files to be erased which would render applications or systems unworkable.

The Windows Data Sharing Facility vulnerability was detected by safety scientist SandboxEscaper. SandboxEscaper also recently issued a proof-of-concept for a zero-day vulnerability in Windows Task Scheduler, which was later adopted by a variety of threat actors and utilized in real-world attacks.

Although the vulnerability is similar to the earlier discovered vulnerability, in the sense that it lets non-admins erase files as a consequence of a Windows facility failing to verify permissions, this vulnerability is much more difficult to abuse. SandboxEscaper clarified in an October 23 Tweet that it’s “a low-quality bug that is a pain to exploit.”

SandboxEscaper wrote, “Not the same bug I posted a while ago, this does not write garbage to files but really erases them… meaning you can erase application dll’s and hope they go look for them in user write-able places. Or erase stuff used by system services c:\windows\temp and hijack them.”

Mijja Kolsek, a co-founder of 0Patch, has verified the PoC works and 0Patch team has already issued a micropatch to rectify the “Deletebug” fault. The micropatch was developed within 7 hours of publication of the PoC. The repair will be automatically applied for users of the 0Patch Agent and is obtainable for others through 0Patch.

Microsoft is expected to deliver a solution to the vulnerability.

A lately discovered LibSSH vulnerability, that has been called as ‘comically bad’ by the safety scientist who found it, has been repaired. The vulnerability is extremely easy to abuse. Obviously, different scripts and tools have been published that permit vulnerable apparatuses to be found and the flaw to be abused.

If the LibSSH vulnerability is abused, which needs little expertise even without one of the published scripts, it would let an attacker start an attack and distantly execute code on a vulnerable system.

The LibSSH vulnerability, which would allow anybody to log in to a weak Linux/Unix server without having to provide a password, is as bad as it gets. The vulnerability was found by Peter Winter-Smith of NCC Group, who found that verification can be avoided by sending an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message. The server is expecting an SSH2_MSG_USERAUTH_REQUEST message but will suppose that verification has successfully taken place if the SSH2_MSG_USERAUTH_SUCCESS message is sent in its place.

As per the latest safety advisory published by LibSSH, “The SSH2_MSG_USERAUTH_SUCCESS handler is planned only for communication from the server to the customer.”

The vulnerability is being followed as CVE-2018-10933 and is present in LibSSH types 0.6 and later. The fault has been patched in types 0.8.4 and 0.7.6.

Even though the mistake is trivial to abuse, it is even easier using the scripts that have been issued. Leap Security has issued a script that searches for vulnerable appliances, and there are quite a lot of available that will abuse the vulnerability and permit any code to be run with absolutely no skill needed.

Although the mistake is of high-severity, luckily only a small number of appliances are vulnerable. Anybody running a vulnerable version must repair instantly. Failure to repair will almost certainly see the appliance compromised.

Almost 50 weaknesses have been repaired by Microsoft on October Patch Tuesday including one zero-day weakness that is being actively abused in the wild by the FruityArmor APT group.

The zero-day (CVE-2018-8453) is connected to the Win32k part of Windows and is an elevation-of-privilege weakness found by Kaspersky Lab. If abused, a threat actor might run random code in kernel mode and might create new accounts, install programs, or access, modify or erase data. The fault is present in all supported types of Windows and Windows Server 2008, 2012, 2016 and 2019.

The FruityArmor threat group is based in the Middle East, which is where the attacks have so far been aimed. The group is famous for utilizing zero-day faults for its attacks and has been aiming older type of Windows, even though Microsoft has alerted that the weakness might let attacks on the latest Windows types.

Kaspersky Lab notices that two years before, on October Patch Tuesday 2016, Microsoft also repaired a fault that was being actively abused by the FruityArmor group – CVE-2016-3393. Kaspersky Lab will announce more details of the fault this week.

Altogether 49 weaknesses have been repaired, 12 of which have been ranked critical. One of those critical weaknesses, CVE-2010-3190 is eight years old and has been repaired several times over the past eight years. The latest repair tackles the weakness in Exchange Server 2016. If abused, it would let an attacker take complete control of a weak system. The other critical repairs affect the Internet Explorer and Edge browsers, Hyper-V, and XML Core Facilities.

The latest repairs also tackle three weaknesses that were publicly revealed before repairs being released: A fault in the JET Database engine, Azure IOT, and Windows kernel. The patch for the JET Database Engine fault is specifically important, as last month sample exploit code was also circulated together with details of the weakness. As a consequence, companies were exposed for numerous weeks. It was a similar tale in August when a weakness and proof of concept code was circulated online for a weakness in Windows task scheduler which also left Windows users defenseless.

Most of the other patches in this round of updates were for Windows 10, the Edge browser, and connected Server types.

Adobe has also publicized patches this week, which tackle 16 weaknesses including four critical faults in Adobe Digital Edition. The critical faults allow distant code implementation, three of which are heap-overflow faults and one is a use-after-free weakness.

The FBI’s Internet Crime Complaint Center (IC3) has issued a warning to companies concerning the misuse of distant administration tools such as Remote Desktop Procedure. The warning was prompted by a substantial increase in attacks and darknet marketplaces vending RDP access.

Remote Desktop Protocol was first launched into Windows in 1996 and has proven to be a valuable tool. It allows workers to connect to their office computer distantly and IT divisions to access computers to install software or provide help.  When connected through RDP, it’s possible to gain access to the Desktop, convey mouse and keyboard commands, and distantly take complete control of a computer.

Obviously, RDP has been an attractive aim for hackers who use it to steal data, download malevolent software, fit backdoors, or even damage computers.

Every now and then, vulnerabilities are identified in RDP which can be abused by hackers, therefore it is important to make sure systems are completely patched and modern. Nevertheless, attacks happen by getting login identifications. This is typically achieved through brute force attacks to predict vulnerable passwords. Several possible password and username blends are tried until the right one is predicted.

Passwords can also be obtained via man-in-the-middle attacks, such as when workers login to their work computers through RDP on public WiFi hotspots. Several businesses leave RDP ports open and accessible over the Internet (port 3839 particularly) which makes it much easier for RDP to be hacked.

Latest attacks have seen cybercriminals gain access through RDP and steal data or install ransomware, with the latter particularly common. The threat actors behind SamSam ransomware mainly use RDP to gain access to business computers to install ransomware.  This method has also been used to disperse ransomware variations such as CrySiS, ACCDFISA, CryptON, Rapid, Globelmposter, Brrr, Gamma, Monro and a lot more.

IC3 has advised all companies to carry out an audit to decide which appliances have RDP enabled, including cloud-based virtual machines, and to disable RDP if it’s not needed. If RDP is essential, strong passwords should be set, 2FA used, and rate limiting must be applied to obstruct IPs that have made too many failed attempts to log in. Patches must be applied quickly to make sure vulnerabilities cannot be abused.

Companies must make sure that the RDP connection is not open to the Internet and is only accessible through an internal network or using a VPN to contact it through the firewall. Obviously, strong passwords must also be used for the VPN and the latest type of VPN software used.

Since RDP is frequently used to install ransomware, it is vital to regularly back up data and to test standbys to make sure files can be recovered in the event of a tragedy.