Uncovering Your Security Blind Spots: Keys to Protecting your Organization from the Unknown

Many organizations are shocked to learn their systems have been breached through vulnerabilities they did not know they had. Proactive measures, however, can defend your organization against these threats.

Minimizing your security risk begins with risk management – ensuring proper asset management, implementing policies and procedures around protecting assets, and effective risk mitigation. Yet these fundamentals are frequently lacking in organizations, according to Quentin Rhoads-Herrera, Director of Professional Services for TEAMARES, during CRITICALSTART’s webinar, “Uncovering Your Security Blind Spots.”

“One of the most important things that I see quite often when we discuss risk management is asset management. This is a key fundamental to IT infrastructure and software risk management,” said Herrera. “If we don’t understand as a company what is out there in our infrastructure or what software we’re leveraging, then we’re not going to have insight into whether a company is following best practices for software development lifecycle.”

According to Herrera, these are some of the basics organizations can use to shore up their defenses:

  • Ensure that asset management is elevated within your organization. For many, asset management is an afterthought, with processes and procedures developed only later in the company's growth.
  • Develop policies and procedures including implementing standards and detailed descriptions on how to comply with policies.
  • Create a risk register and operationalize risk management. In some cases, the risk register has not been created because the company doesn’t understand their risk tolerance or what their threat actors may look like.
  • Assess and manage vulnerabilities by implementing pentesting. An effective pen testing program helps you discover vulnerabilities while modeling the tactics of real-world threat actors.
  • Conduct IR tabletop exercises to develop a high-level understanding of current cybersecurity processes.
  • Increase efficiency through automation and technology, including leveraging of open-source tools.

It’s entirely possible to understand your security risk. The key is to identify and understand those risks. TEAMARES stands ready to help you improve your security posture. If you need assistance establishing an effective risk management program, contact us today.

TEAMARES Launches DeimosC2

Flexible, Open-Source Tool to Manage Post-Exploitation Issues – Without the Extra Spend

PLANO, TX – July 23, 2020 – TEAMARES, the offensive security and incident response arm of CyberOne, today announced the launch of DeimosC2, addressing the market need for a cross-compatible, open-source Command and Control (C2) tool for managing compromised machines that includes mobile support.

Offensive security teams often need access to a cost-effective, easy-to-use tool that can manage compromised machines after exploitation. However, many of the options currently available in the market can be difficult to use, expensive, or lack the flexibility to expand features. With this in mind, TEAMARES developed DeimosC2, a cross-platform and collaborative tool designed with robust functionality that can be extended in any language. Teams can conduct post-exploitation on any major operating system (OS), including Android devices, addressing the lack of defensive capabilities that are available on enterprise devices.

DeimosC2 features include:

  • A UI that offers ease of use and supports multiple users for collaboration.
  • Multiple listener and agent communication methods such as TCP, HTTPS, DNS over HTTPS (DoH), and QUIC.
  • Pivot capabilities over TCP.
  • Extendable functionality that can be written in multiple languages.
  • API over WebSockets allowing for scriptable functionality.
  • Written in Golang for cross-compatibility on all major operating systems.
  • Archive and replay functionality post-testing so users can restore listeners, loot, and other critical information to the database.

“Red teams usually have to choose between expensive C2 tools in the market or training for their teams on the current tools,” said Quentin Rhoads-Herrera, director of professional services for TEAMARES and co-author of DeimosC2. “Deimos is an open-source, community-contributed tool that is designed for ease of use and cross-OS compatibility without a large spend of budget or time.”

Visit us at deimosc2.com to learn more.

Local Privilege Escalation Discovered in GlobalProtect App

Versions Tested:

  • GlobalProtect App < 5.1.4 on Windows
  • GlobalProtect App < 5.0.10 on Windows

Product:
https://www.paloaltonetworks.com/products/globalprotect

Security Advisories:
https://security.paloaltonetworks.com/CVE-2020-2032

CVE Numbers:
CVE-2020-2032

CVSS Score:
7.0

CWE:
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

NIST:
N/A

OWASP:
N/A

Summary:

A race condition vulnerability in the Palo Alto Networks GlobalProtect app on Windows allowed a local limited Windows user to execute programs with SYSTEM privileges. This issue can be exploited only while performing a GlobalProtect app upgrade.

Details:

The GlobalProtect app Windows MSI installer executes as SYSTEM and uses a predictable path to create and execute a batch file in a location writable by all users. Prior to the update, a low privileged user could create a file named C:\Windows\Temp\postupdt.bat, which PanVcrediChecker.exe calls during the install/update. The application overwrites the contents of the batch file, but the file keeps the low privileged user as its owner. A TOCTOU race condition therefore exists, allowing the low privileged user to overwrite the file again before it is executed.

All users have permission to create new files in C:\Windows\Temp, and some applications store transient files there. The folder plays the role /tmp plays on Linux systems, but the permissions differ: on Linux, low privileged users can list the directory, while on Windows a low privileged user cannot list its files.

Using a command shell, a low privileged user who attempts to list the files under C:\Windows\Temp gets “File Not Found”. This message is misleading: files exist, but the user does not have permission to list them.

Though a low privileged user cannot list the files, it does have permission to create a new file. Using an administrator command shell and running cacls to view the access control list shows that BUILTIN\Users have a few specific permissions. FILE_WRITE_DATA allows all users to create new files.

Windows has many file permissions and the names can be misleading. Fortunately, the permissions are documented on Microsoft.com. Descriptions of the permissions relevant to BUILTIN\Users are included below; see Standard Access Rights and File Access Rights Constants for additional details.

  • SYNCHRONIZE: The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
  • FILE_WRITE_DATA: For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE).
  • FILE_APPEND_DATA: For a file object, the right to append data to the file. For a directory object, the right to create a subdirectory (FILE_ADD_SUBDIRECTORY).
  • FILE_EXECUTE: For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.

With a basic understanding of how C:\Windows\Temp is used, we can look for potential vulnerabilities. Some installers still use C:\Windows\Temp for temporary files. My favorite utility for discovering file-based vulnerabilities is Sysinternals Process Monitor. Start Process Monitor as an administrator and set the filter to the following. As an example, this filter limits output to system users accessing files under C:\Windows\Temp.

During the install/update, PanVcrediChecker.exe creates C:\Windows\Temp\postupdt.bat and then executes it. Note that some operations were excluded for brevity.

An alternate view of the same data uses a process tree. This view can be accessed by using the Tools | Process Tree menu.

Drilling down on the event shows the following properties.

Armed with the knowledge learned through dynamic testing, a proof of concept can be developed. The goal is to create the postupdt.bat file, initiate the upgrade, and then continuously overwrite the file and attempt to win the race.

Steps to Reproduce:

Assumptions:

  • All steps are executed as a low privileged user
  • GlobalProtect client is a lower version than the VPN server
  • The C:\Windows\Temp\postupdt.bat file does not exist, which it should not if an update has not been run recently.

1.  Create C:\Windows\Temp\postupdt.bat with the following contents. The first line is the arbitrary command to execute. PanGPS.exe -benice is the command normally executed and is included so the installation process does not fail.

whoami > c:\windows\system32\woot.txt
"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe" -benice

2.  Create loop.cmd with the following contents and execute it. It overwrites the target file in an infinite loop.

:loop
@echo f | xcopy postupdt.bat c:\Windows\Temp\postupdt.bat /y /f
goto loop

3.  Connect to a GlobalProtect server running a higher version. This should automatically prompt to update the client. Click the “Yes” button. If there is no prompt, right-click the system tray application and click About.

4.  Click the “Check for Updates” button on the About window.

5.  Click the “Yes” button when the update message is displayed.

6.  After the update process has completed, c:\windows\system32\woot.txt will exist with the contents “nt authority\system”.

A quick dive into static analysis: I originally found the vulnerability using Process Monitor, but I wanted to understand what was happening behind the scenes, so I looked at the binary in IDA.

The installer builds the path using GetTempPathA(), which returns c:\Windows\temp\, concatenates postupdt.bat, and stores the result in the File variable.

Append PanGPS.exe -benice to the GlobalProtect App installation path.

It then writes the batch script contents, closes the file, and executes it via ShellExecuteA(), passing c:\windows\temp\postupdt.bat as the lpFile parameter.

Timeline:
04/22/2020 – Vulnerability reported
05/22/2020 – Vendor confirmed the vulnerability
06/10/2020 – Vendor advisory published

Credit:
Discovered by Rich Mirch, Senior Adversarial Engineer at TEAMARES

Securing Your Cookies: HTTPOnly Flag for Cookie Theft Defense

Missing HttpOnly flags on cookies are a common finding in web application penetration testing, and there is often confusion about whether the flag is necessary. Cookies can contain session tokens and other values useful to a malicious actor, and they should be protected. If a cookie does not need to interact with JavaScript or other scripting languages, it is best to set this flag to “true” so that a malicious actor is not able to steal the values present in the cookie.

According to OWASP (Open Web Application Security Project), “The HttpOnly cookie attribute instructs web browsers not to allow scripts (e.g. JavaScript or VBscript) the ability to access the cookies via the DOM document.cookie object.”[1] Even though the HttpOnly cookie flag is not new, it is often found to be absent during penetration tests.

Developers use cookies to hold data, and one very important kind is the session cookie. Session cookies represent the user and must be protected so that a malicious actor cannot use the cookie to impersonate the user; in this situation the HttpOnly flag should be set. Some cookies do need to interact with JavaScript because of their function, and setting the HttpOnly flag on those would render the cookie useless to the application.

To demonstrate how the HttpOnly flag works, two files were created: an HTML file, welcome.html, consisting of a form, and a PHP file, cookieWelcome.php, that echoes the user input from the form and sets two cookies.

The code for welcome.html can be found below:

<html>
<body>
<form action="cookieWelcome.php" method="post">
Name: <input type="text" name="name" size="50"><br>
E-mail: <input type="text" name="email" size="50"><br>
<input type="submit">
</form>
</body>
</html>

Below is the code for cookieWelcome.php:

<?php
// Cookies are sent as headers, so both setcookie() calls run before any HTML
// is output; otherwise PHP reports "headers already sent" and sets nothing.
// Last argument is $httponly: true for sessionId, false for Missing_HttpOnly.
setcookie("sessionId", "261957163849573", time() + (86400 * 30), "/", null, null, true);
setcookie("Missing_HttpOnly", "482749185763514", time() + (86400 * 30), "/", null, null, false);
?>
<html>
<body>
Welcome <?php echo $_POST["name"]; /* deliberately unescaped: the reflected XSS sink used below */ ?><br>
Your email address is: <?php echo $_POST["email"]; ?>
</body>
</html>

In PHP, a cookie is set with the following values:

setcookie($name, $value, $expirationTime, $path, $domain, $secure, $HttpOnly);

Cookie “sessionId” has the HttpOnly flag set.

setcookie("sessionId", "261957163849573", time() + (86400 * 30), "/", null, null, true);

XSS (cross-site scripting) can be used to access cookie information. There are three types of XSS: reflected, stored and DOM-based. This example uses reflected XSS, where the result is returned to the user and the payload is not stored, to demonstrate the values returned with and without the HttpOnly flag. First, test whether the application is vulnerable to XSS; we need the application to run our JavaScript in order to access the cookies associated with it.

Use the following values as input in the form:

Name:

<script>alert(“XSS Vulnerable”)</script>

The script was successfully run in the application.

Next, we will attempt to determine which cookies are available to JavaScript. document.cookie is used to retrieve the value of cookies.

Use the following input:

Name: Daisy
Email:

<script>alert(document.cookie)</script>

An alert box exposing the value of Missing_HttpOnly is returned. An attacker could use this cookie to impersonate a user.


XSS enables an attacker to steal sensitive information such as cookie values. While this example uses reflected XSS, if the XSS were stored, any visitor to the application could have cookies, session tokens, or other private information compromised.

The browser’s developer tools can also be used to examine cookies. A checkmark is present in the HttpOnly column for sessionId, validating the use of HttpOnly. Because HttpOnly was set, sessionId was not returned by the JavaScript code.

In conclusion, HttpOnly is necessary when the values contained in a sensitive cookie need to remain confidential.
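As an added example (not part of the original post), the following script audits Set-Cookie headers the way a tester would when reviewing responses from cookieWelcome.php; the response text is constructed to carry the two cookies set above, and the name hints used to call a cookie "session-like" are an assumption.

```python
"""Audit Set-Cookie headers for the HttpOnly flag.

Added example (not part of the original post). SAMPLE_RESPONSE is a
constructed HTTP response carrying the two cookies cookieWelcome.php sets;
a tester would feed audit_response() the raw headers of a real response.
"""
from dataclasses import dataclass, field

SAMPLE_RESPONSE = (  # constructed; header shape follows PHP's setcookie() output
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: sessionId=261957163849573; expires=Sat, 22-Aug-2020 12:00:00 GMT; "
    "Max-Age=2592000; path=/; HttpOnly\r\n"
    "Set-Cookie: Missing_HttpOnly=482749185763514; expires=Sat, 22-Aug-2020 12:00:00 GMT; "
    "Max-Age=2592000; path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# Name fragments that usually mark a cookie as carrying the user's identity (assumption).
SESSION_HINTS = ("sess", "sid", "token", "auth")


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    session_like: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(value: str):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: val}).
    RFC 6265 attribute names are case-insensitive, so 'httponly' and
    'HttpOnly' must both count."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(value: str) -> CookieAudit:
    """Flag a single Set-Cookie value that scripts could read via document.cookie."""
    name, attrs = parse_set_cookie(value)
    audit = CookieAudit(
        name=name,
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        session_like=any(h in name.lower() for h in SESSION_HINTS),
    )
    if not audit.httponly:
        what = "session cookie" if audit.session_like else "cookie"
        audit.findings.append(f"{what} {name!r} lacks HttpOnly: readable via document.cookie")
    return audit


def audit_response(raw: str) -> list:
    """Audit every Set-Cookie header in a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    results = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            results.append(audit_cookie(val.strip()))
    return results


if __name__ == "__main__":
    for a in audit_response(SAMPLE_RESPONSE):
        print(a.name, "HttpOnly" if a.httponly else "no HttpOnly", a.findings)
```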

References:

[1] https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html

Local Privilege Escalation Discovered in VMware Fusion

Versions Tested:
VMware Fusion 11.5.3

Products:

Security Advisories:

CVE Number(s):
CVE-2020-3957

CVSS Score:
7.3

CWE:

  • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
  • CWE-424: Improper Protection of Alternate Path

NIST:
N/A

OWASP:
N/A

Summary:

VMware Fusion, VMRC and Horizon Client contain a local privilege escalation vulnerability due to a Time-of-check Time-of-use (TOCTOU) issue in the service opener.

A second local privilege escalation was discovered that is not a race condition. The application blindly executes files from an untrusted location. Both vulnerabilities result in arbitrary code execution as root. The following disclosure provides details of the second vulnerability using dynamic testing. A proof of concept exploit will be provided for both vulnerabilities.

Details:

VMware introduced a signature check in an attempt to resolve CVE-2020-3950, a local privilege escalation vulnerability in VMware Fusion prior to version 11.5.2. Jeff Ball discovered the fix was incomplete and introduced a race condition with code signature verification logic.

To illustrate the behavior when the code signature check fails, I created a hard link to the Open VMware Fusion Services binary, setting the trailing path to Contents/Library/services to mimic the expected path. A hard link is necessary to preserve the setuid bit. However, executing the binary results in a code signing error. The check verifies the signature of VMware Fusion Services prior to execution. To bypass this restriction, I created another hard link to VMware Fusion Services and executed it again. There is no longer a code signing error. This created several other opportunities for code injection because no additional signature checks were performed.

For the remainder of this blog, assume that the TOCTOU vulnerability does not exist. The goal is to elevate privileges to root. When dynamically testing a privileged binary, start by analyzing file interactions. For macOS Mojave systems, use dtruss(1m) and the Monitor utility from FireEye. For newer versions of macOS, use Crescendo to determine how the application uses files and look for interesting behavior such as the locations of files being read, written, or executed.

To initiate a simple test, create a copy or hard link of a binary and execute it from a location under your control. A hard link is necessary to preserve the setuid/setgid bits if set. macOS uses a single file system, which makes this attack practical. Note that Apple has not implemented kernel restrictions on symbolic and hard links as Linux did many years ago. Some applications implicitly trust parts of the path, and when the application is privileged this can lead to code execution.
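The check a privileged program could make before running a helper such as services.sh, written as an added example (not VMware's code): the resolved path must sit under the expected install root, and every component from that root down must be owned by the trusted user and not writable by others. The directory layout built in demo() is constructed, with the current uid standing in for root.

```python
"""Before a privileged program runs a helper such as services.sh, confirm the
helper really lives under the install location, every component included.

Added example, not VMware's code. It encodes the rule the post describes: a
program that trusts only the tail of a path (".../Contents/Library/services/
services.sh") can be pointed at a copy or hard link of the application under
a directory the low-privileged user owns. The check resolves the path,
requires it to sit under the expected install root, walks every component
from that root down, and refuses anything not owned by the trusted uid,
anything group/world-writable, and a target with extra hard links. POSIX only.
"""
import os
import shutil
import stat
import tempfile


def untrusted_reasons(path: str, trust_root: str, trusted_uid: int = 0) -> list:
    """Return the reasons `path` must not be executed; an empty list means OK."""
    real, root = os.path.realpath(path), os.path.realpath(trust_root)
    if os.path.commonpath([real, root]) != root:
        return [f"{real}: outside trusted root {root}"]
    comps = [root]                                    # root first, target last
    rel = os.path.relpath(real, root)
    for part in (rel.split(os.sep) if rel != "." else []):
        comps.append(os.path.join(comps[-1], part))
    reasons = []
    for comp in comps:
        st = os.lstat(comp)
        if st.st_uid != trusted_uid:
            reasons.append(f"{comp}: owned by uid {st.st_uid}, expected {trusted_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append(f"{comp}: writable by group/others")
    target = os.lstat(real)
    if not stat.S_ISREG(target.st_mode):
        reasons.append(f"{real}: not a regular file")
    elif target.st_nlink > 1:
        reasons.append(f"{real}: {target.st_nlink} hard links, another path reaches this inode")
    return reasons


def _make_tree(base: str, *parts: str) -> str:
    """mkdir each component and chmod it 0755 explicitly, so the constructed
    layout does not depend on the process umask."""
    cur = base
    for part in parts:
        cur = os.path.join(cur, part)
        os.mkdir(cur)
        os.chmod(cur, 0o755)
    return cur


def demo() -> dict:
    """Constructed layout: a fake Fusion.app under a stand-in /Applications and
    the variants from the post under a stand-in home directory. The current
    uid stands in for root as the trusted owner."""
    me = os.getuid()
    apps = tempfile.mkdtemp(prefix="Applications-")
    home = tempfile.mkdtemp(prefix="home-test99-")
    tail = ("Fusion.app", "Contents", "Library", "services")
    genuine_dir = _make_tree(apps, *tail)
    genuine = os.path.join(genuine_dir, "services.sh")
    with open(genuine, "w") as fh:
        fh.write("#!/bin/sh\necho genuine\n")
    os.chmod(genuine, 0o755)
    copied = os.path.join(_make_tree(home, *tail), "services.sh")   # copied app
    shutil.copy(genuine, copied)
    linked = os.path.join(home, "services.sh")                      # hard-linked app
    results = {"genuine": untrusted_reasons(genuine, apps, me),
               "copy_in_home": untrusted_reasons(copied, apps, me)}
    os.link(genuine, linked)
    results["hardlink_in_home"] = untrusted_reasons(linked, apps, me)
    results["genuine_while_linked"] = untrusted_reasons(genuine, apps, me)
    os.unlink(linked)
    results["wrong_owner"] = untrusted_reasons(genuine, apps, me + 1)
    os.chmod(genuine_dir, 0o777)                                    # loosened directory
    results["writable_dir"] = untrusted_reasons(genuine, apps, me)
    shutil.rmtree(apps)
    shutil.rmtree(home)
    return results


if __name__ == "__main__":
    for scenario, reasons in demo().items():
        print(f"{scenario}: {'OK' if not reasons else reasons}")
```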

To begin, I usually copy and run the entire application from a location I control and review how it interacts with files, sockets, pipes, etc. Below is an example using the Monitor utility: root executed a file named services.sh under the home directory of the low privileged test99 user. We achieved this by copying the entire /Applications/VMware Fusion.app directory and then executing VMware Fusion from that location via the command line.

With the leading path under the control of the test99 user, I injected a single line at the top of the script to create a file in /tmp. If the update is successful, /tmp/test.123 will exist and be owned by root.

After updating services.sh, I manually executed VMware Fusion from the command line and the file was created as expected.

In some instances, privileges could be dropped by the application or by bash before a file is accessed. When reviewing the list of files accessed in the Monitor application, I always verify the value of the Euid field. Below is an example where further investigation was needed. At first glance it appears the low privileged test99 user is executing the vmware-id binary. If a file is created when only the Euid is set to zero, the file will be owned by the low privileged user unless the application explicitly sets the ownership.

For further details, select the record to display a window with additional properties about the process. It shows the vmware-id binary was executed as the test99 user, from a location the test99 user controls, with the EUID set to zero, the root user. This could be an opportunity to escalate privileges to root.

By default, bash automatically drops privileges if uid != euid (effective uid). This behavior can be disabled by enabling privileged mode with the -p option. VMware uses privileged mode with several bash scripts, which is not common. It is possible to successfully exploit a vulnerability only to have bash drop the privileges. Not all shells have this feature; the Korn shell (ksh), for example, retains the euid value.

It is important to showcase the behavior using a setuid root bash shell. As root, make a copy of /bin/bash and change the permissions to 4755. The 4000 octal number adds the setuid bit. As a low privileged user, execute the setuid root copy of bash. Notice that even though the shell is setuid root, no root privileges are gained due to the default behavior. Executing the shell with the -p option overrides the security feature and root privileges are retained (euid=0).

At this point, code execution as root has been confirmed by creating the root owned file in /tmp. The next step is to spawn an interactive root shell. For a proof of concept, creating a setuid root shell or a local netcat reverse shell is usually sufficient. Netcat was chosen for this blog to show the parent processes.

The proof of concept can be downloaded at CVE-2020-3957.sh. The PoC will create a copy of /Applications/VMware Fusion.app using hard links, inject a netcat command into services.sh, and directly execute the application.

A local reverse shell running as root is received.

It is important to show the process tree in reverse from the netcat shell. Each ps command below displays the parent process. This shows services.sh executing as root under the test99 user’s home directory, which contains the netcat command.

On a final note I want to thank my colleague Charles Dardaman for testing and verifying the proof of concept.

Credit:
Discovered by Rich Mirch, Senior Adversarial Engineer at TEAMARES
Signature check bypass (TOCTOU) discovered by Jeff Ball

Why a Proactive IR Strategy Is Critical

Breaches are a fact of life for every business. However, it is possible to stop breaches and improve your security posture by taking a proactive approach to your incident response (IR) strategy.


The Risk of a Cyber Security Breach Continues to Increase

Consider: A joint study by Ponemon Institute and IBM Security revealed the percentage chance of an organization to experience a data breach within two years was 29.6 percent in 2019, an increase from 27.9 percent in 2018.

Cost of a Data Breach

As the risk of a breach increases, so does the financial impact. The same study states the average cost of a breach in the U.S. is $8.19 million, more than double the worldwide average. The largest cost of a data breach is due to lost business resulting from customer attrition.

Average Time to Identify and Contain a Breach

According to the Ponemon Institute, the average time to identify and contain a breach is 279 days, representing a 4.9 percent increase over the 2018 breach lifecycle of 266 days.

Fast Incident Response Saves Money

Breaches with a lifecycle less than 200 days were on average $1.22 million less costly than breaches with a lifecycle of more than 200 days ($3.34 million vs. $4.56 million respectively), a difference of 37 percent.

In other words, your likelihood of getting hit with a breach is high and increasing steadily. The faster you identify and contain that breach, the lower your costs.

Most Businesses Aren’t Prepared for a Breach

Despite these realities, most companies – about 77% – don’t have a breach response plan.

It can be difficult to navigate a market saturated with a variety of security tools and services. Building a breach prevention and mitigation plan is daunting. Many businesses don’t know who to contact when a breach occurs, increasing the breach lifecycle and associated costs.

Improve Your Business’s Incident Response Preparedness

Accordingly, it’s more important than ever to implement proactive incident response strategies into your operation to reduce the overall impact of an incident.

What can you do to take a proactive approach to incident response?

Plan for the Inevitable

Assume that you will be breached and put plans in motion to prepare for that inevitable cyber incident. The CRITICALSTART team has found that 40% of all managed detection and response (MDR) customers in the deployment phase had already experienced a breach.

Add an IR Retainer to Your Incident Response Program

With an IR retainer, you’ll gain the benefit of partnering with a team of experts who can help perform tabletop exercises and simulations to evaluate and shorten response time.

The dwell time between finding out you’ve been breached and selecting and onboarding an IR team can cost your organization time, money, and brand reputation.

Get Proactive with CRITICALSTART’s IR Retainer

CRITICALSTART offers incident response (IR) retainers, meaning you’re always covered.

You’ll get immediate access to our TEAMARES IR cybersecurity professionals who stand ready to investigate, contain, eradicate, and remediate your breach.

Find the IR Retainer Package That’s Right for Your Business

We offer several prepaid retainer packages to meet your unique business needs. And our IR retainers are flexible – you may repurpose unused hours and apply them to other IR and cybersecurity consulting service engagements.

An IR retainer can help you:

  • Respond immediately to a breach within minutes, not hours or days.
  • Improve your security posture, securing funds for immediate incident response remediation.
  • Save money by securing IR services now, at a lower cost, than if purchased at the time of an incident.
  • Protect your assets 24/7/365 by stopping an attacker’s deep dive into your critical data.

Don’t wait for a breach – be proactive and add an IR retainer to your IR program. For details, contact us today.

COVID-19 Contact Tracing Methods Compared: Examining Privacy & Security Implications

Discussions about contact tracing have been ongoing since February 2020, when some experts began looking ahead at how to move through the global COVID-19 pandemic.

What Is Contact Tracing?

Contact tracing essentially comprises identifying those who have been infected with COVID-19 and notifying as many people as possible who have been in close contact with them within a 14-day window.

The goal of contact tracing is to slow the spread of the novel coronavirus to reduce its overall impact both nationally and globally. Both manual (in-person) and software-based (smartphone app) methods have been implemented.

The problem? These approaches fly in the face of the various privacy acts in the U.S., essentially putting these privacy initiatives on hold.

Inconsistency of Contact-Tracing Methods

The challenge with COVID-19 contact tracing is rather than a singular, unified approach, multiple different approaches have been developed.

Along with manual contact tracing, current technology-based solutions include (but are not limited to):

Each technological solution adopts a different approach to contact tracing. For example, some methods rely on GPS, which gathers longitude and latitude as data points, while others leverage a QR system that only tracks where you scanned. Bluetooth technologies vary depending on who implemented them.

Limitations of Manual Contact Tracing

Many states have decided to implement a manual method of hiring, or asking for volunteers, to become contact tracers. Some may argue that the manual method has worked in the past, so why argue against it now? Let’s review some of the limitations of manual contact tracing.

Minimal Educational and Training Requirements for Contact Tracers

The requirement to become a contact tracer? Surprisingly, only a high school diploma. No medical training or advanced education is required.

In addition to this, the contact tracing class is free and hosted on the site Coursera.

Too Few Contact Tracers in Major Cities

Volume is another factor limiting the effectiveness of manual contact tracers, especially in large cities.

For example, in New York City, MIT Technology Review found that a population exceeding 21 million people with more than 16,000 deaths has had fewer than 1,000 tracers in action.

How do they plan to increase those numbers to handle the potential of another surge? The answer is to spend money, which brings us to our second problem: budget.

High Cost of Hiring Contact Tracers at Scale

States such as Massachusetts have budgeted $44 million to hire contact tracers. And health leaders have asked Congress to provide $3.5 billion to help fund contact tracing. This is at a time where our economy is struggling and the lack of funding for testing is still being fought.

Limited Smart Phone Access Can Hamper Contact-Tracing Effectiveness

So why are people arguing against a technological approach and for the manual method? A common argument is that the people most affected do not have access to the smartphones the technology would require. So, I decided to do a bit of math using New York as my example.

  • According to New York health officials, 1 in 5 people may have had COVID-19, which would be roughly 376,080 people using 2020 data.
  • To purchase a very cheap Android or Apple smartphone under a prepaid plan that could support app-based contact tracing would cost roughly $3,760,800 using the lowest price I could find on Boost Mobile before adding money to the prepaid plan.

Additionally, the government has a program called LifeLine that offers phones to those in need. So even that can be used to outfit the high-risk individuals with a phone.

Limitations of Contact Tracing Technology

What about the technologies that have been developed around COVID-19 contact-tracing applications? So many have been developed and no one is following the exact same model.

Centralized Data Storage Poses Major Data Breach Risk

Some contact-tracing methods use centralized storage, which is the act of storing ALL data collected by users’ phones to one location.

The risks? A single point of failure and single target for malicious actors to access the data, and government discretion on how long to retain data and how they would use data.

In fact, in the U.K., officials have stated they would hold post-COVID-19 data for “research” purposes.

By contrast, a decentralized model (as adopted by Google and Apple) stores the data on each person’s phone separately. If you test positive for COVID-19, you have the ability to upload your data to a health authority’s server so others can be notified via a random identifier.

Contact Tracing App Privacy and Security Concerns

Outside of storage, what about privacy or security concerns around the use of these apps? We have already seen privacy AND security issues arise just over the last month.

One recent implementation was in South Korea, which is effectively a practice of mass surveillance under the guise of a pandemic app. Other security vulnerabilities were recently discovered in India’s contact-tracing app, Aarogya Setu.

These are not the only security and privacy breaches we will see. Each breach erodes the trust of the people, thereby reducing the effectiveness of each app.

How Google and Apple’s Exposure Notifications API Works

What about tech giants Google and Apple’s implementation of contact tracing? Each has been very upfront on their design of the Exposure Notifications API.

This API is designed to leverage Bluetooth Low Energy (BLE) wireless personal area network (WPAN) technology to randomize a unique Bluetooth identifier and exchange that number with others they may be near for a minimum of 5 minutes.

Participation Is Voluntary

In addition, this entire program is opt-in, allowing users to decide if they wish to participate. And it goes a step further. If you test positive, YOU have the ability to opt into sending your positive test proof to your health authority.

The process involves Google and Apple’s security and privacy reviews that allow the person who tested positive to enter some sort of key or scan a code, which then informs health authorities of your positive test result.

Notifications Are Anonymous

The health authorities then leverage the Exposure Notifications API to distribute your unique key to all other participants. If a match is found, that individual is notified that they may have come into contact with someone who has tested positive for COVID-19. No names, locations, or other personal information are shared.

If you decide to opt-out, Google and Apple both state in their white papers they will delete all keys from your phone.
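To make the decentralized flow described above concrete, here is an added Python model (not Google or Apple's code) of the exchange: each phone keeps a secret exposure key, broadcasts rolling identifiers derived from it, records identifiers it hears, and only after an opt-in positive report does the key reach the health authority, which relays it so every other phone can match locally. The 10-minute rotation, the keyed-hash derivation and the Alice/Bob/Carol scenario are assumptions for illustration; only the 5-minute contact threshold comes from the text.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass, field

INTERVAL_MIN = 10      # assumed: a fresh identifier is broadcast every 10 minutes
MIN_CONTACT_MIN = 5    # from the text: a contact must last at least 5 minutes
DAY_INTERVALS = range(24 * 60 // INTERVAL_MIN)   # one day of intervals to re-derive

def new_exposure_key() -> bytes:
    """Secret key that never leaves the phone unless its owner opts in to report a positive test."""
    return secrets.token_bytes(16)

def proximity_id(exposure_key: bytes, interval: int) -> bytes:
    """Rolling identifier for one interval: a keyed hash, so an observer without the key
    cannot link two intervals to one person (simplified stand-in for the API's derivation)."""
    return hmac.new(exposure_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]

@dataclass
class Phone:
    owner: str
    exposure_key: bytes = field(default_factory=new_exposure_key)
    seen: dict = field(default_factory=dict)   # identifier heard over BLE -> minutes nearby
    def broadcast(self, interval: int) -> bytes:
        return proximity_id(self.exposure_key, interval)
    def observe(self, ident: bytes, minutes: int) -> None:
        self.seen[ident] = self.seen.get(ident, 0) + minutes
    def report_positive(self) -> bytes:
        # Opt-in upload: only the key goes to the health authority, never a name or location.
        return self.exposure_key
    def exposed(self, published_keys, intervals=DAY_INTERVALS) -> bool:
        # Matching happens on the phone: re-derive identifiers from the relayed keys locally.
        for key in published_keys:
            minutes = sum(self.seen.get(proximity_id(key, i), 0) for i in intervals)
            if minutes >= MIN_CONTACT_MIN:
                return True
        return False
    def opt_out(self) -> None:
        # Leaving the program deletes the phone's own key and everything it observed.
        self.exposure_key, self.seen = b"", {}

def simulate() -> dict:
    """Constructed scenario: Alice (later positive) is near Bob for 20 minutes, passes Carol for 2."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    for i in (0, 1):
        bob.observe(alice.broadcast(i), INTERVAL_MIN)
        alice.observe(bob.broadcast(i), INTERVAL_MIN)
    carol.observe(alice.broadcast(2), 2)
    published = [alice.report_positive()]       # relayed by the health authority to everyone
    return {p.owner: p.exposed(published) for p in (alice, bob, carol)}
```

Running `simulate()` notifies only Bob; the relay server learns one random key and nothing about who Bob is.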

Exposure Notifications API Phase 2 Rollout

Google and Apple have also indicated a phase 2 rollout where the contact tracing API will be on everyone’s phone, with opt-in capabilities still present. This means you can leverage their APIs without ever using a government application.

The problem with this approach is you would not be able to upload a positive test to a health authority without the health authority’s app. However, if you met someone who did, you would be notified nonetheless.

This May Be The Best (If Imperfect) Current Contact-Tracing Approach

Are these approaches perfect? Probably not. However, they are the best we have seen that take security and privacy into consideration from the start of development all the way through implementation.

In addition, both have already turned away countries such as France that have requested a centralized approach, which reveals an unwillingness to accommodate government requests.

We have seen numerous times how Apple deals with the federal government, with refusals to allow access to their customers’ phones or data.

These companies have a lot at stake when it comes to their reputation, so it would be unwise for them to abuse public trust with an application like this.

Will I Participate In Contact Tracing? Yes…With Conditions

I am often asked if I would participate in contact tracing. If the method were one I had investigated, and I had reviewed the security and privacy controls put in place, absolutely.

A technological approach is the only one that can withstand the volume while also keeping people safe. However, the weakness of this approach is that it relies on the number of people that participate AND the number of people who submit their positive statuses.

Widespread Mistrust of Contact Tracing Apps Stems from Misunderstanding

A recent poll by Axios states that most in the U.S. are against using this technology. In my opinion, this is due to the lack of understanding of what these apps do AND the wide variety of contact-tracing methods being leveraged across the country.

The government needs to be decisive about which implementation to leverage across the United States. This would allow better oversight into the security and privacy of the data. Data leaks or security breaches will erode the trust of the people, making this technology obsolete.

Do Your Homework

Investigate the contact-tracing application or method being implemented in your state to ensure privacy and security have been considered and part of the development from the beginning.

Ask for transparency from your local politicians. If using an application from developers, inquire about their privacy policies.

Finally, question who has access to the data, regardless of the method being used locally or nationally. All these questions should help you decide whether to participate.

Ransomware and the CIA Triad: Considerations for Evolving Attack Methods

One thing is clear: no one is safe from ransomware attacks. What is changing, however, are attack modes as threat actors adjust their methods based on evolving mitigation methods being employed.

For several years, ransomware has been viewed as a type of malware that locks or encrypts the system or data and demands a ransom payment to restore access to systems and data. Ransomware takes an organization’s dependence on technology and tries to use it to force the organization into paying the ransom. With the rise in ransomware attacks, which saw a 229% increase in reported attacks from 2017 to 2018, a number of effective mitigation strategies have emerged, thus making it less profitable for threat actors to use.

As a result, new forms of ransomware have started to emerge. Looking at them from the traditional CIA Triad, these attacks hit:

  • Confidentiality of data, which includes loss of personal information like credit card details, usernames and passwords, or loss of corporate intellectual property
  • Availability of data, in which hackers demand money to restore access to systems and data targets
  • Integrity of data, in which hackers access and change data such as patient health records.

In the more common of these new attacks, instead of targeting availability, victims are threatened with loss of confidentiality unless the ransom is paid. The most high-profile current example is Maze ransomware, which not only encrypts a victim’s data — as happens with all Windows ransomware — but also exfiltrates it before the encryption process begins, so that the attackers can use it to pressure the victim into paying whatever ransom has been demanded. Another example currently being seen is Clop, where the stolen data is posted to the CL0P site.

What does this mean? That security professionals cannot afford to neglect Integrity Ransomware attacks as they appear to be trending upwards.

In assessing threat risks, security analysts generally try to determine whether they are vulnerable to the threat, a likely target of the threat, and what damage could occur if the threat resulted in a successful attack. All three legs of the CIA Triad should be examined when performing this analysis.

Executives typically focus on preventing loss of confidentiality since these breaches typically result in fines, brand damage, loss of customer confidence due to identity theft, high remediation and credit card replacement costs, and public embarrassment.

Accordingly, some basic precautionary measures to take include:

  • Make backups on a regular basis and for more than a single day. Newer ransomware groups have dwell times on your network of days and weeks before they encrypt your data. Keep the backup on a separate device and, if possible, also store it offline.
  • Have a business continuity plan and test it. This plan should include who you will call on for assistance in remediation and incident response.
  • Proactively decide what data to collect if you choose to remediate instead of paying the ransom. Evaluate the pros and cons of paying the ransom, now that it also affects confidentiality, with both legal and technical personnel.

The implications for the user, organization or security professional are numerous. With this in mind, recognize that attacks are not static – they change in reaction to our mitigation strategies so that they can remain profitable to the attacker. If this means the attack shifts to affect a different leg of the triad or adds additional legs, it will. Defense, mitigation, and recovery strategies for every type of attack need to consider how that attack could affect each leg of the triad.

As ransomware attacks continue to increase, the best defense is to plan ahead, leveraging strategies to help keep your organization ahead of hackers as they refine their attack modes.

CYBERONE’s TEAMARES a Top Contributor to Folding@Home in Global Fight Against COVID-19

In times like these, we all could use some good news and CyberOne’s TEAMARES is excited to share some: we just reached top contributor status in our participation in Folding@Home’s fight against COVID-19!

As of this week, we are now in the top 0.3% of all team contributors. It would not be possible without the help of several people both within the team and outside. This is a great example of how the Information Security and Tech community can band together for a great cause.

The backstory: TEAMARES’s in-house research team has found that our hash cracker Cthulhu can be used to run computer simulations that mimic the same complex protein folding that occurs in diseases. We’re sharing the results of our own in-house research with Folding@Home to simulate how the virus behaves – data that we hope can be used by doctors and healthcare professionals to develop potential vaccines.

Folding@Home is sending our team jobs to process on our CPU and GPU processing power, of which Cthulhu is helping. Folding@Home then takes that data to help in researching viruses.

You too can join the fight against COVID-19 – here are some ways to take action:

  • Retweet for awareness and to help spread the news!
  • Consider competing against CyberOne’s TEAMARES.

Or, participate in the Folding@Home project:

  1. Download the Folding@Home Client at https://foldingathome.org/start-folding/
  2. Use our team ID number when you first start the client (239575)
  3. Have fun!

Our Team:
CyberOne’s TEAMARES is comprised of professionals with more than a decade of experience conducting offensive and defensive security services. Our team has expertise in a wide array of industries, including oil and gas, healthcare, app development firms, hospitality, technology, and more.

Follow us on Twitter @TeamAresSec to stay up to date on our progress, or via our LinkedIn and Facebook channels.

Hard-Coded Administrator Password Discovered in OpsRamp Gateway

Version Tested:
3.0.0

Product:
https://www.opsramp.com/

CVE Numbers:
CVE-2020-11543

CVSS Score:
10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

CWE:
CWE-798: Use of Hard-coded Credentials

OWASP:
https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password

Summary:
During a recent penetration test, CyberOne’s TEAMARES researchers discovered that OpsRamp Gateway has an administrative account named vadmin that allows root SSH access to the server. This account was unknown to clients unless requested through a support process. At that time the vendor states they would provide the account to the client and request that they change the password.

Prior to the patch, this password was not unique across clients; it differed only for those who had requested access to the account and changed the password. CyberOne is unaware of the number of clients that may have requested access and changed the password.

Technical Details:
After installing the OpsRamp Gateway server, a script called “kick-start.sh” runs, which sets up multiple user accounts and hard-codes their passwords by writing pre-computed password hashes directly into the accounts.


Our team was able to crack the hash for the vadmin account, which can be used to SSH into the server with the password 9vt@f3Vt. Additionally, the account has the sudo permission ALL, allowing us to easily escalate to root with sudo -i.


We then proceeded to log into client servers in production as root proving that the hashes are not unique to the install.
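As an added defender-side check (not the vendor's script or TEAMARES's tooling), the following Python flags provisioning lines that bake a literal crypt hash into an account and compares shadow entries across installs to find hashes that are not unique, which is exactly the condition this finding rests on. The script text, host names and hashes are constructed samples, not OpsRamp's values.

```python
import re
from collections import defaultdict

# Provisioning lines that pass a literal crypt hash: useradd/usermod ... -p '$6$...'
HARDCODED_RE = re.compile(r"""\b(useradd|usermod)\b.*\s-p\s+['"]?(\$[156y]\$[^'"\s]+)""")

KICKSTART = """#!/bin/bash
# constructed sample in the style of a provisioning script, not the vendor's kick-start.sh
useradd -m -s /bin/bash -p '$6$c0nstructed$CONSTRUCTEDHASHvadmin' vadmin
useradd -m -s /bin/bash -p '$6$c0nstructed$CONSTRUCTEDHASHops' opsuser
"""

SHADOW = {  # constructed /etc/shadow excerpts from three installs (hashes are placeholders)
    "gw-a": "root:*:18000:0:99999:7:::\nvadmin:$6$c0nstructed$CONSTRUCTEDHASHvadmin:18000:0:99999:7:::",
    "gw-b": "root:*:18000:0:99999:7:::\nvadmin:$6$c0nstructed$CONSTRUCTEDHASHvadmin:18000:0:99999:7:::",
    "gw-c": "root:*:18000:0:99999:7:::\nvadmin:$6$uniq$CHANGEDBYCLIENT:18100:0:99999:7:::",
}

def find_hardcoded_hashes(script_text: str):
    """Return (line_no, user, hash) for lines that create an account with a pre-hashed password."""
    findings = []
    for n, line in enumerate(script_text.splitlines(), 1):
        m = HARDCODED_RE.search(line)
        if m:
            findings.append((n, line.split()[-1], m.group(2)))  # assumes the username is the last argument
    return findings

def shared_hashes(shadow_by_host: dict):
    """Group (user, hash) pairs by host; a pair present on more than one host is a shared credential."""
    seen = defaultdict(list)
    for host, content in shadow_by_host.items():
        for entry in content.splitlines():
            parts = entry.split(":")
            if len(parts) < 2:
                continue
            user, pw_hash = parts[0], parts[1]
            if pw_hash and pw_hash[0] not in "!*":   # skip locked or disabled accounts
                seen[(user, pw_hash)].append(host)
    return {pair: hosts for pair, hosts in seen.items() if len(hosts) > 1}

if __name__ == "__main__":
    for n, user, h in find_hardcoded_hashes(KICKSTART):
        print(f"line {n}: account {user} provisioned with literal hash {h[:12]}...")
    for (user, h), hosts in shared_hashes(SHADOW).items():
        print(f"{user}: identical hash on {', '.join(hosts)}; password is not unique per install")
```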

Timeline:
10/24/2019 – Vulnerability found
01/20/2020 – CyberOne was informed that the Vendor patched the finding
03/26/2020 – Ensured that clients were patched
03/26/2020 – CVE Requested
04/07/2020 – Released vulnerability disclosure

Credit:
Discovered by Charles Dardaman, Senior Adversarial Engineer for TEAMARES at CyberOne


Follow us on Twitter @TeamAresSec to stay up to date on vulnerability discoveries and cybersecurity news.