The big story this week is SolarWinds. This IT management company supplies network monitoring and other security equipment, and it seems that malicious code was included in a product update as early as last spring. Their equipment is present in a multitude of high-profile networks, like FireEye, many branches of the US government, and pretty much any other large company you can think of. To say that this supply chain attack is a big deal is an understatement. Initial blame has been placed on APT42, AKA the Russian hacking pros.
The attack hasn’t been without some positive effects, as FireEye has released some of their internal tooling as open source as a result. Microsoft has led the official response to the attack, managing to win control of the C&C domain in court and black-holing it.
The last wrinkle to this story is the interesting timing of the sale of some SolarWinds stock by a pair of investment firms. If those firms were aware of the breach, and sold their shares before the news was made public, this would be a classic case of illegal insider trading.
WordPress Pingback DDoS
It never ceases to amaze me, the clever ways attackers find to misuse features. In this case, the WordPress pingback function can be used to facilitate a DDoS attack.
So, a bit of history: what is a WordPress pingback? It’s simple. Say you have a WordPress blog where you write a new article. Someone else likes your article enough to link to it on their own WordPress site. If both sites have pingbacks enabled, the WordPress instances will automatically talk to each other and generate a pingback comment on the original article. It’s clever, but of limited use, so many sites have the feature disabled.
The problem is that an attacker can connect directly to the pingback API of many WordPress sites, and announce a new pingback originating from the target site. Each of those sites will then attempt to open a new connection to verify the pingback announcement, effectively amplifying a DDoS attack.
You might think that your content delivery network (CDN) will take care of you. Cloudflare and the like can be thought of as a distributed cache. You request a protected site, and the DNS name resolves to one of Cloudflare’s IP addresses. Cloudflare uses some magic routing tricks (anycast) to automatically route your connection to their nearest datacenter. Cloudflare can then proxy your connection, or serve cached content during a traffic spike. An important element of this protection is that the public doesn’t connect directly to your server’s IP address, which is what shields you from the DDoS.
Unless a WordPress site is set up particularly carefully, the pingback response gives away the true IP address, allowing for a trivial bypass. Ouch.
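Detection logic for the amplification described above, added here as an example and not code from the original article or from WordPress: it scans constructed web-server log lines for the User-Agent that WordPress sends when it fetches a page to verify a pingback (which includes the address that submitted the pingback announcement to that site) and flags windows in which several unrelated sites verify at once. The log lines, hostnames and addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" format; not real traffic.
# WordPress verifies a pingback by fetching the linking page with the User-Agent
# shown below, which carries the IP that submitted the pingback to that site.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Dec/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Dec/2020:10:00:02 +0000] "GET /?p=42 HTTP/1.1" 200 5120 "-" "WordPress/5.6; https://blog-a.example; verifying pingback from 203.0.113.99"
198.51.100.8 - - [18/Dec/2020:10:00:02 +0000] "GET /?p=42 HTTP/1.1" 200 5120 "-" "WordPress/5.5.3; https://blog-b.example; verifying pingback from 203.0.113.99"
198.51.100.9 - - [18/Dec/2020:10:00:03 +0000] "GET /?p=42 HTTP/1.1" 200 5120 "-" "WordPress/5.6; https://blog-c.example; verifying pingback from 203.0.113.99"
198.51.100.12 - - [18/Dec/2020:10:00:04 +0000] "GET /?p=42 HTTP/1.1" 200 5120 "-" "WordPress/5.4.4; https://blog-d.example; verifying pingback from 203.0.113.99"
198.51.100.20 - - [18/Dec/2020:10:05:30 +0000] "GET /?p=7 HTTP/1.1" 200 4096 "-" "WordPress/5.6; https://friend.example; verifying pingback from 198.51.100.20"
"""

# "combined" format: ip ident user [ts] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$')
PINGBACK_UA_RE = re.compile(r"^WordPress/[\d.]+; (?P<site>\S+); verifying pingback from (?P<caller>\S+)$")

def parse_pingback_hits(log_text):
    """Yield (timestamp, reflector_ip, reflector_site, reported_caller) per pingback check."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        ua = PINGBACK_UA_RE.match(m.group("ua")) if m else None
        if not ua:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m.group("ip"), ua.group("site"), ua.group("caller")

def detect_pingback_flood(log_text, window_seconds=60, min_hits=3, min_sites=2):
    """Flag windows in which several distinct WordPress sites verify pingbacks at once.
    Real pingbacks arrive one at a time; a reflected flood arrives from many sites."""
    buckets = defaultdict(list)
    for ts, ip, site, caller in parse_pingback_hits(log_text):
        buckets[int(ts.timestamp()) // window_seconds].append((ip, site, caller))
    alerts = []
    for bucket, hits in sorted(buckets.items()):
        sites = {site for _, site, _ in hits}
        if len(hits) >= min_hits and len(sites) >= min_sites:
            alerts.append({
                "window_start": bucket * window_seconds,
                "hits": len(hits),
                "reflector_sites": sorted(sites),
                # The reflectors all name the same submitter: useful for attribution.
                "reported_callers": sorted({c for _, _, c in hits}),
            })
    return alerts
```

The lone verification at 10:05 is left alone, while the four-site burst at 10:00 is flagged with the single address every reflector reported.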
The Worst Security Problem
Cisco got hit by the oldest security bug in the book, back in 2018. This unpatchable vulnerability led to the deletion of 456 VMs and over 16,000 Webex accounts. The price tag on the cleanup came to over two million dollars. What vulnerability was this? An employee with admin privileges and a grudge. Five months after leaving Cisco, [Sudish Ramesh] still had valid credentials, which doesn’t reflect well on Cisco’s security practices around HR. Ramesh will serve two years in prison, as well as paying a small fine.
Enhance! — er, Depixelate?
It’s the classic movie trope, present everywhere from Blade Runner to MacGyver — “Zoom in on that section and enhance the image.” (Warning, tvtropes.) We love to make fun of this one, but it turns out, there are a few limited instances where it’s possible. [Sipke Mellema] put the work in, and brings us the Depix tool. Designed to make a best-guess at the original text behind a pixelated image, assuming that you know the font that it’s written in and some other details, Depix could be a useful tool for extracting passwords and other data from poorly redacted images. For more details, check his write-up.
Thanks to [Sevron Kitsune] for sending this one in via the tips line!
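A toy illustration of why a tool like Depix can work, added here and not part of the original article or the Depix project: mosaic pixelation averages fixed blocks, so it is deterministic and, when the font is known, the pixelated rendering of every glyph can be precomputed and matched against the blurred image. Collisions (two glyphs that average to the same blocks) are exactly the ambiguity a dictionary lookup would then resolve, while overwriting with a solid block maps every glyph to the same output and leaks nothing. The 4x4 "glyphs" are constructed for the example, not real font data.

```python
# Hand-made 4x4 bitmaps standing in for a known font; constructed for this example.
GLYPHS = {
    "I": ["0110", "0110", "0110", "0110"],
    "L": ["1000", "1000", "1000", "1111"],
    "T": ["1111", "0110", "0110", "0110"],
    "||": ["1001", "1001", "1001", "1001"],  # deliberately collides with "I" once pixelated
}

def pixelate(bitmap, block=2):
    """Replace each block x block square with its mean, like an image editor's mosaic filter."""
    rows = [[int(c) for c in r] for r in bitmap]
    out = []
    for y in range(0, len(rows), block):
        out_row = []
        for x in range(0, len(rows[0]), block):
            cells = [rows[yy][xx] for yy in range(y, y + block) for xx in range(x, x + block)]
            out_row.append(sum(cells) / len(cells))
        out.append(tuple(out_row))
    return tuple(out)

def solid_redact(bitmap):
    """Overwrite the whole region with a constant: every input maps to the same output."""
    return tuple(tuple(0.0 for _ in r) for r in bitmap)

def candidates(redacted, redact_fn):
    """Glyphs whose redacted rendering equals the observed one (the lookup idea behind Depix)."""
    return sorted(name for name, bm in GLYPHS.items() if redact_fn(bm) == redacted)
```

With `pixelate`, "L" and "T" are recovered uniquely and "I" narrows to two candidates; with `solid_redact`, every glyph remains a candidate, which is the property a redaction method needs.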
OAuth Can Go Wrong
OAuth seems to be one of the better security protocols to be developed in the last few years. You have a Google or Facebook account, and you can use that single sign-on to authenticate everywhere. OAuth can even be used to run your own identity service. As good as the protocol is, there are ways for it to go wrong. The good folks at PortSwigger bring us a good overview of OAuth 2.0, as well as the common pitfalls.
> this would be a classic case of illegal insider trading.
Just to clarify: that would depend on how, not when, they figured it out. In this case the two companies investing had a pretty big presence on the board. So it’s suspicious.
The font depixelation idea is great! By adding font and background color detection (for unpixelated parts) and allowing for a varying center of pixelation, you could almost certainly read most pixelated text. Adding dictionary lookup to resolve possible collisions would help for text and bad passwords. Very cool.
Just a slight correction, FireEye didn’t release its tools, it released a set of countermeasures to detect their tools. The repo listed clearly says, “FireEye Red Team Tool Countermeasures”
OAuth is horrible. One thing that I’ve learned from years spent on 4chan, then eris/vi/tap/karachan is that it’s good to have no identity or multiple unrelated ones.
Single sign-on is horrible.
On that topic, does anyone know if (e.g. Google) can see which websites you’re using their OAuth2 server to sign in to? They must be able to attach it to your account? Are they keeping record of this?
AFAIK yes. You can find a list of what sites you’ve logged into with your Google account within your Google account management portal somewhere (don’t remember where, but I’ve seen it before)
I don’t like Google’s business model, and the damage it is doing to the fundamental human right to privacy.
OAuth travels over http so they can just look at their web server logs for the OAuth requests and see where they are going.
OAuth1 or OAuth2? They are very different! And why do you confuse “identity” with “username”?
How does an imaging machine get hacked? Were they browsing the web with it?
Creating a “sinkhole” sounds like a great cover if you were somehow involved in the exploit. No accusations — just a little outside-the-box thinking.