This Week In Security: Print Nightmare Continues, Ransomware Goes Bigger, And ATM Jackpots!

For the second time, Microsoft has attempted and failed to patch the PrintNightmare vulnerability. The original flaw was tracked as CVE-2021-1675, and the remaining RCE is now tracked as CVE-2021-34527. We warned you about this last week, but a few more details are available now. The original reporter, [Yunhai Zhang], confirms our suspicions, stating on Twitter that “it seems that they just test with the test case in my report”.

Microsoft has now shipped an out-of-band patch to address the problem, with the caveat that it’s known not to be a perfect fix, but should eliminate the RCE element of the vulnerability. Except … if the server in question has the point and print feature installed, it’s probably still vulnerable. And to make it even more interesting, Microsoft says they have already seen this vulnerability getting exploited in the wild.

Ransomware, The Big One

Kaseya makes remote management, security, and network monitoring products for IT departments and companies. Their VSA product specifically does remote monitoring and management, and had an optional on-premises component. Put more simply, you put their server on your network, and then installed their client on every computer you manage. The clients report back to the server, and you can install updates or fix problems remotely. It sounds great, actually. The only problem is that there was a pair of vulnerabilities in those servers.

The Dutch Institute for Vulnerability Disclosure had been doing research work on Kaseya systems, and had disclosed a number of flaws, which were working through the normal process of patching. CVE-2021-30116 seems to be the primary vulnerability used, and Kaseya was painfully close to rolling out a fix. The timing weakly suggests inside knowledge of Kaseya’s vulnerability and patching process, but that is by no means certain. Either way, the attack was launched over the 4th of July weekend in the US, and many Kaseya VSA machines were targeted. Once these management endpoints were compromised, a REvil malware binary was pushed out to all connected clients as an update to install. REvil has boasted that they scored over a million infections as a result, and have offered a universal decryptor for a cool $70,000,000.

We’ve discussed here how ransomware groups have put some effort into not making too big of a splash, as getting too much publicity can lead to seized servers, bitcoins mysteriously recovered by the FBI, and actual arrests, depending on what country the group operates out of. It will be interesting to see if an event of this magnitude results in further action.

NFC ATM Jackpot

Near Field Communications (NFC) is the technology that powers non-contact smart cards. You may use one of these for access control to get into your workplace. You probably have NFC tech built into your credit cards, and maybe your passport, too. Most cell phones can do NFC communications and, here’s the important bit, they can also mimic a smart card. What do you suppose a security researcher would do with such an ability? Naturally, use it to send malformed smart card data to a reader and see what happens.

That’s just what [Josep Rodriguez] did, to a bunch of ATMs. He is part of IOActive, a security research company, and they have a consulting contract with one of the ATM vendors. It seems that his work on the one device inspired security testing of multiple brands. Quite a few can be crashed via unexpected NFC input, and if we know anything from the last few years of security research, that often means that things are vulnerable to full exploit. And, as expected, on the machine he could legally attempt a full exploit against, [Rodriguez] hit the jackpot. Literally.

Jackpotting an ATM is when an attacker can convince it to dispense all its cash at once. There have been a few ways to do this in the past, from stealing manufacturer’s tools, to attacking the machine physically. This is the first time such an attack has been found over NFC, or at least the first that has been publicly talked about. More information about the attacks is coming. It seems this initial story is intended to be a warning shot to vendors, that it’s time to get serious about patching their equipment.
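The bug class behind “crashes on unexpected NFC input” is almost always a reader that trusts a length field it was handed. The following is an added example (not code from the article, from IOActive, or from any ATM vendor) showing the check a reader should make. The record layout, a one-byte tag, a one-byte length and the value, is a constructed simplification, not a real EMV or ISO 7816 encoding, and the sample records are constructed for the demonstration.

```python
"""Length-validating parser for a simple tag-length-value (TLV) record.

Added example, not code from the article or from IOActive. The record
layout (1-byte tag, 1-byte length, value bytes) is a constructed
simplification of the kind of card data an NFC reader must parse. The
point it demonstrates: check every length field against the bytes that
were actually received before using it.
"""
from typing import List, Tuple


class MalformedRecord(ValueError):
    """Raised when a TLV record is inconsistent with the received bytes."""


def parse_tlv(data: bytes, max_records: int = 32) -> List[Tuple[int, bytes]]:
    """Parse concatenated TLV records, rejecting anything that does not fit.

    Each record is: tag (1 byte), length (1 byte), value (length bytes).
    A record whose declared length runs past the end of the buffer, or a
    header that is itself truncated, raises instead of being accepted.
    """
    records: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(data):
        if len(records) >= max_records:
            raise MalformedRecord("too many records")
        if len(data) - pos < 2:
            raise MalformedRecord(f"truncated header at offset {pos}")
        tag = data[pos]
        length = data[pos + 1]
        start = pos + 2
        end = start + length
        if end > len(data):
            # The length field claims more bytes than were received.
            raise MalformedRecord(
                f"tag 0x{tag:02x} declares {length} bytes at offset {start}, "
                f"only {len(data) - start} available"
            )
        records.append((tag, data[start:end]))
        pos = end
    return records


def naive_parse_tlv(data: bytes) -> List[Tuple[int, bytes]]:
    """The same parser without the bounds check, for contrast.

    Python slicing silently truncates, so this does not crash here; it
    quietly accepts a short value as if the record were valid. A C reader
    that trusts the length field would instead read past its buffer.
    """
    records: List[Tuple[int, bytes]] = []
    pos = 0
    while pos + 1 < len(data):
        tag, length = data[pos], data[pos + 1]
        records.append((tag, data[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return records


# Constructed samples: one well-formed pair of records, one record whose
# length byte (0xFF) claims far more than the two value bytes present.
GOOD_RECORD = bytes([0x5A, 0x03, 0x11, 0x22, 0x33, 0x9F, 0x01, 0xAA])
BAD_RECORD = bytes([0x5A, 0xFF, 0x11, 0x22])


if __name__ == "__main__":
    print(parse_tlv(GOOD_RECORD))
    print(naive_parse_tlv(BAD_RECORD))  # silently truncated value
    try:
        parse_tlv(BAD_RECORD)
    except MalformedRecord as exc:
        print("rejected:", exc)
```

The strict parser fails closed: a card (or a phone pretending to be one) that declares more bytes than it sent is rejected before any value is used, which is the behaviour a reader needs when the input is fully attacker-controlled.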

Vulnerable Training App

Interested in Android App security? There’s a training tool you might be interested in, the Damn Vulnerable Bank. It’s an Android app that looks and works just like a real app might, but without the legal problems that go with hacking into a real bank’s infrastructure. And there’s a getting-started guide that walks you through the process of getting the app running in an emulator, including defeating the built-in protections against such research.

Password Stealing Gets Tricky

Android apps that try to harvest data from users are nothing new, right? I almost passed this story by, until I noticed that these apps were doing something clever. The set of apps found by analysts at Doctor Web are working apps, and show ads just as we’ve come to expect. These apps offer an unusual option to get rid of the ads: just log into your Facebook account. Hit that button, and the Facebook login page shows up right in the app, making for an easy experience.

Does that trigger your security spider sense? It should. That app has complete control over what happens in its own browser implementation. In this case, it loads the real Facebook page, and then loads some additional JavaScript to steal the password as it’s typed in. Thanks to this research, Google has kicked the apps off the Play Store, but not before they racked up a combined 5.8 million installs.

All Your Database Are Belong To Us

One of the ways private data leaks out to the world is through an unsecured database. Quite a few of the non-traditional databases either completely lack built-in security, or default to an insecure installation. That isn’t a problem, so long as the people using the database take the appropriate steps to keep the data secure. How many such databases do you think are exposed to the internet right now?

Researchers at RedHunt Labs wanted to know, so they started scanning the IPv4 space for unsecured databases. They picked eight databases, and started looking, and found a total of 95,321 insecure or totally unsecured databases exposed to the internet. It’s hard to know how many of those have proprietary data, but there’s also the possibility that each of those represents a foothold into a network. Keep your databases off the internet!
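Before someone else’s scanner finds your database, a host-local check is cheap. Below is an added example (not RedHunt Labs’ scanner and not from the article) that reads the output of `ss -ltn` on Linux and flags database listeners bound to a wildcard address, which is how a database ends up reachable from the internet once the host has a public address and no firewall in front of it. The port-to-name table is an assumption based on common defaults; the article does not name the eight database types it scanned for. The sample `ss` output is constructed.

```python
"""Flag database listeners bound to every interface.

Added example, not RedHunt Labs' code. Parses `ss -ltn` style output and
reports sockets on well-known database ports whose local address is a
wildcard (0.0.0.0, [::] or *). The port table is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Common default ports (assumption; the article does not name its eight
# database types). Extend this for whatever runs in your environment.
DB_PORTS = {
    27017: "MongoDB",
    6379: "Redis",
    9200: "Elasticsearch",
    5432: "PostgreSQL",
    3306: "MySQL/MariaDB",
    9042: "Cassandra",
    5984: "CouchDB",
    11211: "Memcached",
}


@dataclass
class Finding:
    service: str
    local_addr: str
    port: int
    exposed: bool  # True when bound to a wildcard address


def is_wildcard(host: str) -> bool:
    """True for 0.0.0.0, [::], :: and the bare '*' that ss prints."""
    if host in ("*", ""):
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_unspecified
    except ValueError:
        return False


def audit_listeners(ss_output: str) -> List[Finding]:
    """Return one Finding per listening socket on a known database port."""
    findings: List[Finding] = []
    for line in ss_output.splitlines():
        parts = line.split()
        # Columns: State Recv-Q Send-Q Local:Port Peer:Port [Process]
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        host, _, port_text = parts[3].rpartition(":")
        if not port_text.isdigit():
            continue
        port = int(port_text)
        if port not in DB_PORTS:
            continue
        host = host.split("%")[0]  # drop an interface suffix such as %lo
        findings.append(Finding(DB_PORTS[port], host, port, is_wildcard(host)))
    return findings


def exposed_services(ss_output: str) -> List[str]:
    """Names of database services listening on a wildcard address."""
    return [f.service for f in audit_listeners(ss_output) if f.exposed]


# Constructed sample of `ss -ltn` output: one database correctly bound to
# loopback, three bound to every interface, and an unrelated SSH listener.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       4096    0.0.0.0:27017        0.0.0.0:*
LISTEN  0       511     [::]:6379            [::]:*
LISTEN  0       4096    *:9200               *:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS):
        state = "EXPOSED" if f.exposed else "ok"
        print(f"{state:8} {f.service:14} {f.local_addr}:{f.port}")
```

On a real host, feed it the live output with `ss -ltn` piped into the script. A wildcard bind is only the first thing to fix: the database also needs authentication turned on and a firewall or security group that keeps the port off the public internet, since a loopback bind alone does nothing for a multi-host deployment.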

How Broken Can You Make A Password Manager?

And finally, in the facepalm category, Kaspersky’s Password Manager was generating extremely insecure passwords. There were several odd issues at play, but by far the worst was that the only source of randomness the generator used was the current time … in seconds. To quote the article, “every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second.” To put it another way, if you know the day a password was generated by this system, you can immediately narrow it down to a list of 86,400 passwords. That’s just a little bit more than 16 bits, or the equivalent of a three-character password. Oof.
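To put numbers on just how bad a clock-seeded generator is, here is an added example (not Kaspersky’s code and not the analysis the article quotes). `weak_generate` imitates the flaw the article describes, a generator whose only entropy is the current time in whole seconds, using Python’s Mersenne Twister; `strong_generate` does it properly with the OS CSPRNG via `secrets`. The entropy helpers reproduce the article’s arithmetic: 86,400 candidates per day is a little over 16 bits, or about three characters of a mixed-alphanumeric password.

```python
"""Why seeding a password generator with the clock is fatal.

Added example, not Kaspersky's code. The weak generator's entire state is
fixed by the Unix time in seconds, so every copy running anywhere in the
world produces the same output in the same second, exactly the failure
the article describes.
"""
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
SECONDS_PER_DAY = 86_400  # the candidate count the article cites


def weak_generate(unix_seconds: int, length: int = 12) -> str:
    """The flaw, reproduced: the only seed is the clock in whole seconds."""
    rng = random.Random(unix_seconds)  # fully determined by the second
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate(length: int = 12) -> str:
    """The fix: draw every symbol from the OS cryptographic RNG."""
    rng = secrets.SystemRandom()
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def entropy_bits(candidate_count: int) -> float:
    """Bits of entropy in a uniform choice among candidate_count options."""
    return math.log2(candidate_count)


def equivalent_length(bits: float, alphabet_size: int = len(ALPHABET)) -> float:
    """How many random characters from the alphabet carry the same bits."""
    return bits / math.log2(alphabet_size)


def full_strength_bits(length: int = 12, alphabet_size: int = len(ALPHABET)) -> float:
    """What a properly seeded generator of this length actually delivers."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed timestamp: 2021-07-06 00:00:00 UTC.
    t = 1625529600
    print("same second, two machines:", weak_generate(t), weak_generate(t))
    print("next second:", weak_generate(t + 1))
    print("strong:", strong_generate())
    day_bits = entropy_bits(SECONDS_PER_DAY)
    print(f"known day -> {day_bits:.1f} bits, "
          f"~{equivalent_length(day_bits):.1f} characters worth")
    print(f"properly seeded 12-char password: {full_strength_bits():.1f} bits")
```

The headline number is the gap between the two last lines of output: a correctly generated twelve-character alphanumeric password carries about 71 bits, while the clock-seeded one, given the generation day, carries about 16. Any password generator that can be reproduced from a timestamp is not a password generator.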

29 thoughts on “This Week In Security: Print Nightmare Continues, Ransomware Goes Bigger, And ATM Jackpots!”

  1. JUST GOES TO SHOW, THE MORE COMPLICATED YOU MAKE SOMETHING SO THAT IT WILL WORK, THE MORE COMPLICATED YOU MAKE SOMETHING TO MAKE SO THAT IT WILL WORK !!!!!! Then you have to make it more complicated to make work and keep working. Life was so much simpler when things were simpler.

    1. I find that life is simpler when I don’t try to pretend that the past was better. Many people, including myself, find the past to be filled with violence and hate, and look forward to a better future.

    2. Are you kidding me?! The past was an unmitigated security nightmare. The only thing that stopped everything from being hijacked was little of it was connected to the internet for long periods of time. Seriously, Windows 95/98/ME had no security measures in place, telnet was popular, and network hubs were used instead of switches. I would slap you if you were here.

      1. That’s the point, not everything was connected to the Internet. My microwave oven works just fine without wifi and its, I presume, 8051 microcontroller. So does most other stuff.
        All these security layers made something that needed a single core at 80 MHz nowadays need four cores running at 2.4 GHz. Without much added benefit for the user, I might add. I can write a document or doodle in my spreadsheet on Office 95 just fine, still works great and would do more than 95% of what all users ever need.

        And by the way Windows 98 was and is fine if you keep it behind a hardware firewall, your internet router for example. When that whole flatrate internet stuff came up I first used a decommissioned notebook running Coyote Linux, the trick was connecting the good old Telekom foot warmer to the uplink port of the hub. With just 768 KBit/sec for the first DSL lines you couldn’t saturate the network anyway.

  2. Remember shopping at a store without them asking for your phone number? They already need your banking information from your debit/credit card to pay. Life was harder, but simple in the 70’s. You paid cash, got your stuff and that was that. No phone numbers, no debit/credit cards needed. Using cash is quite easy, yet a lot of kids today can’t even make change.

    1. Sounds more like your debit/credit card providers or the chain the store is part of is using that data to fingerprint your shopping behavior so it can be sold to “data vendors”.

      You don’t need to return to cold, hard cash, you need vindictive, aggressive and fast acting user rights protections instead.

    2. Yes, it’s so much easier to drive to Seattle to hand cash to Amazon than it is to use a credit card. It’s so much better to pay your mortgage with cash, you should always carry several thousand dollars in cash with you at all times so you can pay your bills with it. There is no theft, no pickpockets, and people are always 100 percent perfect at counting money, especially when there are 20 people in line behind you at the grocery store and the kids are screaming at you.

      1. Fun fact: I don’t actually know anyone who was attacked for their cash. Definitely it happens, but I don’t personally know anyone it happened to.

        By contrast, I’ve lost count of the number of people I know who’ve lost money to electronic fraud of some kind – myself included when my card details were skimmed, I believe by a dodgy payment card machine at a petrol station.

      2. That is what a Giro account/checking account is for. You get your monthly income on it, rent and utilities get deducted from it and you grab the cash you need from an ATM or even when you buy at some stores, just tell the cashier that you want for example 100€ and it gets deducted from your account with the cost of the merchandise you just bought. They hand you hard cash and you can buy whatever you want with it. Not that hard.

    1. Yeah the best outcome here is for Amazon and Facebook to be perceived as victims, so that more laws will be enacted to protect their interests. Yup, that’s the ticket.

  3. Risk of potentially starting another world war with that method unfortunately. I think fighting digital warfare with digital warfare would be a better idea overall.

    1. Oh how soon we forget a certain Democratic party presidential candidate that threatened to nuke Russia over some alleged hacking that appears to not have happened, nonetheless open digital warfare.
