For the second time, Microsoft has attempted and failed to patch the PrintNightmare vulnerability. Tracked initially as CVE-2021-1675, and the second RCE as CVE-2021-34527. We warned you about this last week, but a few more details are available now. The original reporter, [Yunhai Zhang] confirms our suspicions, stating on Twitter that “it seems that they just test with the test case in my report”.
CVE-2021-1675 is meant to fix PrintNightmare, but it seems that they just test with the test case in my report, which is more elegant and also more restricted. So, the patch is incomplete. : (
— Yunhai Zhang (@_f0rgetting_) July 1, 2021
Microsoft has now shipped an out-of-band patch to address the problem, with the caveat that it’s known not to be a perfect fix, but should eliminate the RCE element of the vulnerability. Except … if the server in question has the point and print feature installed, it’s probably still vulnerable. And to make it even more interesting, Microsoft says they have already seen this vulnerability getting exploited in the wild.
Ransomware, The Big One
Kaseya makes remote management, security, and network monitoring products for IT departments and companies. Their VSA product specifically does remote monitoring and management, and had an optional on-premises component. Put simpler, you put their server on your network, and then installed their client on every computer you manage. The clients report back to the server, and you can install updates or fix problems remotely. It sounds great, actually. The only problem is that there was a pair of vulnerabilities in those servers.
The Dutch Institute for Vulnerability Disclosure had been doing research work on Kaseya systems, and had disclosed a number of flaws, which were working through the normal process of patching. CVE-2021-30116 seems to be the primary vulnerability used, and Kaseya was painfully close to rolling out a fix. The timing weakly suggests inside knowledge of Kaseya’s vulnerability and patching process, but that is by no means certain. Either way, the attack was launched over the 4th of July weekend in the US, and many Kaseya VSA machines were targeted. Once these management endpoints were compromised, a REvil malware binary was pushed out to all connected clients as an update to install. REvil has boasted that they scored over a million infections as a result, and have offered a universal decryptor for a cool $70,000,000.
We’ve discussed here how ransomware groups have put some effort into not making too big of a splash, as getting too much publicity can lead to seized servers, bitcoins mysteriously recovered by the FBI, and actual arrests, depending on what country the group operates out of. It will be interesting to see if an event of this magnitude results in further action.
NFC ATM Jackpot
Near Field Communications (NFC) is the technology that powers non-contact smart cards. You may use one of these for access control to get into your workplace. You probably have NFC tech built into your credit cards, and maybe your passport, too. Most cell phones can do NFC communications, and here’s the important bit, they can mimic a smart card. What do you suppose a security researcher would do with such an ability? Naturally, use this ability to send malformed smart card data to a reader and see what happens.
That’s just what [Josep Rodriguez] did, to a bunch of ATM machines. He is part of IOActive, a security research company, and they have a consulting contract with one of the ATM vendors. It seems that his work on the one device inspired security testing of multiple brands. Quite a few can be crashed via unexpected NFC input, and if we know anything from the last few years of security research, that often means that things are vulnerable to full exploit. And, as expected, on the machine he could legally attempt a full exploit against, [Rodriguez] hit the jackpot. Literally.
Jackpotting an ATM is when an attacker can convince it to dispense all its cash at once. There have been a few ways to do this in the past, from stealing manufacturer’s tools, to attacking the machine physically. This is the first time such an attack has been found over NFC, or at least that has been publicly talked about. More information about the attacks are coming. It seems this initial story is intended to be a warning shot to vendors, that it’s time to get serious about patching their equipment.
Vulnerable Training App
Interested in Android App security? There’s a training tool you might be interested in, the Damn Vulnerable Bank. It’s an Android app that looks and works just like a real app might, but without the legal problems that go with hacking into a real bank’s infrastructure. And there’s a getting-started guide that walks you through the process of getting the app running in an emulator, including defeating the built-in protections against such research.
Password Stealing Gets Tricky
Android apps that try to harvest data from users is nothing new, right? I almost passed this story by, until I noticed that these apps were doing something clever. The set of apps found by analysts at Doctor Web are working apps, and show ads just as we’ve come to expect. These apps have a unique option to get rid of the ads showing, just log into your Facebook account. Hit that button, and the Facebook login page shows up right in the app, making for an easy experience.
All Your Database Are Belong To Us
One of the ways private data leaks out to the world is through an unsecured database. There are quite a few of the non-traditional databases that either complete lack built-in security, or default to an insecure installation. That isn’t a problem, so long as the people using the database take the appropriate steps to keep the data secure. How many such databases do you think are exposed to the internet right now?
Researchers at RedHunt Labs wanted to know, so they started scanning the IPv4 space for unsecured databases. They picked eight databases, and started looking, and found a total of 95,321 insecure or totally unsecured databases exposed to the internet. It’s hard to know how many of those have proprietary data, but there’s also the possibility that each of those represents a foothold into a network. Keep your databases off the internet!
How Broken Can You Make A Password Manager
And finally, in the facepalm category, Kaspersky’s Password Manager was generating extremely insecure passwords. There were several odd issues at play, but by far the worst was that the only source of randomness the generator used was the current time … in seconds. To quote the article, “every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second.” To put it another way, if you know the day a password was generated by this system, you can immediately narrow it down to a list of 86,400 passwords. That’s just a little bit more than 16 bits, or the equivalent of a three-character password. Oof.
29 thoughts on “This Week In Security: Print Nightmare Continues, Ransomware Goes Bigger, And ATM Jackpots!”
JUST GOES TO SHOW, THE MORE COMPLICATED YOU MAKE SOMETHING SO THAT IT WILL WORK, THE MORE COMPLICATED YOU MAKE SOMETHING TO MAKE SO THAT IT WILL WORK !!!!!! Then you have to make it more complicated to make work and keep working. Life was so much simpler when things were simpler.
Like how Apple makes things simpler?
Until you need to use them, anyway.
Have fun with your Mac VPN app and trying to access network shares!
I find that life is simpler when I don’t try to pretend that the past was better. Many people, including myself, find the past to be filled with violence and hate, and look forward to a better future.
100%, rose tinted glasses have a peculiar way of making one only remember the best parts of the past and ignore all the unsavory bits.
You should probably stay off Twitter then…
Socialism sucks, and Communism is worst. Only Capitalism is compatible with freedom and Individual Rights to actions.
You guys get into the weirdest discussions in these articles. :P
Skip topic drift and go straight into avalanche.
Are you kidding me?! The past was an unmittigated security nightmare. The only thing that stopped everything from being hijacked was little of it was connected to the internet for long periods of time. Seriously, Windows 95/98/ME had no security measures in place, telnet was popular, and network hubs were used instead of switches. I would slap you if you were here.
Thats the point, not everything was connected to the Internet. My microwave oven works just fine without wifi and its, i presume, 8051 microcontroller. So does most other stuff.
All these security layers made something that needed a single core at 80 MHz nowadays need four cores running at 2.4 GHz. Without much added benefit for the user i might add. I can write a document or doodle in my spreadsheet on Office 95 just fine, still works great and would do more than 95% of what all users ever need.
And by the way Windows 98 was and is fine if you keep it behind a hardware firewall, your internet router for example. When that whole flatrate internet stuff came up i first used a decommissioned notebook running Coyote Linux, the trick was connecting the good old Telekom foot warmer to the uplink port of the hub. With just 768 KBit/sec for the first DSL lines you couldn’t saturate the network anyway.
The internet 1.0 was a very broken place back then, of course it had its perks as well as most folks couldn’t afford a desktop so there was that.
Renenber shopping at a store without them asking for your phone number?
They already need your banking information from your debit/credit card to pay.
Life was harder, but simple in the 70’s. You paid cash, got your stuff and
that was that. No phone numbers, no debit/credit cards needed.
Using cash is quite easy, yet a lot of kids today can’t even make change.
Sounds more like your debit/credit card providers or the chain the store is part of is using that data to fingerprint your shopping behavior so it can be sold to “data vendors”.
You don’t need to return to cold, hard cash, you need vindictive, aggressive and fast acting user rights protections instead.
Yes, it’s so much easier to drive to Seattle to hand cash to Amazon than it is to use a credit card. It’s so much better to pay your mortgage with cash, you should always carry several thousand dollars in cash with you at all times so you can pay your bills with it. There is no theft, no pickpockets, and people are always 100 percent perfect at counting money, especially when there are 20 people in line behind you at the grocery store and the kids are screaming at you.
Fun fact: I don’t actually know anyone who was attacked for their cash. Definitely it happens, but I don’t personally know anyone it happened to.
By contrast, I’ve lost count of the number of people I know who’ve lost money to electronic fraud of some kind – myself included when my card details were skimmed, I believe by a dodgy payment card machine at a petrol station.
Avoid petrol stations entirely, buy an EV.
That is what a Giroaccount/checking account is for. You get your monthly income on it, rent and utilities get deducted from it and you grab the cash you need from an ATM or even when you buy at some stores, just tell the cashier that you want for example 100€ and it gets deducted from your account with the cost of the merchandise you just bought. They hand you hard cash and you can buy whatever you want with it. Not that hard.
Apparently the next ransomware attack will be hosted from your computer.
Naw. The CIA doesn’t need that kind of reputation. Besides that’s a can of worms few want to open.
Hope they take down Facebook and AMAZON. Douche nozzels Zuck and Beezos can afford the ransome.
I want them to hit Musk, because there’s a man who will make some angry tweets, decide to hit them back, and then probably not sleep until he’s wiped them out.
Updated version of the quote “Never pick a fight with a man who buys ink by the barrel and paper by the ton.” Just apply it to rockets and payloads.
Yeah the best outcome here is for Amazon and Facebook to be perceived as victims, so that more laws will be enacted to protect their interests. Yup, that’s the ticket.
Risk of potentially starting another world war with that method unfortunately. I think fighting digital warfare with digital warfare would be a better idea overall.
Oh how soon we forget a certain Democratic party presidential candidate that threatened to nuke Russia over some alleged hacking that appears to not have happened, none-the-less open digital warfare.
If I were a conspiracy theorist, I might accuse Kaspersky of intentionally sabotaging their password manager.
Why not? Their dodgy antivirus program does more harm than good as it happens.
Ransomware attacks are done by amateurs. If you are getting breached by amateurs then you aren’t really investing in security.
Please be kind and respectful to help make the comments section excellent. (Comment Policy)