This Week In Security: What’s Up With Whatsapp, Windows XP Patches, And Cisco Is Attacked By The Thrangrycat

May 21, 2019 by Jonathan Bennett 21 Comments

Whatsapp allows for end-to-end encrypted messaging, secure VoIP calls, and until this week, malware installation when receiving a call. A maliciously crafted SRTCP connection can trigger a buffer overflow, and execute code on the target device. The vulnerability was apparently found first by a surveillance company, The NSO Group. NSO is known for Pegasus, a commercial spyware program that they’ve marketed to governments and intelligence agencies, and which has been implicated in a number of human rights violations and even the assassination of Jamal Khashoggi. It seems that this Whatsapp vulnerability was one of the infection vectors used by the Pegasus program. After independently discovering the flaw, Facebook pushed a fixed client on Monday.

Windows XP Patched Against Wormable Vulnerability

What year is it!? This Tuesday, Microsoft released a patch for Windows XP, five years after support for the venerable OS officially ended. Reminiscent of the last time Microsoft patched Windows XP, when Wannacry was the crisis. This week, Microsoft patched a Remote Desktop Protocol (RDP) vulnerability, CVE-2019-0708. The vulnerability allows an attacker to connect to the RDP service, send a malicious request, and have control over the system. Since no authentication is required, the vulnerability is considered “wormable”, or exploitable by a self-replicating program.

Windows XP through Windows 7 has the flaw, and fixes were rolled out, though notably not for Windows Vista. It’s been reported that it’s possible to download the patch for Server 2008 and manually apply it to Windows Vista. That said, it’s high time to retire the unsupported systems, or at least disconnect them from the network.

The Worst Vulnerability Name of All Time

Thrangrycat. Or more accurately, “😾😾😾” is a newly announced vulnerability in Cisco products, discovered by Red Balloon Security. Cisco uses secure boot on many of their devices in order to prevent malicious tampering with device firmware. Secure boot is achieved through the use of a secondary processor, a Trust Anchor module (TAm). This module ensures that the rest of the system is running properly signed firmware. The only problem with this scheme is that the dedicated TAm also has firmware, and that firmware can be attacked. The TAm processor is actually an FPGA, and researchers discovered that it was possible to modify the FPGA bitstream, totally defeating the secure boot mechanism.

The name of the attack, thrangrycat, might be a satirical shot at other ridiculous vulnerability names. Naming issues aside, it’s an impressive bit of work, numbered CVE-2019-1649. At the same time, Red Balloon Security disclosed another vulnerability that allowed command injection by an authenticated user.

Odds and Ends

Google discovered that their Bluetooth Security Keys use Bluetooth, and maybe that’s not a great idea.
Our own Bob Baddeley finally put the Supermicro server story to bed, probably.
Fifty year old aviation technology is hackable, but probably won’t be.

See a security story you think we should cover? Drop us a note in the tip jar!

Free As In Beer, Or The Story Of Windows Viruses

July 5, 2017 by Elliot Williams 211 Comments

Whenever there’s a new Windows virus out there wreaking global havoc, the Linux types get smug. “That’ll never happen in our open operating system,” they say. “There are many eyes looking over the source code.” But then there’s a Heartbleed vulnerability that keeps them humble for a little while. Anyway, at least patches are propagated faster in the Linux world, right?

While the Linuxers are holier-than-thou, the Windows folks get defensive. They say that the problem isn’t with Windows, it’s just that it’s the number one target because it’s the most popular OS. Wrong, that’d be Android for the last few years, or Linux since forever in the server space. Then they say it’s a failure to apply patches and upgrade their systems, because their users are just less savvy, but that some new update system will solve the problem.

There’s some truth to the viruses and the patching, but when WannaCry is taking over hospitals’ IT systems or the radiation monitoring network at Chernobyl, it’s not likely to be the fault of the stereotypical naive users, and any automatic patch system is only likely to help around the margins.

So why is WannaCry, and variants, hitting unpatched XP machines, managed by professionals, all over the world? Why are there still XP machines in professional environments anyway? And what does any of this have to do with free software? The answer to all of these questions can be found in the ancient root of all evil, the want of money. Linux is more secure, ironically, at least partly because it’s free as in beer, and upgrading to a newer version is simply cheaper.

Continue reading “Free As In Beer, Or The Story Of Windows Viruses” →

Global Cyber Attack Halted: Autopsy Time

May 13, 2017 by Jack Laidlaw 131 Comments

Friday saw what looked like the most dangerous ransomware infection to date. The infection known as WannaCry was closing down vital hospital IT systems across the UK canceling major operations and putting lives at risk.

Spread Halted?

It spread further around the world and almost became a global pandemic. Although machines are still encrypted demanding Bitcoin, one security blogger [MalwareTech] halted the ransomware by accident. As he was analyzing the code he noticed that the malware kept trying to connect to an unregistered domain name “iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com”. So he decided to register the domain to see if he could get some analytics or any information the worm was trying to send home. Instead much to his surprise, this halted the spread of the ransomware. Originally he thought this was some kind of kill switch but after further analysis, it became clear that this was a test hard-coded into the malware which was supposed to detect if it was running in a virtual machine. So by registering the domain name, the ransomware has stopped spreading as it thinks the internet is a giant virtual machine.

Why was the UK’s NHS Hit So Badly?

According to the [BBC] Information obtained by software firm Citrix under Freedom of Information laws in December suggest up to 90% of NHS trusts were still using Windows XP, However NHS Digital says it is a “much smaller number”. Microsoft has rolled out a free security update to Windows XP, Windows 8, and Windows Server 2003 “to protect their customers”. There was much warning about XP no longer receiving updates etc, the 2001 operating system just needs to die however so many programs especially embedded devices rely upon the fact that the OS running is Windows XP, This is a problem that needs sorted sooner rather than later. There is still obvious problems facing the NHS as all outpatients appointment’s have been canceled at London’s Barts Health NHS Trust which happens to be the largest in the country. However [Amber Rudd], Home Secretary, said 97% of NHS trusts were “working as normal” and there was no evidence patient data was affected. Let’s just hope they update their systems and get back to fixing people as soon as they can.

Where Else Was Hit?

There was quite a few other places hit as well as the UK’s NHS including The Sunderland Nissan Plant also in the UK, Spanish telecoms giant Telefonica along with some gas companies in Spain. In the US FedEx was affected, France has seen production in some of it’s Renault factories halted. Finally, Russia reported 1000 governmental computer systems has been hit.

So is this the end for ransomware?

No, this infection was stopped by accident the infected are either still infected or have paid up, had they not included the sloppy code in the first place then who knows what would have happened. Microsoft had rolled out patches but some people/organizations/Governments are lazy and don’t bother to apply them. Keep your computers up to date, Good luck because we think we will be seeing a lot more ransomware malware in the coming years.

[Update WannaCry v. 2.0 has been released without the “kill switch”, We wonder what will happen now. Probably not a lot as the media attention has been quite intense so it may not be that big an infection however there is always a few who live in the land where news doesn’t exist and will go a long their day until BAM! Ransom Ware installed and pockets emptied.]