FBI Starts Securing Organisations against ProxyLogon 👮‍♂️, Clubhouse Data Dump🏡, iOS Game Actually a Hidden Casino 💰

CyberLite Apr 20, 2021

Welcome to all the new CyberLite readers who’ve joined since the last issue! If you haven’t joined them yet, you can get the most impactful news in cybersecurity delivered to you each week by subscribing here.

See a term you don’t understand in this issue? Any word that’s in italics and underlined is explained in a guide that accompanies each issue. Just click on them and you’ll be taken to the guide!


📰 News

Catching you up on everything important that happened this week…

🏡 Clubhouse Data Dump

Clubhouse has joined Linkedin and Facebook in having a large collection of its user data collected and posted online. If you missed those events check out last week's issue! The profile information of 1.3M users has been posted online for free. Here was Clubhouse's response to the story.

This is misleading and false. Clubhouse has not been breached or hacked. The data referred to is all public profile information from our app, which anyone can access via the app or our API. https://t.co/I1OfPyc0Bo.  — Clubhouse (@joinClubhouse) April 11, 2021

The narratives around these data dumps are interesting, they're framed as data breaches, yet nothing has been breached to access the data given it was already publicly available.

The bigger question is whether or not users' profile information should be so readily available online and via APIs. Are all users aware that this information can be accessed so easily? Link.

📧 FBI Starts Securing Organisation's Networks against ProxyLogon

We've had a few weeks without talking about the Microsoft Exchange Server vulnerabilities collectively known as ProxyLogon. Before we dive into the developments this week here's a quick recap:

At the start of March Microsoft disclosed four vulnerabilities in Exchange Server and advised that they were being actively exploited by several global threat actors. If you haven't heard of Exchange Server before it's responsible for managing users’ mail and calendar data. The vulnerabilities could be used to access users’ email accounts and install malware on victims’ computers. Wherever the vulnerability was been exploited attackers left behind a web-shell, a piece of code that enables a server to be controlled/administrated remotely. Researchers found web shells in place at over 100,000 US organizations including police departments, local governments and hospitals.

Fast forward to the present and the vast majority of organizations have patched these vulnerabilities, but a large number of the web shells remain installed on organization's servers. In an unprecedented court order, the FBI has been given permission to remove any web shells that are still installed on networks in the US. The implications of this still need to play out, do we really want the FBI to be allowed to access and change an organization’s network in the name of “security”? Particularly when there’s rarely transparency about their intentions and actions. Link.

💣 Texas Man Tries to "Kill off the internet"

A Texas man has been charged with plotting the bombing of Amazon Web Services in a quest to, wait for it... “kill off the internet.” Needless to say, he wasn't successful and may have been slightly misguided in his approach. Link.

💸 iOS Kids Game Transforms into an Online Casino

An iOS game called Jungle Run has been removed from the App Store after it was discovered to also function as a cryptocurrency casino. If you accessed the app using a VPN set to Turkey then the casino appeared. This is a pretty ingenious way of hiding an app that otherwise wouldn't be approved on the App Store. Link.

⁉ Google Project Zero Extends Their Timeline for Disclosing Vulnerabilities

Project Zero is a team of analysts at Google tasked with finding zero-day vulnerabilities in the world's most important software. Previously after Project Zero discovered a vulnerability developers would get 90 days before the details of the vulnerability public. This gave developers a timer of 90 days to fix the vulnerability and get as many users to install the fix as possible.

But now Project Zero has agreed to always wait 30 more days after developers release a patch for the vulnerability - allowing time for a majority of users to install the patch. Definitely a sensible change! Link.

Security researchers have discovered a new type of attack affecting popular desktop applications like Telegram, Wireshark and OpenOffice. These applications all allowed users to input a URL that the app would visit, however they weren't checking the URLs so researchers were able to abuse this feature to run malicious code. If researchers supplied a URL pointing to a malicious executable on a file-sharing website then the application would download and run the malware. Most of the applications have now fixed the issue thankfully but the attack was certainly an interesting discovery! Link.

💻 US and UK Officially Accuse Russia's Intelligence Service of Carrying Out SolarWinds Attack

The Russian Advanced Persistent Threat Group (APT) known as "Cozy Bear" has been officially accused of carrying out last year's SolarWinds attack. Want a recap on SolarWinds? Check out a previous CyberLite issue! Link.

🔐 Privacy Focused Browsers and Search Engines Block Google's FLoC

Google's proposal for replacing third-party cookies, Federated Learning of Cohorts (FLoC) hasn't received the best reception. FLoC groups Chrome users based on their interests and demographics. The Brave and Vivaldi browsers as well as the DuckDuckGo search engine have all blocked FLoC from working on their platforms. They've all said that they don't condone tracking of any sort. Link.


🎯 New Vulnerabilities

The most interesting new vulnerabilities disclosed this week. We had March's Patch Tuesday last week. Patch Tuesday is when Microsoft and other software makers like Adobe all release security updates - it’s the second Tuesday of each month.

📱 Whatsapp patched two vulnerabilities affecting older Android devices on Android 9 or lower (around 50% of Android devices). The vulnerabilities allowed researchers to execute arbitrary code and compromise the encryption on messages. Link.

🌐 Two critical zero-day vulnerabilities in Chrome that were being actively exploited have been patched. One vulnerability involves an input not being sufficiently validated, the flaw was uncovered at the Pwn2Own hacking contest 2 weeks ago. The second flaw is a use-after free vulnerability; both flaws would enable an attacker to execute arbitrary code. Link.

🏠 Microsoft's April update patched more than 110 security flaws across all of their software; 19 flaws earned Microsoft’s critical rating, meaning they can be exploited without help from an insider. Four more flaws were found in Exchange Server, not to be confused with the ProxyLogon vulnerabilities mentioned earlier. Another notable flaw was a Windows vulnerability that would allow an attacker to elevate their privileges on a system they'd already gained access to. Link.

📷 Adobe has fixed four critical vulnerabilities in Adobe Bridge which is their creative-asset manager. Two vulnerabilities would enable arbitrary code to be executed. Photoshop also received some love with two buffer overflow vulnerabilities being patched. Link.

👩‍💻 A set of nine vulnerabilities dubbed NAME:WRECK have been discovered in networking software that's commonly used in IoT devices. The vulnerabilities affect any devices that use FreeBSD, Nucleus NET, NetX or IPnet. Patches are available for all of them except for IPnet, although it will be some time before patches are widely adopted. IoT devices can be very difficult to update, it's difficult to determine what software devices are running and some simply aren't built to allow updates. The vulnerabilities could enable attackers to find their way into an organization's networks and exfiltrate sensitive information. Link.


💭 Anything Else?

Other news, ideas and insights from around the web that you might enjoy.

🤼 CSO Online outline some social engineering tactics that have been on the rise. Any new social engineering techniques are interesting because they exploit the weakest and most complex piece of the security equation - the people. Link.

🐦21 Cybersecurity Experts to Follow on Twitter. Link.

🦜 A great Twitter thread from Devdatta Akhawe on how organizations should approach improving supply chain security. Link.

📑 Heard of no-code/low-code platforms? This article breaks down this new ecosystem and gives you recommendations on tools to help improve your own workflow. Link.


❤ Liked what you read?

Nothing helps me out more than sharing CyberLite with a friend who might enjoy it. If you do please tag me so I can say thanks!

If you’re that friend… Sign up here to receive CyberLite every week!


🎁 Wrapping Up

If you’ve got questions, comments or just fancy a chat then shoot me an email or send me a message on Linkedin/Twitter. I’d love to hear from you!

Thanks for reading, I’ll catch you next week!

Oli

Oliver Kitchin

Cybersecurity consultant. Passionate about people, technology and the great outdoors. He/Him.

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.