In what’s being described as a Humpty-Dumpty incident, Rackspace customers have lost access to their hosted Exchange service, and by extension, lots of archived emails. The first official word of trouble came on December 2nd, and it quickly became clear that this was more than the typical intern-tripped-over-the-cable incident. Nearly a week later, Rackspace confirmed what observers were beginning to suspect: it was a ransomware attack. There aren’t many other answers yet, and the incident FAQ answers are all variations on a theme.
Our investigation into the incident is ongoing and will take time to complete. To ensure the integrity of the ongoing investigation, we do not have additional details to share at this time.
Knowing the security issues that have plagued Microsoft Exchange over the last couple of months, one has to wonder if Rackspace was breached as a result of the PowerShell problems. What’s staggering is that a week after the incident, Rackspace still has no timeline for service restoration.
Rackspace isn’t the only major ransomware attack this week, as a hospital in Versailles has partially shut down due to another ransomware attack. Operations were canceled, and work has to be done the old-fashioned way, without the network to support it.
Hikvision Rebadge Gotcha
There’s a joke that’s halfway serious, that claims that there’s actually only one manufacturer of security cameras. While not entirely implausible, it’s common knowledge that many cameras on the market are rebadged Hikvision or Dahua hardware. That rebadge means that a security issue in one brand may affect far more devices than initially suspected. In this case, a vulnerability in Hikvision Ezviz cameras appeared to be limited to that brand, but research by IPVM confirmed that other Hikvision-manufactured cameras share the same issue. That is, bad crypto makes the admin password recoverable. Even worse, Ezviz cameras are a cloud solution, but many other Hikvision models are exposed to the Internet. A Shodan scan suggests over 400,000 devices are unpatched and accessible. As they’re not current models, there’s not a security update planned.
And speaking of cameras, Anker’s Eufy system seems to have some severe security issues that fly in the face of all the privacy assurances made about the system. Anker claims the cameras only store data locally, streaming is end-to-end encrypted all the way to the user’s devices, etc. The truth seems to be that anyone with a camera’s serial number could trivially brute-force the 16-bit key to produce an unencrypted stream. So far, this looks ugly. Some fixes have been rolled out, but the entire system appears to be much less secure and private than Anker advertised it to be.
The ping utility has a bit of an issue, made more serious by the requirement for it to run setuid root. When sending a ping, the response from the remote server gets copied into local memory, and that response can include a quoted packet. That quoted packet can include extra, unexpected options, which can lead to a buffer overflow during processing. This may be possible to chain into Remote Code Execution (RCE), giving a whole new meaning to “ping of death”. Patches were made available November 29th.
Android Keys Leaked
There are problems over in Android-land, too. It seems that multiple vendors have lost control of their secret keys, and malware is currently being distributed using those signing keys. The list includes Samsung, LG, and Mediatek. It’s bad in multiple ways. One in particular is that these keys are “platform certificate keys”, which allow a signed app to run as a system user — nearly worst-case for malware. Questions abound, like how multiple vendors are affected. Even more puzzling is the fact that VirusTotal has a malicious sample using Samsung’s signing key from 2016. How or why the key has been compromised for six years and is still in use is unknown. If more information becomes available, we’ll revisit this very odd story in the future.
The WordPress Race
How many of us have done WordPress installs? Remember how quick and easy it is? Just get the installer extracted to the right place, open it in a web browser, and punch a few details in. Give it your database information, and your site is quickly online. There’s a gotcha that may surprise you. The “5-minute install” is actually a window for exploit. The usual process puts the installer on the public internet, but since there aren’t any links pointing to the installer, it’s vanishingly unlikely to be found by an attacker before the install finishes. However, many services automate acquiring a valid SSL certificate, and every new certificate generates an entry on the Certificate Transparency Log. (Side note, every Let’s Encrypt certificate does the same, meaning your private project may not be as private as you thought.)
The actual attack, which is happening in the wild, is fiendishly clever. A single POST points the WordPress database settings at the attacker’s server. When the legitimate user runs the installer, it looks just as expected, except that it never prompts for database settings. The result is that the attacker, who is hosting the database, is the ultimate authority over the WordPress install. When researching sites that had been compromised in this way, the researcher that caught this campaign, [Vladimir Smitka], found various compromises like web shells, malicious plugins, and more! In response, he set up an automated service that watches the malicious database and emails the legitimate site owner for every new compromised domain.
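A post-install check a site owner can run against the hijack described above. This is an added example, not code from the article or from [Vladimir Smitka]’s service: it parses the define() constants in wp-config.php and flags a DB_HOST outside an allowlist, since the attacker’s POST leaves the finished install pointing at a database the owner does not control. The allowlist and the sample config are assumptions constructed for this example.

```python
"""Flag a WordPress wp-config.php whose database host is not one the
site owner expects, the footprint of the installer-hijack described above."""
import re

# Hosts the owner expects to see; an assumption for this example.
EXPECTED_DB_HOSTS = {"localhost", "127.0.0.1", "db.internal.example"}

# Matches define( 'KEY', 'value' ); with single or double quotes.
_DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<key>[A-Z_]+)['"]\s*,\s*['"](?P<val>[^'"]*)['"]\s*\)"""
)

def parse_defines(config_text: str) -> dict:
    """Return the string-valued define() constants found in wp-config.php."""
    return {m.group("key"): m.group("val") for m in _DEFINE_RE.finditer(config_text)}

def db_host_findings(config_text: str, expected=EXPECTED_DB_HOSTS) -> list:
    """Return a list of findings; empty means DB_HOST is on the allowlist."""
    defines = parse_defines(config_text)
    host = defines.get("DB_HOST")
    if host is None:
        return ["DB_HOST missing: install may not have completed"]
    # WordPress allows host:port or host:/path/to/socket; compare the host part only
    # (IPv4 / hostnames; bracketed IPv6 literals are not handled here).
    bare = host.split(":", 1)[0]
    if bare not in expected:
        return [f"DB_HOST {host!r} is not an expected database host"]
    return []

# Constructed sample of a hijacked config; the host name is a placeholder.
HIJACKED_CONFIG = """<?php
define( 'DB_NAME', 'wp' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'x' );
define( 'DB_HOST', 'db.attacker-controlled.invalid:3306' );
"""
CLEAN_CONFIG = HIJACKED_CONFIG.replace("db.attacker-controlled.invalid:3306", "localhost")

if __name__ == "__main__":
    for name, cfg in (("hijacked", HIJACKED_CONFIG), ("clean", CLEAN_CONFIG)):
        print(name, db_host_findings(cfg) or "OK")
```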
KmsdBot Does Us a Favor: The Fatal Typo
It’s hard to imagine a better poetic ending for KmsdBot. This botnet was written using Go, and the payload runs in memory without writing any permanent changes to disk. The author seems to have skimped on the error handling part of the code. And to our great delight, the good folks at Akamai were watching when the botnet operator sent a typo’ed command.
The command “!bigdata http://www.bitcoin.com443 / 30 3 3 100” should have included a space between the URL and the port number. It didn’t, and it looks like the entire botnet crashed as a result. One less to worry about.
Bits and Bytes
Not to be left out, Kaspersky researchers have found a wiper masquerading as a fake ransomware campaign, this time targeting machines solely in Russia. CryWiper checks in with a C&C server before actually scrambling files, and once it gets clearance it runs every 5 minutes. The malware goes out of its way to stop SQL services, Exchange servers, and other such services. This likely ensures that the database on disk is corrupted, rather than the write being denied because the service has a lock on the file. Also of interest, it disables Remote Desktop Protocol on the affected system.
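A detection sketch for the behaviour just described, added here and not taken from Kaspersky’s report: it correlates a stop of a SQL or Exchange service with an RDP-disable on the same host inside a short window. The log lines and their pipe-separated field layout are constructed for this example; the service name prefixes and the fDenyTSConnections registry value are the usual Windows names, not indicators from the article.

```python
"""Correlate SQL/Exchange service stops with RDP being disabled on the same
host, the preparation pattern the article describes for CryWiper."""
from datetime import datetime, timedelta

# Constructed events: "timestamp|host|event_type|detail"
SAMPLE_LOG = """\
2022-12-05T09:00:12|srv01|service_stop|MSSQLSERVER
2022-12-05T09:00:14|srv01|service_stop|MSExchangeIS
2022-12-05T09:01:03|srv01|registry_set|fDenyTSConnections=1
2022-12-05T09:06:10|srv01|service_stop|MSSQLSERVER
2022-12-05T13:00:00|srv02|service_stop|Spooler
2022-12-05T13:40:00|srv02|registry_set|fDenyTSConnections=1
"""

# Service name prefixes that hold database files open (assumed list).
TARGET_SERVICE_PREFIXES = ("MSSQL", "SQL", "MSExchange")
RDP_DISABLED = "fDenyTSConnections=1"
WINDOW = timedelta(minutes=10)

def parse_events(text):
    """Parse the constructed format into (timestamp, host, kind, detail) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, kind, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return sorted(events)

def wiper_prep_alerts(text, window=WINDOW):
    """Return hosts where a target-service stop and an RDP-disable fall within window."""
    per_host = {}
    for ts, host, kind, detail in parse_events(text):
        per_host.setdefault(host, []).append((ts, kind, detail))
    alerts = []
    for host, evs in per_host.items():
        stops = [ts for ts, kind, d in evs
                 if kind == "service_stop" and d.startswith(TARGET_SERVICE_PREFIXES)]
        rdp_off = [ts for ts, kind, d in evs
                   if kind == "registry_set" and d == RDP_DISABLED]
        # srv02 stops only the print spooler, so it does not trip the rule.
        if any(abs(s - r) <= window for s in stops for r in rdp_off):
            alerts.append(host)
    return alerts

if __name__ == "__main__":
    print("hosts to triage:", wiper_prep_alerts(SAMPLE_LOG))
```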
And finally, something novel in the world of physical security. Picking some locks is laughably easy, if you have the proper tools. A skilled thief might carry a tension wrench and lock rake tool, and give a lock a few seconds of effort before giving up — or turning to an angle grinder. The traditional way to defeat a trivial picking attempt is to make a better lock. Tighter tolerances and security pins make raking very difficult. The Curt Coupler Lock has taken a different approach. The lock core is trivially raked, but the core locks in four different orientations, and the unlock procedure works by unscrewing the lock through nearly three turns. Yes, this lock has to be picked eleven times to get it open without the key. Now it’s not a perfect solution — the whole video is only three minutes long after all. But it’s clever, and that’s something.