Connect with us

Biz & IT

Hackers are exploiting a critical zeroday in firewalls from SonicWall



Network security provider SonicWall said on Monday that hackers are exploiting a critical zeroday vulnerability in one of the firewalls it sells.

The security flaw resides in the Secure Mobile Access 100 series, SonicWall said in an advisory updated on Monday. The vulnerability, which affects SMA 100 firmware versions 10.x, isn’t slated to receive a fix until the end of Tuesday.

Monday’s update came a day after security firm NCC Group said on Twitter that it had detected “indiscriminate use of an exploit in the wild.” The NCC tweet referred to an earlier version of the SonicWall advisory that said its researchers had “identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products.”

In an email, an NCC Group spokeswoman wrote: “Our team has observed signs of an attempted exploitation of a vulnerability that affects the SonicWall SMA 100 series devices. We are working closely with SonicWall to investigate this in more depth.”

In Monday’s update, SonicWall representatives said the company’s engineering team confirmed the submission by NCC Group included a “critical zero-day” in the SMA 100 series 10.x code. SonicWall is tracking it as SNWLID-2021-0001.

The disclosure makes SonicWall at least the fifth large company to report in recent weeks that it was targeted by sophisticated hackers. Other companies include network management tool provider SolarWinds, Microsoft, FireEye, and Malwarebytes. CrowdStrike also reported being targeted but said the attack wasn’t successful.

Neither SonicWall nor NCC Group said that the hack involving the SonicWall zeroday was linked to the larger SolarWinds hack campaign. Based on the timing of the disclosure and some of the details in it, however, there is widespread speculation that the two are connected.

NCC Group has declined to provide additional details before the zeroday is fixed to prevent the flaw from being exploited further.

People who use SonicWall’s SMA 100 series should read the company’s advisory carefully and follow stopgap instructions for securing products before a fix is released. Chief among them:

  1. If you must continue operation of the SMA 100 Series appliance until a patch is available
    • Enable MFA.  This is a *CRITICAL* step until the patch is available.
    • Reset user passwords for accounts that utilized the SMA 100 series with 10.X firmware
  2. If the SMA 100 series (10.x) is behind a firewall, block all access to the SMA 100 on the firewall;
  3. Shut down the SMA 100 series device (10.x) until a patch is available; or
  4. Load firmware version 9.x after a factory default settings reboot. *Please back up your 10.x settings*
    • Important Note: Direct downgrade of Firmware 10.x to 9.x with settings intact is not supported.  You must first reboot the device with factory defaults and then either load a backed up 9.x configuration or reconfigure the SMA 100 from scratch.
    • Ensure that you follow multifactor authentication (MFA) best practice security guidance if you choose to install 9.x.
      SonicWall firewalls and SMA 1000 series appliances, as well as all respective VPN clients, are unaffected and remain safe to use.

Continue Reading

Biz & IT

Microsoft issues emergency patches for 4 exploited 0-days in Exchange



Microsoft is urging customers to install emergency patches as soon as possible to protect against highly skilled hackers who are actively exploiting four zero-day vulnerabilities in Exchange Server.

The software maker said hackers working on behalf of the Chinese government have been using the previously unknown exploits to hack on-premises Exchange Server software that is fully patched. So far, Hafnium, as Microsoft is calling the hackers, is the only group it has seen exploiting the vulnerabilities, but the company said that could change.

“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,” Microsoft Corporate Vice President of Customer Security & Trust Tom Burt wrote in a post published Tuesday afternoon. “Promptly applying today’s patches is the best protection against this attack.”

Burt didn’t identify the targets other than to say they are businesses that use on-premises Exchange Server software. He said that Hafnium operates from China, primarily for the purpose of stealing data from US-based infectious disease researchers, law firms, higher-education institutions, defense contractors, policy think tanks, and nongovernmental organizations.

Burt added that Microsoft isn’t aware of individual consumers being targeted or that the exploits affected other Microsoft products. He also said the attacks in no way are connected to the SolarWinds-related hacks that breached at least nine US government agencies and about 100 private companies.

The zero-days are present in Microsoft Exchange Server 2013, 2016, and 2019. The four vulnerabilities are:

  • CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allowed the attackers to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is when untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave Hafnium the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
  • CVE-2021-26858, a post-authentication arbitrary file write vulnerability. If Hafnium could authenticate with the Exchange server, then it could use this vulnerability to write a file to any path on the server. The group could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
  • CVE-2021-27065, a post-authentication arbitrary file write vulnerability. If Hafnium could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. It could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

The attack, Burt said, included the following steps:

  1. Gain access to an Exchange server either with stolen passwords or by using the zero-days to disguise the hackers as personnel who should have access
  2. Create a web shell to control the compromised server remotely and
  3. Use that remote access to steal data from a target’s network

As is usual for Hafnium, the group operated from leased virtual private servers in the US.

More details, including indicators of compromise, are available here and here.

Microsoft credited security firms Volexity and Dubex with privately reporting different parts of the attack to Microsoft and assisting in the investigation that followed. Businesses using a vulnerable version of Exchange Server should apply the patches as soon as possible.

Continue Reading

Biz & IT

Rookie coding mistake prior to Gab hack came from site’s CTO



Over the weekend, word emerged that a hacker breached far-right social media website Gab and downloaded 70 gigabytes of data by exploiting a garden-variety security flaw known as an SQL injection. A quick review of Gab’s open source code shows that the critical vulnerability—or at least one very much like it—was introduced by the company’s chief technology officer.

The change, which in the parlance of software development is known as a “git commit,” was made sometime in February from the account of Fosco Marotto, a former Facebook software engineer who in November became Gab’s CTO. On Monday, Gab removed the git commit from its website. Below is an image showing the February software change, as shown from a site that provides saved commit snapshots.

The commit shows a software developer using the name Fosco Marotto introducing precisely the type of rookie mistake that could lead to the kind of breach reported this weekend. Specifically, line 23 strips the code of “reject” and “filter,” which are API functions that implement programming idioms that protect against SQL injection attacks.

Developers: Sanitize user input

These idioms “sanitize” the inputs that website visitors enter into search boxes and other web fields to ensure that any malicious commands are stripped out before the text is passed to backend servers. In their place, the developer added a call to the Rails function that contains the “find_by_sql” method, which accepts unsanitized inputs directly in a query string. Rails is a widely used website development toolkit.

“Sadly Rails documentation doesn’t warn you about this pitfall, but if you know anything at all about using SQL databases in web applications, you’d have heard of SQL injection, and it’s not hard to come across warnings that find_by_sql method is not safe,” Dmitry Borodaenko, a former Production Engineer at Facebook who brought the commit to my attention wrote in an email. “It is not 100% confirmed that this is the vulnerability that was used in the Gab data breach, but it definitely could have been, and this code change is reverted in the most recent commit that was present in their GitLab repository before they took it offline.”

Marotto didn’t respond to an email seeking comment for this post. Attempts to contact Gab directly didn’t succeed.

Revisionist history

Besides the commit raising questions about Gab’s process for developing secure code, the social media site is also facing criticism for removing the commits from its website. Critics say the move violates terms of the Affero General Public License, which governs Gab’s reuse of Mastodon, an open source software package for hosting social networking platforms.

Critics say the removal violates terms that require forked source code be directly linked from the site. The requirements are intended to provide transparency and to allow other open source developers to benefit from the work of their peers at Gab.

Gab had long provided commits at Then, on Monday, the site suddenly removed all commits—including the ones that created and then fixed the critical SQL injection vulnerability. In their place, Gab provided source code in the form of a Zip archive file that was protected by the password “JesusChristIsKingTrumpWonTheElection” (minus the quotation marks).

Representatives from the Mastodon project didn’t immediately respond to an email asking if they shared the critics’ concerns.

Besides questions about secure coding and license compliance, the Gab git commits also appear to show company developers struggling to fix their vulnerable code. The image below shows someone using the username “developer” trying unsuccessfully to fully fix the code containing the SQL injection vulnerability.

Thread participants respond by sarcastically pointing out the difficulty the developer seemed to be having.

Gab’s security breach and behind-the-scenes handling of code before and after the incident provide a case study for developers on how not to maintain the security and code transparency of a website. The lesson is all the more weighty given that the submission used the account of Gab’s CTO, who among all people should have known better.

Continue Reading

Biz & IT

Donald Trump is one of 15,000 Gab users whose account just got hacked



The founder of the far-right social media platform Gab said that the private account of former President Donald Trump was among the data stolen and publicly released by hackers who recently breached the site.

In a statement on Sunday, founder Andrew Torba used a transphobic slur to refer to Emma Best, the co-founder of Distributed Denial of Secrets. The statement confirmed claims the WikiLeaks-style group made on Monday that it obtained 70GB of passwords, private posts, and more from Gab and was making them available to select researchers and journalists. The data, Best said, was provided by an unidentified hacker who breached Gab by exploiting a SQL-injection vulnerability in its code.

“My account and Trump’s account were compromised, of course as Trump is about to go on stage and speak,” Torba wrote on Sunday as Trump was about to speak at the CPAC conference in Florida. “The entire company is all hands investigating what happened and working to trace and patch the problem.”

An important data set

GabLeaks, as DDoSecrets is calling the leak, comes almost eight weeks after pro-Trump insurrectionists stormed the US Capitol. The rioters took hundreds of thousands of videos and photos of the siege and posted them online. Mainstream social media sites removed much of the content because it violated their terms of service.

“The Gab data is an important, but complicated dataset,” DDoSecrets personnel wrote in a post on Monday morning. “In addition to being a corpus of the public discourse on Gab, it includes every private post and many private messages, as well. In a simpler or more ordinary time, it’d be an important sociological resource. In 2021, it’s also a record of the culture and the exact statements surrounding not only an increase in extremist views and actions, but an attempted coup.”

Gab and a competing site called Parler were some of the last refuges that allowed much of the content to remain publicly available. Amazon and web hosting providers later cited a lack of adequate content moderation in suspending service to Parler.

Shortly before the shuttering, however, somebody found a way to use Parler’s publicly available programming interfaces to scrape about 99 percent of the user content from the site and subsequently make it publicly available.

While law enforcement groups likely had other ways to obtain the Parler data, its public availability enabled a much wider body of people to do their own research and investigations. The leak was especially valuable because materials contained metadata that’s usually stripped out before users can download videos and images. The metadata gave people the ability to track the precise timelines and locations of filmed participants.

DDoSecrets said that the 70GB GabLeaks contains over 70,000 plaintext messages in more than 19,000 chats by over 15,000 users. The dump also shows passwords that are “hashed,” a cryptographic process that converts plaintext into unintelligible characters. While hashes can’t be converted back into plaintext, cracking them can be trivial when websites choose weak hashing schemes. (Best told Ars they didn’t know what hashing scheme was used.) The leak also includes plaintext passwords for user groups.

Hate-speech haven

Gab has long been criticized as a haven for hate speech. In 2018, Google banned the Gab app from its Play Store for terms of service violations. A year later, web host GoDaddy terminated service to Gab after one of its users took to the site to criticize the Hebrew Immigrant Aid Society shortly before killing 11 people in a Pittsburgh synagogue.

Gab has also been investigated by Pennsylvania’s attorney general. In January, the Anti-Defamation League called on the US Justice Department to investigate Gab for its role in the insurrectionist attack on the capitol.

Attempts to reach Torba for comment didn’t succeed.

Best said that DDoSecrets is making GabLeaks available only to journalists and researchers with a documented history of covering leaks. People can use this link to request access.

Continue Reading