SSD’s Security Disclosure weekly news recap — March 18, 2021

Imriah
SSD Secure Disclosure
5 min read · Mar 18, 2021

In this edition, we’ll follow up on the MS Exchange Server Leak and its origins, a hacker gaining access to 150,000 Verkada security cameras, the new Regexploit tool, and three 15-year-old vulnerabilities found in the Linux Kernel.

The Microsoft Exchange Hack

A Taiwanese security researcher indicated last week that exploit code he developed and privately shared with Microsoft in early January ended up in hostile hands.

The exploit was used to attack 20,000 Exchange email servers before Microsoft deployed software patches out of band on March 2, and Microsoft is now investigating whether one of its partners is at fault.

The researcher who developed the exploit code — Cheng-da Tsai, who is known by the handle Orange Tsai, tweeted on Friday that the attack code used in the breaches was similar to the code that he developed and sent to Microsoft on Jan. 5.

Tsai and Devcore had been looking closely for bugs in the Exchange server since October, according to a timeline Devcore published on a website it set up for the flaws, which are grouped together under the name “ProxyLogon.”

Microsoft says it has found no indications that it was at fault, but the company is investigating whether one of its partners was. There’s a chance we’ll never know who leaked it, although Microsoft’s MAPP partners are likely in the investigative spotlight. We’ll continue to monitor the situation and will provide updates as the story develops.

Another update to that story: the operators of the Lemon_Duck botnet are now abusing the Microsoft Exchange ProxyLogon exploits for crypto mining.

Illicit crypto-mining leverages resources stolen from victims to mine cryptocurrencies on behalf of criminals. Usually the amounts are quite small, but if it is done on a large scale the gains can be significant.

The Lemon_Duck bot delivers payloads that install an XMR (Monero) CPU miner on these vulnerable servers. The group operating the botnet is targeting vulnerable servers that haven’t been patched yet. We advise you to update your system if you haven’t done so already to prevent these attacks.

Verkada Security Cameras Hacked

Verkada is a Security Camera System firm that provides video security solutions for many companies and individuals around the world.

The attacker, in this case, managed to obtain footage from over 150,000 of these cameras, including footage from hospitals, jails, and courts in the US and from multiple companies, including Tesla’s factory in Shanghai.

The attacker gained access to these cameras through an unprotected internal development system, which contained credentials for an account with super-admin rights.

Tillie Kottmann, one of the hackers who claimed credit for breaching San Mateo, California-based Verkada, claims that this attack was done out of curiosity, for the freedom of information, and against intellectual property.

In response, Verkada has disabled all of its internal administrator accounts to prevent any unauthorized access and says it is investigating.

The New Regexploit Tool

Regexploit was designed by Ben Caller of Doyensec with the goal of finding Regular Expression Denial of Service vulnerabilities. A regular expression is a sequence of characters that specifies a search pattern, used in text-processing tasks.

A Regular Expression Denial of Service (ReDoS) occurs when an input fails to match the regular expression pattern and the engine, backtracking through every possible way of matching that input, is overwhelmed, causing a denial of service.

Regexploit is designed to find these kinds of vulnerabilities by scanning regular expression patterns and locating the ones that are susceptible. It was officially released on March 11th, but the developer had already used it to find 13 vulnerabilities before releasing it to the public.
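As an added illustration (not code from Regexploit or from the original post), the following Python script applies the same idea Regexploit automates, in a much simpler form: it walks Python’s own regex parse tree and flags unbounded repeats nested inside other unbounded repeats, the shape behind the classic exponential backtracking, then times a non-matching probe input against a flagged and an unflagged pattern. The nested-quantifier heuristic is an assumption of this example and catches only that one ReDoS class.

```python
import re
import time

# Python's regex parser moved to re._parser in 3.11; older versions expose sre_parse.
try:
    from re import _parser as sre_parse
except ImportError:
    import sre_parse

MAX_REPEAT, MIN_REPEAT = sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT
MAXREPEAT = sre_parse.MAXREPEAT  # upper bound used for unbounded repeats (+, *, {n,})


def _subpatterns(arg):
    """Yield every SubPattern node nested anywhere inside an opcode argument."""
    if isinstance(arg, sre_parse.SubPattern):
        yield arg
    elif isinstance(arg, (tuple, list)):
        for item in arg:
            yield from _subpatterns(item)


def _scan(sub, inside_unbounded):
    for op, arg in sub:
        nested = inside_unbounded
        if op in (MAX_REPEAT, MIN_REPEAT):
            unbounded = arg[1] == MAXREPEAT
            if inside_unbounded and unbounded:
                return True  # e.g. (a+)+ : an unbounded repeat inside another one
            nested = inside_unbounded or unbounded
        for child in _subpatterns(arg):
            if _scan(child, nested):
                return True
    return False


def has_nested_quantifier(pattern: str) -> bool:
    """Heuristic (assumed for this example): flag nested unbounded quantifiers."""
    return _scan(sre_parse.parse(pattern), False)


def match_seconds(pattern: str, text: str) -> float:
    """Wall-clock cost of one fullmatch attempt against a probe input."""
    start = time.perf_counter()
    re.fullmatch(pattern, text)
    return time.perf_counter() - start


if __name__ == "__main__":
    probe = "a" * 20 + "!"  # constructed probe: nearly matches, then fails on the last char
    for pat in (r"^(a+)+$", r"^a+$"):
        print(pat, "flagged:", has_nested_quantifier(pat), "seconds:", round(match_seconds(pat, probe), 3))
```

Lengthening the probe by one character roughly doubles the time for the flagged pattern while the unflagged one stays flat, which is the behaviour a scanner like Regexploit is hunting for.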

CVE of the Week — Three 15-year-old CVEs found in the Linux Kernel

These vulnerabilities have been present in the Linux kernel’s iSCSI module since it was developed in 2006. They were found by researchers from the GRIMM cybersecurity organization, who reported them to Linux.

CVE-2021-27365

The first vulnerability is a heap buffer overflow caused by setting an attribute larger than one page.

CVE-2021-27363

The second vulnerability is a kernel pointer leak that can be used to determine the address of the iscsi_transport structure.

CVE-2021-27364

The last flaw is an out-of-bounds kernel read that can cause a data leak or denial of service, triggered by messages whose size the driver fails to validate.

By exploiting these vulnerabilities an attacker could cause a denial of service, leak data, or in some cases gain root privileges.

The researchers from GRIMM reported these findings to the Linux security team and patches correcting them have been released.

Want to Be Part of the News?

At SSD, we help security researchers turn their skills in uncovering security vulnerabilities into a career. Designed by researchers, for researchers, SSD provides the fast response and support needed to get zero-day vulnerabilities and disclosures reported to vendors and to get researchers the compensation they deserve. We help researchers get to the bottom of vulnerabilities affecting major operating systems, software, or devices.

We are constantly publishing our findings, intending to educate our global security researchers’ community. You can find more vulnerabilities on our Advisories page. If you have findings of your own, you can send them to us using our report template.
