SSD’s Security Disclosure weekly news recap — March 4th, 2021

Imriah
SSD Secure Disclosure
Mar 4, 2021

This is SSD’s weekly security recap. In this weekly update, we discuss some of the latest trends and news in the cybersecurity world.

In this edition, we’ll talk about new updates on the SolarWinds attack, privacy issues found in Alexa devices that allow attackers to steal data, Ryuk ransomware spreading between Windows devices, and a pre-auth RCE found in a TP-Link router.

The SolarWinds Hack

First, a little history: SolarWinds is a major information technology firm in the US. In December 2020, it was reported that hackers, suspected to be from Russia, had breached the company and deployed spyware on SolarWinds’ clients. The attackers got in through a software update that downloaded their malware. The attack was missed by both SolarWinds and the American authorities, and left SolarWinds’ customers exposed for 9 months.

Last week, the CEOs of SolarWinds, Microsoft, and FireEye were called to testify in front of the US Congress. So far, the testimonies have not explained how the attack happened or how it could have been prevented. We did, however, get a funny remark from the CEO of SolarWinds, who said that the breach was due to an intern using the password “solarwinds123”. Just a reminder that passwords alone are no longer a proper defense against cyberattacks, and that top-down cybersecurity policies matter.

Another interesting update from this story is a cybersecurity policy change coming directly from the US president. President Biden is considering signing an executive order to address gaps in the US’s national cybersecurity policy. The order is expected to increase voluntary, combined cyber defense operations in order to prevent attacks more effectively.

Privacy Issues in Amazon’s Alexa

Researchers found a few privacy issues in Alexa devices that could allow attackers to steal data or carry out phishing attacks. The findings were presented at the NDSS conference by researchers from Bochum University in Germany and North Carolina State University.

The researchers discovered that “Skills” developed for Alexa could be abused by attackers. “Skills” are like apps for Alexa devices, and some of them are developed by third parties. The researchers accused Amazon of not properly vetting Alexa “Skills”, which allows attackers to use them in phishing attacks under a legitimate name such as Samsung.

The researchers also noted that a developer could make changes to a skill after it had been vetted, allowing attackers to inject malicious code into it.

At the time of writing this recap, Amazon has dismissed these accusations and says it vets the Skills placed in the Amazon store. The researchers still urged Amazon to validate its third-party developers, and we advise users to double-check any app they install on their devices.

Ryuk Ransomware Infecting Windows Devices

The French national cyber-security agency, ANSSI, discovered that a new variant of the Ryuk ransomware has the ability to spread to other Windows devices on victims’ local networks. The malware has worm-like capabilities, meaning it can replicate on its own and infect other devices with no help from the victim or the attacker. It does this by listing all of the IPs connected to the network and then sending a message to each discovered device.

The group that created the Ryuk ransomware was involved in many cyberattacks last year; in one of them they extorted 34 million dollars from a single victim. ANSSI proposes that one way to tackle the problem is to change the password of, or disable, the compromised user account, thus containing the infection to one device.

CVE-2021-27246 — Preauth Remote Code Execution

Lastly, we wanted to talk about a vulnerability found in the TP-Link AC1750 Smart Wifi Router. It is a pre-authentication remote code execution vulnerability found by two researchers from Synacktiv (@0xmitsurugi, @swapgs).

The researchers from Synacktiv found that a pre-authentication RCE exists in the sync-server daemon. That daemon does not answer network requests itself; instead it parses data written into shared memory by the TCP server daemon. By sending carefully chosen data to the tdpServer, an attacker on the LAN side of the router can gain total control of the router with the highest level of privileges.

Want to Be Part of the News?

At SSD, we help security researchers turn their skills in uncovering security vulnerabilities into a career. Designed by researchers, for researchers, SSD provides the fast response and support needed to get zero-day vulnerabilities and disclosures reported to vendors and to get researchers the compensation they deserve. We help researchers get to the bottom of vulnerabilities affecting major operating systems, software, or devices.

We are constantly publishing our findings, intended to educate our global community of security researchers. You can find more vulnerabilities on our Advisories page. If you have findings of your own, you can send them to us here using our report template.

Join the conversation:

Visit SSD

Twitter

Facebook

Youtube
