Last Week’s Security News: Black Hat Pwnie Awards, iPhone Checks Photos, Evil Windows Print Server, Cisco VPN Routers Takeovers

Hello everyone! Last Week’s Security News, August 1 – August 8.

Black Hat Pwnie Awards

Last week was quieter than usual, with the Black Hat USA and DEF CON security conferences taking place. I would like to start with the Pwnie Awards, which are held annually at Black Hat. They are something like the Oscars or Tonys of the information security world. The Pwnie Awards recognize both excellence and incompetence and, in general, are a very respectable, sensible and fun event.

There were 10 nominations; I will mention a few.

  • First, two nominations that went to the folks at Qualys:
    Best Privilege Escalation Bug: Baron Samedit, a 10-year-old bug in sudo.
    Most Under-Hyped Research: 21Nails, 21 vulnerabilities in Exim, the Internet’s most popular mail server.
  • Best Server-Side Bug: Orange Tsai, for his Microsoft Exchange Server ProxyLogon attack surface discoveries.
  • Most Epic Fail: Microsoft, for their failure to fix PrintNightmare.
  • Best Song: The Ransomware Song by Forrest Brazeal

“You can make a fortune in Ransomware with a little bit of math
It’s called encryption, just a little bit of math cause a conniption”

and

“You can blame IT or some Russian sociopath
But personally I blame math”

Brilliant. =)

iPhone Checks Photos

Now I would like to talk about the Apple scandal. They want to detect illegal photos on users’ iPhones and report them to a special non-profit organization established by the US Congress. As far as I understand, this then gets reported to the police, but not directly.

And when you hear this, you can imagine some system component in the iPhone operating system scanning the file system, somehow cleverly analyzing the files on the device, or uploading them to the cloud for analysis, and informing officials. But this is not the case. At least for now.

Apple will check photos on users’ devices, but only:

  1. Photos to be uploaded to iCloud. This check is performed using a database of hashes of known illegal photos. If iCloud is off, the photos are not checked. It looks like they do not want to see illegal content in their cloud, even for a short time. They have the right to do so.
  2. Photos sent and received via the Messages app. This check is carried out using neural networks. Accordingly, if you do not use the Messages app, there is no such check. Again, the data passes through Apple’s cloud, and they are free to do whatever they want with it.
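The first check above is a lookup against a database of image hashes. As an added example (not Apple's code; the post does not say what kind of hash the database holds, and this block assumes a perceptual hash, which is what such matching systems typically use), the following shows why a cryptographic hash alone would not do the job: SHA-256 changes completely after a trivial edit, while a small difference hash (dHash) stays within a few bits of the original. The images are constructed 8x9 grayscale pixel grids, so no image library is needed; the distance threshold is an assumed policy value.

```python
"""Matching photos against a database of known-image hashes.

Added example, not Apple's code. The post only says the check uses a
database of known illegal photo hashes; this block assumes the database
holds perceptual hashes (assumption, not stated on the page) and shows
why: a cryptographic hash (SHA-256) changes completely after a trivial
edit, while a perceptual hash (a tiny difference hash, dHash) stays
within a few bits of the original. Images are constructed here as
8-row x 9-column grayscale pixel grids; no image library is needed.
"""
import hashlib

ROWS, COLS = 8, 9  # dHash works on an 8x9 downscaled grayscale thumbnail


def sample_image():
    """Constructed textured 'photo': pixel values in 10..209."""
    return [[(col * 37 + row * 53) % 200 + 10 for col in range(COLS)]
            for row in range(ROWS)]


def altered_copy(image):
    """Simulate a light edit: brighten everything by 40 and touch one pixel."""
    copy = [[min(255, v + 40) for v in row] for row in image]
    copy[0][0] = 255
    return copy


def checkerboard_image():
    """Constructed unrelated image."""
    return [[255 if (row + col) % 2 == 0 else 0 for col in range(COLS)]
            for row in range(ROWS)]


def sha256_of(image):
    """Cryptographic hash over the raw pixel bytes (exact match only)."""
    return hashlib.sha256(bytes(v for row in image for v in row)).hexdigest()


def dhash(image):
    """Difference hash: 64 bits, one per horizontally adjacent pixel pair,
    set when the left pixel is brighter than the right one. A uniform
    brightness change preserves every comparison, so the hash survives it."""
    bits = 0
    for row in image:
        for col in range(COLS - 1):
            bits = (bits << 1) | (1 if row[col] > row[col + 1] else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two 64-bit hashes."""
    return bin(a ^ b).count("1")


def matches_database(image, known_hashes, threshold=4):
    """True if the image's dHash is within `threshold` bits of any entry.
    The threshold (assumed value) trades missed near-duplicates against
    false positives on unrelated images; it is a policy choice."""
    h = dhash(image)
    return any(hamming(h, known) <= threshold for known in known_hashes)


if __name__ == "__main__":
    original, edited = sample_image(), altered_copy(sample_image())
    other = checkerboard_image()
    database = {dhash(original)}  # hashes of images already known to the operator
    print("SHA-256 equal after edit:", sha256_of(original) == sha256_of(edited))  # False
    print("dHash distance after edit:", hamming(dhash(original), dhash(edited)))  # 1
    print("edited copy flagged:", matches_database(edited, database))            # True
    print("unrelated image flagged:", matches_database(other, database))         # False
```

The point for a reader judging the privacy trade-off is the threshold: a perceptual match is a similarity judgement, not an exact one, so the false-positive rate depends on how that distance cut-off is set and on how the reference database is curated.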

In general, so far it does not look like a total surveillance mechanism, or something that could easily become one. But it is always worth thinking about who exactly controls your devices, even if that someone has the best intentions. So, as I mentioned in another video, the iPhone is an odd choice if you are serious about privacy: not only because the iPhone is the number one target for attackers, but also because of the features of the platform itself.

Evil Windows Print Server

Last week there was an interesting update to the PrintNightmare story.

Mimikatz creator Benjamin Delpy created an Internet-accessible print server that installs a print driver and launches a DLL with SYSTEM privileges. The current version of the driver launches a SYSTEM command prompt. This new method effectively allows anyone, including threat actors, to gain administrative privileges simply by installing the remote print driver. Once they have administrative rights on the machine, they can run any command, add users or install any software, giving them complete control over the system. The technique is especially useful for threat actors who breach networks to deploy ransomware, as it gives quick and easy access to administrative privileges on a device, which helps them spread laterally through the network.
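From the defender's side, the telltale of this technique is a print driver appearing on a workstation that nobody deployed. As an added example (not from the post and not Benjamin Delpy's tooling), the following runs an allowlist check over constructed records modelled on two events in the Microsoft-Windows-PrintService/Operational log: Event ID 316 (a printer driver was added or updated, with its file list) and Event ID 808 (the spooler failed to load a plug-in module). The pipe-separated record layout, host names and driver names are constructed for the example, and the approved-driver set stands in for an organisation's own inventory.

```python
"""Flagging unexpected print driver installations from PrintService logs.

Added example, not from the post and not Benjamin Delpy's tooling. It runs
a small allowlist check over constructed records modelled on two events in
the Microsoft-Windows-PrintService/Operational log: Event ID 316 (a printer
driver was added or updated, with the file list) and Event ID 808 (the
spooler failed to load a plug-in module). The pipe-separated line layout,
host names and driver names below are constructed for the example; the
approved-driver set is a placeholder for an organisation's own inventory.
"""
import re
from dataclasses import dataclass

# Constructed sample records: "<time>|<event_id>|<host>|<message>"
SAMPLE_LOG = """\
2021-08-05T09:12:01|316|WS-01|Printer driver HP Universal Printing PCL 6 for Windows x64 Version-3 was added or updated. Files:- hpcu230u.dll, hpcu230u.gpd
2021-08-05T09:40:17|316|WS-07|Printer driver Example Rogue Driver for Windows x64 Version-3 was added or updated. Files:- roguedrv.dll
2021-08-05T09:40:18|808|WS-07|The print spooler failed to load a plug-in module C:\\Windows\\System32\\spool\\DRIVERS\\x64\\3\\roguedrv.dll
2021-08-05T10:02:44|316|WS-03|Printer driver Microsoft Print To PDF for Windows x64 Version-3 was added or updated. Files:- PrintConfig.dll
"""

# Placeholder allowlist: drivers the organisation deploys deliberately.
APPROVED_DRIVERS = {"HP Universal Printing PCL 6", "Microsoft Print To PDF"}

# Shape of the Event 316 message text (driver name and file list).
DRIVER_RE = re.compile(
    r"Printer driver (?P<name>.+?) for Windows .+? was added or updated\. Files:- (?P<files>.+)$"
)


@dataclass
class Alert:
    time: str
    host: str
    reason: str


def parse_record(line):
    """Split one constructed record into its four fields."""
    time, event_id, host, message = line.split("|", 3)
    return time, int(event_id), host, message


def detect(log_text, approved=APPROVED_DRIVERS):
    """Return an Alert for every driver install outside the allowlist and
    for every spooler plug-in load failure (worth reviewing alongside any
    driver install on the same host)."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        time, event_id, host, message = parse_record(line)
        if event_id == 316:
            match = DRIVER_RE.search(message)
            if match and match.group("name") not in approved:
                alerts.append(Alert(
                    time, host,
                    f"unapproved driver '{match.group('name')}' installed, "
                    f"files: {match.group('files')}"))
        elif event_id == 808:
            alerts.append(Alert(time, host, "spooler failed to load plug-in: " + message))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.time} {alert.host}: {alert.reason}")
```

Two practical notes: the PrintService/Operational log is disabled by default on Windows and has to be switched on before these events are recorded, and the mitigation Microsoft documented with its July 2021 updates is the RestrictDriverInstallationToAdministrators value under the PointAndPrint policy key, which stops non-administrators from installing drivers via Point and Print at all.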

Cisco VPN Routers Takeovers

And finally, I would like to talk about critical vulnerabilities (CVE-2021-1609, CVE-2021-1610) in Cisco VPN routers. A critical security vulnerability in a subset of Cisco Systems’ small-business VPN routers could allow a remote, unauthenticated attacker to take over a device, and researchers from Tenable said there are at least 8,800 vulnerable systems open to compromise.

“While both flaws exist due to improper validation of HTTP requests and can be exploited by sending specially crafted HTTP requests, CVE-2021-1610 can only be exploited by an authenticated attacker with root privileges,” according to Tenable. “Successful exploitation would grant an attacker the ability to gain arbitrary command execution on the vulnerable device’s operating system.” If patching isn’t possible, users should make sure that remote web management is disabled, the firm added.
