image of breaking badness
Breaking Badness
Breaking Badness

25. Exploits Worm My Heart

Here are a few highlights from each article we discussed:

TAG You’re It

  • These exploits and implants affected thousands of users every day, while Apple stated this was a targeted campaign affecting the Uighur people.
  • This group has been involved in conflict with the Chinese government, so it would not be outrageous to assume they were the authors of the attack.
  • The binary is compiled without optimizations and written Objective-C. The code snippets here are mostly manually decompiled with a bit of help from hex-rays.

You Down with RDP?

  • Pretty much all versions of Windows are affected. The initial BlueKeep vulnerability from May affected up through Server 2008, but the two new vulnerabilities—nicknamed DejaBlue—affect all versions up through Windows 10.
  • As Microsoft mentioned this is a wormable vulnerability—meaning no interaction from any user is required to spread. Desktop vulnerabilities of this kind are always more concerning to me than a mobile OS equivalent for a few reasons:
    1. There isn’t as much sandboxing, isolation or general security as you get on most mobile operating systems on the desktop. A lot of people don’t follow even the most basic security practices with their desktop machine where on their mobile phone they don’t even have to think about it—Google and Apple are doing AV work in their app stores, ports are locked down, logins are requiring two factor auth by default, there are specific permissions that applications are granted or not. A compromise requires a lot more hoops to jump through.
    2. Updates for mobile phones are pushed—and are sometimes forced—by manufacturers and for some reason people want to update as soon as they see the popup. Maybe it’s just how we interact with our phones. Desktop updating gets in the way of our real work and we delay it as long as possible. The psychology behind that is weird, but if you look on Shodan right now there are still machines with open RDP that are vulnerable despite this fix being out since May. They’ll probably still be there and vulnerable a year from now. Desktop machines get forgotten.
    3. The barrier to entry is much lower on a vulnerability like this. Normally—like in the case of these latest iOS bugs—it requires some knowledge of how to set up a server that will attack vulnerable victims or some knowledge of how to package up malicious APKs or some ideas of the security features present in phones. This attack is much more approachable and most attackers are looking for that low hanging fruit.
  • Even though it hasn’t been seen in any widespread attacks yet, there is a Metasploit module that dropped over this last weekend. That means it’ll only be a short matter of time before it’s bundled into some commercial hacking tools now that pretty much anyone can leverage it.
  • In terms of mitigating the risk of this exploit, Network Level Auth or NLA is what Microsoft is recommending since the attacker would need to authenticate before they could exploit. I’d argue RDP should always be blocked externally. I understand that some people out there need to manage their boxes this way though and they should leverage a bastion host or network of some kind and restrict incoming connections to just that bastion host or management network. It’s that extra layer of depth and complexity that will save you in the end.

Betting On The Incorrect Horse Battery Staple

  • First, really appreciate the administrators of XKCD following the Incident Response. It’s PHPBB, so, it’s very likely the compromise occurred involving that. This is an assumption on my part though.
  • What did I say last time I was on? Life’s a breach. That continues. XKCD, Facebook, Mastercard’s German Rewards Program, a ton of forums. It is so sad that I actually used a leak recently to figure out what my old address was from over a decade ago because I’d forgotten and needed it for an application. So there’s an upside.
  • Favorite XKCD comics:
    1. Password Strength
    2. Exploits of a Mom
    3. Python Environment
    4. Automation
    5. Insanity

This Week’s Hoodie/Goodie Scale

TAG You’re It

[Tarik]: 10/10 Hoodies
[Chad]: 9/10 Hoodies

You Down with RDP?

[Tarik]: 10/10 Hoodies
[Chad]: 10/10 Hoodies

That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!