CyberSecurity News Byte

Hosted By Jim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 67: August 07 2023

Links

https://securityaffairs.com/149076/data-breach/burger-king-exposed-sensitive-credentials.html

https://lolbas-project.github.io/

https://www.bleepingcomputer.com/news/security/hackers-can-abuse-microsoft-office-executables-to-download-malware/

https://youtu.be/bOa5frisxss

https://www.securityweek.com/decommissioned-medical-infusion-pumps-expose-wi-fi-configuration-data

https://www.rapid7.com/blog/post/2023/08/02/security-implications-improper-deacquisition-medical-infusion-pumps/

https://www.networkworld.com/article/3694848/your-decommissioned-routers-could-be-a-security-disaster.html

https://www.helpnetsecurity.com/2023/04/19/decommissioned-routers-sensitive-corporate-data/

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-flaw-after-being-called-irresponsible-by-tenable-ceo/

Burger King’s Password Mistake

  • Burger King
    • 19 thousand restaurants
    • revenue of $1.8 billion
    • French domain site
    • Subdomain for job postings
    • Fixed now.
  • Cybernews research team
    • June 1
    • publicly accessible environment file
      • .env
      • Environment variables
      • used to store sensitive data.
        • passwords
        • API credentials
        • information that should not be written directly in code.
      • Code
        • The file shows their production database credentials.
          • Researchers couldn’t look to see what it had…legally.
            • Assume job posting information.
            • And maybe job hunters’ information
          • Just having the credentials is part of a breach.
            • Still need a way to exfil the data.
          • Google Tag Manager
            • used to manage and update measurement codes (tags) and related code fragments on the site.
            • Maybe change it to their own, to monitor the site.
          • Protect yourself.
            • Ensure proper permissions.
            • Use a dedicated secret manager.
              • One more thing to learn, but it keeps you safer.
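The two defensive points above (file permissions, and keeping credentials out of files a web server can hand out) can be checked mechanically. The script below is an added example, not code from the podcast or from the Cybernews research: it walks a web root, finds dotenv-style files, reports which are readable beyond their owner, and lists the keys that look like credentials with their values masked. The key-name heuristic, the file names it looks for and the sample `.env` it builds are all assumptions constructed for this example.

```python
"""Audit a directory tree for .env files that leak secrets.

Added example (not from the podcast or Cybernews): walks a web root, finds
dotenv-style files, reports (a) which are readable by group/others and
(b) which keys look like credentials. Values are masked in the report.
"""
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Key names that usually hold credentials (heuristic; an assumption for this example).
SENSITIVE_KEY = re.compile(r"(PASS|PASSWORD|SECRET|TOKEN|KEY|CREDENTIAL)", re.IGNORECASE)
# Common dotenv file names (assumption; extend for your framework's conventions).
ENV_FILENAMES = {".env", ".env.local", ".env.production", ".env.prod"}


def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE parser: comments and blank lines skipped, surrounding quotes stripped."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def mask(value: str) -> str:
    """Show only the last two characters so the report itself does not leak the secret."""
    if len(value) <= 4:
        return "****"
    return "*" * (len(value) - 2) + value[-2:]


def audit_env_files(root: str) -> List[dict]:
    """Return one finding per dotenv file found under `root`."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.name not in ENV_FILENAMES or not path.is_file():
            continue
        mode = path.stat().st_mode
        # Readable by group or others means any other local account (or the web
        # server process, if it is not the owner) can read the credentials.
        exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
        env = parse_dotenv(path.read_text(errors="replace"))
        secrets = {k: mask(v) for k, v in env.items() if SENSITIVE_KEY.search(k) and v}
        findings.append({
            "path": str(path.relative_to(root)),
            "group_or_world_readable": exposed,
            "secret_keys": sorted(secrets),
            "masked_values": secrets,
        })
    return findings


def build_sample_webroot() -> str:
    """Constructed sample: a web root with a production .env under the public folder.
    The values are placeholders, not real credentials."""
    root = tempfile.mkdtemp(prefix="envaudit_")
    env_path = Path(root) / "public" / ".env"
    env_path.parent.mkdir(parents=True)
    env_path.write_text(
        "# constructed sample, not real credentials\n"
        "APP_ENV=production\n"
        "DB_HOST=db.internal.example\n"
        'DB_PASSWORD="example-not-a-real-password"\n'
        "GTM_CONTAINER_ID=GTM-EXAMPLE\n"
        "API_SECRET=example-not-a-real-secret\n"
    )
    os.chmod(env_path, 0o644)  # the classic mistake: readable by every local account
    return root


if __name__ == "__main__":
    for finding in audit_env_files(build_sample_webroot()):
        print(finding)
```

Run it against a real document root and anything it reports under a publicly served folder is a file the web server may already be handing out; the fix the episode recommends is to move those values into a secret manager and, at minimum, to make the file owner-only (`0600`) and deny it in the web server configuration.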

Growing Dangers of LOLBAS

  • LOLBAS
    • Living Off the Land Binaries And Scripts (and now Libraries)
      • Formerly called LOLBins
    • Binaries (and now scripts/libraries) of a non-malicious nature
    • local to the operating system
    • that have been utilized and exploited by malicious actors to camouflage their malicious activity.
  • LOLBAS Project
    • 150 Windows-related binaries, libraries, and scripts
    • Tied to MITRE framework.
  • Pentera
    • Security Researcher, Nir Chako
    • Wanted to find LOLBAS in Microsoft Office.
      • Found 3 used as downloaders.
        • MsoHtmEd.exe (not yet accepted into the project)
        • MSPub.exe (accepted)
        • ProtocolHandler.exe (not yet accepted into the project)
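The defensive use of this research is detection: the Office binaries above are legitimate, so the signal is the binary being launched with a URL on its command line. The script below is an added example, not code from the podcast, Pentera or the LOLBAS project. It reads Sysmon-style process-creation events (constructed here as JSON lines; the field names follow Sysmon Event ID 1 but the paths, users and URLs are made up) and flags the three binaries named in the episode only when a URL argument is present.

```python
"""Flag LOLBAS downloader use in process-creation logs.

Added example (not from the podcast, Pentera or the LOLBAS project): parses
Sysmon-style process-creation events and flags the Office binaries named in
the episode when they are started with a URL on the command line.
"""
import json
import re
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional

# Binaries named in the episode (Pentera research). Extend this set from the
# LOLBAS project entries that carry a "Download" function.
LOLBAS_DOWNLOADERS = {"mspub.exe", "msohtmed.exe", "protocolhandler.exe"}
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)


def detect_lolbas_downloader(event: dict) -> Optional[dict]:
    """Return a finding if `event` is a listed binary launched with a URL, else None."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image not in LOLBAS_DOWNLOADERS:
        return None
    urls = URL_RE.findall(event.get("CommandLine", ""))
    if not urls:
        return None  # the binary on its own is normal Office activity
    return {
        "image": image,
        "urls": urls,
        "parent": PureWindowsPath(event.get("ParentImage", "")).name.lower(),
        "user": event.get("User"),
    }


def scan_log(lines: Iterable[str]) -> List[dict]:
    """Parse JSON lines; skip unparsable records instead of aborting the scan."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = detect_lolbas_downloader(event)
        if finding:
            hits.append(finding)
    return hits


# Constructed sample events (Sysmon Event ID 1 field names; values are made up).
_OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
SAMPLE_LOG = [json.dumps(e) for e in [
    {"EventID": 1, "Image": _OFFICE + "MSPUB.EXE",
     "CommandLine": '"MSPUB.EXE" https://files.example/report.bin',
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\alice"},
    {"EventID": 1, "Image": _OFFICE + "MSPUB.EXE",
     "CommandLine": '"MSPUB.EXE" C:\\Users\\alice\\Documents\\flyer.pub',
     "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice"},
    {"EventID": 1, "Image": _OFFICE + "ProtocolHandler.exe",
     "CommandLine": 'ProtocolHandler.exe https://files.example/update.dat',
     "ParentImage": "C:\\Windows\\System32\\wscript.exe", "User": "CORP\\bob"},
    {"EventID": 1, "Image": _OFFICE + "WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" https://intranet.example/policy.docx',
     "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\carol"},
]] + ["not json at all"]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The parent image is carried in the finding because it is the usual second signal: a publishing tool started by a script host or a shell, rather than by Explorer or another Office application, is worth a closer look even when the URL points somewhere plausible.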

Proper Decommissioning of Devices

  • Rapid7
    • Analyzed 13 infusion pumps.
      • 3 different models
        • Alaris PC 8015
        • Baxter Sigma Spectrum model 35700BAX2 and associated Wireless Battery Module (WBM)
        • Hospira Abbott PLUM A+ with MedNet.
      • No longer manufactured.
        • devices are still in use within numerous medical organizations worldwide.
      • Findings
        • attempted the extraction of sensitive data
          • devices’ compact flash cards
          • observing serial communication
            • removing the flash memory chips from the main circuit boards.
          • Alaris 8015
            • Found
              • hostnames with domain information
              • AES keys for encryption
              • service set identifiers (SSIDs)
              • clear text Wi-Fi Pre Shared Keys (PSK) passphrase
              • credentials for Microsoft Active Directory authentication
              • Wi-Fi configuration settings.
            • While there is no documentation regarding the data purge process for the Alaris 8015 decommissioning found online, Alaris did publish security service bulletins that are available for organizations having support contracts with Becton, Dickinson and Company (BD).
          • Baxter Sigma Spectrum 35700BAX2 devices and associated Wireless Battery Module (WBM)
            • Wi-Fi configuration data
              • including the Wi-Fi Protected Access (WPA) passphrase converted to a 64-character hex key (PSK).
            • provide documentation detailing the steps that should be taken to reset wireless configurations and remove any other information from both the device and the WBM.
          • The Hospira Abbott PLUM A+ with MedNet
            • Found
              • Wi-Fi configuration information
            • no single procedure could be located that detailed the needed steps for removing all critical data such as PHI, and Wi-Fi configuration data in preparation of decommissioning.
          • Tools
            • Easy to get
            • $250-$1500
          • April 2023
            • Routers on secondhand market
              • 22% contained customer data.
              • 33% exposed data allowing third-party connections to the network.
              • 44% had credentials for connecting to other networks as a trusted party.
              • 89% itemized connection details for specific applications
              • 89% contained router-to-router authentication keys.
              • 100% contained one or more of IPsec or VPN credentials, or hashed root passwords.
              • 100% had sufficient data to reliably identify the former owner/operator.

Microsoft fixes flaw after being called irresponsible by Tenable CEO

  • Power Platform Custom Connectors feature
    • Microsoft fixed a security flaw.
    • let unauthenticated attackers access cross-tenant applications and Azure customers’ sensitive data.
  • Root Cause
    • stemmed from inadequate access control measures for Azure Function hosts launched by connectors within the Power Platform
      • use custom C# code integrated into a Microsoft-managed Azure Function featuring an HTTP trigger.
    • Although custom connectors are normally reached through authenticated APIs, the API endpoints forwarded requests to the Azure Function without enforcing authentication.
      • opportunity for attackers to exploit unsecured Azure Function hosts and intercept OAuth client IDs and secrets.
    • Tenable v Microsoft
      • It’s not an issue of information disclosure.
        • This is about being able to access and interact with the unsecured Function hosts.
          • From there trigger behaviors that could have further impact
        • Tenable, pointed out because of the nature of the service, the impact would vary for each individual connector.
          • be difficult to quantify without exhaustive testing.
        • Tenable very quickly discovered authentication secrets belonging to a customer (a bank), with that customer’s permission.
      • PoC
        • Tenable also shared proof of concept exploit code and information on the steps required to find vulnerable connector hostnames and how to craft the POST requests to interact with the unsecured API endpoints.
      • Microsoft blows off Tenable.
        • Microsoft initially stated that the researcher was the only one who exploited the issue.
        • After further analysis in July, Microsoft determined that there were some Azure Functions in a “soft delete” state that had not been properly mitigated.
          • Finally resolved the issue for all customers on August 2nd
            • after an initial fix deployed by Redmond on June 7th was tagged by Tenable as incomplete.
          • Microsoft addressed it after a five-month period
            • but not before the CEO of Tenable voiced vehement criticism of the initial response in a LinkedIn post, calling it “grossly irresponsible” and “blatantly negligent.”
            • “Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers’ networks and services? Of course not. They took more than 90 days to implement a partial fix – and only for new applications loaded in the service,”
            • “That means that as of today, the bank I referenced above is still vulnerable, more than 120 days since we reported the issue, as are all of the other organizations that had launched the service prior to the fix.”