Exploitable Windows RDP Vulnerability

Summary: A Windows Remote Desktop Protocol (RDP) vulnerability was recently discovered by the security vendor CyberArk. The details were released in a report written by Gabriel Sztejnworcel on 1/11/2022. As of now, the vulnerability is tracked as CVE-2022-21893 and no patch is available. It affects both Windows server and desktop operating systems, from versions as old as Windows Server 2012 R2 up to the most recent Windows 10 update.

RDP is a Windows tool that allows users to remotely access other computers over a network connection. Normal usage of RDP requires the correct credentials and permissions for a user to access another system remotely. However, the newly discovered RDP vulnerability may allow any user to access another user’s computer. By exploiting the vulnerability, a user can access data stored on different systems, impersonate another user, and even steal smart card credentials.

The vulnerability lies in the background processes that RDP relies on to function. In short, RDP splits a connection into several channels, each tasked with handling a different data type. Data passes between these channels and the Remote Desktop Service (RDS) over Windows named pipes, a mode of inter-process communication in Windows. The vulnerability exists in the naming of the pipes: any user can create a new pipe with the name of an existing pipe, and the data sent over that pipe can then be viewed in cleartext.

Why it matters: It is important to monitor the use of protocols and services that provide remote access to data. Protocols such as the remote desktop protocol, the secure shell protocol (SSH), and file transfer protocols (SFTP/FTP) are all highly desired targets for attackers, since they can potentially provide easy access to sensitive data.

A Microsoft Security blog post by James Ringold provides basic suggestions for adding security measures to remote desktop connections. Some of the measures included in the guide are:

  • Implement multi-factor authentication (MFA)
  • Control, audit, and log all remote access
  • Restrict remote desktop sessions by IP address
  • Vulnerability and patch management
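Two of the measures above, restricting RDP by source address and auditing remote logons, as an added PowerShell example; this is not code from the CyberArk report or the Microsoft post. It assumes an elevated session on a host with the built-in “Remote Desktop” firewall rule group, and 10.20.0.0/24 is a placeholder management subnet.

```powershell
# Added example. Placeholder management subnet; replace with your own.
$MgmtSubnet = '10.20.0.0/24'

# 1. Restrict inbound RDP: after this, the built-in "Remote Desktop" rule
#    group only accepts connections from the management subnet.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True `
    -Action Allow -RemoteAddress $MgmtSubnet

# IPv4-only CIDR test; anything unparseable ("-", IPv6) counts as outside.
function Test-IpInSubnet {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    try {
        $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
        $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    } catch { return $false }
    if ($ipBytes.Length -ne 4 -or $netBytes.Length -ne 4) { return $false }
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)   # little-endian
    $mask   = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    $ipInt  = [BitConverter]::ToUInt32($ipBytes, 0)
    $netInt = [BitConverter]::ToUInt32($netBytes, 0)
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

# 2. Audit remote access: Security event 4624 with LogonType 10 is a
#    RemoteInteractive (RDP) logon. Property indexes follow the 4624
#    event template: 5 = user, 6 = domain, 8 = logon type, 18 = source IP.
$since = (Get-Date).AddDays(-7)
$rdpLogons = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
            SourceIp = $_.Properties[18].Value
            Allowed  = Test-IpInSubnet $_.Properties[18].Value $MgmtSubnet
        }
    }

# Sessions that arrived from outside the allowed subnet (for instance
# before the rule above was applied) are the ones to follow up on.
$rdpLogons | Where-Object { -not $_.Allowed } | Format-Table -AutoSize
```

Event 4624 only appears if logon auditing is enabled, so an empty result means either no RDP logons or no audit policy; check the latter first.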

Hackers are Mailing Out USBs Infected with Malware

Summary: On 1/10/2021, the FBI issued a warning that a cybercrime group is mailing malicious USB flash drives to companies in order to infect their networks with malware. The group responsible for this campaign is FIN7, the cybercriminal group behind the Darkside and BlackMatter ransomware operations. The attackers mailed packages containing ‘BadUSB’ devices.

According to the FBI, “There are two variations of packages – those imitating HHS are often accompanied by letters referencing COVID-19 guidelines enclosed with a USB; and those imitating Amazon arrived in a decorative gift box containing a fraudulent thank you letter, counterfeit gift card and a USB. The packages were sent using the United States Postal Service and United Parcel Service.”

A BadUSB device works by impersonating a keyboard, which lets it inject commands or launch programs on any computer it is plugged into. Additionally, the FBI reports that these USBs execute malware strains that act as backdoors, giving the attackers access to the victims’ networks.

Why it matters: The potential for compromise through USBs or any other form of external media is astronomical. For years, many threat actor groups have used USB devices to carry out attacks, as they offer an effortless way to bypass organizational security. This tactic has proven successful numerous times and remains one of the most sought-after attack methods that malicious actors use to wreak havoc in organizations.

A few of the steps that can be implemented to reduce the potential for compromise:

  • A proper training plan for all personnel in an organization
  • Applying the principle of least privilege
  • Having endpoint response software applied to prevent unauthorized use of external media
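A hunt for the keyboard-impersonation behaviour described above, added here as an example rather than taken from the FBI notice: it lists USB HID keyboard devices Windows has ever installed, including ones since unplugged, so an extra “keyboard” that appeared briefly still shows up. It assumes Windows 8 / Server 2012 or later for the PnpDevice cmdlets and that DEVPKEY_Device_InstallDate comes back as a DateTime.

```powershell
# Added example: find keyboard-class devices that arrived over USB.
param([int]$LookbackDays = 30)   # assumed default; adjust to taste

$cutoff = (Get-Date).AddDays(-$LookbackDays)

# USB HID keyboards enumerate as HID\VID_xxxx&PID_xxxx\...; built-in PS/2
# keyboards show up as ACPI\PNP03xx and are excluded. No -PresentOnly, so
# devices that have been removed are still listed.
$keyboards = Get-PnpDevice -Class Keyboard -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceId -like 'HID\VID_*' }

$report = foreach ($dev in $keyboards) {
    # The install date survives removal of the device.
    $prop = Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                -KeyName 'DEVPKEY_Device_InstallDate' -ErrorAction SilentlyContinue
    $installed = $prop.Data   # assumed DateTime
    [pscustomobject]@{
        Installed  = $installed
        Status     = $dev.Status          # typically 'OK' if present, 'Unknown' if unplugged
        Name       = $dev.FriendlyName
        InstanceId = $dev.InstanceId
        Recent     = ($installed -is [datetime]) -and ($installed -ge $cutoff)
    }
}

# Recently installed entries deserve a look; correlate with mailroom
# deliveries and the user's own account of what was plugged in.
$report | Sort-Object Installed -Descending | Format-Table -AutoSize
```

A second keyboard that appeared on a workstation that has only ever had one is the pattern to look for; the VID/PID in the instance id identifies the hardware vendor of the device.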

VMWare Bug for Hypervisor Takeover

Summary: VMware announced an unpatched bug that affects multiple platforms, including Cloud Foundation, ESXi, Fusion, and Workstation. Researcher “Jaanus Kääp” of Clarified Security and Trend Micro’s ZDI discovered the bug, which allows for a hypervisor takeover. Affected versions are ESXi 6.5, 6.7, and 7.0, Workstation 16.x, Fusion 12.x, and Cloud Foundation 3.x and 4.x. Patches are still pending for ESXi 7.0 and both Cloud Foundation versions. The workaround KB87249 is currently offered for ESXi and Cloud Foundation.

The vulnerability, tracked as CVE-2021-22045, was identified as a heap-overflow vulnerability in the CD-ROM device emulation. A heap overflow occurs when a process’s memory is continuously allocated and never freed, causing memory leakage issues. The vulnerability allows a malicious actor with access to a virtual machine that has an emulated CD-ROM device to run malicious code on the hypervisor from inside that virtual machine.

Why it matters: The ability of threat actors to execute malicious code on hypervisors could give attackers control over the underlying hardware. Combined with other exploits, this vulnerability could give attackers access to sensitive information. The Open Web Application Security Project’s Top Ten Application Security Risks framework includes a list of common application vulnerability classes; in this example, the insecure design of the application provides attackers with a new attack vector. Given that patches for some versions have been released, companies that have yet to patch their systems are exposing them through vulnerable and outdated components.

MacOS TCC vulnerability

Summary: Microsoft discovered a macOS vulnerability, named “powerdir”, that allows users to bypass privacy preferences. The bug allows malicious apps to bypass Apple’s Transparency, Consent and Control (TCC) technology and gain access to a user’s protected data. The issue is fixed in macOS Monterey 12.1 and macOS Big Sur 11.6.2.

The vulnerability is tracked as CVE-2021-30970 and affects the TCC database, which stores the permissions and consent history of application requests. Microsoft determined that a fake TCC database could be implanted, which would allow attackers to grant their own malicious apps permissions, including screen sharing, microphone, and webcam access.

Why it matters: The TCC vulnerability is present in versions prior to Monterey 12.1 and Big Sur 11.6.2. An attacker exploiting it could access sensitive data on a user’s machine. The Open Web Application Security Project’s Top Ten Application Security Risks framework includes a list of common application vulnerability classes; in this example, broken access control in TCC gives attackers the ability to replace a central database. Attackers with full-disk access can reach the original TCC database. The attack works by replacing the original TCC database with a fake database that has the same structure, and the fake database bypasses the privacy settings previously set within the system. Given that patches have been released, companies should update their macOS version as soon as possible.

Security Tip of the Month

Summary: A Potentially Unwanted Program (PUP) is a program or application that is typically bundled with, and installed alongside, other software. Often, users click through the installation process of a new program and, without noticing, agree to download additional software.

Since PUPs are only downloaded and installed after the user gives consent by clicking an “agree” button, the programs are technically not considered malware. As a result, PUPs can slip past anti-malware software that does not have the appropriate PUP detection settings enabled.

Why it matters: Applications considered PUPs typically do not pose a major threat to the systems they are installed on. However, they may hinder the performance of a computer by consuming processing resources. Additionally, PUPs may distract users by displaying ads or adding toolbars to browsers, and some PUPs are known to collect private user data. Questionable characteristics such as these are why removing PUPs is recommended as good security practice.

A blog post on Malwarebytes Labs by Wendy Zamora provides the following tips for preventing the installation of PUPs:

  • Use an ad blocker when browsing the web
  • Utilize PUP settings on anti-malware/spyware programs
  • Read through each step of software installation wizards
  • Read End User License Agreements (EULAs) to identify and decline terms for bundled programs