The Zoom conferencing app hasavulnerability that allows someone to remotely take over the computer's camera.
It's a bad vulnerability, made worse by the fact that it remains even if you uninstall the Zoom app:
This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission.
On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.
Additionally, if you've ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install 'feature' continues to work to this day.
Zoom didn't take the vulnerability seriously:
This vulnerability was originally responsibly disclosed on March 26, 2019. This initial report included a proposed description of a 'quick fix' Zoom could have implemented by simply changing their server logic. It took Zoom 10 days to confirm the vulnerability. The first actual meeting about how the vulnerability would be patched occurred on June 11th, 2019, only 18 days before the end of the 90-day public disclosure deadline. During this meeting, the details of the vulnerability were confirmed and Zoom's planned solution was discussed. However, I was very easily able to spot and describe bypasses in their planned fix. At this point, Zoom was left with 18 days to resolve the vulnerability. On June 24th after 90 days of waiting, the last day before the public disclosure deadline, I discovered that Zoom had only implemented the 'quick fix' solution originally suggested.
This is why we disclose vulnerabilities. Now, finally, Zoom is taking this seriously and fixing it for real.
Paying ransomware demands will fuel further ransomware attacks, so I expect ransomware attacks to further escalate. So the big question is, can we expect UK further local government authorities and large organisations to be hard hit by mass ransomware outbreaks? The answer to that will come down to how well their patch management is, and whether lessons have been truly learnt from the destructive 2017 WannaCry ransomware outbreaks, which took down a number of NHS services. Given the recent BlueKeep Microsoft Windows critical vulnerabilityis expected to spark new strains of ransomware in the coming months, ransomware very much like WannaCry with the devasting capability of rapidly infecting and propagating via unpatched Microsoft Windows systems connected to flat networks, we shall soon find out.
An interesting article by Reuters revealed eight of the world’s biggest technology service providers were successfully hacked by APT10 aka 'StonePanda'. APT10, linked to China hackers, operated a sustained campaign over a number of years dubbed “Cloud Hopper”, which Reuters revealed affected Hewlett Packard Enterprise (HPE), IBM, Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation, and DXC Technology. The ATP10 attackers searched for access points into networks an IT systems, when found, extracted confidential information and potential trade secrets. These reported hacks may well be the tip of the iceberg. The Register stated, having gained access to the major service providers, the APT10 group may have gained access to many of their customers. Those customers run into the millions, “dramatically increasing the pool of valuable industrial and aerospace data stolen.”
The headlines this week further ramps up the pressure on the UK government to follow suit, by implementing a similar ban on the use of Huawei smartphones and network devices within the UK, a step beyond their initial 5G critical infrastructure ban announced last month. But is this really about a foreign nation-state security threat? Or is it more about it geo-economics and international politicking?
Huawei: A Security Threat or an Economic Threat?
It’s no secret that Huawei was founded in 1987 by Ren Zhengfei, a former engineer in the People's Liberation Army, and the company was quickly built with the backing of major Chinese state and military contracts. But the US government, secret services and military are also known to invest heavily in Silicon Valley and US tech firms. In recent weeks there have been a number of accusations about deliberate backdoors placed within Huawei devices, implying the usage of Huawei devices could aid Chinese forces in conducting covert surveillance, and with potentially causing catastrophic impacting cyber attacks.
The reality is all software and IT hardware will have a history of exploitable vulnerabilities, and it is pretty much impossible to determine which could be intentionally placed covert backdoors, especially as an advanced and sophisticated nation-state actor would seek to obfuscate any deliberately placed backdoor as an unintentional vulnerability.
For instance, the following are critical security vulnerabilities reported within tech made by US firms in just the last 9 days, no suggestion any of these are intentionally placed backdoors:
Secret Backdoors are already unintentionally there to be discovered
The more usual approach taken by nation-state intelligence and offensive cyber agencies is to invest in finding the unintentional backdoors already present in software and hardware. The discovery of new and completely unknown 'zero-day' security vulnerability is their primary aim. Non-published zero-days vulnerabilities are extremely valuable, clearly, a value lost if they were to inform the vendors about the vulnerability, as they would seek to quickly mitigate with a software patch.
The WhatsApp vulnerability reported last week was another public example of this approach, where a private Israeli firm NSO Group found a serious vulnerability within WhatsApp. But instead of informing Facebook to fix it, NSO created a tool to exploit the vulnerability, which it sold to various governments. The ethics of that is a debate for another day.
The Laws which allows Nation-States to Conduct Cyber Surveillance
The United States has significant surveillance powers with the "Patriot Act", the Freedom Act and spying internationally with FISA. China has its equivalent surveillance powers publicly released called the "2017 National Intelligence Law". This law states Chinese organisations are "obliged to support, cooperate with, and collaborate with national intelligence work". But just like Apple, Microsoft and Google, Huawei has categorically said it would refuse to comply with any such government requests, in a letter in UK MPs in February 2019. Huawei also confirmed "no Chinese law obliges any company to install backdoors", a position they have backed up by an international law firm based in London. The letter went on to say that Huawei would refuse requests by the Chinese government to plant backdoors, eavesdropping or spyware on its telecommunications equipment.
Why the UK Gov is stuck between a Rock and Hard Place
The UK government continue to be stuck between a rock and a hard place, playing a balancing act of trying to keep both the United States and China happy, in a bid to score lucrative post-Brexit multi-billion-pound trade deals. This status-quo leaves UK Huawei smartphone consumers and UK businesses using Huawei network devices, caught in the middle. However, due to the relentless US pressure causing regular negative mainstream media headlines about the security of Huawei products, the Chinese tech giant may well be driven out of UK markets without a UK government ban.
Quickly applying software updates (patching) to mitigate security vulnerabilities is a cornerstone of both a home and business security strategy. So it was interesting to see how the mainstream news media reported the disclosure of three separate ‘major’ security vulnerabilities this week, within WhatsApp, Microsoft Windows and Intel Processors.
WhatsApp The WhatsApp security flaw by far received the most the attention of the media and was very much the leading frontpage news story for a day. The WhatsApp vulnerability (CVE-2019-3568) impacts both iPhone and Android versions of the mobile messaging app, allowing an attacker to install surveillance software, namely, spyware called Pegasus, which access can the smartphone's call logs, text messages, and can covertly enable and record the camera and microphone. From a technical perspective, the vulnerability (CVE-2019-3568) can be exploited with a buffer overflow attack against WhatsApp's VOIP stack, this makes remote code execution possible by sending specially crafted SRTCP packets to the phone, a sophisticated exploit.
Should you be concerned? WhatsApp said it believed only a "select number of users were targeted through this vulnerability by an advanced cyber actor." According to the FT, that threat actor was an Israeli company called ‘NSO Group’. NSO developed the exploit to sell on, NSO advertises it sells products to government agencies "for fighting terrorism and aiding law enforcement investigations". NSO products (aka "spyware") is known to be used by government agencies in UAE, Saudi Arabia and Mexico.
So, if you are one of the 1.5 billion WhatsApp users, not a middle-east political activist or a Mexican criminal, you probably shouldn’t too worry about your smartphone being exploited in the past. If you were exploited, there would be signs, with unusual cliches and activity on your phone. Despite the low risk at present, all WhatsApp users should quickly update their WhatsApp app before criminals attempt to ‘copycat’ NSO Group exploitation.
How to Prevent Update the WhatsApp app. iOS
Open the Apple AppStore App
Search for WhatsApp Messenger
Tap 'Update' and the latest version of WhatsApp will be installed
App Version 2.19.51 and above fixes the vulnerability
Open Google Play Store
Tap the menu in the top left corner
Go to “My Apps & Games”
Tap ‘Update’ next to WhatsApp Messenger and the latest version of WhatsApp will be installed
App Version 2.19.134 and above fixes the vulnerability
Microsoft Worm Vulnerability CVE-2019-0708
Making fewer media headlines was the announcement of a new “wormable” vulnerability discovered within the various versions of the Microsoft’s Windows operating system. The vulnerability CVE-2019-0708 is within Window's “remote desktop services” component.
This vulnerability is by far the most dangerous vulnerability reported this week, probably this year, it is a similar flaw to what the WannaCry malware exploited on mass in May 2017. WannaCry was a ransomware worm which severely impacted the operation of several large organisations, including the NHS. It exploited a similar Microsoft Windows vulnerability which enabled the malware to quickly self-propagate (worm) across networks and infecting vulnerable systems on mass with ransomware, rendering such systems unusable.
Such is the concern of a second WannaCry style attack due to this flaw, Microsoft has taken the rare step of releasing security patches for their unsupported versions of the Windows operating system, such as Windows XP and Windows Server 2003.
How to Prevent Apply the latest Microsoft Windows Update. Microsoft has said anti-virus products will not provide any protection against the exploitation of this vulnerability, therefore applying the Microsoft May 2019 Security Update, as released on Tuesday 14th May 2019, is the only way to be certain of protecting against the exploitation of this critical vulnerability
Ensure automatic updates is always kept switched on. Windows by default should attempt to download and install the latest security updates, typically you will be prompted to apply the update and accept a reboot, do this without delay.
To double check, select the Start menu, followed by the gear cog icon on the left. Then, select Update & Security and Windows Update.
Businesses must also seek to apply Microsoft security updates as soon as they are released. Typically large organisations control the release of Microsoft security patches centrally, they should monitor and risk assess the importance of newly released security updates, and then apply across their IT estate at a rate based on risk.
Intel CPU ZombieLoad Vulnerability
There was little mainstream coverage about a third major security vulnerability reported this week. Coined 'ZombieLoad side-channel processor', this vulnerability is present in almost every Intel processor made since 2011. This hardware vulnerability is a concern to businesses which use or provide cloud services. This flaw can also be mitigated by patching, with Microsoft, Apple, Amazon and Google all releasing security patches. For further information about the Intel CPU vulnerability, read the following posts.
A brand new processor hardware vulnerability affecting modern Intel CPUs has been uncovered by Bitdefender researchers Coined "ZombieLoad side-channel processor", the vulnerability defeats the architectural safeguards of the processor and allows unprivileged user-mode applications to steal kernel-mode memory information processed on the affected computer.
The new vulnerability can be exploited by attackers to leak privileged information data from an area of the processor's memory meant to be strictly off-limits. This flaw could be used in highly targeted attacks that would normally require system-wide privileges or deep subversion of the operating system. The flaw has an extremely large impact on cloud service providers and within multi-tenant environments, as potentially a 'bad neighbour' could leverage this flaw to read data belonging to other tenants.
The proof of concept code has been shared privately with the vendor, was said to have been successfully tested on Intel Ivy Bridge, Haswell, Skylake and Kaby Lake microarchitectures by the researchers.
Since this vulnerability revolves around a hardware design flaw, microcode patches have been available to remediate the flaw. Currently, Bitdefender and industry partners are working on fixes implemented at the hypervisor level. Industry Security Patches
Side channel attacks based on speculative execution was in the news with the identification of Meltdown and Spectre CPU vulnerabilities back in early 2018. Since then, variants of side-channel attacks have been occasionally discovered and partially mitigated via microcode and operating system patches. However, as this is a flaw that stems from a hardware design issue, a general fix to plug the hardware vulnerability is impossible.
The National Cyber Security Centre (NCSC) launched a free online tool called "Exercise in a Box", designed by the UK cyber intelligence boffins to help organisations prepare in managing major cyber attacks. The premise, is the tool will help UK organisations avoid scenarios such as the 2017’s Wannacry attacks, which devastated NHS IT systems and placed patient lives at risk.
German drug manufacturing giant, Beyer, found a malware infection, said to originate from a Chinese group called "Wicked Panda". The malware in question was WINNIT, which is known in the security industry and allows remote access into networks, allowing hackers to deliver further malware and to conduct exploits. In my view, the presence of WINNIT is a sure sign a covert and sustained campaign by a sophisticated threat actor, likely focused on espionage given the company's sector. Beyer stressed there was no evidence of data theft, but were are still investigating.
Another manufacturing giant severely hit by a cyber attack this month was Aebi Schmidt. A ransomware outbreak impacted its business' operations globally, with most of the damage occurring at their European base. The ransomware wasn't named, but it left multiple Windows systems, on their presumably flat network infrastructure, paralyzed.
I am aware of school children getting sucked into this illicit world, typically starts with them seeking to take over better online game accounts after their own account is compromised, they quickly end up with more money than they can spend. Aside from keeping an eye on what your children are up to online as a parent, it goes to underline the importance of using unique complex passwords with every web account (use a password manager or vault to help you - see password security section on the Security Expert website). And always use Multi-Factor Authentication where available, and if you suspect or have are informed your account 'may' have compromised, change your password straight away.
A Netscout Threat Landscape Report declared in the second half of 2018, cyber attacks against IoT devices and DDoS attacks had both rose dramatically. Fuelled by the compromise of high numbers of IoT devices, the number of DDoS attacks in the 100GBps to 200GBps range increased 169%, while those in the 200GBps to 300GBps range exploded 2,500%. The report concluded cybercriminals had built and used cheaper, easier-to-deploy and more persistent malware, and cyber gangs had implemented this higher level of efficiency by adopting the same principles used by legitimate businesses. These improvements has helped malicious actors greatly increase the number of medium-size DDoS attacks while infiltrating IoT devices even quicker.
In a rare speech, Jeremy Fleming, the head of GCHQ warned the internet could deteriorate into "an even less governed space" if the international community doesn't come together to establish a common set of principles. He said "China, Iran, Russia and North Korea" had broken international law through cyber attacks, and made the case for when "offensive cyber activities" were good, saying "their use must always meet the three tests of legality, necessity and proportionality. Their use, in particular to cause disruption or damage - must be in extremis". Clearly international law wasn't developed with cyber space in mind, so it looks like GCGQ are attempting to raise awareness to remedy that.
I will be speaking at the e-crime Cyber Security Congress in London on 6th March 2019, on cloud security, new business metrics, future risks and priorities for 2019 and beyond.