Category Archives: Security strategies

SonicWall says products vulnerable to zero-day attack limited to SMA 100 line

IT administrators with SonicWall’s Secure Mobile Access SMA 100 devices running on their networks are being warned to implement added protection after the company discovered what it calls a “coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities.”

For the time being, administrators should create specific access rules or disable Virtual Office and HTTPS administrative access from the Internet while the company continues to investigate the vulnerability, its latest update says.

While an initial alert told admins not to use the company’s NetExtender VPN client for remote access, an updated advisory on Sunday said that after an investigation it could advise current SMA 100 Series customers to continue using the client. “We have determined that this use case is not susceptible to exploitation,” the company noted.

The update also said other products initially thought vulnerable are safe. These include:

  • SonicWall Firewalls: “All generations of SonicWall firewalls are not affected by the vulnerability impacting the SMA 100 series. No action is required from customers or partners.”
  • NetExtender VPN Client: “While we previously communicated NetExtender 10.X as potentially having a zero-day, that has now been ruled out. It may be used with all SonicWall products. No action is required from customers or partners.”
  • SMA 1000 Series: “This product line is not affected by this incident. Customers are safe to use SMA 1000 series and their associated clients. No action is required from customers or partners.”
  • SonicWall SonicWave APs: “No action is required from customers or partners.”

The SMA 100 series (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v) is aimed at small and medium-sized organizations of up to 100 employees for remote access to corporate resources hosted on-premises, in the cloud and in hybrid data centres.

Two of Sonicwall’s SMA 100 series

The warnings began late Friday when SonicWall issued an urgent security notice about the SMA line and the NetExtender client. In that initial warning, the company also urged admins to enable multifactor authentication on all SonicWall SMA and MySonicWall accounts.

SecurityWeek reported that before the news broke, it received an unverified anonymous email claiming that SonicWall was hit by ransomware and that hackers managed to steal “all customer data.” A second unverified anonymous email said all SonicWall internal systems went down last Tuesday and that the attackers left a message on Wednesday asking to be contacted by the company’s CEO. The same individual also claimed all source code was stolen from SonicWall’s GitLab repository as a result of the breach.

Meanwhile, BleepingComputer reported that it was contacted last Wednesday by a threat actor who said they had information about a zero-day in an unspecified but “well-known” firewall vendor. “I have information about hacking of a well-known firewall vendor and other security products by this they are silent and do not release press releases for their clients who are under attack due to several 0 days in particular very large companies are vulnerable technology companies,” the email read.

The post SonicWall says products vulnerable to zero-day attack limited to SMA 100 line first appeared on IT World Canada.

Canadian commercial real estate services firm acknowledges cyberattack

A Toronto-based commercial real estate services and investment management firm has acknowledged it was the victim of a cyberattack in November but isn’t saying if the incident was ransomware as a gang is claiming.

A spokesperson for publicly-traded Colliers International Group, which has corporate and institutional clients in 36 countries, acknowledged the breach of security controls on Wednesday after IT World Canada asked about a listing on the dark web by the Nefilim ransomware gang. The listing suggests that the company had been hit with ransomware and that its files had been copied.

“In November 2020, Colliers’ information technology team discovered a cyberattack to the company’s IT infrastructure in North America,” company communications director Pamela Smith said in an email. “Thanks to the immediate and decisive actions taken by Colliers’ IT team, the impacts on business continuity were limited. Colliers conducted a comprehensive investigation with the support of leading cybersecurity experts in an effort to determine what data may have been impacted during the recent event. Colliers continues to monitor the situation closely and will continue to notify affected individuals or organizations. The Colliers IT network is secure, safe and fully operational at this time.”

The spokesperson was mum when asked to confirm whether the attack was ransomware, whether files had been copied, whether the information affected was corporate or personal, and, if personal, whether it involved current and former employees.

In its most recent quarterly financial statement, for the period ending September 30, 2020, Colliers said it had a net income of just under $32 million on revenues of just over US$692 million. According to its 2019 financial results, released at the beginning of last year, it had about 15,000 employees.

Colliers performs a number of services for real estate firms including property management, sales and appraisals as well as tenant representation.

The Nefilim website entry for Colliers has the headline “Part 1,” suggesting the two files it has posted prove the firm was compromised and that more could follow.

According to Brett Callow, a British Columbia-based threat researcher for Emsisoft, Nefilim was first noticed in the spring of last year and has since racked up a string of enterprise-space victims including Whirlpool, MAS Holdings, Luxottica and Australian logistics company Toll Group. “Unlike most other big game-hunting groups, Nefilim appears to be a closed shop rather than a ransomware-as-a-service provider, which may explain why the group is less active than others,” he said in an email. “The group typically uses Microsoft RDP (remote desktop protocol) and other public-facing applications for initial access of victims. Frequently, it also exploits unpatched versions of Citrix’s Application Delivery Controller going after CVE-2019-19781.”

Imitation – the greatest form of flattery

Coincidentally, Emsisoft released its annual State of Ransomware in the U.S. report this week. At the beginning of 2020, only the Maze group used the threat of releasing stolen information as additional leverage to extort payment. By the end of the year, at least 17 others had adopted it and were publishing stolen data on so-called leak sites. At least 2,354 American governments, healthcare facilities and schools were impacted by ransomware last year. In addition, by counting entries on data leak sites the report estimated that more than 1,300 companies around the world, many U.S.-based, had stolen data published.

“We anticipate there will be more cases of data theft in 2021 than there were in 2020 – likely, at least twice as many,” the report concludes. “We also anticipate that cybercriminals will put stolen data to more use, using it to attack the individuals to which it relates in order to put additional pressure on the organizations from which it was stolen.”

Ransomware attacks can generally be fended off or, at least, their scope limited, it adds. “While organizations can never completely eliminate the possibility of human error, they can design their networks in such a way that they do not collapse like houses of cards when those errors occur.”

The post Canadian commercial real estate services firm acknowledges cyberattack first appeared on IT World Canada.

Researchers flag fourth piece of malware seen in SolarWinds hack and detail how Microsoft 365 got exploited

Two security vendors issued more details about the SolarWinds hack and abuse of its Orion network management platform.

Symantec says the list of malware pieces that could be delivered to victims of the SolarWinds Orion supply chain hack has grown to four. It found the new malware, a backdoor which it dubs Raindrop, was used against a select number of victims that were of interest to the attackers.

Raindrop is a loader that delivers a payload of Cobalt Strike, the threat emulation software often used by infosec teams for penetration tests. It joins other malware used by the attackers, including the initial backdoor called Sunburst (also known as Solorigate) and another backdoor deposited later, called Teardrop. The malware planted in SolarWinds’ build environment to insert Sunburst into Orion is called Sunspot.

Raindrop, Symantec says, is very similar to Teardrop. But while the initial Sunburst backdoor delivered Teardrop, Raindrop appears to be used for spreading across the victim’s network. The security firm also notes that it has seen no evidence of Raindrop being delivered directly by Sunburst to date. Instead, it appears elsewhere on networks where Sunburst has already compromised at least one computer.

The attack by a threat group FireEye calls UNC2452 — believed by the U.S. to be of Russian origin — compromised updates downloaded by some 18,000 users of the Orion network management platform between March and August 2020. SolarWinds has evidence that the attack on its update mechanism started as early as the fall of 2019.

FireEye today also issued a report saying that the UNC2452 group used its access to on-premises networks to access victims’ Microsoft 365 environment during certain attacks. In addition to issuing a detailed paper describing these attacks and how to harden Microsoft environments, FireEye released a free tool on GitHub named Azure AD Investigator. The tool is meant to help organizations determine if the SolarWinds hackers got into Microsoft 365.

In its report, Symantec describes how Raindrop was used against one victim. In early July 2020, Sunburst was installed through the SolarWinds Orion update, compromising two computers. The following day, Teardrop was added to one of them. That computer was found to have an Active Directory query tool and a credential dumper designed specifically for Orion databases. The credential dumper was similar to, but not the same as, the open-source Solarflare tool.

Eleven days later, on a third victim computer in the organization, where no previous malicious activity had been observed, a copy of the previously unseen Raindrop was installed under the name bproxy.dll. This computer was running computer access and management software. The attackers could have used this software to access any of the computers in the compromised organization.

One hour later, the Raindrop malware installed an additional file called “7z.dll”. Symantec was unable to retrieve this file because, within hours, a legitimate version of 7zip was used to extract a copy of what appeared to be Directory Services Internals (DSInternals) onto the computer. DSInternals is a legitimate tool that can be used for querying Active Directory servers and retrieving data, typically passwords, keys, or password hashes.

A pattern emerges

A second victim organization seen by Symantec had the Raindrop loader in late May. Several days later, PowerShell commands were executed on that computer, attempting to execute further instances of Raindrop on additional computers in the organization.

In a third victim, Symantec says Raindrop was used to install a version of Cobalt Strike that didn’t have an HTTP-based command and control server. Instead, it was configured to use a named pipe over the Windows SMB (Server Message Block) protocol. Symantec theorizes the victim’s computer did not have direct access to the internet, so command and control was routed through another computer on the local network. Otherwise, the three Raindrop samples seen by Symantec used HTTPS communication.

FireEye’s report outlines how UNC2452 and other threat actors moved laterally to the Microsoft 365 cloud using a combination of four primary techniques:

  1. Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users (sometimes described as Golden SAML). This would allow the attacker to authenticate into a federated resource provider (such as Microsoft 365) as any user, without the need for that user’s password or their corresponding multi-factor authentication (MFA) mechanism.
  2. Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls. This would allow the attacker to forge tokens for arbitrary users and has been described as an Azure AD backdoor.
  3. Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365 that have high privileged directory roles, such as Global Administrator or Application Administrator.
  4. Backdoor an existing Microsoft 365 application by adding a new application or service principal credential to use the legitimate permissions assigned to the application, such as the ability to read email, send email as an arbitrary user, access user calendars, etc.
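Techniques 2 through 4 all leave entries in the Azure AD audit log, which is where the cloud review FireEye recommends should start (technique 1, theft of the AD FS token-signing certificate, happens on the on-premises AD FS server and does not appear there). The Python triage below is an added example, not code from the article or from FireEye’s Azure AD Investigator: the activity names are the ones Azure AD writes for these operations, the mapping to technique labels and the set of roles treated as privileged are this example’s own choices, and the log records are constructed sample data in the shape of Microsoft Graph directoryAudits objects with invented values.

```python
import json
from dataclasses import dataclass

# Azure AD audit-log activity names that correspond to the techniques above.
# The grouping is this example's own; tune it to the tenant.
FEDERATION_CHANGES = {
    "Set federation settings on domain",   # IdP/trust changed on a domain
    "Set domain authentication",           # Managed <-> Federated switch
    "Add unverified domain",               # new domain that could be federated
}
APP_CREDENTIAL_CHANGES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}
PRIVILEGED_ROLES = {                       # assumption: roles worth alerting on
    "Global Administrator", "Application Administrator",
    "Cloud Application Administrator", "Privileged Role Administrator",
}

# Constructed sample records (field names follow Microsoft Graph
# auditLogs/directoryAudits; every value is invented for this example).
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDateTime": "2020-07-14T02:11:09Z",
     "activityDisplayName": "Set federation settings on domain",
     "initiatedBy": {"user": {"userPrincipalName": "svc-adsync@example.com"}},
     "targetResources": [{"displayName": "example.com", "modifiedProperties": []}]},
    {"activityDateTime": "2020-07-14T02:15:41Z",
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
     "targetResources": [{"displayName": "a.smith@example.com", "modifiedProperties": []}]},
    {"activityDateTime": "2020-07-14T02:20:03Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "svc-adsync@example.com"}},
     "targetResources": [{"displayName": "j.doe@example.com", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]},
    {"activityDateTime": "2020-07-14T02:31:55Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "j.doe@example.com"}},
     "targetResources": [{"displayName": "Mail Archiver", "modifiedProperties": [
         {"displayName": "KeyDescription", "newValue": "\"[KeyIdentifier=7c1f,KeyType=Password]\""}]}]},
    {"activityDateTime": "2020-07-14T03:02:12Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
     "targetResources": [{"displayName": "b.lee@example.com", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "newValue": "\"Helpdesk Administrator\""}]}]},
])


@dataclass(frozen=True)
class Finding:
    technique: str    # "federation-backdoor" | "privileged-role" | "app-credential"
    when: str
    actor: str
    activity: str
    target: str


def _actor(entry):
    """UPN of the user, or display name of the app, that made the change."""
    who = entry.get("initiatedBy") or {}
    user, app = who.get("user") or {}, who.get("app") or {}
    return (user.get("userPrincipalName") or user.get("id")
            or app.get("displayName") or app.get("servicePrincipalId") or "?")


def _new_value(prop):
    """modifiedProperties.newValue is a JSON-encoded string; decode it when possible."""
    raw = prop.get("newValue")
    try:
        return json.loads(raw) if raw is not None else None
    except (TypeError, ValueError):
        return raw


def triage(audit_log_json):
    """Map audit-log entries onto the three cloud-side techniques; findings come back in log order."""
    findings = []
    for entry in json.loads(audit_log_json):
        name = entry.get("activityDisplayName", "")
        when, actor = entry.get("activityDateTime", ""), _actor(entry)
        for tgt in entry.get("targetResources") or []:
            target = tgt.get("displayName") or tgt.get("id") or "?"
            if name in FEDERATION_CHANGES:
                findings.append(Finding("federation-backdoor", when, actor, name, target))
            elif name in APP_CREDENTIAL_CHANGES:
                findings.append(Finding("app-credential", when, actor, name, target))
            elif name == "Add member to role":
                roles = {v for v in (_new_value(p) for p in tgt.get("modifiedProperties") or []
                                     if p.get("displayName") == "Role.DisplayName")
                         if isinstance(v, str)}
                hit = roles & PRIVILEGED_ROLES
                if hit:
                    findings.append(Finding("privileged-role", when, actor, name,
                                            f"{target} -> {', '.join(sorted(hit))}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print(f"{f.when} {f.technique:20} {f.actor:26} {f.activity} [{f.target}]")
```

Read the findings together rather than one at a time: in the constructed log the same synchronization service account changes a domain’s federation settings and then grants Global Administrator nine minutes later, which is the sequence to escalate. A legitimate-looking actor is not reassuring on its own, since technique 3 is precisely the use of a compromised account that already holds a privileged role.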

“It is important to note that there is no formal security boundary between on-premises networks and cloud services provided by Microsoft 365,” FireEye warned. “If an organization discovers evidence of targeted threat actor activity in their on-premises network, a thorough review of the cloud environment is often necessary as well.”

The post Researchers flag fourth piece of malware seen in SolarWinds hack and detail how Microsoft 365 got exploited first appeared on IT World Canada.

Quebec insurer says personal information of present, past staff may have been exposed in cyberattack

A Montreal-based insurance firm’s website is still offline four weeks after a cyberattack, and the company is still trying to recover from the incident.

Promutuel Assurance says the attack started on Dec. 20 and made its IT systems unavailable. In a statement yesterday, the firm said that, so far, its investigation shows no signs of compromised social insurance numbers, driver’s licence numbers, credit card numbers or banking information of insured members.

However, the statement added, personal information of past, present and retired employees “may have been compromised.” As a precaution, Promutuel says it will provide them with credit monitoring and data protection services.

In an email, a spokesperson for the company was asked to confirm to IT World Canada if the incident was ransomware. According to a source working for a cybersecurity research firm in Canada who wished to remain anonymous, the website of the DoppelPaymer ransomware gang lists Promutuel as a victim. It also lists file names it allegedly copied in an attack. Typically, DoppelPaymer threatens to release copied files if the victim doesn’t pay for a data decryption key.

The spokesperson referred the publication to its official statement, which didn’t explain the attack’s source.

Earlier this week, the Journal de Quebec reported that confidential documents from the firm had been published online. In a story today, the news site said Promutuel told it those 15 files were recovered.

Another attack

Meanwhile, late Friday afternoon, the receiver for Winnipeg-based fashion retailer Nygard, which is in receivership, issued an advisory to employees, customers and partners acknowledging a Dec. 12 ransomware attack.

Richter Advisory Group Inc., the court-appointed receiver of Nygard Holdings (USA) Limited, Nygard Inc., and several related companies, said it issued the statement to advise current and former employees, customers, suppliers and others to monitor their information for any unusual activity, including suspicious emails or other communications that claim to be from the retailer.

Richter has been selling off Nygard assets since taking control of the company in March 2020, so the cyberattack happened after the receiver took over. It says that while the attack encrypted many servers, data copied earlier for forensic purposes wasn’t impacted.

On Dec. 30, Richter issued a report to the Manitoba court on the progress of its work, which included a description of the attack. It said the attackers from the Netwalker ransomware gang initially demanded the equivalent of about $3.6 million in bitcoin for the decryption key or copied data would be released. That demand has gone up to the equivalent of $7 million.

In its statement to the court, the receiver said a ransom wouldn’t be paid.

Richter has hired security firm Sophos to work with it to try to restore data from Nygard backups. As of the end of December, the receiver couldn’t say who might be impacted by the attack. Of Nygard’s 245 servers, 58 were encrypted, including five with data on current and former employees, five with sales data and eight with financial data. The report says 54 backup servers are available, but it isn’t confident the data can be relied on, in part because the attack damaged Nygard’s IT system.

Former company head Peter Nygard was taken into custody Dec. 15 and is awaiting extradition to the U.S. on allegations of racketeering, sex trafficking and related crimes.

The post Quebec insurer says personal information of present, past staff may have been exposed in cyberattack first appeared on IT World Canada.

Weak cyber hygiene behind many successful cloud attacks, warns US agency

Experts maintain that organizations that mandate multifactor authentication as an extra step to protect logins greatly improve their defences. However, it’s not fail-proof.

The latest example is this week’s warning from the U.S. government’s cyber agency that successful hacks have been reported against cloud services, including one that got around MFA, possibly by stealing browser cookies.

The report from the Cybersecurity and Infrastructure Security Agency (CISA) also makes it clear that firms thinking cloud services alone improve security are wrong: “Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks,” the report says.

“Threat actors are using phishing and other vectors to exploit poor cyber hygiene practices within a victims’ cloud services configuration.”

One thing many cloud attacks have in common, the report adds, is that victim organizations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access the cloud services.

Phishing tactics

Threat actors often use phishing emails with malicious links to harvest credentials for users’ cloud service accounts. Some included a link to what appeared to be a secure message, while others looked like a legitimate file hosting service account login. After a targeted recipient provided their credentials, the threat actors used the stolen credentials to gain access to the user’s cloud service account. The attackers then sent emails from the user’s account to phish other accounts within the organization. In some cases, these emails included links to documents within the organization’s file hosting service.

Port 80 open

In one case, the report says, an organization didn’t require a virtual private network (VPN) for accessing the corporate network. Although the terminal server was located within the firewall, to support remote work it was configured with port 80 open so remote employees could reach it, leaving the organization’s network vulnerable. The threat actor attempted to exploit this by launching brute-force login attempts.

Abuse of email forwarding

In several cases, threat actors collected sensitive information by taking advantage of email forwarding rules, which users had set up to forward work emails to their personal email accounts.

In one case the attackers modified an existing email rule on a user’s account — originally set by the user to forward emails sent from a certain sender to a personal account — to redirect the emails to an account controlled by the actors. The threat actors updated the rule to forward all email to the threat actors’ accounts. Attackers sometimes modified existing rules to search users’ email messages (subject and body) for several finance-related keywords and then forward the emails to the hackers.

In other cases the threat actors created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users.
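Both rule manipulations described here are visible in the mailbox rules themselves: an external forwarding address, or a move into a folder nobody reads, often paired with a keyword filter or a mark-as-read flag. The audit below is an added example, not code from the article or from CISA. It assumes rules exported from Exchange Online in the shape of Get-InboxRule output, serialised as dictionaries with plain SMTP addresses in the recipient fields (the real cmdlet returns richer recipient objects), and the rule set, the list of corporate domains and the keyword list are constructed for this example.

```python
import re

CORP_DOMAINS = {"example.com"}              # assumption: the tenant's own domains
# Folders attackers use to park mail the user is unlikely to read.
HIDING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Conversation History",
                  "Junk Email", "Deleted Items", "Archive"}
# Words that show up in the two cases above: finance theft and phishing-warning suppression.
SENSITIVE_WORDS = re.compile(
    r"\b(invoice|payment|wire|remittance|bank|password|phish\w*|suspicious|sign-in|hacked)\b", re.I)
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed rule export (Get-InboxRule field names, invented values).
SAMPLE_RULES = [
    {"Mailbox": "j.doe@example.com", "Name": "Vendor invoices", "Enabled": True,
     "ForwardTo": ["jdoe.home@mail.example"],
     "SubjectOrBodyContainsWords": ["invoice", "payment", "wire"]},
    {"Mailbox": "j.doe@example.com", "Name": "Team digest", "Enabled": True,
     "ForwardTo": ["finance-team@example.com"], "FromAddressContainsWords": ["erp-alerts"]},
    {"Mailbox": "a.smith@example.com", "Name": "Cleanup", "Enabled": True,
     "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True,
     "SubjectOrBodyContainsWords": ["phishing", "suspicious sign-in", "password reset"]},
    {"Mailbox": "a.smith@example.com", "Name": "Newsletters", "Enabled": True,
     "MoveToFolder": "Newsletters", "SubjectContainsWords": ["newsletter"]},
    {"Mailbox": "b.lee@example.com", "Name": ".", "Enabled": True,
     "RedirectTo": ["drop@attacker.example"], "DeleteMessage": False},
]


def _external(addresses, corp_domains):
    """Recipients whose domain is not one of ours."""
    out = []
    for addr in addresses or []:
        m = re.search(r"[\w.+-]+@([\w.-]+)", addr)
        if m and m.group(1).lower() not in corp_domains:
            out.append(addr)
    return out


def _keywords(rule):
    """Condition words on the rule that match the sensitive-word list."""
    words = []
    for field in ("SubjectOrBodyContainsWords", "SubjectContainsWords", "BodyContainsWords"):
        words += rule.get(field) or []
    return [w for w in words if SENSITIVE_WORDS.search(w)]


def audit_rules(rules, corp_domains=CORP_DOMAINS):
    """Return (mailbox, rule name, reasons) for every enabled rule matching an abuse pattern."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        reasons = []
        for field in FORWARD_FIELDS:                     # case 1: mail leaves the organisation
            ext = _external(rule.get(field), corp_domains)
            if ext:
                reasons.append(f"{field} leaves the organisation: {', '.join(ext)}")
        folder = rule.get("MoveToFolder")               # case 2: warnings parked out of sight
        hits = _keywords(rule)
        if folder in HIDING_FOLDERS and (rule.get("MarkAsRead") or hits or rule.get("DeleteMessage")):
            reasons.append(f"hides matching mail in '{folder}'")
        if rule.get("DeleteMessage") and hits:
            reasons.append("deletes mail matching sensitive words")
        if hits and reasons:        # a keyword filter only matters together with an exfil/hide action
            reasons.append(f"filters on sensitive words: {', '.join(hits)}")
        if reasons and not rule.get("Name", "").strip(". "):
            reasons.append("rule name is just punctuation")
        if reasons:
            findings.append((rule.get("Mailbox", "?"), rule.get("Name", ""), reasons))
    return findings


if __name__ == "__main__":
    for mailbox, name, reasons in audit_rules(SAMPLE_RULES):
        print(f"{mailbox} rule {name!r}: " + "; ".join(reasons))
```

Run this over the export for every mailbox, not only the one that reported a problem, and diff it against a baseline snapshot: the first case above was an existing, user-created rule that the attackers edited, so an alert that fires only on rule creation misses it.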

MFA abuse

CISA verified that in one case a threat actor successfully signed into one user’s account with proper multi-factor authentication (MFA). CISA believes the threat actors may have used browser cookies to defeat MFA with a “pass-the-cookie” attack.

On the other hand the agency admits MFA did thwart attempted brute force attacks on some accounts.

The report “is a rude awakening that attackers are seeing personal email accounts as the soft underbelly to corporate environments and are starting to use ‘pass-the-cookie’ techniques to successfully bypass multi-factor authentication,” said Ed Bishop, CTO of security firm Tessian. “While phishing is a persistent threat to company security, the risk posed by people sending emails to personal accounts is often overlooked, and it’s a risk that’s been heightened as people work remotely.” He added that personal accounts are easier to compromise because they are typically only protected by home routers, which often have remote management APIs. Companies should only allow access to corporate cloud infrastructure from known IP addresses, ideally via a corporate VPN endpoint with separate strong authentication or MFA in place.

In addition, businesses must treat remote home networks as untrusted, in the same way they do for airports or coffee shops, and require remote workers to use a VPN for any work-related task. Lastly, it’s important that companies monitor when new forwarding rules are created, and in some cases even disable auto-forwarding rules altogether.

Christian Espinosa, managing director at Cerberus Sentinel, noted that pass-the-cookie attacks aren’t new.

Cookies establish session persistence for web applications, he said in an email, and are placed on a computer whether MFA is used or not. The cookie contains the session ID and access tokens to the web application to avoid constant re-authentication. “This is an inherent flaw in the HTTP protocol and how web applications work. HTTP is a stateless protocol and relies on cookies to maintain state.”

He said the way to mitigate the MFA pass-the-cookie vulnerability is with better cookie management and better user training. Cookies should be set with a short lifespan and for a single session, so when the browser is closed, the cookie is made void. Users should be trained to log off the web application and close their browser after they are done using it. Many users never log off or close a browser, he noted, which increases risk.
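The cookie attributes Espinosa describes are instructions to the browser, and a cookie that has already been copied out of a browser ignores them; what actually bounds a pass-the-cookie replay is how long the server keeps honouring the session behind it. The following Python is an added example, not code from the article or its sources: a minimal server-side session store with an idle timeout, an absolute lifetime and explicit revocation on logoff, next to the weak and hardened forms of the Set-Cookie header it would issue. The timeout values and the __Host-session cookie name are this example’s choices, and the clock is injectable so the expiry behaviour can be exercised without waiting.

```python
import secrets
import time


class SessionStore:
    """Server-side sessions: the cookie carries only an opaque random token."""

    def __init__(self, idle_timeout=15 * 60, absolute_lifetime=8 * 3600, clock=time.time):
        self._sessions = {}                           # token -> {"user", "created", "last_seen"}
        self.idle_timeout = idle_timeout              # assumption: 15 minutes of inactivity
        self.absolute_lifetime = absolute_lifetime    # assumption: 8 hours regardless of activity
        self._clock = clock

    def create(self, user):
        token = secrets.token_urlsafe(32)             # 256 random bits, never derived from user data
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def resolve(self, token):
        """Return the user for a live session, or None (and drop it) once either limit is hit."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s["created"] > self.absolute_lifetime or now - s["last_seen"] > self.idle_timeout:
            del self._sessions[token]
            return None
        s["last_seen"] = now                          # activity extends idle time, not the absolute cap
        return s["user"]

    def revoke(self, token):
        """Logoff: a replayed copy of the cookie is useless the moment the user logs off."""
        return self._sessions.pop(token, None) is not None


def weak_cookie(token):
    """The 'stay logged in' pattern: persists for a year, readable by page scripts,
    and sent over plain HTTP because neither Secure nor HttpOnly is set."""
    return f"session={token}; Path=/; Max-Age=31536000"


def hardened_cookie(token):
    """Session-scoped (no Expires/Max-Age, so it dies with the browser), HTTPS-only, hidden from
    JavaScript, first-party only. The __Host- prefix makes the browser refuse the cookie unless
    Secure is set, Path is / and no Domain attribute is present."""
    return f"__Host-session={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("jane")
    print(hardened_cookie(tok))
    print("live:", store.resolve(tok), "| after logoff:", store.revoke(tok), store.resolve(tok))
```

SameSite=Strict suits an administrative console; for an application that must be entered from links in email, SameSite=Lax is the usual compromise. Neither attribute helps against a cookie lifted from the disk or memory of an already-compromised endpoint, which is why the idle and absolute limits in the store are the part that matters for the attack described above.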

The CISA report includes a long list of recommendations for better securing cloud applications. For those using Microsoft Office 365, it specifically recommends:

  • Assigning a few (one to three) trusted users as electronic discovery (or eDiscovery) managers to conduct forensic content searches across the entire environment (Mailboxes, Teams, SharePoint, and OneDrive) for evidence of malicious activity.
  • Disabling PowerShell remoting to Exchange Online for regular users. Disabling for non-administrative users will lower the likelihood of a compromised user account being used to programmatically access tenant configurations for reconnaissance.
  • Not allowing an unlimited number of unsuccessful login attempts.
  • Considering a tool such as Sparrow or Hawk, open-source PowerShell-based tools that gather information about an Office 365 tenant, to investigate and audit intrusions and potential breaches.

The post Weak cyber hygiene behind many successful cloud attacks, warns US agency first appeared on IT World Canada.

CRTC says Canadian ISPs may be forced to get tougher on botnets

Canada’s telecom regulator may force internet service providers to adopt network-level botnet blocking to limit criminally-run automated systems’ ability to spread malware.

ISPs can use several techniques to fight botnets, including domain-based blocking, internet protocol (IP)-based blocking and protocol-based blocking. However, these and other strategies aren’t required by regulation or controlled for possible bias.

But on Wednesday, the Canadian Radio-television and Telecommunications Commission (CRTC) called for comments on a proposal to require ISPs to implement strategies to fight botnets at the network level by blocking suspicious email, texts and communications by malware to command and control servers.

It would do so by approving a mandatory or voluntary network-blocking framework that carriers would follow. To meet privacy concerns, the commission says any approved framework has to be done in ways that protect internet user privacy, enable subscribers to opt into or out of message blocking, provide a mechanism to correct possible false positives of messages, ensure blocking decisions are unbiased and made in the best interest of Canadians, and minimize subscriber information monitoring, collection, and usage.

Technically, the CRTC says, any filtering or blocking affects the principle of net neutrality — the concept that all internet traffic should be given equal treatment by ISPs, with little or no prioritization. But there are exceptions, the CRTC notes. For example, blocking access to child exploitation material. If rules for network-based blocking are approved, “a limited exception to net neutrality may be warranted” to give Canadians protection from spyware, information theft and ransomware, the regulator says.

The commission also suggests that rather than leave decisions in the hands of ISPs, an independent body with expertise in cybersecurity might assess whether blocking a particular domain or IP address is justified. That body could also decide how message blocking decisions can be unbiased and accurate. The commission doesn’t suggest a body, but one possibility is the federal government’s Canadian Centre for Cyber Security.

The commission also acknowledges that any blocklist of forbidden IP addresses will need to change regularly to remain accurate. It wants to hear about worries of over-blocking and false positives and ways to take wrongly-blocked addresses off a list quickly.

“Malicious botnet attacks are a serious and recurring concern,” CRTC chair Ian Scott said in a statement. “Almost every week, we see another organization victimized by ransomware or hear of a fellow citizen lured in by a phishing scam. With the launch of this proceeding, we are aiming to better protect Canadian individuals, businesses and institutions against damaging botnet activity.”

ISPs, exchange carriers, web hosting companies, consumers, and others have until March 15th to file comments. Submissions are limited to 20 pages.

In an interview, telecommunications consultant Mark Goldberg said that by launching this consultation, the CRTC might be signaling that blocking and filtering measures ISPs already perform need formal approval of the commission under the Telecommunications Act. Section 36 of the act says a carrier shall not control content or purpose of communications it carries without permission.

In a statement the Competitive Network Operators of Canada (CNOC), which represents many independent ISPs, said the consultation may raise end-user concerns with content interference and blocking and overreach. At the same time, it added, network integrity, public safety, and user safety are crucial. “We will study this new consultation, to identify any meaningful areas requiring comment in terms of independent ISPs and concerns about how this might affect our users, and our ability to compete fairly.”

Greg Young, vice-president of cybersecurity at Trend Micro who used to work for the federal department of communications, applauded the proposal to create an anti-botnet framework. “Anything that blocks known bad traffic is a good thing,” he said in an interview.

The CRTC has the authority to fight spam by enforcing the Canadian Anti-Spam Legislation (CASL), which prevents Canadian-based companies from sending commercial email without the recipient’s consent, installing software on computers without consent, and making false or misleading representations to promote products or services online. The CRTC expects ISPs to take steps to limit such behaviour on their networks. Botnets, which are huge networks of interconnected PCs, servers and other internet-connected devices around the world that pump out spam, violate CASL.

However, most are controlled outside Canada and therefore out of the reach of the regulator. A framework would give ISPs a guide to implementing technologies to block messages from botnets to domains of their command and control (C2) servers, as well as meet privacy concerns.

No one-size-fits-all solution

The CRTC document notes that one strategy alone won’t accomplish its goals. Not all malware connects to C2 servers using domain names, so domain-based blocking won’t work against those attacks. That’s why IP-based blocking (through firewalls that block communications to suspected C2 servers) and protocol-based blocking also need to be used.

The commission says if it goes ahead with mandating botnet traffic blocking, it could do many things to protect privacy. Suggested ideas include prohibiting carriers from monitoring, collecting, or disclosing content or metadata that does not contribute to blocking botnet traffic; limiting monitoring and collection to the destination domain name or IP address requested and the number of times the malicious service is requested, and restricting disclosure of monitored data to parties participating in the blocking program.

And while internet subscribers should get some information from ISPs to decide which provider to choose and whether to participate in a blocking program (such as whether a particular domain or IP address is blocked), the CRTC also says it may put limits on how much an ISP can publicly divulge about its blocking technology.

Carriers can use the consultation to list their preferred blocking techniques, along with their pros and cons. If domain-based blocking is one, they can say which domain resolver technology they prefer. Domain resolvers translate domain names into IP addresses. Domain resolver providers include the Canadian Internet Registration Authority’s (CIRA) Canadian Shield, Quad9, OpenDNS, Comodo Secure DNS and CleanBrowsing.

(This story has been updated from the original to add statements from CNOC and Greg Young of Trend Micro)

The post CRTC says Canadian ISPs may be forced to get tougher on botnets first appeared on IT World Canada.

Common development error likely led to huge Parler data theft, says expert

The huge theft of data from the controversial — and now almost homeless — social media app Parler was accomplished in part through a common web development mistake, according to one expert.

“Essentially the Parler [software] engineers made a mistake in that they allowed an endpoint [a web address] to exist that people could sequentially query,” says Matt Warner, CTO and co-founder of Blumira, an Ann Arbor, Mich.-based cloud threat detection provider. “And if you can stand up enough people looking at different blocks of numbers you can essentially scrape nearly unlimited amounts of data through that endpoint.”

In short, the URLs Parler developers created included sequential numbers, like “ID=12345.” Knowledgeable people could guess the next numbered page was 12346 and would get a hit if access wasn’t protected.

That’s all right if the page is public. If it’s not — for example, a page that only logged-in bank customer “Jane” is allowed to access — then once anyone is logged in they can see other pages/accounts just by changing the number.

Software developers call this an insecure direct object reference (IDOR), and for years it was one of the Open Web Application Security Project’s (OWASP) Top 10 vulnerabilities. To be exploited, OWASP says, an IDOR issue must be combined with an access control problem that gives an attacker access to the web page. Warner suggested the researchers or activists might have gained that access after several providers such as Twilio dropped Parler following last week’s mob attack on the U.S. Congress. That may have broken email verification, making it easier for new users to sign up and opening the door to the IDOR exploit.

The data scraping happened shortly after it was revealed that Parler would be de-listed by providers because people involved in last week’s mob attack on the U.S. Congress used it to communicate. Apple and Google dropped Parler from their app stores, and Amazon stopped allowing Parler to use its hosting facilities. Parler is now suing Amazon.

In what Warner calls “probably the most co-ordinated hacktivism we’ve seen in a while,” some 15 people who were told of Parler’s vulnerabilities quickly copied apparently almost every user’s posts and attachments. According to the news site Gizmodo, 56 terabytes of data was captured.

A question of timing

One interesting question is whether the IDOR vulnerability was discovered after the incident in Washington, or if it’s been known for some time, according to Warner.

IDOR is “a really common risk” among developers who build their own websites and application programming interfaces (APIs), Warner said. “It used to be a lot more common five or 10 years ago when people were standing up early database-driven web sites. It’s not that common these days with the prevalence of UUIDs (universally unique identifier, sometimes called a globally unique identifier), which are long and complex [URL] IDs, but for whatever reason on this specific endpoint, which was associated with their mobile app, they weren’t doing that. And because of that it essentially exposed all of Parler’s attachments and metadata.”

It’s one of the reasons why application security and testing is essential, Warner said. “Parler more than likely didn’t have their application tested from a web application point of view. And it’s one of those things that can cascade very quickly just because it indicates other areas of risk within the environment — if you’re missing checks in this area you’re probably missing other areas in the application.”

IDOR vulnerabilities can be avoided if website designers make sure authentication and authorization of URLs are included early in development, says Warner. Otherwise, “if you have a lot of complex code you have to figure out where to jam that authentication check.”

Another way is to make sure sequential IDs are not used for page numbering, so people can’t guess or brute-force their way to other pages.
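Putting the two fixes above together (an authorization check on every object fetch, and identifiers that cannot be counted up), here is an added example that is not code from the article or from Parler: a toy attachment store in Python, first in the shape Warner describes, where any logged-in user can walk id 1, 2, 3 and so on and pull every file, then the hardened form. Every name, user and attachment in it is invented for the example.

```python
import itertools
import uuid


class NotFound(Exception):
    """Raised for both 'no such object' and 'not yours' so the endpoint is not an existence oracle."""


class VulnerableAttachments:
    """Sequential ids and no ownership check: the IDOR shape described above."""

    def __init__(self):
        self._next = itertools.count(1)
        self._rows = {}

    def upload(self, owner, body, public=False):
        key = next(self._next)                      # 1, 2, 3, ... guessable by anyone
        self._rows[key] = {"owner": owner, "body": body, "public": public}
        return key

    def fetch(self, session_user, key):
        # Authentication only: checks that *someone* is logged in, never that it is the owner.
        if session_user is None:
            raise NotFound()
        return self._rows[key]["body"]              # KeyError once a guess runs past the end


class HardenedAttachments:
    """Random ids plus an authorization check on every read."""

    def __init__(self):
        self._rows = {}

    def upload(self, owner, body, public=False):
        key = str(uuid.uuid4())                     # 122 random bits: not enumerable
        self._rows[key] = {"owner": owner, "body": body, "public": public}
        return key

    def fetch(self, session_user, key):
        row = self._rows.get(key)
        # Same failure for missing, private-and-not-mine and anonymous: nothing to probe.
        if row is None or not (row["public"] or row["owner"] == session_user):
            raise NotFound()
        return row["body"]


def scrape(store, session_user, start=1, stop=1000):
    """What the Parler scrapers did: walk the id space and keep whatever comes back."""
    got = {}
    for key in range(start, stop):
        try:
            got[key] = store.fetch(session_user, key)
        except (NotFound, KeyError):
            continue
    return got


def seed(store):
    """Constructed data: two users, one public and three private attachments."""
    return [store.upload("alice", "alice-public.jpg", public=True),
            store.upload("alice", "alice-private-dm.txt"),
            store.upload("bob", "bob-location.json"),
            store.upload("bob", "bob-id-scan.png")]


if __name__ == "__main__":
    vulnerable, hardened = VulnerableAttachments(), HardenedAttachments()
    seed(vulnerable)
    seed(hardened)
    print("vulnerable store, logged in as mallory:", scrape(vulnerable, "mallory"))
    print("hardened store, logged in as mallory:  ", scrape(hardened, "mallory"))
```

The random identifier alone is not the fix: UUIDs end up in shared links, referer headers and logs, so the owner check in `fetch` is what actually protects a private attachment. Keeping that check in the data-access layer, rather than in each handler, is also the answer to Warner’s point about having to find where to jam the check into complex code: a new endpoint cannot forget it.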

The post Common development error likely led to huge Parler data theft, says expert first appeared on IT World Canada.