June 10, 2019

The GoldBrute botnet is trying to crack open 1.5 million RDP servers

By John E Dunn

Even its most optimistic users would have to concede that it’s been a bracing few weeks for anyone who relies on Microsoft’s Remote Desktop Protocol (RDP).

The latest round of bad news emerged last week when Morphus Labs’ researcher Renato Marinho announced the discovery of an aggressive brute force campaign against 1.5 million RDP servers by a botnet called ‘GoldBrute’.

That came hot on the heels of Microsoft’s urgent warning in May about the risk of a dangerous “wormable” vulnerability called BlueKeep (CVE-2019-0708) in Windows XP and 7’s Remote Desktop Services (RDS) which use RDP.

Underlining the worry, two weeks after the initial alert, Microsoft issued a second anxious nudge when it discovered at least one million vulnerable systems had yet to apply the available patch.

By the time the US National Security Agency (NSA) chipped in with its own mildly apocalyptic BlueKeep alert on 4 June 2019, it was clear they believed something unpleasant might be brewing.

It’s behind you

The mega-attack exploiting BlueKeep has yet to materialize, but what users have got in the meantime is GoldBrute, a much more basic threat that targets the problem of RDP servers left exposed to the internet.

A search on Shodan puts the number of servers in this vulnerable state at 2.4 million, 1,596,571 of which, Morphus discovered, had been subjected to an attempted brute force attack targeting weak credentials.
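An exposed RDP server under password guessing leaves a very recognisable trace: many failed logons from one source address in a short time, often against several account names. The detector below is an added example, not code from the article or from Morphus Labs; it runs over constructed log lines that mimic a simplified export of Windows Security event 4625 (logon failure), where logon type 10 is RemoteInteractive, the type an RDP session produces. The field layout, thresholds and addresses are assumptions for the demo.

```javascript
// Added example, not from the article: flag RDP password-guessing by counting
// failed logons per source address inside a sliding time window.
// The log lines are constructed for this demo; they mimic a simplified export of
// Windows Security event 4625 (logon failure) with the fields a SIEM would keep.
// LogonType=10 is RemoteInteractive, i.e. a logon arriving over RDP.
const SAMPLE_LOG = [
  "2019-06-05T10:00:01Z 4625 LogonType=10 User=administrator Src=203.0.113.7",
  "2019-06-05T10:00:04Z 4625 LogonType=10 User=admin Src=203.0.113.7",
  "2019-06-05T10:00:07Z 4625 LogonType=10 User=administrator Src=203.0.113.7",
  "2019-06-05T10:00:09Z 4625 LogonType=10 User=guest Src=203.0.113.7",
  "2019-06-05T10:00:12Z 4625 LogonType=10 User=admin Src=203.0.113.7",
  "2019-06-05T10:00:15Z 4625 LogonType=10 User=administrator Src=203.0.113.7",
  "2019-06-05T10:01:30Z 4625 LogonType=10 User=jsmith Src=198.51.100.4", // one typo, then success
  "2019-06-05T10:01:45Z 4624 LogonType=10 User=jsmith Src=198.51.100.4",
  "2019-06-05T10:05:00Z 4625 LogonType=2 User=jdoe Src=-",               // console logon, not RDP
  "2019-06-05T10:20:00Z 4625 LogonType=10 User=root Src=192.0.2.9",       // slow: two tries, 5 min apart
  "2019-06-05T10:25:00Z 4625 LogonType=10 User=root Src=192.0.2.9",
];

// Parse one constructed line into its fields; returns null for lines that do not fit.
function parseLine(line) {
  const m = line.match(/^(\S+) (\d+) LogonType=(\d+) User=(\S+) Src=(\S+)$/);
  if (!m) return null;
  return { ts: Date.parse(m[1]), eventId: Number(m[2]), logonType: Number(m[3]), user: m[4], src: m[5] };
}

// Returns one alert per source address whose densest window of RDP logon
// failures holds at least `threshold` events within `windowMs` milliseconds.
function detectBruteForce(lines, { threshold = 5, windowMs = 60000 } = {}) {
  const bySrc = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || ev.eventId !== 4625 || ev.logonType !== 10) continue; // keep RDP failures only
    if (!bySrc.has(ev.src)) bySrc.set(ev.src, []);
    bySrc.get(ev.src).push(ev);
  }
  const alerts = [];
  for (const [src, evs] of bySrc) {
    evs.sort((a, b) => a.ts - b.ts);
    let start = 0;
    let best = { start: 0, end: 0, count: 0 };
    // Two-pointer sweep: advance `start` until the window fits, track the densest one.
    for (let end = 0; end < evs.length; end++) {
      while (evs[end].ts - evs[start].ts > windowMs) start++;
      const count = end - start + 1;
      if (count > best.count) best = { start, end, count };
    }
    if (best.count < threshold) continue;
    const window = evs.slice(best.start, best.end + 1);
    alerts.push({
      src,
      failures: best.count,
      distinctUsers: new Set(window.map(e => e.user)).size, // spraying across accounts
      firstSeen: new Date(window[0].ts).toISOString(),
      lastSeen: new Date(window[window.length - 1].ts).toISOString(),
    });
  }
  return alerts;
}

console.log(JSON.stringify(detectBruteForce(SAMPLE_LOG), null, 2));
```

With the defaults, only 203.0.113.7 is reported (six failures against three account names in fourteen seconds); the user who mistyped once and the two slow attempts from 192.0.2.9 stay below the bar. A longer window and a lower threshold catch the slow source too, which is the usual tuning tradeoff between noise and missed low-and-slow guessing.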

Read more at https://nakedsecurity.sophos.com/2019/06/10/the-goldbrute-botnet-is-trying-to-crack-open-1-5-million-rdp-servers/

Cryptocurrency attack thwarted by npm team

By Danny Bradbury

Cryptocurrency users narrowly escaped losing all their funds last week after an attacker poisoned a digital wallet with malicious code that stole their blockchain access details.

The attacker injected malicious code into Agama, a cryptocurrency wallet created by Komodo. If successful, they could have stolen around $13m of Komodo’s KMD cryptocurrency, which is a privacy-centric coin. Luckily, they were thwarted by quick action from both Komodo and software repository npm.

On 8 March 2019, the sneaky developer published what appeared to be a useful update to a software component used by the Agama wallet. The attacker, who called themselves ‘sawlysawly’, posted the update on the GitHub developer collaboration website where Komodo hosts its source code.

Open source developers like to reuse each other’s software rather than reinventing the wheel. When a software application relies on a third party to do something, it’s called a dependency. The third-party building blocks on which applications depend are known as packages or modules, and people publish them in central repositories for developers to find. One of those repositories is npm. Started in 2009, it deals with JavaScript packages.

An npm package called electron-native-notify was introduced by sawlysawly as a dependency in the Agama wallet, meaning that the new version of the wallet would use that code.

At the time of the commit, the version of electron-native-notify (1.1.5) on npm was legit, but 15 days after making the commit, the npm package was updated to 1.1.6, which included a malicious payload. The next version of Agama was released on 13 April 2019.

The change in electron-native-notify enabled the attacker to steal the wallet seed, which is a secret phrase that enables users to retrieve their coins using any wallet.
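The timeline above (a clean 1.1.5 at commit time, a poisoned 1.1.6 published fifteen days later, and a wallet build that picked it up) is only possible when the dependency is declared as a version range rather than an exact version. The following is an added example, not Komodo's, npm's or the electron-native-notify project's code; it assumes the dependency was declared with npm's default caret range (`^1.1.5`), which the article does not state, and the package.json it inspects is constructed for the demo.

```javascript
// Added example, not Komodo's, npm's or the electron-native-notify project's code.
// It shows (1) why a caret range such as "^1.1.5" in package.json lets a later
// 1.1.6 release install without any change to the wallet's own source, and
// (2) how to list the dependencies of a package.json that are not pinned to an
// exact version. The package.json below is constructed for the demo; only the
// electron-native-notify version number comes from the article.
const SAMPLE_PACKAGE_JSON = {
  name: "example-wallet",             // constructed name
  dependencies: {
    "electron-native-notify": "^1.1.5", // assumed caret range
    "example-logger": "2.4.0",          // constructed, exact pin
    "example-utils": "~0.9.2",          // constructed, tilde range
  },
  devDependencies: {
    "example-test-runner": ">=5.0.0",   // constructed, open range
  },
};

const EXACT = /^\d+\.\d+\.\d+$/;

function parseVersion(v) {
  const m = v.match(/^(\d+)\.(\d+)\.(\d+)$/);
  if (!m) throw new Error(`not an exact version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// npm caret semantics: a candidate satisfies ^X.Y.Z if it is >= X.Y.Z and does
// not change the leftmost non-zero component (^1.1.5 -> <2.0.0, ^0.2.3 -> <0.3.0,
// ^0.0.3 -> exactly 0.0.3). Pre-release tags and other operators are out of scope here.
function caretAllows(spec, candidate) {
  if (!spec.startsWith("^")) throw new Error(`not a caret range: ${spec}`);
  const baseStr = spec.slice(1);
  const base = parseVersion(baseStr);
  const cand = parseVersion(candidate);
  if (compareVersions(candidate, baseStr) < 0) return false;
  let pivot = base.findIndex(n => n !== 0);
  if (pivot === -1) pivot = 2; // ^0.0.0 pins the patch component
  for (let i = 0; i <= pivot; i++) if (cand[i] !== base[i]) return false;
  return true;
}

// Every dependency whose spec is not an exact "X.Y.Z" can float to a newer
// release at install time unless a committed lockfile pins the resolved version.
function unpinnedDependencies(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT.test(spec)) out.push({ name, spec, field });
    }
  }
  return out;
}

console.log("^1.1.5 accepts 1.1.6:", caretAllows("^1.1.5", "1.1.6"));
console.log("unpinned:", unpinnedDependencies(SAMPLE_PACKAGE_JSON));
```

The defensive takeaways follow from the two functions: commit a lockfile (package-lock.json) so that the version resolved at review time is the version installed at build time, and install with `npm ci`, which refuses to run when the lockfile and package.json disagree. Pinning stops an unreviewed release from sliding into a build; it does not replace reviewing a dependency update before bumping the pin.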

Read more at https://nakedsecurity.sophos.com/2019/06/10/thwarted-cryptocurrency-attack-shows-importance-of-testing-open-source-code/

Laptops used in 2016 NC poll to be examined by feds – after 2.5 years

By Lisa Vaas

More than two and a half years after the fact, the Feds are finally going to investigate the failure of voter registration software – from a company that had been cyber-attacked by Russians just days before the November 2016 US presidential election – in the swing state of North Carolina.

Politico has reviewed a document and spoken to somebody with knowledge of the episode, both of which suggest that the vendor, VR Systems, “inadvertently opened a potential pathway for hackers to tamper with voter records in North Carolina on the eve of the presidential election.”

Specifically, VR Systems used remote-access software to connect for several hours to a central computer in Durham County so as to troubleshoot problems with the company’s voter registration software. In fact, election officials would come to find out that this was common practice, according to Politico’s source, in spite of the fact that election technology security experts agree that it opens up systems to hacking.

Election Day 2016: Durham County

When the polls opened in Durham County on 8 November 2016, election officials discovered that the laptop computers used by precincts to verify voter registration had malfunctioned. They were forced to cross-check voter registration with old-fashioned paper poll registries and to extend voting hours.

It was suspicious, and it wasn’t an isolated incident. Five or six precincts reported the same problem with the computerized check-in system from VR Systems, a Florida-based e-voting vendor with customers in eight states. The county, which leans heavily to the Democrats, had delivered 75% of its votes to Barack Obama during both of his presidential runs, and North Carolina was considered a key swing state in the 2016 presidential election.

Read more at https://nakedsecurity.sophos.com/2019/06/10/laptops-used-in-2016-nc-poll-to-be-examined-by-feds-after-2-5-years/

Online shops fear 2FA at checkout will increase abandoned carts

By Lisa Vaas

You’re sitting at your computer when it occurs to you that you really need to buy more tube socks, so you click yourself on over to Tube-Socks-R-Us.com and fill your cart full of socks.

But wait, what’s this? You’re being asked for another sign of authentication before you can check out? Why, that means you have to get up! You need to go get your phone for that one-time PIN! And that darn phone is all the way over there! Well, just forget it, you say, and yet another abandoned cart gets added to the heaps of can’t-be-bothered purchase exhaustion that’s (reportedly) the stuff of online merchant nightmares.

Well, that’s the dystopian, dys-profitable e-commerce future envisioned by Stripe, at any rate. Stripe, maker of online payment technology, recently commissioned research from 451 Research. Based on input from 500 businesses and 1,000 consumers, 451 Research concluded that the EU’s online economy risks losing €57 billion (US $64.6 billion) when Strong Customer Authentication (SCA) goes into effect on 14 September 2019 and ushers what will potentially be forget-the-socks-inducing friction into the checkout process.

SCA is all about protecting consumers by clamping down on fraud. One of the new requirements of the second Payment Services Directive (PSD2), passed by the EU in November 2015, it introduces additional authentication into online checkout. That can be as simple as a one-time PIN code delivered by, say, a text message or generated by an authenticator app such as Sophos Authenticator, or it could be fingerprint confirmation on devices that support it.

Read more at https://nakedsecurity.sophos.com/2019/06/10/online-shops-fear-2fa-at-checkout-will-increase-abandoned-carts/

Action required! Exim mail servers need urgent patching

By John E Dunn

Researchers have discovered another dangerous security hole hiding in recent, unpatched versions of the popular mail server, Exim.

Uncovered in May 2019 by security company Qualys, the flaw (CVE-2019-10149) affects Exim versions 4.87 to 4.91 inclusive running on several Linux distros, the latter released as far back as 15 April 2018. The next release, version 4.92, fixed the problem on 10 February 2019 although that wasn’t realized by the software’s maintainers at the time.

The lowdown: anyone still running a version from April 2016 to earlier this year will be vulnerable. Versions before that might also be vulnerable if EXPERIMENTAL_EVENT is enabled manually, Qualys’s advisory warns.

The issue is described as an RCE, which in this case stands for Remote Command Execution, not to be confused with the more often-cited Remote Code Execution.

As the term implies, what that means is that an attacker could remotely execute arbitrary commands on a target system without having to upload malicious software.

The attack is easy from another system on the same local network. Pulling off the same from a system outside the network would require an attacker to…

Keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes). However, because of the extreme complexity of Exim’s code, we cannot guarantee that this exploitation method is unique; faster methods may exist.

Remote exploitation is also possible when Exim is using any one of several non-default configurations itemized in the Qualys advisory.

Read more at https://nakedsecurity.sophos.com/2019/06/07/action-required-exim-mail-servers-need-urgent-patching/

What’s the best approach to patching vulnerabilities?

By Lisa Vaas

New research shows that most vulnerabilities aren’t exploited and those that are tend to have a high CVSS score (awarded on the basis of how dangerous and easy to exploit the vulnerability is). So, not surprisingly, the most easily exploited flaws are the ones exploited most frequently.

What’s more surprising is that there’s apparently no relationship between the proof-of-concept (PoC) exploit code being published publicly online and the start of real-world attacks.

The numbers: the researchers collected 4,183 unique security flaws used in the wild between 2009 and 2018. That’s less than half of the 9,726 discoveries of exploit code that had been written and posted online.

Those numbers come from a study in which a team of researchers from Cyentia, Virginia Tech, and the RAND Corporation took a look at how to balance the pluses and minuses of two competing strategies for tackling vulnerabilities.

What’s the best way to herd cats?

Fixing them all would get you great coverage, but that’s a lot of time and resources spent on sealing up low-risk vulnerabilities. It would be more efficient to concentrate on patching just some high-risk vulnerabilities, but that approach leaves organizations open to whatever vulnerabilities they didn’t prioritize.

How do you know which vulnerabilities are worth fixing? The researchers sought to figure that out by using data collected from a multitude of sources, along with machine learning, to build and then compare a series of remediation strategies and see how each performs on the tradeoff between coverage and efficiency.
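The two quantities being traded off are easy to pin down: coverage is the share of vulnerabilities exploited in the wild that a strategy would have patched, and efficiency is the share of a strategy's patching effort that went to vulnerabilities that were actually exploited. The snippet below is an added example, not the study's code or data; it scores three simple strategies (patch everything, patch CVSS 7 and above, patch CVSS 9 and above) against a constructed vulnerability list whose ids, scores and exploited flags are invented for the demo.

```javascript
// Added example, not the study's code or data: compute the two quantities the
// researchers trade off for a remediation strategy. With E = vulnerabilities
// exploited in the wild and P = vulnerabilities a strategy patches:
//   coverage   = |P ∩ E| / |E|   (share of exploited flaws you fixed; a recall)
//   efficiency = |P ∩ E| / |P|   (share of your patching effort that mattered; a precision)
// The vulnerability set is constructed for this demo: ids, CVSS scores and the
// exploited flags are invented, not taken from the study.
const SAMPLE_VULNS = [
  { id: "V-1",  cvss: 9.8, exploited: true  },
  { id: "V-2",  cvss: 9.1, exploited: false },
  { id: "V-3",  cvss: 8.8, exploited: true  },
  { id: "V-4",  cvss: 7.5, exploited: false },
  { id: "V-5",  cvss: 7.2, exploited: true  },
  { id: "V-6",  cvss: 6.5, exploited: false },
  { id: "V-7",  cvss: 5.3, exploited: false },
  { id: "V-8",  cvss: 4.3, exploited: true  }, // low score, still exploited
  { id: "V-9",  cvss: 3.1, exploited: false },
  { id: "V-10", cvss: 9.3, exploited: false }, // high score, never exploited
];

// A strategy is just a predicate deciding which vulnerabilities get patched.
const STRATEGIES = {
  patchEverything: () => true,
  cvssAtLeast7: v => v.cvss >= 7.0,
  cvssAtLeast9: v => v.cvss >= 9.0,
};

function evaluateStrategy(vulns, selector) {
  const exploited = vulns.filter(v => v.exploited);
  const patched = vulns.filter(selector);
  const hits = patched.filter(v => v.exploited).length;
  return {
    patched: patched.length,
    // Degenerate cases (nothing exploited, nothing patched) score as 1 so they
    // do not divide by zero; a real report would flag them separately.
    coverage: exploited.length ? hits / exploited.length : 1,
    efficiency: patched.length ? hits / patched.length : 1,
  };
}

// Score every strategy on the same vulnerability set so they can be compared.
function compareStrategies(vulns, strategies = STRATEGIES) {
  const result = {};
  for (const [name, selector] of Object.entries(strategies)) {
    result[name] = evaluateStrategy(vulns, selector);
  }
  return result;
}

console.log(compareStrategies(SAMPLE_VULNS));
```

On this constructed set, patching everything reaches full coverage at 40% efficiency, the CVSS 7 cut-off gets 75% coverage at 50% efficiency, and the CVSS 9 cut-off is the most selective but misses three of the four exploited flaws. The study's point is that a score threshold alone moves you along this curve; adding other signals (such as observed exploitation) is what lets a strategy improve both numbers at once.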

Read more at https://nakedsecurity.sophos.com/2019/06/07/whats-the-best-approach-to-patching-vulnerabilities/


Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation