
UNM4SK3D: Apple, AWS, and Mirai


By: Olivia

December 1, 2017


#emergencypatch 

Looks like someone took a bite out of Apple. macOS High Sierra was discovered to contain a bug where anyone with physical access to a computer running the latest version could bypass the secure login simply by putting “root” in the username field. Developer Lemi Orhan Ergin, founder of Software Craftsmanship Turkey, who discovered the flaw, publicly disclosed it 11/28 on Twitter. Since then, the macOS 10.13 bug has been confirmed by security researchers. According to those researchers, the bug works on both the lock screen and System Preferences. This means that those able to gain access can view any files on the system and change or reset passwords for other users of the same macOS system. Comforting. Patrick Wardle, director of research with Synack, expands further, saying, “In High Sierra this bug now allows anyone to become a system administrator who types ‘root’ in the authentication prompt and then hits enter. Behind the scenes that enabled the root account and then sets a blank password. The second time you click ‘OK’ that correctly authenticates the account and you have root access.” The vulnerability, CVE-2017-13872, is described by Apple in a security update as “a logic error existed in the validation of credentials. This was addressed with improved credential validation.” As of November 29th, the update will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra. Recently, Apple has come under scrutiny for bugs found in the High Sierra OS. Some applauded Apple for their fast response to the issue, while others argued that bugs like this should be prevented in the first place. Now, it appears there has been at least one 'inadvertent de-authentication' problem caused by yesterday’s patch, a side effect that could stop file sharing from working on your Mac. There is little information on when that issue will be fixed, but temporary workarounds have been posted across the web.
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as ‘root’ with empty password after clicking on login button several times. Are you aware of it @Apple? -Lemi Orhan Ergin
Dig deeper into OS issues. Read '3 Reasons Why EVERY OS Fails as an OS.'

#exposed

More US military secrets have been exposed, but this time, Wikileaks isn't to blame. Looks like a leaky AWS storage bucket is the culprit. Last week, UpGuard reported finding a "massive archive of 1.8 billion publicly accessible social-media posts on the Amazon S3 storage buckets that belonged to a Pentagon contractor," and now the cyber company has found sensitive data belonging to the United States Defense Department on a different publicly accessible S3 bucket. The latest discovery was nearly 100 GB of critical data belonging to the United States Army Intelligence and Security Command (INSCOM). Some of the data found was labeled 'top secret' and 'NOFORN' (no foreign nationals). The majority of the files appear to pertain to a project called Red Disk, a "proposed plan to offer cloud-computing capabilities to a U.S. military intelligence network known as the Distributed Common Ground System (DCGS)." It appears the AWS storage bucket belonged to a past INSCOM partner, a third-party defense contractor named Invertix. UpGuard Director of Cyber Risk Research, Chris Vickery, is credited with finding both exposed servers. Additional findings on the bucket include a virtual hard drive and a Linux-based operating system. The hard drive contains six partitions, varying in size from 1 GB to 69 GB. It is unclear at this point how sensitive the data is, but labels like 'top secret' invite speculation. Researchers are also saying "the virtual OS and HD can be browsed in their functional states, meaning most of the data cannot be accessed without connecting to Pentagon systems, an intrusion that malicious actors could have attempted, had they found this bucket." Since UpGuard made the disclosure, they have worked with INSCOM to remove and secure the data.
Set to allow anyone entering the URL to see the exposed bucket’s contents, the repository, located at the AWS subdomain ‘inscom,’ contained 47 viewable files and folders in the main repository, three of which were also downloadable. -UpGuard
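The exposure UpGuard describes is a bucket whose permissions let anyone who knows the URL list and fetch objects. The following is an added example, not UpGuard's or AWS's code: it inspects bucket ACL grants and a bucket policy (shaped like the results of boto3's get_bucket_acl and get_bucket_policy, but constructed inline so it runs offline) and reports whether either makes the bucket readable by the public AllUsers or AuthenticatedUsers groups.

```python
import json

# Group URIs that mean "anyone" (AllUsers) or "any AWS account" (AuthenticatedUsers).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}          # READ on a bucket = list its objects
LISTING_ACTIONS = {"*", "s3:*", "s3:GetObject", "s3:ListBucket"}

def acl_is_public(acl):
    """True if any ACL grant gives READ or FULL_CONTROL to a public group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in READ_PERMISSIONS):
            return True
    return False

def policy_is_public(policy_json):
    """True if an unconditional Allow with a wildcard principal grants read/list.
    Statements with a Condition are skipped here; they need manual review, since
    a broad condition (e.g. a wide source-IP range) can still be effectively public."""
    policy = json.loads(policy_json)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):           # {"AWS": "*"} or {"AWS": [...]}
            principal = principal.get("AWS")
        principals = principal if isinstance(principal, list) else [principal]
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if "*" in principals and LISTING_ACTIONS & set(actions):
            return True
    return False

# Constructed samples (not the real bucket's settings): a world-listable ACL, a private ACL,
# and a policy that lets anyone fetch objects.
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                                       "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                           "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                           "Permission": "FULL_CONTROL"}]}
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for name, acl in (("exposed", EXPOSED_ACL), ("private", PRIVATE_ACL)):
        print(name, "ACL public:", acl_is_public(acl))
    print("policy public:", policy_is_public(PUBLIC_POLICY))
```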
Back in July 2017, it was estimated that as many as 14 million customer’s data was exposed after NICE Systems, a third-party vendor, mistakenly left the sensitive users’ details available on a server. Get the details in this previous edition of UNM4SK3D.

#botnet

Mirai, Mirai, on the wall. Although it seemed we had escaped the wrath of the Mirai botnet, it appears researchers are tracking an uptick in botnet activity associated with a variant of Mirai. As a reminder, Mirai is an IoT botnet malware that caused major companies to temporarily go offline last year by launching massive DDoS attacks against Dyn DNS, crippling some of the world's biggest websites, including Twitter, Netflix, Amazon, Slack, and Spotify. That makes the resurfacing of a Mirai variant all the more serious. Security researchers at Chinese IT security firm Qihoo 360 Netlab "noticed an increase in traffic scanning ports 2323 and 23 from hundreds of thousands of unique IP addresses from Argentina in less than a day." It appears the targeted port scans are actively looking for vulnerable internet-connected devices manufactured by ZyXEL Communications. The scans are using two default telnet credential combinations, admin/CentryL1nk and admin/QwestM0dem, which allow the attackers to gain root privileges on the targeted devices. “ZyXEL PK5001Z devices have zyad5001 as the su (superuser) password, which makes it easier for remote attackers to obtain root access if a non-root account password is known (or a non-root default account exists within an ISP’s deployment of these devices),” reads the CVE description cited by Qihoo. Despite it being almost a year since the initial outbreak of the Mirai botnet, infections are still running rampant, a concerning indicator of poor cybersecurity practices. “SecurityScorecard identified 184,258 IPv4 addresses as IoT devices infected with Mirai IoT malware from August 1, 2016 to July 31, 2017.” In fact, just a year ago, Mirai targeted internet-connected devices manufactured by ZyXEL, specifically millions of Zyxel routers, which were found vulnerable to a critical remote code execution flaw.
For those concerned about the looming threat of Mirai and its variants, we recommend you take precautions by changing the default passwords for your devices and regularly checking for software updates.
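The signal Qihoo 360 Netlab reported is a jump in the number of unique sources probing TCP ports 23 and 2323. The following is an added example, not Netlab's or the article's code: it parses constructed iptables-style firewall log lines, counts distinct sources hitting those telnet ports, and flags sources sweeping more than one host, so a defender can watch the same indicator on their own perimeter. The log format and IP addresses are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an iptables/netfilter syslog style (not real traffic).
SAMPLE_LOGS = """\
Nov 30 01:02:03 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=40811 DPT=23 SYN
Nov 30 01:02:04 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.6 PROTO=TCP SPT=40812 DPT=2323 SYN
Nov 30 01:02:05 fw kernel: DROP IN=eth0 SRC=203.0.113.11 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=23 SYN
Nov 30 01:02:06 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.12 DST=198.51.100.7 PROTO=TCP SPT=51500 DPT=443 SYN
Nov 30 01:02:07 fw kernel: DROP IN=eth0 SRC=203.0.113.13 DST=198.51.100.8 PROTO=TCP SPT=52000 DPT=2323 SYN
Nov 30 01:02:08 fw kernel: DROP IN=eth0 SRC=203.0.113.11 DST=198.51.100.9 PROTO=TCP SPT=51001 DPT=23 SYN
"""

TELNET_PORTS = {23, 2323}   # the two ports the Mirai variant was seen scanning
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
)

def telnet_probes(log_text):
    """Map each source IP to the set of destination hosts it probed on 23/2323."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dpt")) in TELNET_PORTS:
            hits[m.group("src")].add(m.group("dst"))
    return hits

def summarize(log_text, sweep_threshold=2):
    """Unique probing sources (Netlab's indicator), the sources that swept
    several hosts, and the internal hosts that were probed and should be
    checked for default telnet credentials."""
    hits = telnet_probes(log_text)
    sweepers = sorted(src for src, dsts in hits.items() if len(dsts) >= sweep_threshold)
    probed = sorted(set().union(*hits.values())) if hits else []
    return {"unique_sources": len(hits), "sweepers": sweepers, "probed_hosts": probed}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOGS)
    print(f"unique telnet-probing sources: {report['unique_sources']}")
    print(f"sweeping sources: {report['sweepers']}")
    print(f"hosts to audit for default credentials: {report['probed_hosts']}")
```

Run it per time window (an hour, a day) and alert on a sharp rise in unique_sources rather than on any single probe, since background telnet scanning never fully stops.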
ZyXEL PK5001Z devices have zyad5001 as the su (superuser) password, which makes it easier for remote attackers to obtain root access if a non-root account password is known (or a non-root default account exists within an ISP’s deployment of these devices). -Qihoo 360 Netlab
Learn the ins and outs of the Mirai botnet. Read 'How Not Knowing the Mirai Botnet Makes You a Rookie.'

#factbyte

IT and telecommunications outages, cyber attacks, and loss of skilled employees are the top three causes of supply chain disruption, according to the Business Continuity Institute (BCI)’s Supply Chain Resilience Report.

Olivia Lynch (@Cybrary_Olivia) is the Marketing & Communications Manager at Cybrary. Like many of you, she is just getting her toes wet in the infosec field and is working to make cyber security news more interesting. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.