PwC Weekly Security Report
This is a weekly digest of security news and events from around the world. Excerpts from news items are presented and web links are provided for further information.
Contents
Malware: Quick Heal identifies ‘Cerber ransomware’ delivered from an Indian bank’s website
Threats and vulnerabilities: Siemens RUGGEDCOM devices affected by several flaws
Threats and vulnerabilities: VMware patches Pwn2Own VM escape vulnerabilities
Top story: Google Chrome to distrust Symantec-issued certificates

VMware patches Pwn2Own VM escape vulnerabilities
Threats and vulnerabilities
VMware on Tuesday patched a series of vulnerabilities uncovered earlier this month at Pwn2Own. The flaws enabled an attacker to execute code on a workstation and carry out a virtual machine escape to attack a host server.
Monty Ijzerman, manager of the company’s Security Response Center, confirmed that VMware had pushed patches for the bugs, critical and moderate issues in its ESXi, VMware Workstation, and VMware Fusion products.
Two groups, Qihoo’s 360 Security and Tencent Security’s Team Sniper, used the bugs to exploit the company’s Workstation hypervisor on the last day of the hacking challenge, two weeks ago, in Vancouver.
mj011sec, a hacker with 360 Security, chained together a type confusion bug in Edge, a Windows kernel bug and an uninitialized buffer in VMware for his exploit, a complete virtual machine escape.
Team Sniper, comprised of hackers from China’s Keen Lab and PC Manager, used a Windows kernel bug and two VMware bugs–an info leak and an uninitialized buffer–to go guest-to-host on their machine. The teams collectively earned $205,000 for their exploits.
It was the first time one team, let alone two, was able to successfully exploit the platform. The Zero Day Initiative and Trend Micro, Pwn2Own sponsors, upped the reward for an escape from $75,000 to $100,000 this year after no one targeted Workstation in 2016.
According to a security advisory posted by VMware, 360 Security technically exploited a heap buffer overflow (CVE-2017-4902) and an uninitialized stack memory usage vulnerability (CVE-2017-4903) in SVGA, a virtual graphics driver in the hypervisor.
The issue that Team Sniper managed to exploit was an uninitialized memory usage vulnerability (CVE-2017-4904) in ESXi, Workstation, and Fusion XHCI. A similar uninitialized memory usage vulnerability (CVE-2017-4905) could have led to an information leak on ESXi, Workstation, and Fusion.
All of the vulnerabilities, as the teams demonstrated, could have allowed a guest to execute code on the host.
VMware was transparent about the vulnerabilities after they popped up at Pwn2Own.
The company knew going into the competition that Workstation was a target and acknowledged during the contest that its researchers were investigating the issues after receiving details around them from ZDI, 360 Security, and Team Sniper. The patches took about two weeks to deploy because the company knew the vulnerabilities affected Workstation but were unsure how they affected ESXi and Fusion.
Ijzerman says the company is encouraging its customers to expedite updating but stresses that “emergency measures like taking environments offline are not called for.”
It’s the fifth time this month that VMware has pushed out patches for its customers and the second time this month it’s pushed out an update for Workstation and Fusion.
The company, just two weeks ago, released an update for several of its products to resolve a publicized remote code execution vulnerability in Apache Struts 2. The open source extensible framework figures into VMware’s Horizon Desktop-as-a-Service Platform, vCenter Server, Operations Manager, and Hyperic Server.
Source:
https://threatpost.com/vmware-patches-pwn2own-vm-escape-vulnerabilities/124629/
Our perspective
Critical vulnerabilities have been reported by researchers which, if exploited successfully by cybercriminals, will lead to major security breaches. Administrators are advised to assess the risk and vulnerabilities in their specific environment and upgrade without taking the environment offline.
Siemens RUGGEDCOM devices affected by several flaws
Threats and vulnerabilities
Siemens has shared recommendations for mitigating several medium and high severity vulnerabilities affecting some of the company’s RUGGEDCOM products.
Four types of security holes have been identified in RUGGEDCOM appliances running any version of ROX I (Rugged Operating System on Linux). The affected products are industrially hardened security appliances with integrated router, firewall and VPN functionality. They are used worldwide at electric utility substations, traffic control cabinets and in other harsh environments.
A majority of the vulnerabilities were discovered and reported by researcher Maxim Rupp, including cross-site scripting (XSS), path traversal, privilege escalation and cross-site request forgery (CSRF) issues. One XSS flaw was also discovered by Siemens itself.
Rupp has identified roughly 20 parameters that allow hackers to launch XSS attacks and execute arbitrary JavaScript code due to improper input validation (CVE-2017-2687). The expert has also identified a path traversal vulnerability (CVE-2017-2686) that can be exploited to read arbitrary files and possibly access sensitive information.
Another flaw, described as a privilege escalation (CVE-2017-2689), can be exploited to bypass access restrictions and obtain privileged file system access or change configuration settings.
The security hole exists due to several issues related to improper access control mechanisms, missing checks for unrestricted file uploads, and server misconfigurations.
Rupp has also identified a CSRF vulnerability (CVE-2017-2688) that can be exploited to perform various actions on behalf of a logged-in user who is tricked into clicking on a malicious link. The researcher said an attacker can combine the CSRF with the privilege escalation flaw to access files on the host without access to the device’s web interface.
The vulnerabilities affect the web interface on port 10000/TCP and they either require the targeted user to click on a link, or the attacker needs to have network access and valid credentials in order to exploit them.
Advisories have been made available by ICS-CERT, Siemens and Rupp. While it hasn’t released any updates, Siemens has advised users to obtain a mitigation tool that can be used to disable the web interface and guest/operator accounts on the affected ROX I devices. The vendor also recommends limiting access to trusted admins, and using VPNs.
“As a general security measure Siemens strongly recommends to protect network access to the web interface at 10000/TCP of ROX I-based devices with appropriate mechanisms. It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment,” Siemens said.
Source:
http://www.securityweek.com/siemens-ruggedcom-devices-affected-several-flaws
Quick Heal identifies ‘Cerber ransomware’ delivered from an Indian bank’s website
Malware
Quick Heal Technologies Limited has detected that the Cosmos Bank website was compromised with the infamous RIG exploit kit, which was delivering ‘Cerber Ransomware’. The RIG Exploit Kit has been dropping the ‘Cerber Ransomware’ very frequently of late. Quick Heal learnt about the infection on the Cosmos Bank website while analysing the telemetry information collected from its own users.
After reproducing the threat in its own Threat Research Lab on 20th March 2017, Quick Heal discovered that the Cosmos Bank website was compromised by the RIG Exploit Kit and used as a carrier of the ‘Cerber Ransomware’. Quick Heal informed Cosmos Bank about this incident on 20th March 2017 and also shared the advisory with Cosmos Bank. It must be noted that Cosmos Bank is not the creator of the ransomware but a victim.
Quick Heal has been constantly monitoring the website since 20th March 2017 and, according to the latest findings (as of this writing), the Cosmos Bank website is still infected.
Websites have become easy targets for malware writers to spread malware, and it is not uncommon for a website to be compromised by more than one type of malware. Exploit kits, which have surfaced during the past 10 years, are intelligently designed software kits that run on the victim’s machine, gather information from it, find a vulnerability, determine the appropriate exploit, deliver it to the machine (usually by drive-by download) and then start executing the malware.
As per the information gathered by Quick Heal labs, malware launched by the RIG Exploit Kit is not focused on any particular website or industry. Such campaign-based exploit kits, especially the RIG Exploit Kit, target individual users.
Sharing an insight into the ‘Cerber Ransomware’ detection, Sanjay Katkar, MD & CTO, Quick Heal Technologies Limited, said: “At Quick Heal we constantly monitor the ever evolving threat landscape and analyze the detected threats in our labs. We consider it to be our prime responsibility to create awareness on the threat landscape and alert our customers as well as enterprises in preventing these threats.” He further added: “Ransomware remains a major and rapidly growing threat even in 2017. Quick Heal has been actively monitoring the threat landscape for new ransomwares and their propagation techniques as well as the activities of the existing ransomware and has been capturing this data in its quarter and annual threat reports. To take corrective and timely action against it, we have included the ‘Anti Ransomware feature’ in all our offerings.”
Quick Heal’s ‘Anti-ransomware feature’ uses Quick Heal’s behavior-based detection that analyzes the behavior of programs in real time to detect ransomware activity. This helps in detecting and blocking ransomware. As an added layer of protection, this feature also encompasses the ‘Data Backup and Restore Tool’ to back up the data in a secure location and restore the files in case of a ransomware attack.
The ‘Anti-ransomware feature’ is not exclusive to the Quick Heal product line, but is also an integral feature of all offerings from the ‘Seqrite’ product line. ‘Seqrite’ is Quick Heal’s enterprise security solutions brand. ‘Seqrite’ products are designed to simplify security management across endpoints, mobile devices, servers and networks.
According to Quick Heal’s Annual Threat Report 2016, ransomware detections on Windows desktops rose by 92% from the year before. Reportedly, 14 new Windows ransomware families were discovered in 2016, cementing the fact that ransomware attacks are only increasing. With increased usage of Android devices, malware targeting them has also grown at an enormous rate. Mobile ransomware on the Android platform clocked a 450% increase from Q1 to Q4 2016, while mobile banking Trojans showed a 110% rise. Detections of almost all vulnerability types were also higher in 2016 than in 2015.
Source:
http://www.digitalterminal.in/news/quick-heal-identifies-cerber-ransomware-delivered-from-an-indian-banks-website/8973.html
Google Chrome to distrust Symantec-issued certificates
Top story
Symantec Corporation has been failing to properly validate certificates. After continuously observing and investigating Symantec’s seemingly ineffective certificate issuance policies and practices over the past several years, Google Chrome has announced that it intends to distrust all currently-trusted Symantec-issued certificates. This severe step would affect all websites with Symantec SSL certificates.
This is not the first time that Symantec has issued certificates without adhering to the necessary policies and practices. In 2015, Symantec’s Thawte-branded CA had issued an Extended Validation (EV) pre-certificate for “google.com” and “www.google.com” without any request or authorization from Google.
Later, Symantec disclosed that it had misissued 23 certificates. A further audit revealed that it had misissued 164 additional certificates over 76 domains, and 2,458 certificates for unregistered domains. In light of these misissuances, Google decided to insist that all Symantec certificates support Certificate Transparency.
But that insistence does not seem to have improved Symantec’s certificate issuance policies. Google Chrome team’s latest investigation reveals that Symantec had misissued at least 30,000 certificates.
Symantec’s lackadaisical certificate issuance policies and practices, along with the “continually increasing scope of misissuance”, led to Google’s announcement to distrust ALL existing Symantec-issued certificates.
Google Chrome’s proposal:
A reduction in the accepted validity period of newly issued Symantec-issued certificates to nine months or less, in order to minimize any impact to Google Chrome users from any further misissuances that may arise.
An incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced.
Removal of recognition of the Extended Validation status of Symantec-issued certificates, until such a time as the community can be assured in the policies and practices of Symantec, but no sooner than one year.
Details provided by Symantec reveal that it did not perform the critical functions of a root certificate authority and did not take adequate measures to prevent the issuance of fraudulent certificates.
Symantec had allowed other parties access to its infrastructure to issue certificates, and those parties did not follow the policies and practices needed to ensure that certificates were issued only to legitimate entities. Moreover, even after learning of the misissued certificates, Symantec did not proactively disclose them or warn website operators and users about these fraudulent certificates. This poses a significant risk to all website visitors who had trusted Symantec for so long. The remedial measures Symantec proposed were also inadequate to restore trust and confidence in its SSL certificates.
While it is true that Symantec has been losing market share to other CAs such as Comodo, this careless attitude towards misissuing certificates will affect all existing users and site operators using Symantec SSL certificates. It would also affect certificates issued by the CAs Symantec acquired, such as Thawte, Verisign and Equifax.
Mitigation measures for site operators
Site operators will have to restore user trust in their websites. They must switch over to a CA that at least follows the Baseline Requirements of the CA/Browser Forum in issuing SSL certificates. Acquiring an SSL certificate is not enough; getting it from a CA that takes more than adequate security measures is what matters. Protect your website and your users with robust certificates.
Source:
http://www.valuewalk.com/2017/03/google-chrome-distrust-symantec-issued-certificates/
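A triage check a site operator could run over a certificate inventory in the light of this proposal, as an added example (not code from the PwC report, Google or Symantec). It assumes records in the text form that `openssl x509 -noout -subject -issuer -dates` prints (constructed inline here), a 270-day approximation of the nine-month cap, and the issuer brand list this article names, which should be extended to the CA brands Google actually lists.

```python
from datetime import datetime, timedelta
# Issuer organisations named in the report: Symantec and the CAs it acquired
# (Thawte, VeriSign, Equifax). Extend this tuple to match Google's final list.
SYMANTEC_FAMILY = ("symantec", "thawte", "verisign", "equifax")
NINE_MONTHS = timedelta(days=270)      # proposed cap; 270 days is an assumption
DATE_FMT = "%b %d %H:%M:%S %Y GMT"     # as printed by `openssl x509 -noout -dates`
AS_OF = datetime(2017, 4, 1)           # hypothetical review date for the countdown

# Constructed records in `openssl x509 -noout -subject -issuer -dates` form.
SAMPLE_INVENTORY = [
    """subject=C=IN, O=Example Bank, CN=www.example-bank.test
       issuer=C=US, O=Symantec Corporation, CN=Constructed Symantec Intermediate CA
       notBefore=Jan 10 00:00:00 2017 GMT
       notAfter=Jan 10 23:59:59 2019 GMT""",
    """subject=C=IN, O=Example Shop, CN=shop.example.test
       issuer=C=ZA, O=Thawte Consulting, CN=Constructed Thawte Intermediate CA
       notBefore=Mar 01 00:00:00 2017 GMT
       notAfter=Sep 01 23:59:59 2017 GMT""",
    """subject=C=IN, O=Example News, CN=news.example.test
       issuer=C=US, O=Other Trusted CA, CN=Constructed Other Intermediate CA
       notBefore=Feb 01 00:00:00 2017 GMT
       notAfter=Feb 01 23:59:59 2018 GMT""",
]

def parse_record(text):
    """Parse one subject/issuer/notBefore/notAfter record into a dict."""
    rec = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        rec[key.strip()] = value.strip()
    return rec

def issuer_org(issuer):
    """Return the O= component of an openssl one-line issuer string."""
    for part in issuer.split(","):
        name, _, value = part.strip().partition("=")
        if name == "O":
            return value.strip()
    return ""

def triage(rec, today):
    """Classify one record: Symantec-family issuer, over the proposed cap, days left."""
    not_before, not_after = (datetime.strptime(rec[k], DATE_FMT) for k in ("notBefore", "notAfter"))
    affected = any(brand in issuer_org(rec["issuer"]).lower() for brand in SYMANTEC_FAMILY)
    return {
        "subject": rec["subject"],
        "affected": affected,  # needs replacement from another CA under the proposal
        "over_nine_months": affected and (not_after - not_before) > NINE_MONTHS,
        "days_left": (not_after - today).days,  # drives the replacement order
    }

def triage_inventory(records, today=AS_OF):
    """Triage all records: affected certificates first, soonest expiry first."""
    results = [triage(parse_record(r), today) for r in records]
    return sorted(results, key=lambda r: (not r["affected"], r["days_left"]))
```

Feed it the output of an inventory export and the affected certificates come out first, ordered by how soon they expire, so replacement from another CA can be scheduled before the distrust rolls out.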
About PwC
At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 2,23,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com
In India, PwC has offices in these cities: Ahmedabad, Bengaluru, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and Pune. For more information about PwC India's service offerings, visit www.pwc.com/in PwC refers to the PwC International network and/or one or more of its member firms, each of which is a separate, independent and distinct legal entity. Please see www.pwc.com/structure for further details.
©2017 PwC. All rights reserved
For any queries, please contact:
Sivarama Krishnan
[email protected]
Amol Bhat
All images in this presentation are protected by copyright, trademark, patent, trade secret and other intellectual property laws and treaties. Any unauthorised use of these images may violate such laws and shall be punishable under appropriate laws. Our sharing of this presentation along with such protected images with you does not authorise you to copy, republish, frame, link to, download, transmit, modify, adapt, create derivative works based on, rent, lease, loan, sell, assign, distribute, display, perform, license, sub- license or reverse engineer the images. In addition, you should desist from employing any data mining, robots or similar data and/or image gathering and extraction methods in connection with the presentation.
© 2017 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or CIN : U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity.
VS/April2017-9239