Infosec bods: After more than a year, Sky gets round to squashing hijacking bug in 6m home broadband routers

Plus: DNS cache poisoning again, cops probe property conveyancing group's IT outage, Azure hole addressed, and more

In brief Sky has fixed a flaw in six million of its home broadband routers, and it only took the British broadcaster'n'telecoms giant a year to do so, infosec researchers have said.

We're told that the vulnerability could be exploited by tricking a subscriber into viewing a malicious webpage. If an attack was successful, their router would fall under the attacker's control, allowing the crook to open up ports to access other devices on the local network, change the LAN's default DNS settings to redirect browsers to malicious sites, reconfigure the gateway, and cause other general mischief and irritation.

This exploitation is non-trivial: it involves luring people to a webpage whose JavaScript causes the browser to first use an attacker-controlled DNS server to look up the IP address of a subdomain and connect to an outside server. The browser is then encouraged to reconnect to that server, the IP address is looked up again, and this time the subdomain resolves to the local IP address of the router rather than the outside server.

Now the browser starts talking to the router as if it's the remote server, and the JavaScript on the page can access the router's web configuration panel. The browser thinks it's still talking to the remote server and doesn't get in the way.

This will work reliably if the subscriber hasn't changed their router username and password from the default of admin and sky; if the credentials have been changed, they'll have to be brute-forced. It's not too easy to pull off, but not impossible. Pen Test Partners (PTP), which said it found and disclosed this DNS rebinding vulnerability to Sky, made a video demonstrating the hole.
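Two defences that stop the rebinding sequence described above, as an added example that is not PTP's or Sky's code: a resolver-side filter that refuses to let a public name resolve to a LAN address (the behaviour dnsmasq calls stop-dns-rebind), and a Host-header check for the router's admin panel. All hostnames and addresses below are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List

# RFC 1918, loopback, link-local and IPv6 ULA/loopback ranges that a
# public hostname should never legitimately resolve to.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128")]


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def filter_rebinding_answers(qname: str, answers: Iterable[str],
                             local_suffixes=(".lan", ".home")) -> List[str]:
    """Resolver-side rebind protection: drop A/AAAA answers that point a
    public name at a private or loopback address. Names under a trusted
    local suffix (assumed here: .lan/.home) may legitimately be LAN hosts."""
    if qname.lower().endswith(local_suffixes):
        return list(answers)
    return [a for a in answers if not is_private(a)]


def host_header_allowed(host_header: str, router_names: Iterable[str]) -> bool:
    """Router-side defence: the admin panel answers only when the HTTP Host
    header names the router itself. In a rebinding attack the browser still
    sends the attacker's hostname, so the request is refused even though the
    TCP connection reached the router's LAN address."""
    h = host_header.strip().lower()
    if h.startswith("["):                 # IPv6 literal, e.g. "[fe80::1]:80"
        h = h[1:h.index("]")]
    else:
        h = h.split(":", 1)[0]            # strip an optional :port
    return h.rstrip(".") in {n.lower() for n in router_names}


def rebinding_request_rejected() -> bool:
    """Walk the second lookup of the attack: the attacker's subdomain now
    'resolves' to the router. Either defence alone blocks the request."""
    answers = filter_rebinding_answers("x.attacker.example", ["192.168.0.1"])
    header_ok = host_header_allowed("x.attacker.example",
                                    ["192.168.0.1", "router.lan"])
    return answers == [] and not header_ok
```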


The security firm said last week it told Sky about the issue in May 2020, and developed a proof-of-concept exploit. Sky, according to PTP, said it would fix the issue in a November software update that year for its routers, but this got pushed back to December and then "early 2021." It was only when the vulnerability researchers started to talk to the press that Sky got a wriggle on and issued the patch, PTP said.

"Sky's communications were particularly poor and had to be chased multiple times for responses," PTP's Rafael Fini said.

Police are investigating the ongoing and near-month-long IT breakdown at Simplify, which operates Premier Property Lawyers and other brands.

It's understood the UK conveyancing giant was hit by some kind of potentially criminal cyber-security incident; the end result of the tech outage is that home buyers and sellers were, or still are, unable to complete transactions and move.

In a note on its website on Monday this week, Premier Property Lawyers noted: "We are pleased to report that by the end of today, the majority of our conveyancing colleagues will be back up and running on core systems, and actively working on cases.

"Our team, supported by external experts, has been working non-stop for the past two weeks to get our systems safely back up and running and to ensure we prioritise the most urgent cases, enabling clients to move."

Microsoft squashes Azure privilege-escalation bug

Microsoft has fixed a flaw in Azure that, according to the infosec firm that found and privately reported the issue, could be exploited by a rogue user within an Azure Active Directory instance "to escalate up to a Contributor role."

"If access to the Azure Contributor role is achieved, the user would be able to create, manage, and delete all types of resources in the affected Azure subscription," NetSPI said of the vulnerability, labeled CVE-2021-42306.

Essentially, an employee at a company using Azure Active Directory, for instance, could end up exploiting this bug to ruin an IT department or CISO's month. Microsoft said last week it fixed the problem within Azure:

Some Microsoft services incorrectly stored private key data in the (keyCredentials) property while creating applications on behalf of their customers.

We have conducted an investigation and have found no evidence of malicious access to this data.

Microsoft Azure services affected by this issue have mitigated by preventing storage of clear text private key information in the keyCredentials property, and Azure AD has mitigated by preventing reading of clear text private key data that was previously added by any user or service in the UI or APIs.

"The discovery of this vulnerability," said NetSPI's Karl Fosaaen, who found the security hole, "highlights the importance of the shared responsibility model among cloud providers and customers. It’s vital for the security community to put the world’s most prominent technologies to the test."

Oh look, it's a new way to poison Linux-powered DNS caches

It appears boffins have found a way to bypass some DNS cache poisoning defenses, and, in the right circumstances, trick a DNS cache into accepting the wrong IP address as the answer to a domain-name lookup query. Subsequent queries for this domain-name from the cache by clients will return the wrong IP address. This could be exploited to, for instance, redirect netizens to malicious websites that masquerade as legit sites to harvest login credentials.

It's said that 38 per cent of public-facing open resolvers are vulnerable to this latest attack. Whether or not a DNS cache is vulnerable depends on the version of the Linux kernel it is running on, and the software involved, be it BIND, Unbound, or dnsmasq. See table 1 in this academic paper [PDF] on the attack to work out whether your service is at risk of poisoning.

You can also use the ID CVE-2021-20322 to track kernel-level patches to thwart the attacks: here are Debian's and Red Hat's pages for the flaw, for instance.

The poisoning technique builds upon last year's SADDNS approach. First, understand that DNS cache poisoning, as pointed out by the late Dan Kaminsky, was possible by waiting for a DNS cache to query another server for a domain-name lookup, and replying to that query from another machine before the legitimate server did. If you managed to guess, or brute-force, the correct transaction ID in the reply in time, your answer would be accepted instead of the real server's, allowing you to poison the cache with a bad IP address.

To counter this, a randomized UDP port would be used for the query, meaning the attacker would have to brute-force guess the 16-bit transaction ID and the correct UDP port, making poisoning infeasible. Last year, SADDNS showed it was possible to figure out the UDP port, reducing the attack complexity and prompting various patches.
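A toy model of the reply check described above, as an added example that is not from the paper or from any real resolver: it shows why adding a randomised 16-bit source port to the 16-bit transaction ID made blind guessing infeasible, and how much of that protection disappears once the port is learned by SADDNS or the ICMP side channel. The class and function names are constructed for illustration.

```python
import secrets
from dataclasses import dataclass

TXID_SPACE = 1 << 16   # 16-bit DNS transaction ID
PORT_SPACE = 1 << 16   # ephemeral source port, modelled as 16 bits of entropy


@dataclass(frozen=True)
class PendingQuery:
    qname: str
    txid: int
    port: int


def new_query(qname: str, randomize_port: bool) -> PendingQuery:
    """Resolver sends a query. Pre-Kaminsky resolvers reused one fixed
    source port; randomising it adds a second 16-bit factor to the
    attacker's guessing problem."""
    port = secrets.randbelow(PORT_SPACE) if randomize_port else 53
    return PendingQuery(qname, secrets.randbelow(TXID_SPACE), port)


def reply_accepted(q: PendingQuery, qname: str, txid: int, dst_port: int) -> bool:
    """A reply is accepted only if it matches the outstanding query's name,
    transaction ID and destination port (the query's source port). This is
    the check a forged reply must pass before the real answer arrives."""
    return qname == q.qname and txid == q.txid and dst_port == q.port


def guess_space(port_known: bool) -> int:
    """Combinations an off-path attacker must cover for one outstanding query.
    Learning the port (SADDNS, the ICMP side channel) collapses it to 2^16."""
    return TXID_SPACE if port_known else TXID_SPACE * PORT_SPACE


def p_success(forged_replies: int, port_known: bool) -> float:
    """Probability that at least one of N distinct forged guesses matches
    a single outstanding query before the genuine reply lands."""
    return min(1.0, forged_replies / guess_space(port_known))
```

With the port known, 65,536 forged replies cover the whole space; with the port unknown the same flood succeeds only about once in 65,536 queries, which is the gap the kernel patch for CVE-2021-20322 is meant to restore.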

This latest technique, devised by Keyu Man, Xin'an Zhou, and Zhiyun Qian at the University of California Riverside, is a side-channel attack: it involves spraying the cache with ICMP errors to determine the UDP port to use. The trio wrote the aforementioned paper, which was presented at the ACM Conference on Computer and Communications Security this month.

"This paper presents novel side channels during the process of handling ICMP errors, a previously overlooked attack surface," they wrote.

"We find that side channels can be exploited to perform high-speed off-path UDP ephemeral port scans. By leveraging this, the attacker could effectively poison the cache of a DNS server in minutes. We show that side channels affect many open resolvers and thus have serious impacts."

FBI warns of FatPipe zero-day exploit

In a flash notice [PDF], the FBI has warned that criminals have been able to hijack FatPipe VPN devices using a zero-day bug since May.

The Feds said they had conducted forensic analysis into an attack and found the exploited vulnerability in all FatPipe WARP, MPVPN, and IPVPN device firmware prior to the latest versions, 10.1.2r60p93 and 10.2.2r44p1. An attacker could use the security hole to upload a web shell on the equipment that would provide root access to the device. The FBI said this was used to commandeer VPN boxes and route malicious traffic to target parts of the US infrastructure.

Finding out if you're one of the victims could be tricky, however, since the attackers frequently used cleanup scripts to hide evidence of their activities. If you do find any evidence of an attack, please preserve it as the FBI would like to hear from you.

The US government wants you! If you do security

As part of its ongoing efforts to modernize and skill up in cybersecurity, the US Department of Homeland Security has unveiled new methods for finding and keeping talent.

Dubbed the Cybersecurity Talent Management System (CTMS), the framework may make it easier for Uncle Sam to recruit infosec types by allowing recruiters to hire people based on "demonstrated competencies" rather than holding industry certificates, streamlining the hiring process so candidates aren't waiting months, and enabling pay rates more in line with private-sector positions.

"The DHS Cybersecurity Talent Management System fundamentally re-imagines how the Department hires, develops, and retains top-tier and diverse cybersecurity talent," said Secretary of Homeland Security Alejandro Mayorkas. "As our Nation continues to face an evolving threat landscape, we cannot rely only on traditional hiring tools to fill mission-critical vacancies."

For once, WordPress users not hit with ransomware

Over the past week or so, hundreds of WordPress users were greeted with a sight every webmaster dreads: their websites replaced with a message demanding 0.1 Bitcoin to decrypt and restore the sites' data.

Sucuri was called into one such case and had some good news. It's not actually ransomware.

The site content isn't actually encrypted: it's just hidden. A rogue plugin called directorist was generating the messages and hiding the posts. See here for more info on which plugin to remove, and how to restore the vanished content with an SQL database command. ®
