Samba Developers Release Patch For Remote Code Execution Vulnerability (CVE-2017-7494)

Subject: General Tech | May 28, 2017 - 07:10 PM |
Tagged: samba, linux, ransomware, security, networking

Last week, the development team behind Samba (the popular software suite that lets Linux and Unix clients and servers provide file and print sharing over TCP/IP to SMB/CIFS clients, including Microsoft Windows) released a security advisory along with patches for a remote code execution hole that has been present in Samba for seven years, since the release of Samba 3.5.0 in March 2010. The vulnerability, classified as CVE-2017-7494, allows an attacker to upload malicious code to a Samba server and get the server to run that code by sending a malformed IPC request that references the uploaded file's local path. The Samba server will load and run the code in the malicious shared library (.so) file even though it came from an untrusted remote source.

The bad news is that this is a fairly serious flaw that could let an attacker hold a business or home user's files (including backups!) for ransom, steal data, or use the now compromised file server to attack other network resources that trust it. If the server is not securely configured (e.g. it allows anonymous writes), the attack could even be wormable, allowing it to self-replicate across the network or the Internet. Further, while various security firms report slightly different numbers, they all seem to agree that around 100,000 Internet-accessible machines are running vulnerable versions of Samba.

It is not all bad news though, and in some respects this vulnerability is not as big of an issue as the WannaCry ransomware and the EternalBlue SMB vulnerability. To successfully exploit the Samba flaw, an attacker needs credentials to upload the malicious code to a file share, which must be writeable in the first place and must not be protected by a noexec mount or a SELinux policy that stops the server from executing files on it. Attackers also need to know or guess the local path name of the uploaded file on the server in order to send the malformed IPC request. More importantly, the Samba team has released three security releases (4.6.4, 4.5.10, and 4.4.14) for the newer branches and is working with OS distributions on patches for older Samba versions. For systems that cannot be updated or patched, there is also a workaround: add the setting “nt pipe support = no” to the [global] section of the Samba config file. While this breaks some expected Windows functionality (mainly, machines will not be able to browse a server's shares through the server path alone and will need to use the specific share path), it makes Samba refuse the malicious requests.

Perhaps the most worrying aspect of this vulnerability is that security researchers estimate that up to 90% of the vulnerable Internet-connected Samba endpoints do not have a direct patch or update available yet and may never get one. While enterprise hardware vendors and even the bigger consumer and SMB hardware providers will provide support in the form of patches or firmware updates, there is a sea of home routers, NAS boxes, file and print servers, and IoT devices on home networks that are not open to user updates and may never receive firmware updates. According to the security advisory, the best thing to do in this scenario (if you can't simply stop using the device or replace it with hardware that can be patched or isn't affected, of course) is to not expose it to the Internet. There would still be a risk of it being exploited should someone get a virus on a client machine through email, malicious downloads, or social engineering, though. Considering that these home NAS devices are usually used as backup destinations, the risk of ransomware infecting not only client machines but also the main file share and network backups is scary. I have always been a fan of offline and/or cloud backups, and in these modern times they are more important than ever with the rise of ransomware and other profit-motivated viruses.

If you are not sure whether your network is affected, tools are being made available (including a Metasploit module, nmap scripts, and Internet scans) to help you determine that and to use that information to reduce your attack surface. In order of effectiveness: update to the latest security release, apply patches, use SELinux policies to prevent the server from executing files itself, and prevent affected devices from communicating with the Internet.
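As an added example (not code from the Samba project or from the advisory), the following Python script checks the things this article points at on the server side: whether an smb.conf actually has the “nt pipe support = no” workaround in force in its [global] section (a commented-out line does not count), which shares are writeable and which of those also allow anonymous guest access (the configuration that makes the flaw wormable), and whether a reported Samba version is at or past the upstream fixed release for its branch. The sample smb.conf and the version strings are constructed for the example. Treating branches newer than 4.6 as fixed is an assumption beyond the advisory text, and distribution packages often backport the fix without changing the version number, so the version check is a first pass rather than a verdict.

```python
import configparser
import re

# Constructed sample smb.conf for this example (not a real server's configuration).
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = Home NAS %v
   ; nt pipe support = no   (workaround present but commented out, so it is NOT active)

[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no

[backups]
   path = /srv/samba/backups
   valid users = backupuser
   writable = yes

[docs]
   path = /srv/samba/docs
   read only = yes
"""

# First upstream release on each branch that carries the fix, as listed in the advisory.
FIXED_RELEASES = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
FIRST_AFFECTED = (3, 5, 0)  # the bug was introduced in Samba 3.5.0


def parse_smb_conf(text):
    """Parse smb.conf text; interpolation=None keeps Samba's %-substitutions (e.g. %v) from confusing the parser."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    return cp


def _find_section(cp, name):
    """Samba section names are case-insensitive; configparser's are not."""
    for section in cp.sections():
        if section.lower() == name.lower():
            return section
    return None


def _is_yes(value):
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def workaround_active(cp):
    """True only if [global] really sets 'nt pipe support = no'."""
    section = _find_section(cp, "global")
    if section is None:
        return False
    value = cp.get(section, "nt pipe support", fallback="yes")
    return value.strip().lower() in ("no", "false", "0")


def audit_shares(cp):
    """Return {share: {'writable': bool, 'anonymous': bool}} for every non-global section.

    Samba shares default to read-only; 'writable'/'writeable = yes' are synonyms for 'read only = no'.
    'guest ok = yes' (or its synonym 'public = yes') allows unauthenticated access."""
    report = {}
    for section in cp.sections():
        if section.lower() == "global":
            continue
        read_only = cp.get(section, "read only", fallback=None)
        writable = (cp.get(section, "writable", fallback=None)
                    or cp.get(section, "writeable", fallback=None))
        is_writable = _is_yes(writable) or (read_only is not None and not _is_yes(read_only))
        anonymous = (_is_yes(cp.get(section, "guest ok", fallback=None))
                     or _is_yes(cp.get(section, "public", fallback=None)))
        report[section] = {"writable": is_writable, "anonymous": anonymous}
    return report


def upstream_patch_status(version_string):
    """Classify an 'smbd --version' string against the upstream fixed releases."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not match:
        return "unparseable"
    version = tuple(int(part) for part in match.groups())
    if version < FIRST_AFFECTED:
        return "not affected"
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return "patched" if version >= FIXED_RELEASES[branch] else "vulnerable"
    if branch > (4, 6):
        return "patched"  # assumption beyond the advisory text: branches released after 4.6 include the fix
    return "older branch: check distribution backport"


def main():
    cp = parse_smb_conf(SAMPLE_SMB_CONF)
    print("nt pipe support workaround active:", workaround_active(cp))
    for share, flags in audit_shares(cp).items():
        if flags["writable"] and flags["anonymous"]:
            risk = "ANONYMOUS WRITE: no credentials needed to upload, wormable exposure"
        elif flags["writable"]:
            risk = "authenticated write: upload possible with valid credentials"
        else:
            risk = "read-only: upload not possible here"
        print(f"[{share}] {risk}")
    for version in ("Version 4.4.5-Debian", "4.6.4", "4.2.14"):
        print(version, "->", upstream_patch_status(version))


if __name__ == "__main__":
    main()
```

Run the script directly to see the report for the embedded sample. To audit a real server, replace SAMPLE_SMB_CONF with the contents of /etc/samba/smb.conf and pass the output of smbd --version to upstream_patch_status; a "vulnerable" result for a distribution package still needs to be confirmed against the vendor's changelog, since backported fixes keep the old version number.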

All that is to say don’t panic, stay vigilant, and make sure your important data is properly backed up and secured as much as possible!

Source: Samba.org

UEFI ransomware may brick your BRIX

Subject: General Tech | April 5, 2017 - 12:37 PM |
Tagged: gigabyte, brix, uefi, ransomware

Be careful what you do with your BRIX, as two rather unpleasant vulnerabilities were disclosed at a recent BlackHat event. Gigabyte did not implement two security features that these exploits take advantage of: there is no write protection on the UEFI firmware, and there is no system of cryptographic signatures on UEFI firmware files, which lets any file update the UEFI. While the proof of concept demonstration only prevented the infected BRIX from booting again, this could also be used to infect your machine's UEFI quietly and in a way that is extremely difficult to repair; you would need a UEFI update that wrote over every sector of the firmware to ensure you removed the bugs. Pop by Slashdot for more on this depressing topic.

"Last week, at the BlackHat Asia 2017 security conference, researchers from cyber-security firm Cylance disclosed two vulnerabilities in the firmware of Gigabyte BRIX small computing devices, which allow an attacker to write malicious content to the UEFI firmware."

Source: Slashdot

Stop paying the ransomware you idiots! You get nothing back and encourage them to continue!

Subject: General Tech | December 16, 2016 - 12:47 PM |
Tagged: ransomware, security, idiots, backup

To anyone working in the field, it will come as no surprise that almost half of the 1600 businesses and consumers in the survey quoted at The Inquirer have been the victim of a ransomware attack. What will come as a disappointment to you is that 70% of those who were infected paid the ransom, 25% of them paying between $20,000 and $40,000. Shockingly, the majority of those who paid the ransom got nothing back; after all, how could someone who makes money by purposefully infecting machines not honour their word?

If you are infected with ransomware you have lost the data, pure and simple. Reimage and move on; this is why you have backups. It is painful and frustrating, but if you pay the bitcoins you are not going to get anything back, and you are encouraging them to continue by making this a lucrative business. Just as with spam, it takes only a tiny percentage to fall for it to make it profitable. Go and back your stuff up, twice. If you need a stocking stuffer for someone, get them an external drive or a subscription to an online backup service, and look into CryptoDrop or a similar program. Just don't give them bitcoins.

"The report suggested that as many as 46 per cent of the respondents had been affected by ransomware and that 70 per cent of these had admitted to paying the ransom, contrary to the advice of law enforcement agencies."

Source: The Register

CryptoDrop, an early warning system against ransomware

Subject: General Tech | July 13, 2016 - 01:29 PM |
Tagged: ransomware, CryptoDrop

Given the choice between a confirmation pop-up every time you zip numerous files simultaneously or add encryption to a folder, and being infected with ransomware, which would you choose? Researchers at the University of Florida and Villanova University have developed software called CryptoLock which scans your system for bulk modification of file types, significant changes in the contents of those files, and an increase in the Shannon entropy of the files. All three indicate that a file is being encrypted, and if it is happening to numerous files in a very short period of time then the software will put a halt to it until you confirm that this is expected behaviour. You get a quick overview over at The Register as well as a link to the PDF of the researchers' work.
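The three indicators described above (a change of file type, a large change in contents, and a rise in Shannon entropy), combined with a count of how many files trip them inside a short window, can be sketched in a few dozen lines. The Python below is an added example written for this article, not the researchers' CryptoDrop code: it scores each file write on the three indicators and returns a halt verdict once a threshold number of suspicious writes lands within a time window. The document text, the toy XOR-with-SHA-256 transform used only to fabricate "encrypted" versions of it, and the byte-histogram similarity measure (difflib's quick_ratio, a simple stand-in for the content-similarity comparison in the researchers' work) are all constructed so that the example runs offline.

```python
import hashlib
import math
from collections import Counter, deque
from difflib import SequenceMatcher

# Constructed sample document for this example (not data from the researchers' paper).
PLAINTEXT = (b"Quarterly report: revenue grew modestly while costs stayed flat. "
             b"Action items are listed in the appendix for review by the team.\n") * 16


def shannon_entropy(data):
    """Shannon entropy in bits per byte: roughly 4-5 for English text, close to 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def sniff_type(data):
    """Crude file-type sniff from magic bytes; a real system would use libmagic or similar."""
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"\x89PNG"):
        return "png"
    if all(32 <= byte < 127 or byte in (9, 10, 13) for byte in data[:512]):
        return "text"
    return "binary"


def similarity(before, after):
    """Byte-histogram similarity in [0, 1]: near 1 for a small edit, near 0 once a file has been encrypted."""
    return SequenceMatcher(None, before, after).quick_ratio()


class BulkEncryptionDetector:
    """Scores each file write on three indicators and calls a halt when many suspicious writes land in a short window."""

    def __init__(self, window_seconds=10.0, bulk_threshold=5, entropy_jump=2.0, similarity_floor=0.5):
        self.window_seconds = window_seconds
        self.bulk_threshold = bulk_threshold
        self.entropy_jump = entropy_jump
        self.similarity_floor = similarity_floor
        self.suspicious_writes = deque()  # (timestamp, path) of recent suspicious writes

    def observe_write(self, path, before, after, timestamp):
        """Evaluate one write (old and new contents) and return the indicators plus the current verdict."""
        indicators = {
            "type_changed": sniff_type(before) != sniff_type(after),
            "entropy_jump": shannon_entropy(after) - shannon_entropy(before) >= self.entropy_jump,
            "low_similarity": similarity(before, after) < self.similarity_floor,
        }
        suspicious = sum(indicators.values()) >= 2  # a single indicator (e.g. saving a text file as PDF) is tolerated
        if suspicious:
            self.suspicious_writes.append((timestamp, path))
        while self.suspicious_writes and timestamp - self.suspicious_writes[0][0] > self.window_seconds:
            self.suspicious_writes.popleft()
        halt = len(self.suspicious_writes) >= self.bulk_threshold
        return {"path": path, "indicators": indicators, "suspicious": suspicious, "halt": halt}


def toy_encrypt(data, key):
    """Deterministic high-entropy transform used only to fabricate 'encrypted' test data
    (XOR with a SHA-256 counter keystream); it is not a real cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def simulate():
    """One ordinary edit, then six documents 'encrypted' one per second; returns the verdict for each write."""
    detector = BulkEncryptionDetector()
    verdicts = [detector.observe_write("/home/user/docs/notes.txt", PLAINTEXT,
                                       PLAINTEXT + b"Added a closing note.\n", 0.0)]
    for i in range(1, 7):
        path = f"/home/user/docs/report{i}.txt"
        verdicts.append(detector.observe_write(path, PLAINTEXT, toy_encrypt(PLAINTEXT, b"demo-key"), float(i)))
    return verdicts


if __name__ == "__main__":
    for v in simulate():
        flags = ", ".join(name for name, hit in v["indicators"].items() if hit) or "none"
        print(f"{v['path']}: indicators={flags} suspicious={v['suspicious']} halt={v['halt']}")
```

With the default thresholds the ordinary edit trips nothing, each "encrypted" document trips all three indicators, and the halt verdict appears on the fifth suspicious write. The two-of-three rule is what keeps a single legitimate action (zipping a file changes its type, entropy and contents all at once, so that still needs the confirmation pop-up the article describes) from being confused with one indicator firing alone.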

Sounds like a pop-up we can live with, considering the alternative. Hopefully this will arrive on the market soon.

"Taking a “save what you can” approach, the authors of this PDF reckon in their tests they were able to lower the boom on ransomware when it had encrypted just 0.2 per cent of files on their test setup."

Source: The Register

I love it when a bad guy's plan doesn't come together

Subject: General Tech | March 17, 2016 - 01:25 PM |
Tagged: ransomware, Malware, security, idiots

With the lousy news below the fold, up to and including yet another Stagefright exploit, here is a bit of amusing news to balance out the bad. A recently unleashed ransomware program seems to have been developed on stolen code, and the original developer has taken offence to this. His original program, EDA2, was designed to illustrate how ransomware works, and he intentionally included a backdoor to ensure that the data could be decrypted.

He has used that backdoor to break into the program and obtain the complete list of decryption keys, which he has posted to the net; The Register has a link to that list right here. It is good for the soul to see incompetent bad guys every once in a while.

"A software developer whose example encryption code was used by a strain of ransomware has released the decryption keys for the malware."

Source: The Register

Ransomware Spreading Through Major Websites Via Infected Ad Servers

Subject: General Tech | March 16, 2016 - 01:12 AM |
Tagged: ransomware, Malwarebytes, Malware, adware

Compromised ad servers have been pushing out ransomware directly to unwitting users of many popular domains. As reported by Ars Technica (via MalwareBytes and others), whose story is heavily referenced here, the domain list contains a number of high-traffic sites.

"It hit some of the biggest publishers in the business, including msn (.com), nytimes (.com), bbc (.com), aol (.com), my.xfinity (.com), nfl (.com), realtor (.com), theweathernetwork (.com), thehill (.com), and newsweek (.com). Affected networks included those owned by Google, AppNexis, AOL, and Rubicon."

(Image credit: Ars Technica)

Unfortunately, the story doesn't get better from here. The Ars report continues:

"The ads are also spreading on sites including answers (.com), zerohedge (.com), and infolinks (.com), according to SpiderLabs. Legitimate mainstream sites receive the malware from domain names that are associated with compromised ad networks. The most widely seen domain name in the current campaign is brentsmedia (.com)."

The ads have been traced back to multiple domains, including: trackmytraffic (.biz), talk915 (.pw), evangmedia (.com), and shangjiamedia (.com). The report continues:

"The SpiderLabs researchers speculate the people pushing the bad ads are on the lookout for expired domains containing the word "media" to capitalize on the reputation they may enjoy as a legitimate address."

The full article from Ars Technica can be found here, as well as at the source link, and the cited Malwarebytes post can be found here.

So how did they do it? The banner ads themselves contained the malware, which could infect the viewer's system undetected.

"When researchers deciphered the code, they discovered it enumerated a long list of security products and tools it avoided in an attempt to remain undetected.
'If the code doesn't find any of these programs, it continues with the flow and appends an iframe to the body of the html that leads to Angler EK [exploit kit] landing page,' SpiderLabs researchers Daniel Chechik, Simon Kenin, and Rami Kogan wrote. 'Upon successful exploitation, Angler infects the poor victim with both the Bedep trojan and the TeslaCrypt ransomware...' "

Of course, it goes without saying that advertising online is a sticky issue. It can be intrusive, with ads blocking article text or autoplay videos creating a cacophony of unwanted noise somewhere amidst the many open tabs. Of course, it can also be done with class, respectful of the reader's experience (and I would use our own site as an example).

A large number of web users employ ad-blocking extensions in their browser, though it is often the case that ad revenue pays the costs of keeping such sites online. This outbreak is a further blow to the financial stability of many sites, as news such as today's ransomware debacle hits the tech (and soon the mainstream) press.

Source: Ars Technica