Our weekly InfoSec incident roundup begins, as we often do this year, with news related to Meltdown/Spectre (this time Microsoft-related), followed by Under Armour’s password hack and Boeing’s WannaCry infection. Serious Drupal vulnerability.
Microsoft will patch Meltdown and then patch it again.
In a case where the cure is likely to be worse than the disease, a Microsoft patch for Meltdown released in January created a serious security hole on certain systems that had it installed.
Microsoft made two attempts to resolve an issue affecting Windows 7 (x64) and Windows Server 2008 R2 (x64) systems. The company believed it had resolved the vulnerability (CVE-2018-1038) There was a patch scheduled for last Tuesday, but we had to rush an emergency fix two days later.
Ulf Frisk, a security researcher who discovered the vulnerability, call “It’s much worse” than Meltdown. Because it “allows any process to read the entire memory contents at gigabytes per second” and also write to arbitrary memory.
“We didn’t need any fancy offense. Windows 7 already does the hard work of mapping the memory needed by all running processes,” Frisk wrote. “The attack was a matter of reading and writing to already mapped virtual memory within a process. No fancy APIs or system calls required. Just standard reads and writes.”
Gill Langston, Director of Patch Management Product Management at Qualys wrote This blog currently has no active exploits for this vulnerability, but it does have proof-of-concept code. “Opportunistic actors could weaponize these exploits using multi-stage attacks to gain access to affected assets,” he warned.
Langston recommends installing Thursday’s out-of-band patch if your organization installed security updates after January of this year. “Also, make sure your other layers of protection (anti-malware, email security, web filtering) are up to date to minimize your risk profile,” he wrote.
Qualys generated QID 91440 from: Vulnerability Management. Detection requires an authenticated scan. Qualys Cloud Agent Installed on the asset.
Under Armour’s MyFitnessPal app password has been swiped.
Cyber thieves stole usernames, email addresses, and hashed passwords from 150 million accounts for Under Armour’s MyFitnessPal app at some point in February. Affected people should immediately change their MyFitnessPal app password and do the same for any other online accounts using the same password.
You should also be alert to suspicious activity in all your other online accounts and unsolicited requests to provide personal information, visit web pages, click on email links, or download attachments.
Sports apparel manufacturer Under Armor did not comment in the report. notice of violation Learn how hackers were able to access your data. The company discovered the hack last week.
In ‘Sophos’ Naked Security BlogMark Stockley points out that it took the hackers at least a month to “send targeted MyFitnessPal phishing emails, decrypt stolen password hashes, and try decrypted passwords on other services (e.g. social media accounts).”
“The information at risk can be used to log into your MyFitnessPal account, so any data you see when you log into your account is also at risk,” he added.
writing on a wireLily Hay Newman takes a hard look at the hack and what Under Armor did well (quick disclosure, system partitioning, using the “bcrypt” hashing function) and what it didn’t (use the SHA-1 hashing function).
WannaCry infects Boeing systems.
If you thought WannaCry was really 2017, think again. The infamous ransomware made headlines again last week. The news is out This is what happened at Boeing, a giant airplane manufacturer.
When it was first discovered, Boeing executives feared the worst, including disruption to manufacturing processes, but once the dust cleared, the damage was limited. Quickly included and fairly limited.
“We have completed our final evaluation,” Linda Mills, director of communications for Boeing Commercial Aircrafts, told The Seattle Times. “The vulnerability was limited to just a few computers,” she said. We have released a software patch. “There was no disruption to the 777 jet program or any of our programs.”
Nonetheless, this incident serves as a reminder that WannaCry (official name WanaCrypt0r 2.0) spreads via an exploit called EternalBlue for a Windows OS vulnerability that Microsoft patched in March 2017. It’s been over a year now.
Vulnerabilities in the Windows Server Message Block (SMB) protocol are described in the following topics: Security Bulletin MS17-010was rated “critical” by Microsoft at the time because it was possible for an attacker to execute remote code on an affected system.
On Sophos’ Naked Security blog, John E. Dunn suggests that systems remain unpatched for WannaCry because fixing these vulnerabilities is not always straightforward.
“One reason for this persistence is that WannaCry not only affects regular desktops, laptops, and servers, but also spreads among unpatched Windows 7 systems that are widely used in manufacturing, such as Windows Embedded.” Dunn wrote.
here Additional information Describes how to detect and resolve the MS17-010 vulnerability in Qualys products.
Other WannaCry resources from Qualys include:
Drupal: Very serious vulnerability affects over 1 million websites
As was the case recently PromiseDrupal last week released a patch for a remote code execution vulnerability rated “very important” that affects multiple subsystems in Drupal 7.x and 8.x.
“This could potentially allow an attacker to exploit multiple attack vectors on a Drupal site, potentially leading to a complete compromise of the site.” Drupal warned In advisory.
in companion frequently asked questionsThe Drupal security team pegged the scope of the affected systems at 9% of sites, or more than 1 million sites, that use the content management system (CMS) platform.
Drupal does not know if this vulnerability has been successfully exploited, but nonetheless recommends immediate remediation because “site owners should anticipate that exploits may develop and should update their sites immediately.”
Workaround: Upgrade to the latest version of Drupal 7 or 8 core.
Specifically, users running 7.x should upgrade to: Drupal 7.58or alternatively apply this patch Systems that cannot be upgraded immediately. Meanwhile, tHosts running 8.5.x must be upgraded to: Drupal 8.5.1or apply this patch Systems that cannot be upgraded immediately. The FAQ states that Drupal 6 is also affected and users of that version will be notified of their version. Long Term Support Page.
Writing on the Qualys Community site, Dave Ferguson, Director of Product Management for Web Application Scanning at Qualys, said: called weakness(CVE-2018-7600) “Very dangerous.”
According to Ferguson, customers who regularly scan all of their websites using Qualys Web Application Scanning (WAS) can quickly determine if they are running a vulnerable version of Drupal without having to run additional scans.
“Just open WAS and go to Detection. In the search field, enter “150183” (this is the WAS QID reported when the Drupal CMS was detected). If WAS identifies a web app running Drupal, you’ll see QID 150183 in the detections. Open each detection and check the Results section to see which version of Drupal the site is running. If necessary, initiate the patch process,” Ferguson wrote.
In other information security news…
- Atlanta city government recently suffered severe damage ransomware attack The company, which halted operations, was warned months ago that its IT systems were riddled with “serious and serious vulnerabilities” that put it at serious risk of cyberattacks. According to CBS46Your local CBS affiliate.
- Hackers compromised Baltimore City government servers, affecting the city’s 911 system. reported Written by the Baltimore Sun.
- Cryptocurrency Monero may not be as private as previously thought. research report It was published last week. Sophos’ Naked Security blog states: Take away As with research, madCoinDesk fire The results are considered “old news.”