Security in the tools we use

Thursday, July 30, 2020 by Jason Slagle

As technology advances, more businesses find themselves reliant on tools and software, whether developed in-house or purchased commercially.  As the world becomes increasingly dependent on technology, the crimes that target businesses become increasingly technological as well.

All too often businesses make the mistake of implementing a technology and then letting it sit, treating it like an appliance such as a microwave or washing machine.  However, doing so can be dangerous and can leave the business and its users exposed to this new technological crime.  Increasingly, groups such as Evil Corp and Maze have launched a number of high-profile attacks on companies including Garmin, Xerox and others.  These groups of bad actors are becoming increasingly sophisticated and are targeting smaller businesses and technology providers using a combination of social engineering and weaknesses in the software or tools those organizations use.  I'd like to explore a couple of recent vulnerabilities in tools and software used across a variety of industries.  Each of these vulnerabilities was revealed in July - in fact, dozens to hundreds of vulnerabilities are reported every month.

Microsoft Server Operating Systems (CVE-2020-1350)

Recently a 17-year-old bug was discovered in the DNS server of the Microsoft Windows operating system.  The vulnerability lies, ironically enough, in the DNS Security (DNSSEC) portion of the Windows Server DNS server.  DNS, or Domain Name System, is the protocol which turns your friendly names such as into the IP addresses, or numbers, that the internet is actually based on.  Microsoft provides an implementation of the software which does this conversion, and it is a core piece of the Active Directory system.  As such it is enabled on all Domain Controllers (each network typically has at least one) as well as on numerous other servers.

This weakness in the server has existed since Windows Server 2003 and is present up through Windows Server 2019 prior to the patches.  This is by no means a new bug, and it shows that even long-trusted software and tools can be exploited when investigated closely.

Proper exploitation of this vulnerability can be performed remotely and can lead to full takeover of the systems in question.  Since Domain Controllers serve as the core of many business networks, this can leave your entire business vulnerable.  At the time of writing there are no known instances of it being exploited in a widespread fashion; however, since proof-of-concept code is available, it is likely only a matter of time.  More information from Microsoft can be found here.

Ruckus Wireless Software (CVE-2020-13917)

It's not just server software or operating systems that can be vulnerable.  The vulnerability above is an example of a critical issue located in a "device".  Increasingly, "Internet of Things" devices and other equipment such as security camera systems are being used by attackers either to launch attacks against other networks or as entry points into your network.  Imagine, if you will, that you have a DVR visible from the internet so you can view the cameras at your business.  If an attacker can compromise that camera system, they can use it as a jumping-off point to bypass your firewall and begin poking around inside your network.  Suddenly many areas you considered unreachable and safe are wide open to attackers.

This vulnerability in the Unleashed software running on the access points allows an attacker to essentially take control of the device.  They could then intercept wireless traffic or do any number of other things.  Details on this particular vulnerability are light, and at the time of writing it is new enough that no proof of concept or attacks in the wild exist.  But how often do you consider the need to keep the firmware on your devices - essentially anything that plugs into the network, including printers and IP phones - up to date?

Adobe Photoshop (CVE-2020-9687)

Finally, let's discuss less technical applications.  It's easy to think these sorts of issues are limited to things your IT provider has installed or manages, but that is often not the case.

In July, Adobe released patches for many products, including Photoshop, to address an issue with MP4 editing.  A user opening a specially crafted MP4 file could find their entire computer compromised, as the vulnerability allows the attacker to run arbitrary code.  This sort of attack is common and is often used on the web or in phishing campaigns that attempt to get the user to open the offending file.

As with the other vulnerabilities, there is no indication it has been exploited in the wild, but each of them was disclosed less than a month ago, so any of them could be used in the future.

Technology Providers as an attack vector

As the trend toward compromising smaller businesses has grown, so too has the trend of targeting service providers.  For an attacker, successfully exploiting a service provider effectively compromises multiple businesses at once and leaves a centralized point from which to negotiate ransom.  Due to the scale at which many providers operate, they tend to use diverse toolsets that let them manage and maintain systems in bulk.  These tools, while useful, can also provide a method for bulk exploitation of client systems.  It is imperative that IT service providers be extra diligent in maintaining the security of their systems.  There have been multiple news articles written about this recently, such as the one here.

Multiple Vulnerabilities in Connectwise Automate

In June of 2020, a vulnerability was discovered in the Automate remote monitoring and management platform.  This platform is used by many IT service providers to monitor client systems.  The CVE for the vulnerability provided some details on the issue once it was released; however, the vendor did a bad job of communicating with partners, indicating only that there was a security issue and we needed to patch.

This lack of clarity and information led CNWR's own Jason Slagle to perform a security review of some of the Automate server-side code.  Upon review, Jason submitted two separate bug reports to Connectwise (CVE-2020-15008 and CVE-2020-15027) which, when combined, could enable complete takeover of an Automate system by a remote attacker.  Connectwise has since patched both vulnerabilities and, rest assured, CNWR is patched and protected.  Jason continues to audit tools in use by CNWR and will submit any other bugs found.

What you can do

This article has been a bit doom and gloom and makes it sound hopeless - what can you, the end user, do to stay protected?

Security comes in layers, and no single defense is likely to be effective in all situations.  It is important that you keep your software up to date, including the firmware on your devices, and employ other techniques such as firewalls to ensure your network is protected.  If you are a small business this can be a daunting task.  You don't have to go it alone - IT service providers such as CNWR are here to help.

If you already have a service provider, there are things you should be asking them.  Do they maintain cyber insurance?  If disaster strikes and they get attacked, that insurance will help them recover.  Do they have an incident response plan?  How do they keep abreast of security issues and schedule remediation?

It's a tough world out there - you don't have to go it alone.  If you need help feel free to contact us today!