Thursday, June 1, 2017

Cyber Updates - 1st June 2016

Breach at Identity Provider

Cloud based identity management provider OneLogin reported a breach. Early indications are that it was bad with customers being requested to recycle OAuth tokens, API keys, certificates, credentials, etc. They have previously released detailed “post-mortem” explanations so hopefully they will do so again. It is noteworthy that OneLogin have an extensive and detailed explanation of their security and compliance regime on their site.

Key takeaways:
  • Breaches will happen even with the best controls - make sure you have a plan for when a breach occurs at your own company or at a key supplier.
  • This is especially important for a supplier like OneLogin which provide a centralised identity management platform which could literally hold "the keys to the kingdom" for its customers.
  • When engaging with a supplier like this, make sure you have performed a risk analysis and assessed their security controls and procedures to help inform your own internal breach planning.

This week's cool hack

A bug bounty hunter called Peter Adkins was able to take a Server-side Request Forgery (SSRF) attack where the attacker can make the application make an HTTP request to an arbitrary endpoint and escalate it to achieve Remote Code Execution (RCE) on the target server. He write a nice writeup found here.

Key takeaways:
  • This was possible due to mis-configuration in an "off the shelf" product, Hashicorp Consul. Make sure you are securely configuring all products in the environment, even those which are not externally exposed.
  • Periodic reminder that several vulnerabilities which seem to be low risk could be chained to create a higher risk so it is important to consider vulnerabilities together.

More exploits to be dumped

We have previously covered the release of live and dangerous exploits by TheShadowBrokers. In a new post, they have claimed they will start releasing exploits on a monthly basis to paying "subscribers".

Key takeaways:
  • Whilst this didn't happen last time, be ready for the possibility of dangerous exploits targeting unpatched vulnerabilities.
  • Companies should be ready to install critical patches but also be ready to mitigate unpatched vulnerabilities through other protective or detective controls.
  • Company's planning should include all devices which could be active in their technology ecosystem including mobile devices and "Internet of Things" devices.

Windows SMB: "Well that was a bad few weeks!", Samba: "Hold my beer!"

Details were released this week of a nasty Remote Code Execution vulnerability in Samba (the Linux re-implementation of SMB/CIFS) and proof of concept exploit code has been released. Guardicore have a nice write-up of the issue. There is no link to the recent Windows SMB vulnerabilities aside from the timing.

Key takeaways:
  • Patch your Linux machines or use the workaround 
  • Same as the previous section :)

Josh Grossman
Senior Information Security Consultant and Team Leader