How scammers abuse Google Search’s open redirect feature

Yesterday morning I got a Skype message from an ex-colleague, somebody I’d not heard from in some time but was happy to reconnect with.

I say “message”, it wasn’t much of one, it was just a link. Out of the blue.

It was clearly a phish, but it caught my eye because it didn’t link to some obviously scummy or incongruous URL. It was a link to Google, and that got me wondering, how does that work?

Skype message

I’ve blurred some of the URL, but the important thing is that it looks like this:

https://www.google.com/url?sa=t&url=[redacted]&usg=[redacted]

I wasn’t interested in where the link would lead me (for the record, it redirects to a punycode-encoded URL that in turn redirects to a malicious site), but I was interested to see how a Google URL was being used to get me there.

It reminded me of a very similar Skype message I’d received a few years ago, one that abused an open redirect in Google Maps, and I wondered if there was another.

Over the years, scammers have realised that keeping things simple works for them, and the simplest message of all is like this one – nothing more than a malicious link. Of course, if all they have is a link they don’t want one that’s going to put you off.

And that’s a problem, because their domains often are off-putting. Malicious websites are destined to be blocklisted and don’t have a very long shelf life, so there’s no mileage for them in trustworthy-looking dot coms. Instead, they often hack into legitimate websites and use those, either to host their content or to act as intermediaries.

The resulting collection of compromised dentistry blogs and mom-and-pop travel company website domains is incongruous and not widely known.

The crooks need a way to dress them up as more trustworthy.

Stealth mode

One answer is to find an open redirect on a legitimate website – a redirection facility that can be abused to bounce users from a trustworthy website to another, less trustworthy one.

Open redirects tend to be bugs though, and they are likely to be closed sooner or later. The holy grail is a legitimate website with an open redirect function that’s a feature, not a bug.

Well, there is just such a feature, and it’s on the biggest website of them all.

In some browsers, like Firefox or Safari, Google search results don’t lead directly to the listed websites. Instead, Google links to itself. When you click on a search result link you’re bounced through another Google URL, which then redirects you to your destination. It does this so it can log which link you’ve clicked on. (If you use Chrome, or Chrome-based browsers like Brave, you aren’t redirected like this, but the same link back to Google tracks you via the rarely-seen ping parameter.)

The URL Google uses for redirects is https://www.google.com/url which serves, by design, as an open redirect. It will redirect you to any URL on the web, if you add an appropriate url parameter:

https://www.google.com/url?url=http://www.example.org

And that looks an awful lot like the phishing URL I received.

If you pasted the link above into a browser you’ll have noticed that you didn’t go straight to example.org. Instead, you were shown a Google web page saying “The page you were on is trying to send you to an invalid URL”.

Redirect notice

So why doesn’t that appear when you click on Google Search results and, more to the point, why didn’t it appear when I probed the Skype phish?

The answer is that the phishing URL contained a second parameter, sa=t, and a third, usg, which contains some kind of unique identifier. After a bit of cursory research I couldn’t find anyone who knows how to make a usg identifier, but crooks don’t have to make them. If a website is listed on Google Search, it has a usg, which is easily retrieved from the source code of the search results page.

https://www.google.com/url?sa=t&url=http://example.org/&usg=AOvVaw1YigBkNF7L7D2x2Fl532mA

It means the crooks can only use Google’s open redirect with a site that’s listed in the Google Search index. But that’s not a barrier if you’re already hijacking legitimate websites.
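As an added example, not code from the original post, the following Python unwraps a google.com/url link to its real destination and records the signals described above (the sa=t parameter, a usg token, and a punycode destination host), which is what a link filter or an analyst triaging such a message needs; the second sample host and its usg token are constructed.

```python
"""Triage a link that bounces through Google's /url redirector.

Added example, not code from the original post. It recovers the real
destination from a https://www.google.com/url link and records the signals
the post describes: the sa=t parameter, a usg token, and a punycode host.
"""
from urllib.parse import parse_qs, urlparse


def unwrap_google_redirect(link):
    """Return the url= destination if `link` is a google.com/url redirect, else None."""
    parts = urlparse(link)
    host = parts.hostname or ""  # urlparse already lower-cases the host
    if parts.scheme not in ("http", "https"):
        return None
    if host != "google.com" and not host.endswith(".google.com"):
        return None
    if parts.path != "/url":
        return None
    # parse_qs percent-decodes, so url=http://... and url=http%3A%2F%2F... both work
    target = parse_qs(parts.query).get("url")
    return target[0] if target else None


def has_punycode_label(hostname):
    """True if any DNS label is an IDNA A-label (xn--), i.e. a punycode-encoded name."""
    return any(label.startswith("xn--") for label in hostname.lower().split("."))


def triage_link(link):
    """Summarise a link the way a mail/chat filter or an analyst would want it."""
    target = unwrap_google_redirect(link)
    if target is None:
        return {"google_redirect": False, "link": link}
    query = parse_qs(urlparse(link).query)
    dest_host = urlparse(target).hostname or ""
    return {
        "google_redirect": True,
        "destination": target,
        "destination_host": dest_host,
        # sa=t together with a usg token is what skips Google's "invalid URL" notice
        "sa_t": query.get("sa", [""])[0] == "t",
        "has_usg": "usg" in query,
        "punycode_host": has_punycode_label(dest_host),
    }


# Constructed sample links: the second uses a made-up punycode host and usg token.
SAMPLE_LINKS = [
    "https://www.google.com/url?url=http://www.example.org",
    "https://www.google.com/url?sa=t&url=https%3A%2F%2Fxn--lgin-constructed.test%2F"
    "&usg=AOvVaw0CONSTRUCTEDTOKEN",
    "https://www.example.org/url?url=http://www.example.org",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(triage_link(link))
```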

Google search results have worked this way for a long time, and I imagine the tactic I’ve described here has been used for almost as long. So why does Google tolerate it? Well, Google (which, whether you like the company or not, takes security very seriously) doesn’t consider open redirects to be a security issue.

It says that “improperly designed redirectors can lead to more serious flaws” and it’s happy to hear about those. So, for example, Google would consider the scam site I ended up at a security threat, but not the subterfuge the scammer used to get me there.

What to do?

Even if you’re familiar with the way that scammers operate there’s always a chance you’ll run into new tactics, or (as I was) be surprised by old tactics you’ve just never seen before.

  • Don’t be taken in by the sender’s name. Whether it’s Skype, email or any other messaging system, scammers will try to use names you trust.
  • Don’t feel pressured into clicking a link. If the sender didn’t explain why you should click, you don’t have to! And if they did explain, you don’t have to act on advice you didn’t ask for and weren’t expecting.
  • Check URLs before you click. If the website you’re being sent to doesn’t look right, stay clear. Remember that scammers may try to use flaws or features in legitimate websites to hide URLs.
  • Use training and web filtering to avoid malicious sites. Sophos Phish Threat can train users to better identify scams, and the web filtering in products like XG Firewall or Sophos Home can protect them if they don’t.

Top 10 most exploited vulnerabilities list released by FBI, DHS CISA

When work-from-home became a sudden, urgent need in March, many organizations slapped together cloud-collaboration services such as Microsoft Office 365 for their newly locked-down staff.

Unfortunately and understandably, pressure was high. People were scrambling. Thus did a number of those services get put together with a wing, a prayer, and misconfigurations that set them up to be targeted by malicious threat actors.

According to a new report that covers the Top 10 Routinely Exploited Vulnerabilities from the US’s cybersecurity arms – the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) and the FBI – the abrupt shift to work-from-home that came in March led to rapid, sometimes hasty deployment of cloud collaboration services. The resulting oversights in security configurations have left some organizations vulnerable to attack.

That’s just one of the vulnerabilities that the agencies are seeing being exploited this year by what they say are sophisticated foreign cyber actors. Another trend for 2020 is malicious cyber actors increasingly targeting unpatched Virtual Private Network (VPN) vulnerabilities. These are two of the specific VPN vulnerability attacks they’ve spotted:

  • An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, that’s been detected in exploits in the wild. Citrix shipped patches as vulnerable servers came under attack in January. As we noted at the time, Citrix was vague about what the flaw would enable attackers to do, but based on analysis of Citrix’s proposed mitigations, the speculation was that the issue allows directory traversal: in other words, offering attackers a way to access restricted directories without having to authenticate.
  • An arbitrary file-reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510, that’s still attracting malicious actors. What’s sob-worthy is that in spite of patches having been available since April 2019, as of January 2020, attackers were still using the flaws to sneak onto unpatched servers, break into company networks and install the REvil (Sodinokibi) ransomware.

Unpatched systems grease the wheels for attackers

All that for 2020, and we still haven’t even gotten to the meat of the report: the 10 most exploited vulnerabilities for the years 2016 through 2019. Before we hit that list, though, take heed of what the US cybersecurity outfits are telling us: namely, that it’s vital for IT security pros at public and private sector organizations to place “an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors.”

The rationale behind the report is to provide details on vulnerabilities that are routinely exploited by foreign cyber actors – primarily Common Vulnerabilities and Exposures (CVEs) – in order for organizations to reduce the risk of these foreign threats, according to the US.

Leaving systems unpatched is making it easy as pie for those foreign threat actors. From the report:

Foreign cyber actors continue to exploit publicly known – and often dated – software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.

In other words, there are ways to force attackers to work a lot harder: namely, by patching in a timely fashion, as soon as practicable when patches come out:

The public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date. A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.

Top 10 exploits

The list below, in no particular order, is where to focus a concerted patching campaign: on the Top 10 Most Exploited Vulnerabilities for 2016-2019. Included are their CVE numbers, vulnerable products, associated malware, and mitigation strategies. I’ve also included a sample of just some of Naked Security’s coverage of each vulnerability.

The list of associated malware given for each CVE isn’t exhaustive. Rather, it’s intended to identify a malware family commonly associated with exploiting the CVE. You can also access the list as a PDF. As well, the US gave mitigations for vulnerabilities exploited in 2020.

CVE-2017-11882

CVE-2017-0199

CVE-2017-5638

  • Vulnerable Products: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
  • Associated Malware: JexBoss
  • Mitigation: Upgrade to Struts 2.3.32 or Struts 2.5.10.1
  • More Detail:

CVE-2012-0158

CVE-2019-0604

CVE-2017-0143

  • Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016
  • Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit
  • Mitigation: Update affected Microsoft products with the latest security patches
  • More Detail: https://nvd.nist.gov/vuln/detail/CVE-2017-0143
  • Our coverage.

CVE-2018-4878

CVE-2017-8759

CVE-2015-1641

CVE-2018-7600

Mitigations for Vulnerabilities Exploited in 2020

CVE-2019-11510

  • Vulnerable Products: Pulse Connect Secure 9.0R1 – 9.0R3.3, 8.3R1 – 8.3R7, 8.2R1 – 8.2R12, 8.1R1 – 8.1R15 and Pulse Policy Secure 9.0R1 – 9.0R3.1, 5.4R1 – 5.4R7, 5.3R1 – 5.3R12, 5.2R1 – 5.2R12, 5.1R1 – 5.1R15
  • Mitigation: Update affected Pulse Secure devices with the latest security patches.
  • More Detail:

CVE-2019-19781

  • Vulnerable Products: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SDWAN WANOP
  • Mitigation: Update affected Citrix devices with the latest security patches
  • More Detail:

Oversights in Microsoft O365 Security Configurations

Organizational Cybersecurity Weaknesses

The report also includes resources that can help organizations fend off attackers, including several free screening and testing services from CISA, online resources and more.

Microsoft joins encrypted DNS club with Windows 10 option

Microsoft is the latest browser vendor to join the encrypted DNS club by supporting DNS over HTTPS in Windows 10. In Build 19628 and higher, you’ll be able to encrypt your DNS traffic to prevent your geeky flatmate, that hoodie-wearing person in your local coffee shop, and possibly your ISP from snooping on your browsing destinations.

We’ve explained encrypted DNS before, but briefly, it encrypts DNS queries between your computer and the DNS resolver (which does the DNS lookup for you) so those in between can’t see which websites or other URLs you’re asking for. There are two types. One is DNS over TLS (DoT) which is tricky to implement on many networks. The other, which more networks are likely to play nicely with, is DNS over HTTPS (DoH). The latter is the version that Microsoft is using.

Encrypted DNS is better in some ways than the existing DNS, which operates in plain text, but as some Naked Security readers have pointed out, it still has some gotchas.

First, your DNS resolver has to support the technology. Second, that company can still see all your traffic, so you still have to trust someone who can see where you’re surfing to respect your privacy. Third, it stops any local cybersecurity tools from inspecting your DNS traffic to filter out malicious URLs. Your DoH-enabled DNS resolver might well have its own filtering, but that means you’re trusting it with just about everything, and makes it difficult to introduce multi-layered DNS filtering protection. It also stops the authorities from censoring certain sites or snooping on your traffic, which is a divisive issue.

When it first announced its plans to introduce DoH in November, Microsoft said that “supporting encrypted DNS queries in Windows will close one of the last remaining plain-text domain name transmissions in common web traffic.”

This month sees the company fulfil its vow by experimenting with it as part of the Windows Insider program. To enjoy encrypted DNS queries, you must be in the Fast Ring, which is the group in the program that gets weekly updates with brand new features. That gets you Preview Build 19628. Even then, you’ll have to turn DoH on because it’s off by default.

With this announcement, Microsoft joins Firefox, which aims to make DoH a default feature in Firefox, and Google, which is experimenting with it in Chrome.

When it announced its intention to move to DoH, Redmond said that it wouldn’t change users’ DNS settings, but would offer a choice of three DoH providers for those who want to use DoH: Cloudflare, Google, or Quad9. It also provides instructions for adding your own DoH-capable resolver using the command line.

Whether or not you take advantage of this feature depends on your local network configuration, and – given that Microsoft warns this is an experimental feature – your risk appetite. If you decide to take the plunge, Microsoft offers instructions on how to flip the DoH switch here.

PrintDemon – patch this ancient Windows printer bug!

This month’s Patch Tuesday fixes just came out in what we’re calling a “bumper update“.

Microsoft pushed out fixes for 111 different CVE-tagged vulnerabilities, 16 of which are deemed critical.

That includes bugs that could in theory be remotely exploited, for example via rogue attachments or booby-trapped web pages, to implant malware without popping up any dialogs or warnings.

However, there’s one apparently minor vulnerability that you may have seen in the media, because it’s created quite a stir: CVE-2020-1048.

Here’s how Microsoft describes it:

Windows Print Spooler Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application.

Security researchers Alex Ionescu and Yarden Shafir of technical seminar company Winsider have just published a very lengthy blog post in which they present this bug with the catchy name of PrintDemon.

For those not familiar with Unix, that’s a pun on the word daemon, pronounced “demon” and essentially the same word in a more Greek-like spelling, which is the Linux and Unix equivalent of a Windows service.

The name “PrintDemon” seems to have given this bug a fearsomeness that it probably doesn’t deserve.

Introducing the spooler

Both Windows and Unix still use the archaic computing word spooler to describe background software that handles printing jobs.

That word almost certainly derives from spools of magnetic or punched tape that were used for intermediate storage in the early days of computing.

Computers are fast but printers are slow and may go offline unpredictably, for example due to a paper jam or the toner running out.

So it makes sense to write printed output, or to spool it in the jargon, into some intermediate storage for later processing, where it won’t take up system resources such as RAM that would be better used for more pressing and complex tasks.

What the researchers discovered, very greatly simplified, is that with some simple PowerShell commands, any user (not just a system administrator) can set up a new printer device on Windows, provided that there’s already a low-level driver program installed to support the destination printer.

By combining the built-in printer driver called Generic / Text Only (which produces plain old text-only output, as its name suggests) with a local printer spoolfile for temporary output, anyone can set up a “new” printer with any name they like.

For example, a trio of PowerShell commands of this sort…

 Add-PrinterPort -Name spoolfilename
 Add-PrinterDriver -Name "Generic / Text Only"
 Add-Printer -Name MyPrinter -DriverName "Generic / Text Only" -PortName spoolfilename

…will set up a printer called MyPrinter, and pretty much whatever you print to it will end up sitting around, until you print something else, in the intermediate file called spoolfilename.

A problem of privilege

The problem, according to the Winsider researchers, is that you can specify a spoolfilename that you aren’t allowed to write to yourself at the time you do the Add-PrinterPort…

…but when you come to print to the MyPrinter device, then maybe, just maybe, you’ll be able to trick the Windows Print Spooler into writing its temporary output into spoolfilename anyway.

As you can imagine, this means that commands such as the following could lead to the printer being a sneaky way to “output” rogue software where it wouldn’t normally be allowed:

 Add-PrinterPort -Name C:\Windows\System32\PROGRAM.EXE
 Add-PrinterPort -Name C:\Windows\System32\SNEAKY.DLL

Apparently, if the Print Spooler is able to process the printing job immediately, then it will use your own account privileges to access the spoolfile, and so the print job will fail because you are blocked from changing or adding files in the system folders.

But if the print job can be deferred, for example until after a reboot, then the Print Spooler will try to catch up on unfinished print jobs later on, this time using its own account, which has SYSTEM privileges.

And thus an unprivileged user can get the Print Spooler to send untrusted data where it’s not supposed to go.
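Because a port created with Add-PrinterPort -Name is simply a file the spooler will later write to, a defender can audit the configured Local Port names for paths that point at protected folders or at executable file types. The Python below is an added example, not code from the original article or the PrintDemon research; the registry location it reads on Windows is an assumption, and the sample port list (which includes the two paths quoted above) is constructed.

```python
"""Audit Windows "Local Port" printer ports for file-system paths.

Added example, not from the original article or the PrintDemon research. A
port created with Add-PrinterPort -Name <path> is a file the spooler will
write to, so the audit flags ports that point at a file, and treats paths in
protected folders or with executable extensions as high severity.
"""
import re
import sys

# Where the Local Port monitor keeps its port names (assumed registry path).
LOCAL_PORTS_KEY = r"SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port\Ports"

PATH_LIKE = re.compile(r"^([A-Za-z]:\\|\\\\)")  # C:\... or \\server\share\...
PROTECTED = re.compile(r"^[A-Za-z]:\\(Windows|Program Files( \(x86\))?|ProgramData)(\\|$)", re.I)
CODE_EXT = re.compile(r"\.(exe|dll|sys|scr|cpl|ocx|drv)$", re.I)


def classify_port(name):
    """Return 'standard', 'review' or 'high' for one port name."""
    if not PATH_LIKE.match(name):
        return "standard"   # LPT1:, COM1:, FILE:, nul:, PORTPROMPT:, ...
    if PROTECTED.match(name) or CODE_EXT.search(name):
        return "high"       # spooler output would land in a system folder or as code
    return "review"         # a file port, but not obviously dangerous


def audit_ports(names):
    """Map every non-standard port name to its severity, worst first."""
    order = {"high": 0, "review": 1}
    found = {n: classify_port(n) for n in names if classify_port(n) != "standard"}
    return dict(sorted(found.items(), key=lambda kv: (order[kv[1]], kv[0])))


def enumerate_local_ports():
    """Read port names from the registry; only works on Windows."""
    import winreg  # Windows-only module, imported lazily on purpose
    names, i = [], 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LOCAL_PORTS_KEY) as key:
        while True:
            try:
                name, _, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values under the key
                return names
            names.append(name)
            i += 1


# Constructed sample, including the two paths quoted in the article.
SAMPLE_PORTS = [
    "LPT1:", "COM1:", "FILE:", "nul:", "PORTPROMPT:",
    r"C:\Users\alice\Documents\out.txt",
    r"C:\Windows\System32\PROGRAM.EXE",
    r"C:\Windows\System32\SNEAKY.DLL",
    r"\\fileserver\share\job.prn",
]

if __name__ == "__main__":
    ports = enumerate_local_ports() if sys.platform == "win32" else SAMPLE_PORTS
    for name, severity in audit_ports(ports).items():
        print(f"{severity:6s} {name}")
```

Run on a Windows host it reads the live port list; elsewhere it falls back to the constructed sample so the logic can be checked offline.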

Ironically, it looks as though this bug has been around in Windows quite literally for decades.

According to the researchers, it was partially but not completely patched following its abuse by the infamous Stuxnet virus more than a decade ago, but it nevertheless remained potentially exploitable until yesterday’s patches came out.

How bad is it?

The PrintDemon article authors finish up with the claim that:

So yes, walk to any unpatched system out there […] and just write Add-PrinterPort -Name c:\windows\system32\[REDACTED] in a PowerShell window. Congratulations! You’ve just given yourself a persistent backdoor on the system.

But we agree with the public assessment of Rapid7 researcher Brendan Watters, who offered the opinion that the authors of the PrintDemon article have overstated the dangers somewhat.

As Watters points out, “this is not a single command to [a] root backdoor. It is more like several thousand lines of code and some well-timed execution gets you a rooted backdoor.”

In particular, we couldn’t figure out how to use just one line of PowerShell to control exactly what would get printed to the rogue spoolfile, so we couldn’t write any content that came out as a legal Windows executable.

That’s because, by default, even the Generic / Text Only printer driver doesn’t blindly copy the characters that you print into the spoolfile – it adds blank lines at the top of the output, and space characters after every line’s worth of output, to create page margins.

By default, nothing we printed out ever led to a spoolfile that actually started with the characters MZ, even if we put the literal characters MZ at the start of our output.

But Windows programs will be ignored by the operating system unless they start with exactly those characters.

(Amusingly, the text MZ is a magic marker formed from the initials of Mark Zbikowski, the Microsoft programmer who invented the EXE file format many decades ago.)

It’s definitely a bug, and it’s a bad one, but:

  • It’s not really just one line of PowerShell to a “persistent backdoor on the system”.
  • The attacker already needs to be logged in to exploit this hole, so it can’t be abused remotely.

What to do?

You can guess what we are going to say.

Patch early, patch often!

Oh, and if you are a programmer, never ignore bug reports just because you think you fixed the hole more than a decade ago.

It’s tempting to assume that a known hole that was patched and then never re-exploited for more than ten years must surely have stood the test of time…

…but cybersecurity isn’t like that.
