In brief Zoom fixed a pair of privilege escalation vulnerabilities, which were detailed at the Black Hat conference this month, but that patch was bypassed, necessitating yet another fix.
Patrick Wardle, cybersecurity researcher and founder of Objective-See, talked about the two macOS Zoom client vulnerabilities at Black Hat, both of which could be exploited by a local unprivileged miscreant or rogue application to reliably escalate to root privileges.
The two holes could be exploited together to, simply put, feed a malicious update to Zoom to install and run, which shouldn’t normally be allowed to happen.
Wardle gave Zoom credit for issuing quick patches for the flaws, which the biz published individually on August 9 and 13.
But look at Zoom’s recent security bulletins, and it becomes quickly clear that something went wrong: five days later a third patch was released for the same problem.
“Zoom’s patch was… incomplete, I managed to bypass it,” macOS security researcher and Offensive Security content developer Csaba Fitzl tweeted. Fitzl didn’t release any details of how he managed to bypass the patch, but Zoom credits him with reporting the third exploit.
Zoom users on macOS are encouraged to update their client immediately to version 5.11.6, unless they are running a version older than 5.7.3. If that's you, it's still a good idea to upgrade, given the many other concerns with Zoom’s security that have come to light since it rose to prominence during the pandemic.
Test mobile apps for JavaScript injection
Worried your mobile apps are injecting JavaScript tracking tools into websites you visit? There’s a (web) app for that.
As recently reported by The Register, the in-app browsers in the iOS versions of Facebook and Instagram were caught injecting JavaScript trackers into webpages users visit. Fastlane security shop founder Felix Krause, who initially reported the issue, has since published a simple website that can tell users visiting it from an in-app browser whether or not a tracker has been injected by the app.
“After reading through the replies and direct messages [regarding reporting from The Register and other sources], I saw a common question across the community: how can I verify what apps do in their webviews,” he wrote.
Meta’s JavaScript injection effectively bypasses Apple’s restrictions on app tracking, and while Meta claims it’s not modifying traffic in any way, Krause said it’s still a privacy risk, with apps “able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap.”
Worse yet, the behavior isn’t limited to Meta’s apps: per Krause’s research, Amazon and TikTok are also guilty of injecting JavaScript via their in-app browsers. Other untested apps may be as well.
In TikTok’s case, the JavaScript it injects can monitor every keystroke (which would include passwords, credit card details, etc), what’s being tapped on the screen, and information about the elements users tap, within the in-app browser. TikTok said this monitoring was for debugging and performance-measuring purposes, and it’s not actually collecting the info.
Krause noted that his online tool may not detect all JavaScript injections, especially on newer versions of iOS. In 14.3, Apple added a form of sandboxing for JavaScript, “making it impossible for a website to verify what code is being executed,” Krause said.
To find out if an app you use is injecting JavaScript into websites via its in-app browser, get the link InAppBrowser.com in front of the app (DM it to yourself, post it, or leave it in a comment) and open it from there; the tool should tell you whether any scripts are running that the page didn't ship, malicious or not.
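The check Krause’s site performs boils down to a page auditing itself: it knows which scripts it shipped and which browser functions should still be native, and reports anything else. The following is an added illustration of that idea, not Krause’s InAppBrowser.com code; the first-party origins, the per-response nonce, the watched native names and the sample snapshot are all assumed or constructed for the example.

```javascript
// Added example (not Krause's InAppBrowser.com code): a first-party page's self-check
// for scripts it did not ship and for native browser functions that have been wrapped.
// In a real page buildSnapshot() runs in the browser; SAMPLE_SNAPSHOT is constructed by
// hand so findInjectedCode() can run under Node.

// Origins the page legitimately loads scripts from (assumed values).
const FIRST_PARTY_ORIGINS = new Set(["https://example.com", "https://cdn.example.com"]);

// Natives a tracker would have to wrap to observe taps, keystrokes and form traffic.
const WATCHED_NATIVES = ["addEventListener", "fetch", "XMLHttpRequest"];

function scriptOrigin(src) {
  try {
    return new URL(src).origin;
  } catch (e) {
    return null; // an unparsable src is treated as foreign
  }
}

// snapshot = { nonce, scripts: [{ src, inline, nonce }], natives: { name: sourceText } }
function findInjectedCode(snapshot, allowedOrigins = FIRST_PARTY_ORIGINS) {
  const findings = [];

  for (const s of snapshot.scripts) {
    if (s.src) {
      const origin = scriptOrigin(s.src);
      if (origin === null || !allowedOrigins.has(origin)) {
        findings.push({ kind: "external-script", detail: s.src });
      }
    } else if (s.nonce !== snapshot.nonce) {
      // Inline scripts the server emitted carry the per-response CSP nonce;
      // an inline script without it was added by something else.
      findings.push({ kind: "inline-script", detail: (s.inline || "").slice(0, 60) });
    }
  }

  for (const name of WATCHED_NATIVES) {
    const src = snapshot.natives[name];
    // A genuine built-in stringifies to "function name() { [native code] }".
    if (typeof src === "string" && !src.includes("[native code]")) {
      findings.push({ kind: "wrapped-native", detail: name });
    }
  }
  return findings;
}

// Browser side: collect the same shape from the live page. pageNonce is the nonce the
// server put on its own inline scripts. (Not run under Node; shown for completeness.)
function buildSnapshot(pageNonce, doc = globalThis.document, win = globalThis.window) {
  const scripts = Array.from(doc.scripts, (el) => ({
    src: el.src || null,
    inline: el.src ? null : el.textContent,
    nonce: el.nonce || null,
  }));
  const natives = {};
  for (const name of WATCHED_NATIVES) {
    natives[name] = Function.prototype.toString.call(win[name]);
  }
  return { nonce: pageNonce, scripts, natives };
}

// Constructed snapshot: what a page might observe inside an in-app browser that
// injected one inline listener, one external script and a wrapper around fetch.
const SAMPLE_SNAPSHOT = {
  nonce: "r4nd0m",
  scripts: [
    { src: "https://cdn.example.com/app.js", inline: null, nonce: null },
    { src: null, inline: "window.cfg = {};", nonce: "r4nd0m" },
    { src: null, inline: "document.addEventListener('keydown', e => report(e.key));", nonce: null },
    { src: "https://tracker.invalid/tracker.js", inline: null, nonce: null },
  ],
  natives: {
    addEventListener: "function addEventListener() { [native code] }",
    fetch: "function (u, o) { report(u); return realFetch(u, o); }",
    XMLHttpRequest: "function XMLHttpRequest() { [native code] }",
  },
};

if (typeof document === "undefined") {
  console.log(findInjectedCode(SAMPLE_SNAPSHOT)); // three findings for the sample
}
```

Run with `node` and the sample yields an inline-script, an external-script and a wrapped-native finding. The same limits Krause describes apply to this check: a script injected into an isolated JavaScript world (as on iOS 14.3 and later) never appears in `document.scripts`, and a careful wrapper can forge `toString`, so a clean report means only that nothing was found, not that nothing is there.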
Researchers weaponize PLCs to attack OT networks
Researchers with Claroty’s Team82 have demonstrated turning programmable logic controllers (PLCs) into network offensive tools.
PLCs are a fundamental part of industrial and commercial operational technology (OT) that makes up factory floors, utility infrastructure, manufacturing facilities, and other heavy industry. Malware such as Stuxnet, which was used by America and Israel to damage Iran’s uranium-enrichment facilities, as well as other modern threats rely on internet-facing PLCs that lack proper protection.
In previous cases, Team82 said in its research report, attacks involving PLCs were directly targeting the controllers. That’s not the case with their proof of concept, which they’ve named “Evil PLC Attack.”
Evil PLC doesn’t attack the PLCs themselves at all: instead, it relies on vulnerabilities in the engineering workstations that control them. By planting malicious code on a PLC and triggering a fault, an attacker can get an engineer who downloads the PLC’s code to inspect it to unwittingly compromise their own machine. The downloaded code relies on exploiting holes in software on the workstation.
“We were able to find previously unreported vulnerabilities that allowed us to weaponize the affected PLCs and attack engineering workstations whenever an upload procedure occurred,” Team82 said.
To make matters worse, seven of the most popular PLC makers – Rockwell Automation, Schneider Electric, GE, B&R, XINJE, OVARRO and Emerson – were all found to be vulnerable. Team82 noted that all of the vulnerabilities it found were located in engineering workstation software made by those vendors, not the PLCs or their firmware.
“In most cases, the vulnerabilities exist because the software fully trusted data coming from the PLC without performing extensive security checks,” Team82 said.
While the vulnerabilities have largely been patched, Team82 warns that concerned organizations should focus just as much on protecting workstations as they do on keeping vulnerable PLCs off the public internet.
Ransomware and BEC: A match made in the dark web
Security researchers at Accenture have highlighted the following point: the type of data being sold online after ransomware attacks is exactly the sort of stuff that’s ideal for launching business email compromise (BEC) attacks.
BEC attacks involve compromising a legitimate business email account to use in scamming a company’s employees. Fake invoices, often with “new banking details,” are commonly used to trick staff into remitting massive payments, making BECs some of the most popular and lucrative cyber scams currently in circulation.
According to Accenture, its team “found that the most disclosed data types overlap with the data types most useful for conducting BEC and [vendor email compromise] VEC attacks: financial, employee, and communication data, and operational documents.”
One thing that has long held cyber criminals back from making greater use of data stolen during a ransomware attack, Accenture said, is the sheer volume of the data stolen. “The utility of dedicated leak site data has historically been limited by the difficulty of interacting with large quantities of poorly stored data,” the researchers said.
New groups, however, are making that a problem of the past.
The researchers pointed to at least two data leak sites that offer searchable indexed data on easily used, publicly-accessible sites, with individual records available for as little as a dollar. “Threat actors can search for specific files such as employee data, invoices, scans, contracts, legal documents [and] email messages,” as well as hunting for companies based on industry or location, Accenture said.
Based on the types of data being stolen and sold, and the rise of indexed black data markets, Accenture said it “assesses that the primary factor driving an increased threat of BEC and VEC attacks … is the availability of data like that described above.”
Let that be a warning to companies that have been victims of ransomware attacks: be aware of the signs of BEC, how to protect against it, and know that it could be a matter of time before you’re hit again. ®