Threat Report

Wednesday October 31, 2018

It’s time to rise from your graves for our Halloween threat report. This week we’re going to point you at a few Twitter doors to knock on, hand out some zero-day tricks and treats, and discuss a white paper that’s giving energy and water a fright.

Zero-Day Tricks and Treats

Many security professionals get their news through sources like Twitter. If you’re looking for some Twitter doors to knock on to get the good treats this Halloween, check out @SandboxEscaper and @HackerFantastic.

In recent months, security researcher @SandboxEscaper has released proof-of-concept(PoC) exploits for two Windows zero-days on Twitter. The most recent vulnerability is a privilege escalation flaw in Microsoft Data Sharing (dssvc.dll). The Data Sharing Service runs as LocalSystem account and provides data brokering between applications. @SandboxEscaper zero-days have been turned around by threat actors and seen in the wild. If you want some early warning on the next Window’s zero-day, give her a follow.

On the Linux side of the world, security researcher Narendra Shinde discovered a local privilege-escalation and file-overwrite vulnerability in X.Org X server that opens the door for a trivial compromise of a Linux system.

Essentially, Shinde says this is the result of “incorrect command-line parameter validation”. The system doesn’t check for correct permissions on the -modulepath or -logfile command line switches. Both are root-privileged processes.

Although this was only given a 6.6 CVE score (likely because it was considered a local exploit) security pro @HackerFantastic has released a PoC on Twitter that shows this working remotely via SSH. This makes CVE-2018-14665 a dime in my little black book.

“Xorg Local Privilege Escalation (LPE) via CVE-2018-14665 can be triggered from a remote SSH session, does not need to be on a local console. An attacker can literally take over impacted systems with three commands or less”. @HackerFantastic regularly posts PoCs and other good security news. You should give him a follow too.

Spectre of Spectre Returns to Haunt Halloween

Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) have reported an industry-wide issue found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). The vulnerability relies on the presence of a precisely-defined instruction sequence in the privileged code. As well as the fact that memory read from address to which a recent memory write has occurred may see an older value. Subsequently this will cause an update into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. This impacts the qemu-kvm and libvirt packages.

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.

The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

This reminded us of the OG speculative execution vulnerability, Spectre, disclosed Jann Horn and Paul Kocher in collaboration with Daniel Genkin, Mike Hamburg, Moritz Lipp and Yuval Yarom.

Water and Energy Industrial Controls Exposed on the Web

Trend Micro has recently published a white paper on water and energy infrastructure exposed to the Internet, and it’s worth a read. Trend Micro reports that Energy is the top critical infrastructure for most industrial economies and Water is a natural extension of the energy sector; with water being a key component in hydroelectric and geothermal plants. Protecting critical infrastructure against cyber attacks should be of the highest priority for the organizations that operate it.

Perch provides threat detection services to a number of Critical Infrastructure providers in the Water and Energy space. We looked for some of the common exposed services mentioned in this white paper. After reviewing all customer data for the last 30 days we found no established flow from the wild Web to a port related industrial control systems. Good job, Perchy people. You get a treat.

Paul Scott

Paul Scott
SOC Nightwatchman