CyberSec Watch Report - October 2017 - Misconfiguration, Defacing and WPA2
As every month, you can find on our blog our report about the most relevant cybersecurity topics of the past month.
With the cold weather coming, the pipes (and databases) are weakening and guess what, it causes leaks!
Apart from that, we’ll talk about Equifax and a serious flaw in the WPA2 protocol.
After Deloitte, it is now the turn of another of the Big Four, Accenture, to suffer from a data leak. The reason? A misconfiguration leaving four storage buckets unsecured and publicly accessible to anyone entering the buckets’ web addresses in their browser.
It gave anyone the opportunity to access secret API data, authentication credentials (40,000 plaintext passwords), certificates, decryption keys and more, exposing both Accenture’s internal systems and their clients’.
We could think that this leak is an isolated case, but it is not. According to Skyhigh Networks, 7% of all S3 buckets have unrestricted public access, and numerous recent leaks came from such bucket misconfigurations.
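To make the misconfiguration concrete, here is an added example (not part of the original report) that flags the two usual ways an S3 bucket ends up publicly accessible: an ACL grant to a global group, or a bucket policy statement that allows every principal. It assumes the ACL is a dictionary in the shape returned by the S3 GetBucketAcl API and the policy is a JSON string; the sample ACL, policy and bucket name are constructed for illustration.

```python
import json

# Grantee group URIs S3 uses for "everyone" and "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def public_acl_grants(acl):
    """Return (audience, permission) for every ACL grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[uri], grant.get("Permission")))
    return findings

def _is_wildcard(principal):
    """True when the Principal element matches every caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json):
    """Return Allow statements open to every principal with no Condition.
    Simplification: a statement that has a Condition is not flagged here,
    although a weak condition can still leave it effectively public."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow"
            and _is_wildcard(s.get("Principal"))
            and not s.get("Condition")]

# Constructed sample input (placeholder owner ID and bucket name).
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
_RES = "arn:aws:s3:::example-bucket/*"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": _RES},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject", "Resource": _RES,
     "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject", "Resource": _RES},
]})

if __name__ == "__main__":
    print(public_acl_grants(SAMPLE_ACL))
    print(public_policy_statements(SAMPLE_POLICY))
```

Any finding from either function means the bucket's contents can be read or changed without the strong authentication recommended later in this report.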
If you don’t remember, attackers breached Equifax’s website and exfiltrated Social Security numbers, names, driver license numbers and more for more than 145 million US consumers earlier this year.
Equifax’s website has been targeted again, and for several hours the site was used to deliver fraudulent Adobe Flash updates which, if clicked, infected the visitors’ computers with adware. Unfortunately, only 3 antimalware products could detect the threat at the time of the event (23 can at the time of writing).
It is still unclear how the attackers managed to compromise the website, but it is certain that Equifax is still targeted and cyber criminals are apparently not done yet.
The most used Wi-Fi security protocol has come to the front of the scene this month as researchers found serious weaknesses that can be exploited mostly against devices running Android, Linux, OpenBSD, and to a lesser extent macOS, Windows and other types of devices.
These weaknesses allow an attacker to target both vulnerable access points and vulnerable connecting clients in order to intercept passwords, e-mails, and other data presumed to be encrypted. In some cases, it can be more destructive as the attacker could inject and manipulate data.
The proof-of-concept is called KRACK for Key Reinstallation Attacks. The attack targets the four-way handshake that’s executed when a client joins a WPA2-protected Wi-Fi network.
The scary part is that the attack works against all modern protected Wi-Fi networks.
One solution: PATCH!
This month's recommendations are:
- Ensure all sensitive information is accessible with at least a (strong) password requirement
- Keep antimalware as updated as possible and if possible, ensure workstations and servers of your customers run various antimalware
- Monitor your extranets and ensure Security Officers are quickly notified when breached or defaced
- Patch, patch and guess what, patch again 😉
For cryptographic amateurs, here is a description of the ROCA vulnerability. It allows the attacker to retrieve the private key from the public key when generated on a device having the vulnerability.
You can find our previous monthly Cyber Watch Reports here: September 2017, August 2017 and July 2017.
Written by Florian Boudot with the participation of Charles Le Reun.