Netizen Threat Brief: 21 February 2018 Edition
Listed below is information regarding three of this week’s most critical threats, and preventative measures to lessen the chances of a breach:
- Severe Skype Vulnerability
- Domain Hijacking
- Windows 10 Null Character Flaw
1. Severe Skype Vulnerability
A serious vulnerability has been discovered in one of the most popular free web messaging and voice calling service (Skype) that could potentially allow attackers to gain full control of the host machine by granting system-level privileges to a local, unprivileged user.
The vulnerability has been discovered and reported to Microsoft and resides in Skype’s update installer, which is susceptible to Dynamic Link Library (DLL) hijacking. The exploitation of this would allow the attacker to hijack the update process by downloading and placing a malicious version of a DLL file into a temporary folder of a Windows PC and renaming it to match a legitimate DLL that can be modified by an unprivileged user without having any special account privileges. When Skype’s update installer tries to find the relevant DLL file, it will find the malicious DLL first, and thereby will install the malicious code.
The Skype vulnerability will not be patched anytime soon. It’s not because the flaw is unpatchable, but because fixing the vulnerability requires a significant software rewrite, which indicates that the company will need to issue an all-new version of Skype rather than just a patch.
To mitigate a breach, we recommend:
- Do not click on suspicious links from unknown senders
- Make sure you validate the security and completeness of files downloaded from the internet
- Monitor system activities for malicious behavior
- Run updated anti-virus/anti-malware software as a first line of defense
- Overall, practice good end-user awareness and training—an informed user will be less of an inadvertent security threat to the company.
2. Domain Hijacking
Domain hijacking could potentially have significant negative implications for any company/organization that has a web presence. Attackers could replace a company’s website, or web application, with an identical replica site designed to trick visitors into entering login credentials or personal information, thereby potentially helping to facilitate fraud. Malicious software could also be uploaded onto visitors’ computers. If a hijacked domain had been whitelisted by other businesses, that trust would be extended to the attacker. Such actions would almost certainly cause significant reputational as well as financial damage to affected organizations. Managed service providers are likely to be a higher priority target of domain hijacking due to the potential access and damage they could cause to their clients.
We recommend companies protect themselves by:
- Picking an enterprise-class domain name registry
- Keep up-to-date with security patches on servers and systems
- Locking the domain using a web service to guard against unauthorized domain transfers
- Ensuring all of domain name contacts have valid contact information
- Setting the domain to auto-renew each year
3. Windows 10 Null Character Flaw
The Windows 10 anti-malware scan interface (AMSI), which handles malware scan requests from inside applications, was found to be truncating files whenever a null character was read, leaving lines of code unscanned.
AMSI handles at least part of the scanning for the antivirus app it interfaces with, leading to the problem discovered: AMSI simply stops processing whenever it runs into a null character, which can be any character with all its bits set to zero. Any malicious code hidden after the null character will simply be missed, allowing it to safely execute without detection. This means it essentially bypasses the anti-malware scanner altogether.
AMSI inspects scripts invoked at startup, such as PowerShell, VBScript, Ruby, and others. Scripts are a common way of getting malware past antivirus scanners. Anything that makes it easier for attackers to do so, like this flaw, requires immediate action.
Microsoft’s latest round of security updates fixes this vulnerability, but that doesn’t mean attackers won’t try to exploit it. WannaCry, Petya, and other widespread cyberattacks from 2017 relied on unpatched systems to propagate malicious attacks.
There’s no reason to assume attackers will stop relying on human error to spread malware, so be safe and install the February Windows 10 security updates ASAP.
How can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.