LastPass breach, Chrome Zero Day - Nov 26th to Dec 2nd - F5SIRT - This Week in Security
Welcome to this week in security! Tikka Nagi is back as the editor. This week we saw a number of interesting developments in the security world, from new vulnerabilities to malware exploiting a known CVE, and finally a breach that is a reminder that we all need to revisit the current best practices for keeping our passwords secure.
I'm always on the lookout for the latest developments in the field, and this week was no exception. In this post, I'll share some of the key highlights, including the discovery of a critical flaw in Chrome, the LastPass breach, and the leakage of Android app signing keys for multiple vendors.
LastPass Breach
LastPass and affiliate company GoTo have confirmed that intruders broke into a third-party cloud storage service they use and gained access to "certain elements" of their customers' information. LastPass did not specify what it meant by "certain elements," stating that it is unsure of what data was accessed. The company is working to understand the scope of the incident and determine what specific information was accessed.
Last night's statement also confirmed that the attackers used information stolen in an August attack to carry out the current intrusion. LastPass emphasized that its services were unaffected, and that customers' passwords remained "safely encrypted," though it did not rule out the possibility that some data was stolen. The company uses a one-way salted hash for master passwords, as described in a technical white paper. Master passwords are used to lock users' password vaults, where their logins for user accounts are stored. The passphrase is only ever entered by the user on their browser or app and is never sent to or stored by LastPass.
LastPass has hired InfoSec researchers from Mandiant to investigate the break-in and has also notified the authorities. GoTo, a remote access and collaboration company, stated that the incident has not affected its products and services, which remain fully functional.
Current best practices for using password managers, including LastPass:
- Create strong passwords aided by a tool such as the LastPass browser extension
- Set up multi-factor authentication for your online accounts, including LastPass
- Change your LastPass master password on a regular basis
- Do not use the same password for multiple accounts
- If you must share a password with someone, use the LastPass sharing center to share it safely
https://www.theregister.com/2022/12/01/lastpass/
https://resources.hacware.com/best-practices-for-lastpass-password-management/
Chrome Zero Day
CVE-2022-4262: 9th Zero Day and Counting for Chrome
Since July, Google has been patching one Chrome zero-day per month. It’s a bit unbelievable that Google announced an emergency Chrome 108 update on Friday to patch yet another zero-day vulnerability in the browser, the ninth to be fixed this year. Google has confirmed that an exploit for the vulnerability exists in the wild. This prompted Microsoft to release an updated Microsoft Edge (version 108.0.1462.42) with a fix for the same issue, since Edge is built on the same Chromium code base.
The vulnerability was identified by a Google Threat Analysis Group security researcher, Clement Lecigne. The high-severity security bug, tracked as CVE-2022-4262, is a ‘type confusion’ in the browser's V8 JavaScript engine. The flaw could allow a remote attacker to exploit heap corruption via a crafted HTML page, according to a National Vulnerability Database advisory.
Type confusion flaws arise when a program accesses a block of memory as a type other than the one it was allocated as. In Chrome, this can lead to deliberate code flow deviations, allowing attackers to achieve remote code execution when untrusted code is served from a malicious page.
Patches for the vulnerability have been included in Chrome 108.0.5359.94 for Mac and Linux, and in Chrome 108.0.5359.94/.95 for Windows. Users are advised to update to a patched version as soon as possible.
This emergency Chrome update comes just days after Google released Chrome 108 with patches for 28 vulnerabilities, none of which were known to be exploited in attacks. The week before, on Thanksgiving Day, Google released another emergency Chrome update to resolve a zero-day vulnerability in the GPU component, tracked as CVE-2022-4135.
Microsoft Edge Security Update
Microsoft has released a new stable version of its Edge browser, version 108.0.1462.42. This version comes with a more secure encryption policy that uses TLS Encrypted Client Hello (ECH) to enhance privacy. ECH is a TLS extension that also protects the Server Name Indication (SNI), which is otherwise sent in cleartext. ECH replaces the earlier Encrypted SNI (ESNI) feature. These improvements to the encryption policy are intended to provide users with greater security and privacy when using the Edge browser.
This update contains a fix for CVE-2022-4262, which has been reported by the Chromium team as having an exploit in the wild. For more information, see the Security Update Guide.
This update contains the following Microsoft Edge-specific updates:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-4262
Android App Signing Key Leak
Ars Technica published the story about Samsung’s leaked Android signing key, which may be the biggest security news of the year. The story undersells the scope of the issue, as it may have affected millions of Android users: "some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets."
The Android app-signing process is designed to ensure the authenticity and integrity of Android apps. When an app developer creates an Android app, they must sign the app with a digital certificate before it can be published on the Google Play Store or distributed to users. The digital certificate is used to create a unique signature for the app, which can be used to verify its authenticity.
The app signing process works as follows:
- The app developer creates the app and generates a private key using a keystore.
- The private key is used to create a unique signature for the app.
- The app is signed with the signature and the developer's digital certificate.
- The signed app is distributed to users or uploaded to the Google Play Store.
- When a user installs the app, their device verifies the app's signature and digital certificate to ensure that it is authentic and has not been tampered with.
This app-signing process helps protect users from installing malicious or tampered-with apps on their devices. It also ensures that only the app developer can update the app and that users can trust that the app they are installing is the genuine, unmodified version.
Mishaal Rahman, the Senior Technical Editor at Esper, has been sharing information on Twitter about this vulnerability. According to Mishaal:
“Why is that a problem? Well, it lets malicious apps opt into Android's shared user ID mechanism and run with the same highly privileged user ID as "android" - android.uid.system. Basically, they have the same authority/level of access as the Android OS process!”
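The five-step signing process above and the shared-user-ID problem in the quote both come down to one rule: a device trusts whatever the certificate bundled with the APK says, and treats two apps as the same author when their certificates are byte-for-byte identical. The following Go program is an added illustration of that trust logic, not code from Android, Esper or the original post; it models the process with Ed25519 and a self-signed certificate (real APK signers are usually RSA or EC) and the function and CommonName values are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewSigner generates a key pair and self-signed certificate, the way keytool
// populates an Android keystore (step 1 above). Ed25519 keeps the demo short.
func NewSigner(cn string) (ed25519.PrivateKey, *x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(25, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return priv, cert, err
}

// Sign is the developer-side step (2 and 3): a signature over the app contents
// that ships inside the APK next to the signer's certificate.
func Sign(key ed25519.PrivateKey, apk []byte) []byte {
	return ed25519.Sign(key, apk)
}

// Verify is the device-side install check (step 5): the signature must validate
// under the certificate bundled with the APK, or the install is refused.
func Verify(cert *x509.Certificate, apk, sig []byte) bool {
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, apk, sig)
}

// SameSigner is the identity rule behind updates and sharedUserId: certificates
// are compared byte for byte, so a leaked platform certificate passes as the OS.
func SameSigner(a, b *x509.Certificate) bool {
	return a.Equal(b)
}
```

Note that nothing in Verify or SameSigner asks who holds the private key: once a platform key leaks, any APK signed with it is indistinguishable from a genuine OEM app, which is why the only fix is rotating the key on the devices themselves.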
Redigo: Malware for Redis
Redigo: new malware targeting Redis by exploiting CVE-2022-0543
Aqua Nautilus has discovered a new malware attack that targets Redis servers. Redis is an open-source in-memory data structure store, used as a database, cache, and message broker. It supports various data structures such as strings, hashes, lists, sets, sorted sets, bitmaps, hyperloglogs, and geospatial indexes.
The attack was executed against one of their deliberately vulnerable Redis honeypots, and the malware was found to be written in Go. The malware, which has been named Redigo, is designed to exploit a vulnerability in Redis servers and allow the attacker's server to take control of the compromised machine. The choice of name is unfortunate, as there is an existing lightweight and easy-to-use library called Redigo that is used for accessing Redis from Go programs.
The vulnerability, CVE-2022-0543, lies in the Lua scripting engine and allows threat actors to compromise Redis servers, drop the Redigo malware and gain access to the host.
Researchers are unsure of the full extent of the impact of this attack, but the attack pattern suggests that the compromised server could be added to a large botnet. This typically means that the server will be used to participate in Distributed Denial of Service (DDoS) attacks.
Aqua Nautilus has written a blog post about the attack, where they review the attack process and recommend methods for protecting against future attacks.