The end of the year always grants us the opportunity to reflect, assess and set new goals for the New Year. In 2019, we saw major data breaches of Facebook and its subsidiary Instagram, DoorDash and CapitalOne, among many others with customer data leaking all around the world – exposing over 150 MILLION people to immediate and future exploitation. With the rise of consumer-based home monitoring equipment, there has also been an uptick of malicious attacks on Ring doorbells (and other brands) which we predict will become a bigger issue in 2020 as consumers reuse passwords on a dangerous number of monitoring devices in their own homes.
As we reflect on things that could have been done better and set goals for 2020, please look at some of the most significant vulnerabilities of 2019. We interviewed some of the experts from GoVanguard who were asked to list the most significant exploits on specific systems that they encountered in 2019 with some advice for remediation going into the New Year!
Mobile OS use continues to rise, and therefore some of the most egregious attacks of 2019 were focused on the most ubiquitous of
consumer devices: smartphones! While smartphone operating systems are designed with security in mind, they are the least likely to be
properly upgraded by the user as bugs and exploits are found, creating a ripe attack surface. However, one of the biggest exploits this year was a fundamental design flaw in Apple iPhone
devices! GoVanguard Information Security Engineer Jason Choy shares the Android and iOS exploits he came across in 2019:
- Android: “Android kernel zero-day vulnerability from October 2019, CVE-2019-2215. The flaw is a use-after-free vulnerability that affects the Android kernel’s binder driver. It requires a local privileged attacker (e.g., through a malicious app already installed on the device) in order to exploit. The vulnerability allows such an attacker to gain root access. It affected the following devices: Google Pixel 2 with Android 9 or Android 10 preview, Samsung S7 through S9, Oreo LG phones, Huawei P20, Xiaomi Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1, Oppo A3, Moto Z3.”
- iOS: “This year saw the release of the ‘checkm8’ open-source jailbreaking utility that affects every Apple device with an A5 through A11 chipset, aka iPhone 4S through X. Dubbed ‘unfixable,’ this exploit relies on flaws in Apple's ‘bootrom’ memory in the processor that contains the fundamental code that runs first when a device powers on. A researcher known as Axi0mX found the bootrom vulnerability by reverse-engineering and examining a patch Apple released in summer 2018 for the iOS 12 beta. Since the bootrom is a fundamental part of the system, this makes for a very effective jailbreaking technique that's not dependent on iOS-specific vulnerabilities. Here is a GitHub repo for the exploit.”
“A breach of the integrity of a partner’s dependency can lead to the publishing of malicious code through version increments of targeted packages. If improper steps are taken to lock dependencies down, then malicious code can be engineered to target and attack users of that package. Proper remediation of these vulnerabilities includes using dependency security scanners like Snyk and locking the versions of all dependencies to avoid accidentally upgrading to a malicious version of a package. While remaining on known secure versions is a good idea, remaining up to date with security patches and updates is a reality, so proper auditing of dependencies is a must.”
How Did Cloud Computing Tools Manage?
Taking a side-step into open source cluster management software, Kubernetes is an open-source container orchestration framework derived from Google’s proprietary cloud-based management systems. It is designed to speed up deployment and management of cloud applications, and it has seen rapid adoption! As Kubernetes is quickly increasing in use for managing Linux-based clusters, exploits are also growing in frequency, and 2019 saw several exploits in the wild. GoVanguard Chief Technology Officer, Shane Scott and President, Christian Scott shared a few exploits that they experienced in the wild in 2019.
“CVE-2019-11245 – Non-root containers run as root. Quick explanation: A regression that causes containers that should run as non-root to run as root after they are restarted twice. This results in numerous risks, especially if the container has been hardened under the intention of running as non-root explicitly.”
“CVE-2019-16276 – HTTP Protocol Violation in Go’s net/http Library Quick explanation: A scenario where an authenticating proxy is used to funnel authenticated requests to Kubernetes can be hijacked by sending an invalid header to trick the proxy to forward a valid set of authenticated, valid headers to Kubernetes.”
“CVE-2019-11253 – ‘Billion laughs attack’ – Kubernetes YAML Parsing Vulnerable to DoS Quick explanation: A denial of service attack on the underlying YAML parser of GO allowing an attacker to cripple a Kubernetes deployment using a special YAML payload. This could be delivered directly or if an attacker has the roles to POST YAML configurations. Kubernetes releases 1.14.8, 1.15.5 and 1.16.2 include the fixes to all these issues.”
What about desktop and laptop operating systems?
As we make our way toward the target with the most vulnerabilities of 2019 (hint: it’s Windows) other popular NIX based desktop operating systems, such as MacOS, saw a significant rise (perhaps more so than any other year to date) in malicious activity with more aggressive persistence and evasion techniques as well as few of their own APTs. Below, we will take a good look at the major desktop operating systems and some of the ways they were attacked in 2019. The below exploits were curated by GoVanguard CEO Mahdi Hedhli, InfoSec Intern, Justin Scott, and me: Kurt Wuckert Jr.
The specialist’s operating systems are often Linux-based, but like every system, they have vulnerabilities!
Linux systems are not widely used outside of server and specialized environments – like InfoSec! As such, the various distributions are typically well maintained by the open-source community. Also, Linux was engineered with the internet in mind, which is why
vulnerabilities are typically less frequent and catastrophic than Windows exploits. However, the Linux exploit of the year for 2019 is a four-year-old problem rooted in the Wi-Fi driver for systems using Realtek Wi-Fi modules! CVE-2019-17666 is an unpatched, CRITICAL bug that grants a malicious actor the potential ability to execute code remotely on the compromised machine. The attacker must be within radio range of the device to attempt the take-over, but if physical proximity can be obtained, the malicious packet does not even require authentication to trigger the overflow exploit.
Linux Kernel versions through 5.3.6 are vulnerable and remain unpatched even though the Linux kernel team has been aware of the issue for all of the 4th quarter of 2019.
Do these vulnerabilities affect the most elegant (and proprietary) version of NIX – MacOS? Bad news for the “it just works” crowd, it may be time to install some endpoint detection on that shiny box from Cupertino.
While the Linux exploit is not an issue in MacOS, 2019 was not an easy year for Apple as it saw a major uptick in malware and APTs specifically targeting MacOS using much more aggressive persistence tactics than we have seen in the past. In 2019, Apple also released “Catalina” which was plagued with user complaints and a fair share of exploits. Apple decided to (finally) launch a bug bounty program in 2019 (which makes us happy). It seems they learned from their 2018 “Mojave” debut, where a security researcher disclosed multiple privacy bugs on launch day.
While Catalina has not had a catastrophic exploit in the wild, it has had many smaller issues like CVE-2019-8748 and CVE-2019-8758 memory corruption bugs which could allow an application to execute arbitrary code with kernel privileges. The CVE-2019-8769 WebKit bug could expose a user’s browsing history if they visited a malicious website.
A rare and notable MacOS zero-day was discovered by Google’s Project Zero in November of 2018 and when Apple failed to issue a patch within the allotted 90 days, Project Zero released it to the public.
Named “BuggyCOW,” after the loophole researchers found in the copy-on-write or “CoW” protection of the operating system, the exploit leverages the fact that when a program mounts a new file system on a hard drive, the memory manager has no warning system. A malicious actor can unmount the existing file system, remount it with a different set of data, and replace the information that even the highest privileged code uses.
Thankfully, the circumstances to set the attack up require almost perfect conditions and a high level of sophistication to exploit.
The most notable MacOS exploit of 2019 is CVE-2019-8589 dubbed “GateKeeper Bypass,” a zero-day discovered by independent researcher Filippo Cavallarin and reported on February 22nd to Apple. This exploit bypasses Apple’s built in built-in security feature, Gatekeeper, that is supposed to ensure that only “valid” applications run. Valid applications are signed with an Apple-issued developer certificate. However, researchers and attackers discovered several crafty ways to bypass Gatekeeper due to inherent flaws in its trust model. Some bypasses exploited locations considered trusted (network & external drives) through symbolic links making Gatekeeper think their code was being run from other locations than the local drive while others chained commands from trusted apps to spawn other processes. After Apple failed to patch the exploit in 90 days, the vulnerability was made public, and it did not take long for this exploit to be seen in the wild. Less than one month later, Intego discovered the malware OSX/Linker leveraging this exploit. Apple struggled to patch this vulnerability and finally plugged the hole in late July. However, many older versions of MacOS are still being reported as vulnerable, and we even saw malware at late as December signed with rogue Apple Developer Certificates.
Because of the ease of exploit and rapid utilization of this vulnerability, we are ranking CVE-2019-8589 the top MacOS vulnerability of 2019. Thankfully, Apple’s latest OS Catalina is more security and privacy focused than ever, but we wonder if Apple is seeing the same things as every other security researcher. Bottom line, get some endpoint protection on your Mac and ensure you don’t leave those Apple security patches sitting in your update queue.
While there are a million reasons experts can point to on why Windows is less secure than other desktop operating systems, most of them are unfair. Windows is the most popular desktop operating system on earth, and it is a big target that still holds onto some fundamental designs and the burden of compatibility for systems and applications from an era before people lived on the internet.
In 2019, we did not have another WannaCry incident, but the fundamental problem that allowed the infamous 2017 ransomware attack is still an open vulnerability on over a million computers worldwide.
This year, BlueKeep (CVE-2019-0708) gave us a “critical” vulnerability causing problems on computers from Windows XP up to Windows 7, including its server operating systems. The BlueKeep vulnerability can allow full access to the computer and data by running code at the system level. If the computer is connected to the internet, it can even be taken over remotely. This exploit is “wormable” which means that exploited machines can infect other machines; allowing attackers to spread their malware effectively and rapidly to vulnerable systems.
Patches have been released, but CVE-2019-1181 and CVE-2019-1182 showed up in September to exploit systems from Windows 7 all the way to Windows 10 which allow malicious code to execute via Remote Desktop without any user interactions at all! Good job, Microsoft!
Most of the biggest exploits in 2019 can be mitigated with simple rules and systems in place – which is usually the product of being managed by a professional IT department or MSP. Sometimes, however, that is still not enough. If your company manages critical personal, financial or medical data, your network needs to have a more robust security regimen. In these high-risk environments, GoVanguard recommends regular network penetration testing and on-going monitoring of critical systems to reduce and manage your organization’s risk.
Remember, your security is only as good as the last time you tested it. Happy 2020!