General InfoSec discussion

Discussion in 'Business & Enterprise Computing' started by Gunna, Nov 18, 2019.

  1. GumbyNoTalent (Member, Briz Vegas)
    Favicon supercookie (proof of concept)
    https://github.com/jonasstrehle/supercookie

    https://www.ghacks.net/2021/01/22/favicons-may-be-used-to-track-users/

    Need to write a pi-hole filter to block all favicons now, happy Sunday hacking.
     
  2. chip (Member, Pooraka Maccas drivethrough)
    this is pretty hyperbolic, even by infosec writeup hype standards.
     
    millsy likes this.
  3. millsy (Member, Brisbane)
    favicons, so hot on the gartner hype cycle right now
     
    Gargamel likes this.
  4. Zyklone (Member, Canberra)
    Can't wait for some fucko to show me the latest magic quadrant report on it.
     
  5. elvis (Old school old fool, Brisbane)
    Last edited: Feb 9, 2021
    Daft_Munt, Gargamel and GumbyNoTalent like this.
  6. randomman (Member, Vancouver, BC)
  7. Fred Nurk (Member, Cairns QLD)
    The crew where I work have discovered Google Chrome Remote. I'll probably use this in the next discussion as to why such things aren't a good idea...
     
    elvis likes this.
  8. tobes (Member, Melbourne)
  9. Gunna (OP, Member, Brisbane)
  10. elvis (Old school old fool, Brisbane)
  11. wazza (Member, NSW)
    Problem with this patch is it's shutting the gate after the horse has bolted. Patch was released March 2 but it was well and truly already being exploited before then - a few security companies noted hacks with unknown origin (that turned out to be due to the exchange vulnerability) in Jan and I've heard rumours of some in Dec too - so it was being exploited for a couple of months before the patch was available.
    Also seems the attackers knew (or guessed) the timeline of the patch as they moved from targeted exploits to mass exploitation not long before the patch dropped.
     
  12. PabloEscobar (Member)
    It looks like pre-patch was targeted.
    Post-patch, they have just loaded the scattergun.

    The nature of the announcement (and how close it is to the next CU, and regular Patch Tuesday) led us to believe that "something" was happening, before news of how widespread it was, and we were able to patch straight away, with no Indicators of Compromise present. (Although new IOCs are coming daily.)
     
  13. elvis (Old school old fool, Brisbane)
  14. cvidler (Member, Canberra)
    One of the places I work is going through a couple of months of pain, because their core network infra has never been updated. Auditors rightly threw the book at them; now they have dozens of patches to implement, some requiring config changes (not directly compatible), etc. etc., all because the previous PHB said they can't have any network downtime for patches.

    Take your pain in small regular doses; don't save it up until it's too much.
     
    elvis likes this.
  15. elvis (Old school old fool, Brisbane)
    Amen to this. I got asked at previous org why I patched production Linux systems daily. The answer was this - small daily problems are far easier to deal with than large annual problems.

    And in the model of the US Navy who never test patches and deploy straight to production: a service outage from a bad patch is always better than a service outage from an active attacker.

    Choose your poison.
     
    Rass likes this.
  16. Gunna (OP, Member, Brisbane)
    The fact this also exists in 2010 which was also patched shows this exploit has been open for 10 years and if it's been open for that long you would assume some nation states were aware of it.

    I haven't looked into it too deeply outside of advising our email admins (and catching a snarky email from Infosec for doing so); however, one of the exploits works over port 80, so a load balancer that redirects to 443 and enforces TLS would mitigate the issue. I would hope a lot of big orgs would have it configured this way.
     
  17. wazza (Member, NSW)
    We had some probing occur day of the patch, but no IOCs so far - monitoring the situation while new info comes to light, and watching for any suspicious traffic.

    I'm a big fan of not making too many changes in one hit, if you make one change and something goes wrong you know it was that change, so it's easy to reverse and fix - make 100 changes (or apply 100 patches) at once and any one of them could be the cause of the issues, and fixing that issue could cause other issues.
     
    elvis likes this.
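    The kind of IOC check the posts above describe, as an added example that is not from any poster: it scans Exchange HttpProxy log rows for the AnchorMailbox "ServerInfo~<backend>/<path>" pattern that Microsoft's public Test-ProxyLogon guidance flags for the CVE-2021-26855 SSRF request; the column layout and every log row are constructed for this example, and real logs carry many more columns.

```python
"""Hunt Exchange HttpProxy CSV logs for the ProxyLogon (CVE-2021-26855)
request indicator: an AnchorMailbox of the form 'ServerInfo~<backend>/<path>',
which normal client traffic does not produce. Added example; the column
layout and every row in SAMPLE_LOG are constructed, not real data."""
import csv
import io
from collections import Counter

# Constructed sample in HttpProxy log shape. Rows r2 and r4 carry the
# indicator; r1, r3 and r5 are ordinary OWA/MAPI/ECP traffic.
SAMPLE_LOG = """DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,AnchorMailbox,HttpStatus
2021-03-02T08:10:11Z,r1,10.0.0.5,mail.example.test,/owa/auth/logon.aspx,alice@example.test,200
2021-03-02T08:10:12Z,r2,203.0.113.9,mail.example.test,/ecp/y.js,ServerInfo~exch01.example.test/autodiscover/autodiscover.xml,200
2021-03-02T08:10:13Z,r3,10.0.0.7,mail.example.test,/mapi/emsmdb/,Sid~S-1-5-21-1-2-3-1104,200
2021-03-02T08:10:14Z,r4,203.0.113.9,mail.example.test,/ecp/z.js,ServerInfo~exch01.example.test/ews/exchange.asmx,200
2021-03-02T08:10:15Z,r5,10.0.0.5,mail.example.test,/ecp/default.aspx,bob@example.test,200
"""

TRIAGE_FIELDS = ("DateTime", "ClientIpAddress", "UrlStem", "AnchorMailbox")


def is_proxylogon_anchor(anchor):
    """Match the published indicator: 'ServerInfo~' prefix plus a path part."""
    return anchor.startswith("ServerInfo~") and "/" in anchor


def scan_httpproxy_log(text):
    """Return the matching rows, trimmed to the fields a responder needs."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        if is_proxylogon_anchor(row.get("AnchorMailbox", "")):
            hits.append({k: row.get(k, "") for k in TRIAGE_FIELDS})
    return hits


def hits_by_client(hits):
    """Count matching requests per source IP so the noisiest source is triaged first."""
    return Counter(h["ClientIpAddress"] for h in hits)


if __name__ == "__main__":
    found = scan_httpproxy_log(SAMPLE_LOG)
    for hit in found:
        print(hit["DateTime"], hit["ClientIpAddress"], hit["UrlStem"], hit["AnchorMailbox"])
    print("per-source counts:", dict(hits_by_client(found)))
```

    A hit only says the request shape matched; a post-exploitation check (new web shells under the Exchange web roots, unexpected child processes of IIS workers) is still needed before calling a host clean.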
  18. PabloEscobar (Member)
    Unless you were doing request rewrites on your load balancer, I think you would still be vulnerable; you didn't need to have a virtual directory published with HTTP to get stung (as in, HTTPS isn't a mitigation).


    I think the probing on the day would have been the various govt agencies, determining how fucked everyone is.
    We patched early because it felt 'off': Microsoft releasing an out-of-band Exchange patch 1 week before Patch Tuesday, and a few weeks before a CU is set to drop. Am glad we did.
     
  19. ir0nhide (Member, Adelaide)
  20. wazza (Member, NSW)
    Timeline is all over the place at the moment, but DEVCORE (the first group that reported it to MS) had a workable pre-auth RCE on Dec 31 and reported it to MS on Jan 5 - but Volexity have reviewed their data and found attacks on Jan 3. Raises a bit of a question as to whether DEVCORE were also compromised - tinfoil hat time, but they're a Taiwanese org and the attacks seem to be Chinese in origin, so it wouldn't surprise me if China had compromised them.
    Also suspicious that attacks seemed to intensify and become less targeted a couple of days before MS released the patch.

    https://proxylogon.com/#timeline
    https://www.volexity.com/blog/2021/...-microsoft-exchange-zero-day-vulnerabilities/
     
    elvis and ir0nhide like this.
