
Preparing for zero-day vulnerabilities: Lessons from forum and ATM breaches

  • Posted on: January 27, 2014
  • Posted in: Vulnerabilities & Exploits
  • Posted by: Trend Micro

The number of zero-day exploits rose throughout 2013, affecting a wide swathe of individuals and organizations. Moreover, the impending end of official support for Microsoft Windows XP has broadened the conversation about addressing systemic IT weaknesses, whether through upgrades, patching or additional security software, to ward off similar would-be zero-day incidents.

While a flood of Windows XP zero-days is still only a prospect at this point (especially since Microsoft will keep issuing antimalware signature updates for XP until 2015), the implications of such vulnerabilities can already be gleaned from the fallout of breaches of vBulletin-powered forums. MacRumors and the official forums of the openSUSE Linux distribution were compromised by attackers taking advantage of what appears to have been a zero-day flaw in the popular forum software. Although the hole has since been patched, at the time these sites had little recourse against tactics that bypassed their defenses to scrape password hashes and email addresses.

What can be done to address the rise in zero-day campaigns? The stakes for answering this question are high – just look at the number of ATMs that still run Windows XP, despite the aging operating system’s approaching obsolescence. Preventing damage from future zero-days will require a proactive approach that addresses common weak points in IT security, including the reliance on outdated software, lack of knowledge about cost-effective alternatives such as virtualization and slow implementation of patches.

By definition, zero-day exploits are difficult to address because attackers have already found the weakness and security teams are playing catch-up. Still, zero-days don’t materialize out of thin air and go after random targets – typical attack magnets such as Windows XP, Internet Explorer and vBulletin are widely used, built on relatively old yet frequently updated technology and often insufficiently patched by their users. Staying safe need not be a strictly reactive process that simply tries to undo the damage of an attack – with the right focus, potential attack surfaces for zero-days can be minimized.

Attacks on openSUSE page, MacRumors may have been result of vBulletin zero-day
Several pages at forums.opensuse.org were defaced after an attacker used a zero-day exploit against vBulletin to reach the site's database. The attacker dropped a PHP shell backdoor on the server, gaining read and write access on the openSUSE forum host.

However, login credentials were not compromised, because openSUSE authenticated forum users through an external single sign-on service rather than storing passwords in vBulletin, one of many precautions organizations can take to limit the blast radius of a zero-day breach. The attacker did, however, obtain email addresses that had been cached in the local forum database for convenience.

The openSUSE breach wasn't just a matter of someone finding another zero-day flaw in vBulletin. The email storage practices, along with the site's patch implementation, may have amplified the incident's impact. Although site administrators stated that having deployed the most recent patch (openSUSE was one patch behind) would not have protected the site, it's important to note that small oversights and delays can pile up, creating a broader attack surface.

More specifically, the 4.x branch of vBulletin used by openSUSE ships a vulnerable third-party component, uploader.swf, a Flash file that is part of the Yahoo User Interface (YUI) library. Yahoo does not plan to fix it, since it belongs only to older, unsupported versions of YUI. Instead, vBulletin 4.x users are advised to replace the file with an empty dummy and fall back on the JavaScript uploader.

To its credit, openSUSE quickly removed uploader.swf, which could have enabled cross-site scripting (XSS), in which arbitrary JavaScript is injected into a page served from the forum's own domain. It is unclear whether this particular vulnerability was the entry point, but an XSS flaw of this kind could be combined with social engineering to hijack an administrator's session or account and gain access to the database.
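The two concrete lessons above, a leftover uploader.swf that should be an empty dummy and a dropped PHP shell, are both things an administrator can check for mechanically. The following is an added example, not code from openSUSE, vBulletin or the original post: a small audit script that walks a webroot, reports every uploader.swf (size 0 means it has already been neutralized), neutralizes it on request, and flags PHP files containing constructs typical of web shells. The vBulletin path under clientscript/yui/ and the three web-shell indicators are assumptions chosen for illustration, not a complete signature set, and the sample tree it builds is constructed so the script runs offline.

```python
"""Audit a vBulletin-style webroot for a lingering YUI uploader.swf and for
PHP files that look like dropped web shells.

Added example; not openSUSE's or vBulletin's own code. Paths and indicator
patterns are assumptions for illustration.
"""
import os
import re
import tempfile
from pathlib import Path

# Constructs that are rare in legitimate forum code but typical of PHP shells:
# eval() over decoded/obfuscated input, command execution fed straight from a
# request parameter, and preg_replace() with the deprecated /e (eval) modifier.
SHELL_PATTERNS = {
    "eval_of_decoded_input": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "exec_from_request": re.compile(
        r"\b(?:system|exec|passthru|shell_exec|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "preg_replace_e_modifier": re.compile(
        r"\bpreg_replace\s*\(\s*(['\"])[^'\"]*/[a-z]*e[a-z]*\1", re.I),
}

SWF_NAME = "uploader.swf"


def find_uploader_swf(root):
    """Return sorted [(relative_path, size_in_bytes)] for every uploader.swf
    under root. A size of 0 means it is already an empty dummy."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == SWF_NAME:
                p = Path(dirpath) / name
                hits.append((p.relative_to(root).as_posix(), p.stat().st_size))
    return sorted(hits)


def neutralize_swf(path):
    """Replace the Flash uploader with an empty file: the path still exists so
    nothing 404s, but there is no executable SWF left to serve."""
    Path(path).write_bytes(b"")


def scan_php(root):
    """Return {relative_path: [indicator, ...]} for PHP files that match at
    least one web-shell pattern."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            p = Path(dirpath) / name
            text = p.read_text(errors="replace")
            matched = [k for k, rx in SHELL_PATTERNS.items() if rx.search(text)]
            if matched:
                findings[p.relative_to(root).as_posix()] = matched
    return findings


def audit(root):
    """Run both checks over a webroot and return a combined report."""
    root = Path(root)
    return {"uploader_swf": find_uploader_swf(root), "suspicious_php": scan_php(root)}


def build_sample_webroot():
    """Constructed sample tree for offline testing; these are not real
    vBulletin files, and the SWF path is an assumption."""
    root = Path(tempfile.mkdtemp(prefix="vb_audit_"))
    files = {
        "clientscript/yui/uploader/assets/uploader.swf": b"FWS",  # fake SWF header bytes
        "includes/functions.php":
            "<?php\nfunction clean($s) { return preg_replace('/\\s+/', ' ', $s); }\n",
        "images/avatars/thumb.php":
            "<?php\n@eval(base64_decode($_POST['c']));\nsystem($_GET['cmd']);\n",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        if isinstance(body, bytes):
            p.write_bytes(body)
        else:
            p.write_text(body)
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    print(audit(sample))
    for rel, _size in find_uploader_swf(sample):
        neutralize_swf(sample / rel)
    print(find_uploader_swf(sample))
```

Run it against a real install as `audit("/var/www/forum")`; anything reported under suspicious_php deserves a manual look at the file and at the web server's access log around its modification time, since a hit in a user-writable directory such as an avatar or attachment folder is exactly the pattern of an uploaded shell.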

openSUSE wasn't the largest target of the vBulletin exploit. MacRumors, which has 867,000 registered members, and the still larger Ubuntu Forums were hit by similar attacks. In the case of MacRumors, email addresses, usernames and hashed passwords were exposed (vBulletin's salted MD5 scheme is fast enough that weak passwords can be recovered offline), and the site owner advised everyone to reset their passwords and not to reuse a password from any other site.

Windows XP and ATMs: The real stakes of taking proactive measures against zero-days
These forum hacks demonstrate how popular platforms can attract enough attention to make them worthwhile targets for attackers. What’s more, seemingly minor oversights, such as relying on older software or not implementing the latest patch, can magnify the damage of such exploits.

The long life of Windows XP, and its approaching change in support status, have made it more important than ever for organizations to learn from the aftermath of the vBulletin breaches and harden their systems. The issue extends beyond the IT department: Windows XP runs on 95 percent of the roughly 420,000 ATMs in the U.S., and banks have been slow to upgrade to Windows 7. Upgrading can be a costly and even risky process, but the alternative is fending off zero-day threats alone, without official patches or support.

It could be a few years before all ATMs are upgraded to versions of Windows with mainstream support. Until then, organizations may have to deal with threats such as ATM cash-outs via USB key, or a botnet that pools the resources of the 29 percent of PCs that still run XP. The OS was listed as an affected product in 45 Microsoft security bulletins issued between July 2012 and July 2013.

In Europe, an ATM was compromised after it was booted from an infected USB key, demonstrating that many different endpoints are exposed to the prospect of a steady stream of unpatched Windows XP vulnerabilities. Organizations will need to upgrade software and hardware, not only to stay within official support but to shrink their attack surface.

openSUSE has already hinted at plans to migrate to different forum software, stating that the recent exploit confirmed its concerns about vBulletin. However, staying safe from zero-day exploits isn't just a matter of picking the right platform; it also depends on following best practices such as training users to recognize social engineering tactics and applying patches quickly.

  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.