Tag: Staff Research Engineer

Satnam Narang, Staff Research Engineer at Tenable

Comment on Clubhouse App: Tenable

Clubhouse, an invite-only app available on iOS, is seemingly the next big thing in social media for casual, drop-in audio conversations with anyone, sometimes even celebrities. As of February 2021, the app had 8 million downloads. Just as apps offer opportunities to learn and connect with others, they can also be breeding grounds for scammers. Satnam Narang, Staff Research Engineer at Tenable, who has done extensive research into scams on social media platforms such as TikTok, Instagram and Cash App, offers his comments on the challenges and opportunities Clubhouse might present to scammers.

“In February 2021, Clubhouse topped 8 million global downloads for its invite-only voice-based social media app that is currently only available on iOS devices. Historically, I’ve found that when an app surges in popularity with users, scammers quickly take notice and find their own niche around them, whether it’s Facebook, Twitter, Instagram, Snapchat, Tinder or TikTok. There are a few challenges that Clubhouse presents to scammers as well as opportunities.

“For instance, because the app is voice-driven, there is no way to chat with users in order to peddle links to scams, which is often a scammer’s preferred method. Clubhouse does allow users to promote social profiles for Instagram and Twitter, which is the most likely way users will be driven to scams. I saw this in my TikTok research a few years ago: when scammers were promoting adult dating scams, they would ask the users to add them on Snapchat in order to take them off the platform.

“There have been reports that Clubhouse rooms have been created to promote get-rich-quick schemes or fake coaching offers. They drive users off Clubhouse to social profiles created to promote these so-called opportunities. These benign profiles aren’t likely to get removed until after users have parted ways with their money, making this type of scam extremely lucrative.

“There is also an impersonation problem that faces other platforms and has already started to emerge on Clubhouse. After Elon Musk joined Clubhouse, a few fake Elon Musk profiles appeared on the platform. There are reports of other notable figures who aren’t actually on Clubhouse, but have been told by their fans that they were in a room with them. I expect this to continue until Clubhouse starts incorporating some sort of verification mechanism within the platform for these notable figures.

“The Clubhouse app itself is undoubtedly being examined by security researchers for flaws. We’ve already seen reports that users have been able to snoop on audio from Clubhouse rooms and create unofficial Android versions of the app until an official one is released.

“Unofficial versions of Clubhouse for Android are another area that is ripe for abuse. With the ability to sideload applications on Android devices, cybercriminals can create fake versions of Clubhouse that perform malicious actions on the users’ devices and potentially lead to financial harm.” – Satnam Narang, Staff Research Engineer, Tenable

Satnam Narang, Staff Research Engineer at Tenable

Comment on Vulnerabilities in F5 BIG-IP and BIG-IQ from Tenable

“F5 recently addressed several vulnerabilities in its BIG-IP and BIG-IQ, of which four were rated critical. The most severe of these critical vulnerabilities is CVE-2021-22986, an unauthenticated remote command execution flaw in the iControl REST interface. It received a CVSSv3 score of 9.8 out of 10, making it one of the most severe flaws patched today. Successful exploitation of this flaw could lead to full system compromise.

As we saw last summer when F5 patched CVE-2020-5902, another critical vulnerability in BIG-IP, attackers quickly latch onto such flaws and begin scanning for and targeting vulnerable F5 devices that are publicly accessible. We expect history to repeat itself for CVE-2021-22986 in the coming days and weeks, especially once a proof-of-concept becomes publicly available. It’s imperative for organizations to update to a patched version immediately.” – Satnam Narang, Staff Research Engineer, Tenable.

Satnam Narang, Staff Research Engineer at Tenable

Microsoft’s March 2021 Patch Wednesday Addresses 82 CVEs

This month’s Patch Wednesday release contains 82 CVEs, including a fix for CVE-2021-26411, a remote code execution flaw in Microsoft Internet Explorer, and serves as a reminder to organizations to apply patches addressing the ProxyLogon and other Microsoft Exchange related zero-days. Please find below a comment from Satnam Narang, Staff Research Engineer, Tenable.

“This month’s Patch Wednesday release addressed 82 CVEs, 10 of which are rated critical. This month’s release contains a fix for CVE-2021-26411, a remote code execution flaw in Microsoft Internet Explorer that has been exploited in the wild as a zero-day. This is tied to a vulnerability that was publicly disclosed in early February by researchers at ENKI who claim it was one of the vulnerabilities used in a concerted campaign by nation-state actors to target security researchers. In the ENKI blog post, the researchers say they will publish proof-of-concept (PoC) details after the bug has been patched. As we’ve seen in the past, once PoC details become publicly available, attackers quickly incorporate those PoCs into their attack toolkits. We strongly encourage all organizations that rely on Internet Explorer and Microsoft Edge (EdgeHTML-Based) to apply these patches as soon as possible.

“It’s imperative for organizations to ensure they’ve also applied patches to address the Proxylogon and other Microsoft Exchange related zero-days that were disclosed last week as part of an out-of-band advisory, which nation-state groups and other threat actors have exploited indiscriminately. In addition to patching, it is vital for organizations to do their due diligence and hunt for indicators of compromise to ensure attackers haven’t established a foothold within their networks.” – Satnam Narang, Staff Research Engineer, Tenable.

Satnam Narang, Staff Research Engineer at Tenable

Microsoft Patches Four Exchange Server Zero-Day Vulnerabilities Exploited in the Wild

Microsoft has issued out-of-band patches for multiple zero-day vulnerabilities exploited in the wild by a nation-state threat actor called HAFNIUM. Satnam Narang, Staff Research Engineer at Tenable, says that Microsoft’s choice to patch these flaws out-of-band rather than include them as part of next week’s Patch Tuesday release leads us to believe the flaws are quite severe. Here’s a full analysis provided by Tenable along with a quote from Satnam Narang below.

“Four zero-day vulnerabilities in Exchange Server have been exploited in the wild by a nation-state threat actor called HAFNIUM. The fact that Microsoft chose to patch these flaws out-of-band rather than include them as part of next week’s Patch Tuesday release leads us to believe the flaws are quite severe even if we don’t know the full scope of those attacks.

“While Microsoft says that HAFNIUM primarily targets entities within the United States, other researchers say they have seen these vulnerabilities being exploited by different threat actors targeting other regions.

“Based on what we know so far, exploitation of one of the four vulnerabilities requires no authentication whatsoever and can be used to potentially download messages from a targeted user’s mailbox. The other vulnerabilities can be chained together by a determined threat actor to facilitate a further compromise of the targeted organization’s network.

“We expect other threat actors to begin leveraging these vulnerabilities in the coming days and weeks, which is why it is critically important for organizations that use Exchange Server to apply these patches immediately.” – Satnam Narang, Staff Research Engineer, Tenable

Satnam Narang, Staff Research Engineer at Tenable

Comment on vulnerabilities in VMware vCenter Server from Tenable

“At least four proof-of-concept exploit scripts for CVE-2021-21972, a critical remote code execution flaw in VMware’s vCenter Server solution, are currently available. We know that the availability of proof-of-concept code or exploit scripts following the publication of a critical vulnerability is a boon for threat actors.

“While some cybercriminals may be adept at developing their own proof-of-concept exploits, threat actors are keen on leveraging what’s publicly available, as evidenced in the Copy Paste Compromises report from the Australian Cyber Security Centre in June 2020 that arrived at the same conclusion.

“There are confirmed reports that attackers are probing for vulnerable vCenter Server systems. According to a Shodan search, there are over 6,700 publicly accessible vCenter Servers. Coupled with the availability of these exploit scripts, it is all the more imperative for organizations to apply the available patches immediately instead of relying on temporary workarounds.” – Satnam Narang, Staff Research Engineer, Tenable