In brief Zoom fixed a pair of privilege escalation vulnerabilities, which were detailed at the Black Hat conference this month, but that patch was bypassed, necessitating yet another fix.
Patrick Wardle, cybersecurity researcher and founder of Objective-See, talked about the two macOS Zoom client vulnerabilities at Black Hat, both of which could be exploited a local unprivileged miscreant or rogue application to reliably escalate to root privileges.
The two holes could be exploited together to, simply put, feed a malicious update to Zoom to install and run, which shouldn’t normally be allowed to happen.
“Zoom’s patch was… incomplete, I managed to bypass it,” macOS security researcher and Offensive Security content developer Csaba Fitzl tweeted. Fitzl didn’t release any details of how he managed to bypass the patch, but Zoom credits him with reporting the third exploit.
Zoom users on macOS are encouraged to update their client immediately to version 5.11.6, unless running a version older than 5.7.3. If that latter case sounds like you, it may be a good idea to upgrade for plenty of other concerns with Zoom’s security that have come to light since it rose to prominence during the pandemic.
“After reading through the replies and direct messages [regarding reporting from The Register and other sources], I saw a common question across the community: how can I verify what apps do in their webviews,” he wrote.
Researchers weaponize PLCs to attack OT networks
Researchers with Claroty’s Team82 have demonstrated turning programmable logic controllers (PLCs) into network offensive tools.
PLCs are a fundamental part of industrial and commercial operational technology (OT) that makes up factory floors, utility infrastructure, manufacturing facilities, and other heavy industry. Malware such as Stuxnet, which was used by America and Israel to damage Iran’s uranium-enrichment facilities, as well as other modern threats rely on internet-facing PLCs that lack proper protection.
In previous cases, Team82 said in its research report, attacks involving PLCs were directly targeting the controllers. That’s not the case with their proof of concept, which they’ve named “Evil PLC Attack.”
Evil PLC doesn’t attack the PLCs themselves at all: instead, it relies on vulnerabilities in engineering workstations that control them. By compromising a PLC with malicious code and triggering a fault, an engineer who downloads the PLC’s code to inspect can unwittingly compromises their own machine. The downloaded code relies on exploiting holes in software on the workstation.
“We were able to find previously unreported vulnerabilities that allowed us to weaponize the affected PLCs and attack engineering workstations whenever an upload procedure occurred,” Team82 said.
To make matters worse, seven of the most popular PLC makers – Rockwell Automation, Schneider Electric, GE, B&R, XINJE, OVARRO and Emerson – were all found to be vulnerable. Team82 noted that all of the vulnerabilities it found were located in engineering workstation software made by those vendors, not the PLCs or their firmware.
“In most cases, the vulnerabilities exist because the software fully trusted data coming from the PLC without performing extensive security checks,” Team82 said.
While the vulnerabilities have largely been patched, Team82 warns that concerned organizations should focus just as much on protecting workstations as they do keeping vulnerable PLCs off the public internet.
Ransomware and BEC: A match made in the dark web
Security researchers at Accenture have highlighted the following point: the type of data being sold online after ransomware attacks is exactly the sort of stuff that’s ideal for launching business email compromise (BEC) attacks.
BEC attacks involve compromising a legitimate business email account to use in scamming a company’s employees. Fake invoices, often with “new banking details,” are commonly used to trick staff into remitting massive payments, making BECs some of the most popular and lucrative cyber scams currently in circulation.
According to Accenture, its team “found that the most disclosed data types overlap with the data types most useful for conducting BEC and [vendor email compromise] VEC attacks: financial, employee, and communication data, and operational documents.”
One thing that has long held cyber criminals back from making greater use of data stolen during a ransomware attack, Accenture said, is the sheer volume of the data stolen. “The utility of dedicated leak site data has historically been limited by the difficulty of interacting with large quantities of poorly stored data,” the researchers said.
New groups, however, are making that a problem of the past.
The researchers pointed to at least two data leak sites that offer searchable indexed data on easily used, publicly-accessible sites, with individual records available for as little as a dollar. “Threat actors can search for specific files such as employee data, invoices, scans, contracts, legal documents [and] email messages,” as well as hunting for companies based on industry or location, Accenture said.
Based on the types of data being stolen and sold, and the rise of indexed black data markets, Accenture said it “assesses that the primary factor driving an increased threat of BEC and VEC attacks … is the availability of data like that described above.”
Let that be a warning to companies that have been victims of ransomware attacks: be aware of the signs of BEC, how to protect against it, and know that it could be a matter of time before you’re hit again. ®