SERIES: Security Now!
DATE: September 11, 2018
TITLE: Exploits & Updates
HOSTS: Steve Gibson & Jason Howell
DESCRIPTION: This week we discuss Windows 7's additional three years of support life, MikroTik routers back in the news (and not in a good way), Google Chrome 69's new features, the hack of MEGA's cloud storage extension for Chrome, Week 3 of the Windows Task Scheduler zero-day, a new consequence of using “1234” as your password, Tesla making their white hat hacking policies clear (just in time for a big new hack!), our PCs as the new malware battlefield, a dangerous OpenVPN feature spotted, and Trend Micro, caught spying, getting kicked out of the macOS store.
SHOW TEASE: It's time for Security Now! with Steve Gibson. I'm Jason Howell, filling in for Leo on the second of three weeks in a row. Steve's going to talk about a whole bunch of updates. Security news is flowing even as the show is going on. We're going to talk a little bit about Google Chrome 69's URL hiding feature and whether you want to keep that or maybe toggle it off. There's a hack of MEGA's cloud storage extension for Chrome. We'll dive into that. Tesla is making its white hat hacking policies very clear, and it really just happened at just the right time because there's basically breaking news involving Tesla, and a whole lot more coming up next on Security Now!.
JASON HOWELL: This is Security Now! with Steve Gibson, Episode 680, recorded on Tuesday, September 11th, 2018: Exploits & Updates.
It's time for Security Now!. This is the show where we talk about all things security. And boy, today do we have a ton of security stories to check in on. Obviously Leo is out. I, Jason Howell, am in, in Leo's place. Not in his comfortable studio digs. I'm more in like the big studio here, the big open space that allows us to actually have an audience. Steve Gibson, we have a live audience in the studio today.
STEVE GIBSON: I think Leo kind of likes to keep the office to himself; right?
JASON: I think so.
STEVE: It's sort of like his inner sanctum, and everybody else gets to play out there in the studio.
JASON: Yeah, totally.
STEVE: So I think that works.
JASON: I think it's fair. He kind of like owns the place. He runs the place. So he's - it's fairly done.
STEVE: Ah, I see somebody's white pants with their legs crossed in the…
JASON: I know. We've got not one, not two, not three, but four people.
STEVE: Now they're uncrossed. Oh, okay.
JASON: Four folks in here who all made the trek. They're all in the Bay Area specifically for no other reason than to watch Security Now!. That's what I'm to understand, anyway.
STEVE: And, you know, having driven that goat trail up from San Francisco to Petaluma, I really do appreciate the effort that they went to.
JASON: Oh, I know.
STEVE: It's not easy to get there from civilization.
JASON: It's not easy to get there. But what they get at the end of the rainbow, they get Steve Gibson and Security Now!.
STEVE: Eh, well, sorry about that. So we're Episode 680. And this is, of course, the 17th anniversary of 9/11.
JASON: Yes, it is.
STEVE: The day that lives in infamy for the U.S.
STEVE: So there's been lots of acknowledgement of that and so forth. And so it's a perfect day for Security Now!. We were talking about before we began there wasn't any one big thing that seemed to, like, dominate. So I just named this episode “Exploits & Updates” because we have a lot of both.
I did have news on Patch Tuesday, which we will get to. We're going to discuss Windows 7's newly announced additional three years of life support. MikroTik routers are back in the news yet again, and of course never in a good way. Google has released Chrome 69 with some controversial new features which are raising some questions. There was a hack of MEGA's - MEGA is an encrypted cloud storage solution that's very popular. Their Chrome extension got hacked and was present in the Chrome Store for, I think, about four hours last week. And we'll talk about the consequences of that.
We've got Week 3, and that's the final week, actually, of the Windows Task Scheduler zero-day, that advanced local procedure privilege elevation. We have an interesting new consequence of using a weak password like 1234. Tesla has made their white hat hacking policies very clear, and just in the nick of time because there's also a big new hack of the original security key that the Tesla Model S has been using. Our PCs are becoming a battlefield for malware, which we'll talk about.
We've got a dangerous OpenVPN feature was spotted, and looks like the door was closed before it got abused. And then Trend Micro was caught spying and has gotten itself kicked out of the macOS store. And we of course have a fun Picture of the Week that we'll talk about.
JASON: All right. Picture of the Week to begin things. Tell us what we're looking at here.
STEVE: So this will not convey well in words, unfortunately. So I think our listeners, if they're interested, are going to have to grab the show notes and take a look at it. But I'll describe it. It's the ever-wonderful and often brilliant xkcd brings us this. So we sort of start in the upper left. There's four frames. And the first frame shows sort of a network diagram with some things connected, but they're like floating around. And the caption is: “I wish these parts could communicate more easily.”
And then there's an arrow taking us to the next frame that shows sort of the same parts that have a bunch of green connections, interconnections between them, and that seems like a good thing. The caption says: “Oh, this new technology makes it easy to create arbitrary connections integrating everything.” And then the third frame shows now these things are all still connected, but now we've got some red lines and circles, and looks like it's not quite so happy. And the caption is: “Uh-oh. There are so many connections it's creating bugs and security holes.”
Which leads us to the fourth frame, which shows a bunch of green enclosures around the different areas, breaking them apart. And now the caption is: “Oh, this new technology makes it easy to enclose arbitrary things in secure sandboxes.” Which leads us - there's a fourth arrow leading us back to the first one that says: “I wish these parts could communicate more easily.”
JASON: Wait. So we never reach the end. There is no actual end. We've never solved all these problems. It just keeps getting more and more complicated.
STEVE: Yes. And in fact, you just said the word. As a consequence of our desire to interconnect, then realize, whoops, we've got some side effects that we didn't expect from the interconnections. So now we've got to isolate them, but now we're not happy that they're isolated because they really need to be talking to each other. So we're going to interconnect them maybe in a different way. Whoops, different problems. Now let's re-isolate them and so forth. We go around in circles. We end up dizzy and with lots of complications. So anyway, xkcd just does it again.
JASON: Love it.
STEVE: It's like, you know, brilliant.
JASON: Yeah. They are super brilliant. It just reminds me of how services, I mean, this is such a, you know, as far as like Internet services are concerned, such an indicator of what we're so used to seeing. Service starts out, it's one single use case. You're like, oh, I love it for its simplicity. But then over the years they feel the need to kind of build upon it and do all these other things, which is great from a feature set standpoint, but just complicates things so specifically. And it's such a great effect that it loses the thing that it once captured.
STEVE: Well, and probably there are several great examples of that. But one that is apparent, I think, to everyone is the original iPhone. The original iPhone, it's funny because it sort of looked incomplete. If you remember, it did not support applications, that is, third-party apps in the beginning. It had this screen with nine icons on it, kind of all in the upper. And they didn't even have a complete last row. There were, like, two icons out of the four that there was room for. It just sort of looked like it was unfinished. It's like, well, where's everything else? And the point is, no, this is what you're getting. And of course, as we know, the UI was designed for that. Everything worked really well. But people wanted more features; and unfortunately, with more features comes…
JASON: Comes a blanket.
STEVE: Yes. Now we need folders to enclose the icons because otherwise we're just scrolling, like, where did this app, I mean, I often have the problem of, like, I'm sure there's an app in here somewhere that I downloaded once. And you're just scrolling around, and it's not easy to find them. So now I just sort of search for it because I can't find it among all this junk that I've got loaded onto my iOS device. So, and of course this is the problem is that everybody wants more features, yet then with that comes interactions among them, and complexity. And then it slows down. And, I mean, also old-timers among us will remember the days when Microsoft was always several chips behind, and you just couldn't get the systems to go fast enough because we were trying to get them to do so much. And I'm glad that the days of Windows crashing constantly are behind us. I mean, for most people, Windows seems to be pretty stable now. So that's good.
And speaking of Windows, this is second Tuesday of the month of September, Patch Tuesday. Microsoft, I don't have a detailed breakdown, which sometimes it's useful to give. This time, eh, not so much. The big news is the one thing that we were hoping for, expecting, and kind of wanting, was this advanced local procedure call zero-day, which was disclosed by that disheartened hacker via Twitter a couple weeks ago. We have followed it since. It matured. It was able to run on 32-bit machines, and then someone figured out how to change a filename, change a 3 to a 1 to get it to run on Windows 7. And we'll be talking about in a minute the fact that it did end up being exploited.
We now know, thanks to some researchers at ESET. Almost immediately, it has been patched. So it wasn't super critical because it wasn't a remote code execution. But as I said at the time, anything that gets in your system definitely wants to elevate its privileges, some say “escalate,” to obtain the rights to write itself into sensitive areas of a system or to modify system files which by design people running with non-admin privilege are unable to do. So anyway, we got 62 vulnerabilities patched today, this morning, of which 17 were critical. Most of them were browser-related. The rest include Windows Office, Hyper-V, the .NET framework, and so forth. So, as I said, it's one of those things people should patch as soon as they can because Microsoft is constantly fixing problems.
And speaking of constantly fixing problems, it was announced - it looks like the 6th is the date of this blog post - that Windows 7 support would be available beyond 2020. Which doesn't really surprise me. So the title, their title was “Helping Customers Shift to a Modern Desktop.” However, being the author of Never10, I should mention now with nearly three million downloads of this little utility that I wrote, rather than “Helping Customers Shift to a Modern Desktop,” I would title the blog posting “Being of Necessity Somewhat More Patient in Our Effort to Force Customers onto a Less Desirable Desktop, That They Really Do Not Want….” Anyway…
JASON: I actually think that that fits in with Microsoft's kind of ambition and habit of naming things really long strings of words. So I think that would actually work for their naming template.
STEVE: Almost a more appropriate title than their official one. Yes. And speaking of which, even the guy's title, this is the “Microsoft Corporate Vice President for Office and Windows Marketing” is the person who wrote this. Anyway, he says, under the subheading of “Windows 7 Extended Security Updates,” they wrote: “As previously announced, Windows 7 extended support is ending January 14th, 2020. While many of you are” - love this - “are already well on your way to deploying Windows 10” - yeah - “we understand that everyone is at a different point in the upgrade process.” Yes. There's, like, barricades in front of some of us.
JASON: Wishful thinking.
STEVE: Yes. And let's note that, despite Microsoft's extensive and highly controversial efforts to actively force everyone over to Windows 10, such that no one would still be on Windows 7 without actively resisting the push to Windows 10 - as we know, I mean, you had to struggle not to have your Windows 7 machine grant you Windows 10 despite your desire to stay where you were - today, okay, today Windows 7 remains the majority desktop in the world, with a greater market share than Windows 10. Now, not by much, granted. Windows 7, courtesy of Bleeping Computer, I got this chart from them because they pulled some market research - Windows 7 is at 40.27% to Windows 10 at 37.8. And then followed by the macOS at 5.86, Windows 8.1 at 5.10, and believe it or not, well, actually I shouldn't say that because I was on XP not long ago, XP at 3.30%.
JASON: I believe it. I actually kind of expected XP to be higher than that. But it was a longstanding version.
STEVE: It doesn't know about, I guess it was SP2 doesn't know about SHA-256. It doesn't know about any of the TLS protocol updates. I mean, it's really - XP was really sort of struggling to stay alive. But the point is, for Windows 7 to still be more popular, to have a larger market share than 10, I mean, the only way that would happen is if people refused to budge. So it's worth noting, though, Windows 7 is waning, and 10 is gaining.
And of course one of the reasons is it is no longer possible for consumers to purchase systems with Windows 7, much as they may wish to. And the latest Intel chipsets are no longer compatible with Windows 7. Ask me how I know. Yes, I know. I'm deliberately now, when I need a new machine, I have to go an older, I think it's i6 or 7; 8 won't run Windows 7 any longer. So the reason 10 is ultimately going to win is just through attrition. People will hold onto 7 with, apparently, with their dying gasp. But they're going to end up ultimately losing because you just can't get it anymore.
Anyway, so Microsoft continues their blog post, saying: “With that in mind” - that is, that we're all in different stages of adoption - “today we are announcing that we will offer paid Windows 7 Extended Security Updates” - of course we have an acronym, the ESU Program - “through January 2023. The Windows 7 ESU will be sold on a per-device basis, and the price will increase each year.” Oh, they're going to just force people off this thing one way or the other.
“Windows 7 ESUs will be available to all Windows 7 Professional and Windows 7 Enterprise customers in Volume Licensing” - meaning not end-users - “with a discount to customers with Windows software assurance, Windows 10 Enterprise, or Windows 10 Education subscriptions. In addition,” they said, “Office 365 ProPlus will be supported on devices with active Windows 7 (ESU) through January 2023. This means that customers who purchase Windows 7 ESU will be able to continue to run Office 365 ProPlus.” Will be able to run it? You wouldn't be able to run it? Oh, well, who knows what they're going to do. I mean, you know, they're switching this whole thing over to OS as a service, rather than an operating system as an operating system, because they can. So anyway, for what it's worth…
JASON: When did it initially launch? This was, what, seven, eight years ago?
JASON: So talking 2023, I mean, man, that's 13 years old. Hopefully by that point [crosstalk].
STEVE: And the problem is people, I mean, the problem is it works just fine.
STEVE: You know? It's like it's not - you don't have…
JASON: They made it too good.
STEVE: Well, actually, I would argue that at the time Windows 2000 worked just fine. Windows XP worked just fine. I mean, this whole idea of needing 64 bits, 64, come on. If they had designed the 32-bit OS correctly so that it could use virtual memory - but again, they didn't want to. Anyway, I guess I'll end up just on FreeBSD Unix at some point and then just say, well, good luck to the rest of you.
JASON: But you're an individual user. Would you qualify for it because…
JASON: So you wouldn't even qualify for it if you wanted to pay and get some of that tech support.
STEVE: And that will not bother me because, after all, I wasn't getting Windows XP updates for quite some time. And once again, everything just continued to work fine.
JASON: Hey, what do you know.
STEVE: So, well, because the browsers really are our portal to the world. I mean, yes, you need to download software. But if you're careful, if you're not hanging out in sketchy areas of the Internet, if you're behaving yourself, and if you've got something watching your back, I mean, I guess now, well, I'm sure that Security Essentials will stop working for me also because it'll be like, agh, you're still here? You're still using that Windows 7? What's wrong with you?
Anyway, yes. I don't think, I mean, I have some Windows 10 machines. I'm talking to you over a Windows 10 machine. And there are some places where I have had recently to use updated chipsets and couldn't use 7, so I had to use 10. I did manage to scrape all of that other junk off of it. I mean, there's, like, there's HoloLens is built into Windows 10. It's like, I don't want a HoloLens on my operating system. Or Xbox anything, live or dead. So anyway…
JASON: Yeah, but you will. HoloLens is going to change the world, Steve. You're going to be right there with it. You're going to be podcasting from HoloLens in a couple of years. You just don't realize it yet.
STEVE: God help me. Well, we are talking over Skype, so maybe that's true, I don't know.
JASON: That's totally possible, actually.
STEVE: We'll have HoloSkype, with no choice.
JASON: I wouldn't be surprised.
STEVE: Okay. So MikroTik is the way you're supposed to pronounce this. But I really did like pronouncing it mi-CROT-ic because it sounds so awful. And I know that they're very popular routers. There are a lot of people who like them. I mean, they're also very powerful. I mean, they've got a nice UI. They are feature packed. But here's where features come to bite you. I mean, this is just exactly like xkcd's cartoon. The MikroTik routers are back in the news, and not in a good way.
As we know, they've been suffering all year as a consequence of a problem that was first found in their SMB handling, and then their handling of Winbox authentication, which allowed for unauthenticated remote access. Winbox is a Windows-hosted UI which allows for administration of the router. The problem is, and for the life of me I don't understand how this could happen, the Winbox access is by default available on the WAN interface in addition to the LAN interface. In other words, exposed to the public. And it's a router. So of course it's going to be on the edge of your network, half of it looking out to the rest of the Internet, and the other half looking into your modest little network.
Anyway, back on April 23rd, MikroTik explained in their vulnerability disclosure, they said: “We have discovered a new RouterOS vulnerability affecting all RouterOS versions since v6.29. The vulnerability,” they wrote, “allowed a special tool to connect to the Winbox port and request the system user database file.” Of course the Winbox port should have never been available to connect to from the Internet. But they didn't mention that. They said the attacker would then use the user details found in the exfiltrated user database file to log into the MikroTik router remotely. And of course then the party begins.
Okay. So the vulnerability in question was titled “Winbox Any Directory File Read,” and it's got a CVE of 2018-14847. And it turns out that it was found exploited by the CIA Vault 7 hacking tool called “Chimay Red,” along with another MikroTik WebFig remote code execution vulnerability. So they're feature rich. These routers are popular. And to their credit, I absolutely give them credit for patching that vulnerability within hours of hearing of it.
But we know that without the ability to push the vulnerability fix out to devices somehow, or probably by devices automatically periodically phoning home to check for an auto update, and then autonomously doing it because I'm sure that those of us with routers who are security conscious, we've looked. You log into your router, and you tell it to check for updates. And it's like, oh, yes, I got a flashing exclamation point. There's an update. Well, how long has it been available? Is it crucial? Is it critical? You know, the router doesn't tell you. It just needs to do it. You need to - part of setting it up has to, you know, like you give it permission to maintain itself, and then it just does this for you. But as we've said often, probably too often, we're not there yet.
Okay. So now, today, this exploit code which affects all not-yet-patched MikroTik routers, is available from at least three different online sources. So it is hardly surprising when, at the beginning of last month, we reported, as we have been, that somewhere around 200,000 - 200,000 - MikroTik routers were enlisted in a massive Coinhive mal-mining operation. And since the beginning of these various attacks on consumer and corporate routers, of course, I've been observing how fortunate it is that the bad guys seem uninterested in the details of the networks lying behind these infected and infested routers. I've often commented that it's like let's just hope that's the way things remain, that all they want to do is stick mining malware on the routers and not care about the fact that they've established presence on the device through which all of your local network traffic transits.
Well, it turns out that's changed. Last week researchers at 360 Netlab posted their article titled “7,500+ MikroTik Routers Are Forwarding Owners' Traffic to Attackers.” And they ask then rhetorically: “How Is Yours?” They wrote: “We understand that user devices come and go on the Internet all the time, so the data used in this blog reflects what we saw between August 23rd and August 24th. From our own scan result, we logged more than 5,000,000 devices with open port TCP 8291.” That's this web API that the MikroTik routers support. This Winbox port is 8291. They said more than five million devices with that port open, and 1.2 million of them were identified as MikroTik devices, within which 370,000, which is to say 30%, are vulnerable to this CVE-2018-14847. In other words, 370,000 MikroTik routers can be remotely accessed today over this Winbox port and are vulnerable to this non-authenticated access.
Now, you're showing on the screen the chart from the show notes, which shows the distribution in the first column of the top 20 nations. Brazil, for example, has 42,376 vulnerable routers. Russia, in number two, at 40,742. Indonesia, 22,441. And onwards, downwards, all the way through the top 20 nations. This middle column shows the top attackers who have been observed attacking these routers by IP address. And the list of ports being eavesdropped on. I'll get to how that's happening next.
So on these routers is still Coinhive mining code injection, so they're generating revenue at some pace using the coin mining script. And remember we talked about this before where they use the opportunity of displaying a nonencrypted error page to inject the mining script into the user's browser. All the browsers that are being serviced behind that router will receive the error page unencrypted with Coinhive mining. So that's how they're getting around the HTTPS and TLS encryption, which otherwise would not allow them to inject their code into an encrypted connection.
Okay. Additionally, at the moment, right now, a total of 239,000 MikroTik routers are confirmed to have a Socks4 proxy enabled maliciously. The Socks4 port is mostly configured to 4153. And, interestingly, it only allows access from one single netblock, which is 126.96.36.199/25. So it looks like there's one perp behind all of this. In order for the attacker to gain control after device reboot, and the possibility that the public IP might change, the device is configured to run a scheduled task to periodically report its current IP by accessing a specific attacker URL. And the attacker is continuing to scan the Internet because of course it's a rich source of vulnerable MikroTik routers.
Okay. So, finally the MikroTik RouterOS device allows, as I said, it's very feature rich. It allows its users to configure the router to capture and forward packets using a protocol known as TZSP, which is the TaZmen Sniffer Protocol, which we've never talked about before, but it's an encapsulation protocol used for sniffing and forwarding packets. Intrusion detection systems use it, and it's supported by Wireshark that knows how to look inside that protocol and look at the packets inside. So it's well known. So they did a standards-based sniffer. Unfortunately, and again, I guess this is a feature, but the forwarding of the packet capture and sniffing is not restricted to the LAN. It can be set over the WAN.
So using first the fact that we have this Winbox vulnerability on 370,000 MikroTik routers, more than 7,500 of those have been configured with this sniffer actively capturing the traffic that is transiting the router. And you might say, okay, fine, but it's encrypted; right? Well, no. The number one port being captured is port 21, which is one of the two ports used for FTP, which is typically itself not encrypted. Second up is 143, which is IMAP, which of course is email, also, as we've often said, unencrypted. Next up, 110, which is the POP3 protocol. Not encrypted. Fifth up is port 25, SMTP, which is used for submitting mail as opposed to getting mail. Unencrypted.
So what these guys are doing is they've taken advantage of the Winbox vulnerability, which is widespread on MikroTik routers, and have used a feature in the router to essentially forward all of the FTP traffic, of which there's probably not that much, but maybe FTP uploads would be of some interest to them, you know, like people putting stuff up on a server somewhere. But essentially intercepting all of the email, unencrypted, in and out of that network.
So that's, again, as I said, MikroTik in the news. In their disclosure of this, at the end of their explanation of the counts they saw, the ports, posting that chart of everything, they said, that is, the 360 Netlab folks said: “We recommend that MikroTik RouterOS users update the software system in a timely manner and check whether the HTTP proxy, Socks4 proxy, and network traffic capture functions are being maliciously exploited by attackers.” Yes. I think that's good advice.
They said: “We recommend that MikroTik denies inbound access to the WebFig and Winbox ports from the Internet [uh-huh] and improve the software security update mechanism.” Oh, I completely concur. So, you know, we know that anyone can make a mistake. And I do congratulate the MikroTik folks for quickly creating a patch for their mistake. It was within hours of finding out about it. I mean, yeah, anyone responsible would do that. But this disaster - and this is what you'd have to call this. This is a disaster. For there to be currently 370,000 routers more than six months after a critical vulnerability was publicly disclosed, I mean, it's not like nobody knows about this. Everybody knows about this. And people are not fixing their routers, leaving them open to people who want to exploit them.
So the point is this disaster is not the result of a mistake. It's the consequence of a deliberate and misguided policy of enabling WAN-side remote access and management by default. These routers default to making this access available. They should default to it being off. And then only if a given user actually needs or wants remote admin over this originally insecure, now secured service, should they turn it on with cautions about strong passwords and so forth in the router.
So I know everybody likes the routers. They're popular. They're feature-rich. But there is a serious policy problem. And if you happen to own a MikroTik router, absolutely make sure that you've got this WAN-side admin stuff off. There's no way there could be 370,000 of these exposed publicly if it weren't for the fact that they were exposed by default. So I don't know whether the firmware change closed it by default. They're probably worried that they're losing a feature. Well, it ought to be manually enabled, rather than automatic. There's just no way around that.
JASON: Absolutely. And maybe it'd take a scenario like this to teach them that lesson. One thing I'm curious about as far as the cryptomining aspect of this, which it sounds like is something that you've talked about in weeks past. But when you're talking about this number of routers, all focused on cryptomining to this degree, what does that actually translate to in crypto terms on the other end?
JASON: Absolutely. Wow. Big-time.
STEVE: So we're now at Chrome, Google Chrome 69.
JASON: Yes. I upgraded on my desktop in the other room just this morning, actually.