New Docker Container Escape Bug Affects Microsoft Azure Functions


Cybersecurity researcher Paul Litvak today disclosed an unpatched vulnerability in Microsoft Azure Functions that could be used by an attacker to escalate privileges and escape the Docker container used for hosting them.

The findings come as part of Intezer Labs' investigations into the Azure compute infrastructure.

Following disclosure to Microsoft, the Windows maker is said to have “determined that the vulnerability has no security impact on Function users, since the host itself is still protected by another defence boundary against the elevated position we reached in the container host.”

Azure Functions, analogous to Amazon AWS Lambda, is a serverless solution that allows users to run event-triggered code without having to provision or manage infrastructure explicitly while simultaneously making it possible to scale and allocate compute and resources based on demand.

By incorporating Docker into the mix, it makes it possible for developers to easily deploy and run Azure Functions either in the cloud or on-premises.

Since the trigger is an event (e.g., an HTTP request) that is configured to call an Azure Function, the researchers first created an HTTP trigger to gain a foothold in the Function container, using it to find sockets belonging to processes with "root" privileges.


Warning Issued Over Hackable ADT’s LifeShield Home Security Cameras


Newly discovered security vulnerabilities in ADT’s Blue (formerly LifeShield) home security cameras could have been exploited to hijack both audio and video streams.

The vulnerabilities (tracked as CVE-2020-8101) were identified in the video doorbell camera by Bitdefender researchers in February 2020 before they were eventually addressed on August 17, 2020.

LifeShield was acquired by Florida-based ADT Inc. in 2019, with LifeShield's DIY home security solutions rebranded as Blue as of January 2020. The company's products had a 33.6% market share in the U.S. last year.

The security issues in the doorbell camera allow an attacker to:

  • Obtain the administrator password of the camera by simply knowing its MAC address, which is used to identify a device uniquely
  • Inject commands locally to gain root access, and
  • Access audio and video feeds using an unprotected RTSP (Real-Time Streaming Protocol) server


New Attack Could Let Remote Hackers Target Devices On Internal Networks


A newly devised variant of the NAT Slipstreaming attack can be leveraged to compromise and expose any device in an internal network, according to the latest research.

Detailed by enterprise IoT security firm Armis, the new attack (CVE-2020-16043 and CVE-2021-23961) builds on the previously disclosed technique to bypass routers and firewalls and reach any unmanaged device within the internal network from the Internet.

First disclosed by security researcher Samy Kamkar in late October 2020, the JavaScript-based attack relied on luring a user into visiting a malicious website to circumvent browser-based port restrictions and allow the attacker to remotely access TCP/UDP services on the victim’s device, even those that were protected by a firewall or NAT.

Although partial mitigations were released on November 11 to thwart the attack in Chrome 87, Firefox 84, and Safari by preventing connections on ports 5060 and 5061, Armis researchers Ben Seri and Gregory Vishnipolsky revealed that "NAT Slipstreaming 2.0" puts "embedded, unmanaged, devices at greater risk, by allowing attackers to expose devices located on internal networks, directly to the Internet."


Top Cyber Attacks of 2020


With so much of the world transitioning to working, shopping, studying, and streaming online during the coronavirus pandemic, cybercriminals now have access to a larger base of potential victims than ever before.

"Zoombomb" became the new photobomb: hackers would gain access to a private meeting or online class hosted on Zoom and shout profanities and racial slurs or flash pornographic images. Nation-state hacker groups mounted attacks against organizations involved in the coronavirus pandemic response, including the World Health Organization and the Centers for Disease Control and Prevention, some in an attempt to politicize the pandemic.

Even garden-variety cyber attacks like email phishing, social engineering, and refund theft took on a darker flavour in response to the widespread economic precarity brought on by the pandemic.

“Hackers were mostly trying to take advantage of people’s fear by offering medical equipment like thermometers and masks for cheap, low-rate loan offers and fake government emails,” said Mark Adams, a cybersecurity analyst and subject matter expert for Springboard’s new Cyber Security Career Track. “You know, the kinds of emails that say you owe X amount in back taxes and you will be arrested if you do not respond to this email today!”

Here’s a closer look at some of the biggest cyberattacks of 2020.


Using the Manager Attribute in Active Directory (AD) for Password Resets


Creating workflows around verifying password resets can be challenging for organizations, especially since many have shifted work due to the COVID-19 global pandemic.

With the numbers of cyberattacks against businesses exploding and compromised credentials often being the culprit, companies have to bolster security around resetting passwords on user accounts.

How can organizations bolster the security of password resets for remote workers? One security workflow might involve having manager approval before IT helpdesk technicians can change a remote worker’s password. In this way, the user’s manager is involved in the process.

Additionally, some organizations might opt to allow managers themselves the ability to change end-user passwords. How can this be configured in Active Directory? Also, is there a more seamless solution for requiring manager approval for password resets?

Why password reset security is critical

This past year has undoubtedly created many challenges for IT helpdesk staff, including supporting a workforce made up mainly of remote workers. One of the difficulties associated with remote employees is the security challenge surrounding password resets.

Cybercriminals are increasingly using identity attacks to compromise environments. Identity attacks often provide the "path of least resistance" into an environment: once valid credentials are compromised, they are often the easiest means to reach and compromise business-critical data and systems.
