Weekly podcast: Skype/Spyke, Android MilkyDoor malware and Linksys router vulnerabilities

This week, we discuss a Skype vulnerability called Spyke, new Android malware that gives attackers access to networks via infected devices, and vulnerabilities affecting 25 models of Linksys router.

Hello and welcome to the IT Governance podcast for Friday, 28 April 2017. Here are this week’s stories. Vulnerabilities galore!

Microsoft has issued a patch for a vulnerability in Skype that allowed attackers to execute code, phish for credentials and crash the application. Security researcher Zacharis Alexandros, who discovered the bug in January, dubbed it ‘Spyke’.

According to Alexandros, Spyke exploits the fact that Skype “contains an embedded Internet Explorer browser used for authentication purposes”.

An attacker with “local access to the login screen of a running SKYPE instance” could “circumvent the normal authentication process and abuse the login via the Facebook function”. They could then fingerprint the internal browser, execute code, phish for credentials and cover their communication traces.

The vulnerability “primarily affects Windows OS clients” but “Any system using SKYPE Client and older versions that allow Facebook Login as an option are vulnerable.” “The most interesting targets are publicly accessible machines running the SKYPE service, like info kiosks in airports or rail stations and smart TVs or other similar appliances.”

A spokesperson for Skype told Kaspersky’s Threatpost blog: “We addressed this with an update in March. Customers will have automatically received the update when they logged in to Skype. If they haven’t logged in recently, we encourage them to upgrade when they next use Skype.”

Researchers from Trend Micro have discovered a backdoor in 200 unique Android apps that could give attackers access to internal networks via infected devices without their owners’ knowledge. The attackers could then scan for vulnerable servers and exfiltrate data – or worse.

The Trojanised apps, “one of which had installs ranging between 500,000 and a million on Google Play”, masquerade as “recreational applications ranging from style guides and books for children to Doodle applications”.

Dubbed MilkyDoor, the malware could, according to Trend Micro, “covertly grant attackers direct access to a variety of an enterprise’s services—from web and FTP to SMTP in the internal network.” (For those that don’t know, FTP is File Transfer Protocol – a standard network protocol used to transfer files from servers to clients – and SMTP is Simple Mail Transfer Protocol – an Internet standard for email transmission.)

Like the DressCode malware family, MilkyDoor builds a proxy using the Socket Secure (or SOCKS) protocol on Android devices to access internal networks, but MilkyDoor is more clandestine, “using remote port forwarding via Secure Shell (SSH) tunnel through the commonly used Port 22” to “bypass security restrictions and conceal its malicious activities within normal network traffic.”

Concerned enterprises should implement a suitable bring-your-own-device (or BYOD) policy and admins should ensure firewall settings restrict how users interact with the network on their own devices. As ever, it’s also worth having a robust patch management process to ensure updates are installed as they are issued by vendors, so that vulnerabilities are addressed as and when they are disclosed.
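As an added illustration of the firewall-side control the advice above points at (example code written for this page, not from Trend Micro or the podcast), this Python check walks constructed firewall log lines and flags BYOD-VLAN devices that have been allowed to open SSH to the Internet or to reach internal FTP/SMTP/web ports directly. The subnet layout, the log format and the sample lines are all assumptions.

```python
import ipaddress
import re

# Constructed firewall log lines (not from the podcast). Assumed layout: BYOD VLAN
# 10.20.0.0/16, corporate servers elsewhere in 10.0.0.0/8, anything else is Internet.
SAMPLE_LOGS = """\
2017-04-25T09:58:01Z src=10.20.1.15 dst=203.0.113.5 dport=443 proto=tcp action=allow
2017-04-25T09:58:07Z src=10.20.1.15 dst=198.51.100.7 dport=22 proto=tcp action=allow
2017-04-25T10:01:44Z src=10.20.1.15 dst=198.51.100.7 dport=22 proto=tcp action=allow
2017-04-25T10:03:10Z src=10.20.3.9 dst=192.0.2.44 dport=22 proto=tcp action=deny
2017-04-25T10:05:02Z src=10.5.8.2 dst=203.0.113.9 dport=22 proto=tcp action=allow
2017-04-25T10:06:30Z src=10.20.1.15 dst=10.1.0.25 dport=21 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"\S+ src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)
BYOD_NET = ipaddress.ip_network("10.20.0.0/16")
CORP_NET = ipaddress.ip_network("10.0.0.0/8")
# Internal service ports MilkyDoor is reported to tunnel towards: FTP, SMTP, web.
INTERNAL_SERVICE_PORTS = {21, 25, 80, 443}

def byod_policy_alerts(log_text):
    """Return (src, dst, dport, reason) tuples for allowed TCP flows that break a
    BYOD policy: a personal device opening SSH to the Internet (the tunnel leg) or
    reaching corporate service ports directly (the proxied leg). Duplicates are
    reported once."""
    alerts, seen = [], set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["action"] != "allow" or m["proto"] != "tcp":
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        port = int(m["dport"])
        if src not in BYOD_NET or dst in BYOD_NET:
            continue  # only flows a personal device initiates out of the BYOD VLAN
        if dst not in CORP_NET and port == 22:
            reason = "byod-to-internet-ssh"
        elif dst in CORP_NET and port in INTERNAL_SERVICE_PORTS:
            reason = "byod-to-corp-service"
        else:
            continue
        key = (str(src), str(dst), port)
        if key not in seen:
            seen.add(key)
            alerts.append(key + (reason,))
    return alerts
```

Denied flows and non-BYOD sources are ignored, so the two alerts returned are the allowed outbound SSH session and the direct hit on an internal FTP port; in a real deployment the same rule would drive a firewall policy that simply denies both.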

Tao Sauvage of IOActive Labs and his friend Antide Petit have discovered ten vulnerabilities affecting 25 models of Linksys Smart Wi-Fi router by reverse-engineering the firmware. The vulnerabilities range “from low- to high-risk issues, six of which can be exploited remotely by unauthenticated attackers.”

Two of the vulnerabilities “allow unauthenticated attackers to create a Denial-of-Service (DoS) condition … [by] sending a few requests or abusing a specific API”.

Attackers can “bypass the authentication protecting the CGI scripts to collect technical and sensitive information about the router, such as the firmware version and Linux kernel version, the list of running processes, the list of connected USB devices, or the WPS pin for the Wi-Fi connection”.

They can also “harvest sensitive information, […] access the firewall configuration, read the FTP configuration settings, or extract the SMB server settings”, as well as “inject and execute commands on the operating system of the router with root privileges”.

According to a Linksys security advisory, the company is working on a firmware update for all affected devices. Until this is released, users are advised to enable automatic updates so that new firmware versions are installed as soon as they are published, disable the Wi-Fi Guest Network if it’s not being used, and change the default administrator password – something everyone should do, irrespective of the manufacturer. A full list of affected routers is available on the Linksys and IOActive sites.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.