A Month In Breaches: August

Introducing the first edition of our monthly issue, ‘A Month In Breaches’. This is an initiative by our Security Operations Centre team, who have their eyes on the prize 24/7 and proactively observe breaches and critical security trends.

Part of protecting our clients is promoting good security practices and raising awareness of current security trends. We hope this will give an extra boost to your overall understanding of the security breaches happening across the expansive and scary internet.

From Skyrim to GTA V

Steam hosts many popular games such as Doom, GTA V, Skyrim and Dragon Ball Z. A researcher has disclosed a zero-day privilege-escalation vulnerability in the Steam gaming client. The flaw, disclosed on August 7, allows a local attacker to “level up” and run any program with the highest possible rights on any Windows computer with Steam installed. The vulnerability stems from a combination of insecure permissions on Steam’s folders and on Steam’s branch of the registry, together with insufficient checks during Steam’s self-update process. With Steam reporting more than a billion registered users worldwide, the implications of such a privilege-escalation attack are potentially massive.

After the zero-day vulnerability had been publicly disclosed, Valve officially issued fixes for the privilege-escalation weakness. A Steam client beta released on August 21 included fixes for the local privilege-escalation vulnerabilities. Since 96% of Steam users run the Windows client, Valve urges its customers to update to the latest version. We also suggest implementing strong patch management that consistently looks out for missing patches and keeps computers up to date. Soon after a security update is released, cybercriminals are already on the move, looking to exploit any unpatched systems, so security updates should be deployed to all systems in a timely manner.

Backdoor found in Webmin

A backdoor mechanism was found in Webmin, a popular web-based application used by system administrators to manage remote Unix-based systems such as Linux, FreeBSD or OpenBSD servers. The backdoor would allow a remote attacker to execute malicious commands with root privileges on the machine running Webmin. Once that machine is compromised, an attacker could use it to launch attacks on the systems managed through Webmin. This vulnerability was not the result of a coding error but of “malicious code injected into compromised build infrastructure”: the affected source code was the version downloaded from SourceForge.

According to the Webmin team, all versions from 1.882 to 1.921 downloaded from SourceForge contained the malicious backdoor code. A patched version, 1.930, was released on August 18 to remove the backdoor. The attacker responsible for this compromise appears to have tried changing the default state of the password-expiration feature, so Webmin admins must modify the Webmin config file to enable password expiration for all Webmin accounts. This will safeguard the accounts from future exploitation. Webmin also suggests removing ‘passwd_mode=line’ from the miniserv.conf file in the /etc/webmin directory as a fix for versions 1.900 to 1.920.
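As an added example (not from the original post and not the Webmin project’s own tooling), the two checks above scripted in POSIX sh: a version-range test for the 1.882 to 1.921 SourceForge builds, and the removal of the ‘passwd_mode=line’ directive from miniserv.conf that the Webmin team recommends. The function names and the sample config fragment are this example’s own; replace the constructed sample with the real file path before using it on a host.

```shell
#!/bin/sh
# Added example for the Webmin advisory above; not the Webmin project's own tooling.
# Two checks a defender can script: (1) is an installed version inside the range the
# advisory names (1.882 to 1.921), and (2) remove the passwd_mode=line directive the
# advisory tells 1.900-1.920 admins to drop from miniserv.conf. The config below is a
# constructed sample, not a real install's file. Function names are this example's own.
set -eu

# Returns 0 when "$1" is a Webmin version from 1.882 to 1.921 inclusive.
# Assumes the "1.NNN" version format used throughout the advisory.
webmin_version_affected() {
    ver="$1"
    major="${ver%%.*}"
    minor="${ver#*.}"
    [ "$major" = "1" ] || return 1
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac   # reject non-numeric minor parts
    [ "$minor" -ge 882 ] && [ "$minor" -le 921 ]
}

# Returns 0 when the config file "$1" still carries the exact passwd_mode=line directive.
has_passwd_mode_line() {
    grep -q '^passwd_mode=line$' "$1"
}

# Backs up "$1" to "$1.bak" and rewrites it without the passwd_mode=line directive.
# Only the exact directive is removed; every other line is kept as-is.
strip_passwd_mode_line() {
    conf="$1"
    cp "$conf" "$conf.bak"
    # grep -v exits 1 when nothing survives, which is still a valid (empty) result.
    grep -v '^passwd_mode=line$' "$conf.bak" > "$conf" || true
}

# Constructed sample fragment of a miniserv.conf (values chosen for the demo).
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
port=10000
root=/usr/share/webmin
passwd_mode=line
ssl=1
EOF

# Version triage: one version below the range, the two bounds, one inside, one patched.
for v in 1.881 1.882 1.900 1.921 1.930; do
    if webmin_version_affected "$v"; then
        echo "$v: SourceForge build in the backdoored range, upgrade to 1.930 or later"
    else
        echo "$v: outside the range named in the advisory"
    fi
done

# Apply the recommended config change to the sample and show the result.
strip_passwd_mode_line "$SAMPLE_CONF"
echo "miniserv.conf after removing passwd_mode=line:"
cat "$SAMPLE_CONF"
```

The directive removal only matches the exact line ‘passwd_mode=line’, so other passwd_mode values are untouched and a backup is kept beside the file. Removing the directive does not replace upgrading: a host whose version falls in the range should still be moved to 1.930 or later, since the backdoor lives in the build itself, not in the config.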


– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYST, V – MSK