Organizations in the healthcare sector continue to be the main targets of the Gatak Trojan, a piece of malware that can steal information and perform backdoor functions, Symantec researchers warn.

Also known as Stegoloader and targeting mainly enterprise networks, Gatak (Trojan.Gatak) has been around since 2011, primarily focusing on organizations in the United States. Spreading through websites that promise licensing keys for pirated software, the malware hasn’t spared international organizations either, and the healthcare sector has suffered the most.

While the majority of the machines infected by this Trojan (62%) are located in enterprise environments, 40% of the top 20 most affected organizations are from the healthcare sector, Symantec says. Previously, however, the threat actors behind the malware have focused on the insurance sector as well.

Gatak spreads bundled with product keys for pirated software, via dedicated websites. The attackers lure victims by supposedly offering product keys for software usually used in professional environments, but the keys don’t work and users end up infected. The legitimate versions of these applications aren’t compromised, since the websites used by attackers aren’t connected with their developers.

Some of the programs used by the Gatak gang as lures include SketchList3D (woodworking design), Native Instruments Drumlab (sound engineering), BobCAD-CAM (metalworking/manufacturing), BarTender Enterprise Automation (label and barcode creation), HDClone (hard disk cloning), Siemens SIMATIC STEP 7 (industrial automation), CadSoft Eagle Professional (printed circuit board design), PremiumSoft Navicat Premium (database administration), OriginLab OriginPro (data analysis and graphing), Manctl Skanect (3D scanning), and Symantec System Recovery (backup and data recovery).

The malware has two main components: a lightweight deployment module that gathers information on the infected machine and can install additional payloads; and the main module, a fully-fledged backdoor Trojan designed to steal information from the infected computer and achieve persistence.

Gatak authors also use steganography to hide data within image files, and the malware attempts to download a malicious PNG image immediately after installation. The image contains an encrypted message with commands for the Trojan and files to be executed.

The malware also attempts lateral movement in the compromised environments, and researchers noticed that in 62% of cases this occurs within two hours of infection. Researchers believe that this function isn’t automated but carried out manually, while also suggesting that the attackers might not have the resources to exploit all infections immediately or they could prioritize targets.

Most likely, researchers say, the attackers move across an organization’s network by exploiting weak passwords and poor security in file shares and network drives. No evidence of zero-day exploits or sophisticated hacking tools being used has emerged so far, but the attackers were seen infecting computers with other malware, including ransomware and the Shylock (Trojan.Shylock) financial Trojan.

The Gatak threat group is said to be cybercriminal in nature, given the absence of zero-day exploits or advanced malware modules, although they focus on enterprises and their malware has capabilities to support more traditional espionage operations. The attackers are opportunistic, given the distribution method, which shows that they are largely passive, lacking control over who is infected.

It’s also unclear how the attackers monetize their attacks, but Symantec suggests that they could be selling the personally identifiable information (PII) and other data they manage to exfiltrate from infected machines. This would also explain their focus on healthcare, as medical records are priced higher than other personal information.

“Healthcare organizations can often be pressurized, under-resourced, and many use legacy software systems that are expensive to upgrade. Consequently, workers could be more likely to take shortcuts and install pirated software. While organizations in other sectors appear to be infected less frequently, the attackers don’t appear to ignore or remove these infections when they occur,” Symantec says.

The security firm notes that Gatak represents a reminder that the use of pirated software can compromise the security of an organization in addition to creating legal issues. It is important for companies to regularly audit the software used on their networks, as well as to educate their employees about the dangers of using pirated or unapproved applications.

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:


SecurityWeek RSS Feed

I recently read that HIPAA regulations require organizations to follow NIST guidelines and standards. Is this true?...

How does HIPAA incorporate NIST guidelines? Should healthcare organizations follow the NIST regardless?

Although HIPAA does not directly require that covered entities follow NIST guidelines and standards, it references many of them as strong practices. NIST guidelines provide technical information and advice to organizations trying to meet common security objectives that overlap with those of HIPAA. NIST publications can therefore be valuable resources for organizations that must comply with HIPAA, helping them better understand their HIPAA obligations and how to meet them.

In particular, NIST offers its Special Publication 800-66, a document of over 50 pages entitled "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule." Describing each HIPAA requirement in turn, this guide provides details on the administrative and technical safeguards that a HIPAA covered entity can put in place for compliance.

As NIST indicates, SP 800-66 was prepared for use by government agencies, and may be used by nongovernment organizations on a voluntary basis. The document contains a disclaimer stating that it is intended for federal organizations, and that it is not intended to be, nor should it be, construed or relied on as legal advice for any other organization or person. In other words, HIPAA is still the law. The NIST publication is a helpful guide, but it is one interpretation of the law, not the law itself. Consequently, it cannot be used as legal validation of a position or of actions undertaken to comply with HIPAA.

This was last published in November 2016

SearchSecurity: Security Wire Daily News

A new Bitglass report on insider threats in the enterprise found that, in a third of organizations surveyed, careless or malicious user behavior resulted in data leakage, up slightly from a year ago. 56 percent of respondents believe insider leaks have become more frequent in the last year.

“Adoption of cloud and BYOD are positive developments, but organizations that have limited cross-app visibility will struggle to detect anomalous behavior and need to rethink their approach to data security,” said Nat Kausik, CEO, Bitglass. “The reality is that cloud apps have made data more readily accessible and insider threats more likely – it’s up to the enterprise to put adequate data controls and policies in place to secure vital data.”

Bitglass found that 64 percent of enterprises can detect a breach within a week, up significantly from 42 percent a year ago. Only 23 percent take a month or longer to identify insider breaches, which indicates growing use of cloud-based audit and security tools. Respondents identified analytics as critical in detecting anomalous behavior.

Employee training (57 percent) and identity management solutions (52 percent) topped the list of best means for preventing insider attacks. Data leakage prevention was also included among the most effective tools in 49 percent of organizations.

Key findings

  • One in three organizations surveyed has experienced an insider attack in the last year, while 74 percent feel vulnerable to insider threats.
  • Seventy-one percent of cybersecurity professionals are most concerned with inadvertent leaks that are the result of risky unsanctioned app usage, unintended external sharing and unsecured mobile devices. Negligence (68 percent) and malicious insiders (61 percent) were also of concern to respondents.
  • Privileged users, more than any other user group, were seen as posing the greatest security risk by 60 percent of organizations.
  • Cloud and mobile are forcing IT to rethink detection and prevention. Cybersecurity professionals agree that lack of employee training (62 percent), insufficient data protection solutions (57 percent), more devices with access to sensitive data (54 percent) and more data leaving the network perimeter (48 percent) are at the core of many insider leaks.
  • A third of organizations do not have any analytics solutions in place to detect insider threats. Fifty-six percent use some kind of analytics solution to address anomalous behavior, but only 15 percent have user behavior analytics in place.
  • Collaboration tools (44 percent) and cloud storage apps (39 percent) were perceived to be most vulnerable to insider threats, as careless users are easily able to share data externally or lose a mobile device that contains sensitive information.

Help Net Security

Kaspersky Lab researchers discovered a new wave of targeted attacks against the industrial and engineering sectors in 30 countries around the world. In the campaign, dubbed Operation Ghoul, the cybercriminals use spear-phishing emails and malware based on a commercial spyware kit to hunt for valuable business-related data stored in their victims’ networks.

In June 2016, researchers spotted a wave of spear-phishing e-mails with malicious attachments. These messages were mostly sent to top- and middle-level managers of numerous companies. The e-mails sent by the attackers appeared to come from a bank in the UAE: they looked like payment advice from the bank with an attached SWIFT document, but in reality the attached archive contained malware.

Further investigation showed that the spear-phishing campaign has most likely been organized by a cybercriminal group which has been tracked by company researchers since March 2015. The June attacks appear to be the most recent operation conducted by this group.

The malware in the attachment is based on the HawkEye commercial spyware, which is sold openly on the dark web, and it provides a variety of tools for the attackers. After installation it collects interesting data from the victim’s PC, including:

  • Keystrokes
  • Clipboard data
  • FTP server credentials
  • Account data from browsers
  • Account data from messaging clients (Paltalk, Google talk, AIM)
  • Account data from email clients (Outlook, Windows Live mail)
  • Information about installed applications (Microsoft Office).

This data is then sent to the threat actor’s command and control servers. Based on information received from sinkholes of some of these command and control servers, the majority of the victims are organizations working in the industrial and engineering sectors; others include shipping, pharmaceutical, manufacturing and trading companies, educational organizations and other types of entities.

These companies all hold valuable information that could be subsequently sold on the black market – financial profit is the main motivation of the attackers behind Operation Ghoul.

More campaigns around the world

Operation Ghoul is only one among several other campaigns that are supposedly controlled by the same group. The group is still active, and in total more than 130 organizations from 30 countries, including Spain, Pakistan, United Arab Emirates, India, Egypt, United Kingdom, Germany, Saudi Arabia and other countries, were successfully attacked by this group.

“In ancient Folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon, and today, the term is sometimes used to describe a greedy or materialistic individual,” said Mohammad Amin Hasbini, security expert, Kaspersky Lab. “This is quite a precise description of the group behind Operation Ghoul. Their main motivation is financial gain resulting either from sales of stolen intellectual property and business intelligence, or from attacks on their victim’s banking accounts. Unlike state-sponsored actors, which choose targets carefully, this group and similar groups might attack any company. Even though they use rather simple malicious tools, they are very effective in their attacks. Thus companies that are not prepared to spot the attacks, will sadly suffer.”

Protect your company from Operation Ghoul

In order to protect your company from Operation Ghoul and other threats like this, the researchers recommend businesses implement the following measures:

  • Educate your staff so they are able to distinguish a spear phishing email or a phishing link from real emails and links.
  • Use a proven corporate grade security solution, in combination with anti-targeted attack solutions, capable of catching attacks by analyzing network anomalies.
  • Provide your security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack prevention and discovery, such as indicators of compromise and YARA rules.

Help Net Security

Industrial, engineering and other types of organizations from around the world have been targeted in a profit-driven campaign dubbed by Kaspersky Lab “Operation Ghoul.”

The threat group, whose activities have been traced back to March 2015, has been trying to make money by hijacking bank accounts and stealing intellectual property that they can sell to interested parties. The cybercrime gang has targeted more than 130 organizations in over 30 countries.

According to the security firm, Operation Ghoul attacks start with a malicious email coming from a spoofed address that appears to belong to a bank. The emails typically carry a file attachment or contain links that point to phishing websites. The fake messages are mostly sent to executives, managers and other employees that could have access to valuable information.

The piece of malware delivered by the attackers is HawkEye, a commercial spyware capable of collecting keystrokes, screenshots, clipboard data, FTP credentials, app license information, and account data from browsers, messaging apps and email clients.

Kaspersky Lab has identified victims in Spain, Pakistan, UAE, India, Egypt, UK, Germany, Saudi Arabia, Portugal, Qatar and other countries. The targeted organizations are typically small and medium-sized businesses (SMBs) with 30 to 300 employees.

Roughly half of the Operation Ghoul victims are in the industrial sector, including petrochemical, naval, military, aerospace, solar energy and heavy machinery firms. The threat group has also targeted companies in the engineering, shipping, pharmaceutical, manufacturing, trade, education, IT and technology, and tourism sectors.

The latest attack waves, which Kaspersky spotted in June, focused on the Middle East, particularly the United Arab Emirates.

“In ancient Folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon, and today, the term is sometimes used to describe a greedy or materialistic individual,” said Kaspersky researcher Mohammad Amin Hasbini.

“This is quite a precise description of the group behind Operation Ghoul. Their main motivation is financial gain resulting either from sales of stolen intellectual property and business intelligence, or from attacks on their victim’s banking accounts. Unlike state-sponsored actors, which choose targets carefully, this group and similar groups might attack any company. Even though they use rather simple malicious tools, they are very effective in their attacks. Thus companies that are not prepared to spot the attacks, will sadly suffer,” the expert added.

Attribution is often difficult, but even more so in this case as the attackers have been using off-the-shelf malware such as HawkEye. The HawkEye spyware has been used to target entities all around the world in various types of campaigns.

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Organizations globally believe they are their own worst enemy when it comes to cybersecurity, with 45 percent saying they are ill-equipped to cope with the threat of malicious insiders and twice as many, 90 percent, calling malicious insiders a major threat to the organizations’ security, according to Mimecast.

“Companies’ IT security priorities usually change depending on different factors, among which the budget and the threat vectors are the most important for most. If last week Oracle’s POS breach was the most debated, most surely retailers using POS devices and all organizations working with financial data have started to check their own systems and to see how they can strengthen their security for that specific threat. In the light of such incidents, insider threats are left out, so it is no wonder that 45 percent are ill-equipped to cope with malicious insiders,” Roman Foeckl, CEO at CoSoSys, told Help Net Security.

“It is also realistic that 90 percent of organizations see malicious insiders as a major threat, but I would include here also negligent insiders. From our encounters with CSOs from organizations in different verticals, we noticed their fear is directed towards insiders in general, not necessarily malicious ones. In case of human error, there is the risk of people uploading sensitive files to unsanctioned applications, copying confidential information to cloud file sharing apps or making print screens of critical data and publishing them on unauthorized online services. Regardless of whether we’re talking about malicious or careless employees, to prevent data losses or thefts, businesses should define what data should or should not be allowed to be transferred and through what channels, whether e-mail, instant messaging, cloud file sharing apps, or portable storage devices,” explains Foeckl.

Is your email security up to par?

Mimecast uncovered that 65 percent of IT security decision makers globally feel their email security systems are inadequately equipped to handle cyber threats.

By concentrating predominantly on perimeter defense and outside threats, organizations around the world struggle with the risk that comes from their own people, emphasizing the need for organizations to implement employee awareness and education as well as to create a cyber resilience strategy that includes both technology- and human-based defenses. This is especially evident considering that this study revealed that nearly half of the organizations polled felt exposed to malicious insider attacks.

The research also uncovered that:

  • Over half (53 percent) of IT security decision makers view malicious insiders as a moderate or high threat to their organization.
  • One in seven IT security decision makers view malicious insiders as their number one threat.
  • Those who say they’re very equipped on cybersecurity feel virtually just as vulnerable to insider threats as those who believe they aren’t equipped at all (16 percent vs. 17 percent), indicating that the risk of malicious insiders trumps perceptions of security confidence.

“It’s no surprise that even the most cyber-ready companies are terrified of insider threats. It was always possible for employees to steal or misplace valuable corporate data, but never this easy. Cloud services have facilitated the movement of data into and out of the enterprise like never before – which is both a great asset and risk to businesses,” says Andreas Zengel, EMEA CTO at Skyhigh Networks.

“Cloud services have vastly expanded the scope of insider threat. The most common insider threat scenarios – such as a salesperson jumping ship, rogue sys admins or simply employees committing security missteps in the process of doing their job – are all enabled by cloud computing, and much more difficult to detect due to the nature of modern business operations. With the vast amount of interactions with cloud services by each user every day, it is essential that enterprises put in controls and intelligent monitoring solutions that can filter out the noise of day-to-day usage from the activities performed by a malicious insider and pro-actively warn security operations and prevent actions when an anomaly or threat was detected,” Zengel concluded.

Mimecast tips for safeguarding against malicious insiders

1. Assign role-based permissions to administrators to better control access to key systems and limit the ability of a malicious insider to act.

2. Implement internal safeguards and data exfiltration control to detect and mitigate the risk of malicious insiders when they do strike, to cut off their ability to send confidential data outside the network.

3. Offer creative employee security training programs that deter potential malicious insiders in the first place and help others to spot the signs so they can report inappropriate activity to their managers. Then, back that up with effective processes to police and act swiftly in the event of an attack.

4. Nurture a culture of communication within teams to help employees watch out for each other and step in when someone seems like they’ve become disenchanted or are at risk of turning against the company.

5. Train your organization’s leadership to communicate with employees to ensure open communication and awareness.

Help Net Security

Apple's cautious foray into the wild and woolly world of bug bounties has proved there is more than one way to run a program. Organizations unsure about setting up a bug bounty program should take a look at Apple's model.

At the Black Hat conference in Las Vegas last week, Ivan Krstic, Apple's head of security engineering and architecture, announced the company will pay rewards of up to $200,000 for five classes of bugs in iOS and iCloud. Apple will pay $100,000 to researchers who can extract confidential data from the iOS Secure Enclave Processor, $50,000 to researchers who report code execution flaws that provide kernel privileges or unauthorized access to iCloud account information, and $25,000 to researchers with vulnerabilities that allow a sandboxed process to "break out" and gain access to user data outside the sandbox. The $200,000 maximum reward is reserved for vulnerabilities and proof-of-concept code in the company's secure boot firmware.

"The Apple bounty program will reward researchers who share critical vulnerabilities with Apple and we will make it a top priority to resolve those and provide public recognition," Krstic said at the conference.

There is a key difference between what Krstic announced and how other programs -- such as those run by Google, Microsoft, and Facebook -- work. Apple's invitation-only program limits participation to specific researchers and would be considered a private bug bounty program.

The public programs tend to be free-for-alls, where anyone can submit a bug, leaving the companies to analyze the report to determine whether or not to pay the bounty. This can get overwhelming, especially at the beginning, since there has to be someone -- preferably a team -- dedicated to sifting through those reports to screen out low-quality reports and out-of-scope vulnerabilities. For example, if Facebook is interested in cross-site scripting flaws, reporting an authentication-related vulnerability is not within the program guidelines and would require a different response.

That is a time commitment many organizations may not be able to make, and it can pose an operational challenge for organizations starting out with the vulnerability disclosure lifecycle. Excessively high submission volumes would slow down the response process and result in communications delays, which could easily sour the researcher-company relationship.

"Private bounty programs are a prudent stepping stone to launching a public program, allowing companies to 'proof of concept' test their bounty processes," said Kymberlee Price, senior director of operations at Bugcrowd, which runs crowdsourced bug bounty programs for other companies.

If Apple had started off with a public bounty program, it would likely be inundated in short order with a high volume of reports of varying quality. Starting off with an invite-only bounty program makes sense as it lets Apple limit the "noise" of lower-quality submissions that typically accompanies a fresh bug bounty program, as well as giving "hacker allies a head start in collecting these bounties," said Katie Moussouris, founder and CEO of penetration testing consultancy Luta Security.

Apple is initially inviting only the security researchers it knows have the right skills and would submit quality reports, and it is basing its selections on those who have found serious issues and reported them to Apple in the past. It's not a closed program: If someone discloses a vulnerability to Apple and the report is of sufficiently high quality, Apple can invite that new researcher to join the program. LinkedIn, Riot Games, and even Tor take this approach to manage their vulnerability disclosure programs and invitation-only bug bounty programs.

"Think of it like a CTF with a prequalification round before your team gets to play in the big competition, or qualifying for a marathon before you get to run," Moussouris said. "Anyone can go for it, but they must prove their skills to be invited into the league that collects bug bounties."

A private program lets organizations experiment with the kind of reward incentives they want to offer, as well as figure out what kind of reporting process they want to have in place. Bounty programs extend the "many eyeballs" concept that is well-known in open source software development, but focuses researcher energies on areas that are high-risk. Rewards are good incentives and channel natural human curiosity into the areas companies are most concerned about.

Apple could have launched its programs on platforms from HackerOne and Bugcrowd to help screen out issues that aren't vulnerabilities or out-of-scope reports. It could have also tapped into the researcher communities associated with those platforms. But being Apple, it's not like the company is hurting for access to qualified researchers.

At first glance, the private bug program sounds similar to the consulting engagements many companies have had in the past (Microsoft famously worked with security guru Dan Kaminsky to look for vulnerabilities in Windows Vista and Windows 7). Apple's program is not a consulting program because researchers will receive rewards per bug, and the amounts vary by vulnerability severity. A consultant would typically be paid a rate to find bugs, regardless of their number or severity.

"Despite starting private, Apple has for the first time publicly acknowledged the value of a vulnerability reward program which commits them to its growth and maturation over time," Price said. "This is a big step for them."

InfoWorld Security

Black Hat USA 2016 – Ruckus Wireless, a global company that specializes in wireless networking equipment for enterprises and service providers, is working on developing patches for several vulnerabilities identified by an expert in its access point (AP) products.

Tripwire researcher Craig Young discovered that Ruckus wireless APs are plagued by various types of security holes that can be exploited to gain complete access to the device and its underlying operating system. While the expert only tested the Ruckus ZoneFlex H500 model, the vendor has determined that all its APs are vulnerable, except for the “unleashed” product line.

Young quickly identified several vulnerabilities in the product’s web-based user interface. He first uncovered a command injection flaw that allowed him to get a root shell on the device. The researcher also found an authentication bypass issue that can be leveraged to process requests that should normally be possible only for authenticated users.

According to Young, Ruckus APs are also plagued by a weakness that allows attackers to cause the management interface to become unavailable (i.e. cause a denial-of-service condition) by accessing a certain page over HTTPS. The said page is normally accessible over HTTP without authentication.

A DoS condition can also be triggered by sending authenticated requests to a certain page, which causes the HTTP server to reload – and possibly disrupts other services – due to excessive memory consumption.

The expert also noticed that the HTTP server leaks the device’s serial number, which he believes could be used in social engineering attacks.

Many of these vulnerabilities can be exploited via cross-site request forgery (CSRF) attacks, which, according to Young, are possible due to the general lack of CSRF tokens.
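The missing control described above, shown as an added illustration rather than Ruckus code: a state-changing request to a device's web UI handled once without any CSRF defence and once with a per-session synchronizer token plus an Origin check. The endpoint path, the management origin and the session model are assumptions made for the example.

```python
"""Synchronizer-token CSRF protection for a device management interface.

Added example, not code from the vendor or the researcher. It models an
admin-only POST to an access point's web UI and shows why a request forged
from another site succeeds when no token is checked, and how a per-session
token plus an Origin/Referer check rejects it.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumed origin of the AP's management UI; anything else is cross-site.
MANAGEMENT_ORIGIN = "https://ap.example.internal"


@dataclass
class Session:
    """Server-side state for one logged-in administrator."""
    user: str
    # Fresh random token bound to this session, embedded in every admin form.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """The parts of an HTTP request that matter for a CSRF decision."""
    method: str
    path: str
    headers: dict
    form: dict
    # Session resolved from the session cookie; the browser attaches that
    # cookie to cross-site form posts too, which is what CSRF exploits.
    session: Optional[Session]


def handle_unprotected(req: Request) -> tuple:
    """Vulnerable pattern: any POST carrying a valid session cookie is acted on.

    A form auto-submitted from an attacker-controlled page arrives with the
    victim's cookie and is indistinguishable from a legitimate click here.
    """
    if req.session is None:
        return 401, "login required"
    if req.method == "POST" and req.path == "/admin/reboot":
        return 200, f"rebooting as {req.session.user}"
    return 404, "not found"


def csrf_ok(req: Request) -> bool:
    """Hardened check applied to every state-changing request.

    1. Origin (falling back to Referer) must match the management origin;
       a browser sets these headers itself and a cross-site page cannot
       forge them for a form post.
    2. The form must carry this session's token, compared in constant time.
    """
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(MANAGEMENT_ORIGIN):
        return False
    submitted = req.form.get("csrf_token", "")
    return hmac.compare_digest(submitted, req.session.csrf_token)


def handle_protected(req: Request) -> tuple:
    """Same endpoint with the CSRF check run before any side effect."""
    if req.session is None:
        return 401, "login required"
    if req.method in ("POST", "PUT", "DELETE") and not csrf_ok(req):
        return 403, "csrf check failed"
    if req.method == "POST" and req.path == "/admin/reboot":
        return 200, f"rebooting as {req.session.user}"
    return 404, "not found"


if __name__ == "__main__":
    # Constructed sample traffic: one forged cross-site post, one real one.
    sess = Session(user="admin")
    forged = Request("POST", "/admin/reboot",
                     {"Origin": "https://attacker.example"}, {}, sess)
    legit = Request("POST", "/admin/reboot",
                    {"Origin": MANAGEMENT_ORIGIN},
                    {"csrf_token": sess.csrf_token}, sess)
    print("unprotected, forged :", handle_unprotected(forged))  # (200, ...)
    print("protected,   forged :", handle_protected(forged))    # (403, ...)
    print("protected,   legit  :", handle_protected(legit))     # (200, ...)
```

The Origin check alone would stop this forged post, but the token is kept because Referer can be stripped by privacy settings and some clients omit Origin on same-site navigations.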

The security holes were uncovered in the first part of 2015, but Tripwire and the CERT Coordination Center (CERT/CC) had experienced difficulties in reporting the issues to the vendor. Ruckus only acknowledged the problem late last month after one of the company’s executives was contacted over LinkedIn by Tripwire’s chief research officer David Meltzer.

In an advisory shared with SecurityWeek, Ruckus pointed out that the flaws found by Tripwire are only exploitable if the AP’s web interface and IP address are accessible from external hosts.

“Most Ruckus APs are deployed in a managed environment where there is a WLAN controller that is managing the APs. In this mode of operation the Web interface is not enabled and in most cases even the IP address of the AP is not reachable from external sources. This prevents these vulnerabilities from getting exploited,” Ruckus said in its advisory.

Until patches are made available – Ruckus expects to release firmware updates in the next 3-6 months – the company has advised customers to disable access to the AP’s web interface from the command line interface (CLI) or limit access to the internal network. For scenarios where the AP needs to be accessed over the Internet, firewall policies should be used to limit access to authorized IP addresses.

“Unleashed AP models are not vulnerable to un-authenticated command injection issue on the Web interface,” Ruckus said. “SZ/SCG and ZD product line are only vulnerable to CSRF. They are not vulnerable to un-authenticated command injection issue on the Web interface.”

Young agrees that most network administrators would have no reason to expose the vulnerable web interface to the Internet, but he believes remote attacks are still possible.

“The more likely attack vector as I see it would be from users connected directly to the access point or via cross-site request forgery through phishing, malvertising, or XSS flaws on popular web sites,” Young told SecurityWeek.

The researcher said the goal of this research has been to test if enterprise-grade networking products are more secure than the highly vulnerable SOHO devices.

“My experience auditing Ruckus equipment is very similar to some of the experiences I’ve had auditing the wireless routers you might find in a local computer store. In fact, the authentication bypass and command injection are essentially the same problems I have found on SOHO devices in the $100-$200 range,” Young said in a blog post.

“Organizations using Ruckus devices may be at risk for compromise, particularly when the access points are used to provide customers with Wi-Fi access,” the expert added. “An intruder to one of these systems could potentially become man-in-the-middle to all other users of the wireless network allowing a wide range of exploitation opportunities.”

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed