News broke over the weekend that German hosting provider Domain Factory has experienced a data breach which has exposed customer data. The company said an unknown threat actor posted claims on the Domain Factory forum which suggested they had managed to compromise the firm’s systems and access information. The company found the claims to be true and says that customer data “was accessed by an outside party without authorization” on 28 January 2018.
Some thoughts from John Truex, Senior Threat Analyst, Cyxtera:
“Dirty COW (CVE-2016-5195) is a vulnerability in the Linux kernel memory subsystem that could allow an unprivileged local attacker to gain write access to read-only memory mappings. This can result in privilege escalation and may allow an attacker to bypass standard permission mechanisms to modify on-disk binaries on unpatched systems. The vulnerability was patched on October 18th, 2016 in the Linux kernel, but existed in the Linux kernel for more than a decade before it was identified. Variations of the Dirty COW vulnerability have been seen exploited on regular Linux systems, as well as mobile and smart devices that utilize the Linux kernel, such as Android.
“In order to exploit the vulnerability, an attacker must first gain local access to the system either via an existing local user account on the system, the previous exploitation of a different vulnerability that leads to local access of the system, or through a malicious file that was downloaded and subsequently run on the system by a local user. Vulnerabilities like Dirty COW, which require local system access, are often exploited by embedding the payload within software which may appear to be legitimate and may function precisely as the user may expect.
“Mitigating against the Dirty COW vulnerability requires patching the kernel on Linux systems which are vulnerable to the bug. Updating your operating system software and other software on the system regularly as security patches are made available and having a sound patch management plan in place are vital to successfully reducing the risk of exploitation from vulnerabilities that have been fixed in the software present on your systems.
“On mobile devices, keeping the system firmware up-to-date should prevent exploitation of known vulnerabilities. Downloading mobile apps from untrusted vendors, untrusted websites, or from alternative app stores that may not audit or remove malicious software will increase the risk of a vulnerability being exploited on the device.
“User interaction is required to both download and then launch the malicious software for the vulnerability to be exploited on the system. It is important to be cognizant of the websites you are visiting especially when you are downloading software to your system. Software should only be downloaded from websites and from vendors that you trust.
“Local privilege escalation exploits, such as Dirty COW, are not typically first-stage attack methods and will generally be accompanied by other malicious activities. Additional defense against privilege escalations begins with a strong and multi-faceted defense. The initial attack which allows an attacker to leverage Dirty COW could be detected or prevented by traditional security platforms such as IDS/IPS or anti-malware protection.”
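The commentary above makes patching the kernel the core mitigation for Dirty COW, and a practitioner's first question is usually "is this host's kernel already past the fix?" The following script is an added example (not code from the article, from Cyxtera, or from John Truex) that classifies a kernel release string against the first upstream stable releases that shipped the CVE-2016-5195 fix (4.8.3, 4.7.9 and 4.4.26). The important caveat, which the code encodes deliberately, is that distribution kernels backport the fix under their own version numbers, so a release string carrying a distro suffix (for example the `.el7` or `-generic` tags in the constructed samples) cannot prove the machine either vulnerable or safe; those are reported as needing the vendor's advisory rather than guessed at. The function names and the result labels are this example's own choices.

```python
"""Heuristic triage: does a kernel release string carry the upstream Dirty COW fix?

Added example. The only hard facts it relies on are the first upstream stable
releases that included the CVE-2016-5195 fix; everything else is this script's
own convention.
"""
import platform
import re
from typing import Optional, Tuple

# First upstream stable releases that shipped the CVE-2016-5195 fix, keyed by
# branch (major, minor). Distribution kernels backport the fix under their own
# version numbers (e.g. a 3.10.0-xxx build on RHEL 7 may be fixed), so a bare
# version number from such a kernel is not evidence either way.
FIXED_UPSTREAM = {
    (4, 8): (4, 8, 3),
    (4, 7): (4, 7, 9),
    (4, 4): (4, 4, 26),
}

# major.minor[.patch] followed by anything else (distro tags, -rc, arch).
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_release(release: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Split '4.4.26-generic' into ((4, 4, 26), '-generic'); None if unparseable.

    A missing patch level (uname reports the 4.9.0 release as '4.9') is read as 0.
    """
    m = _RELEASE_RE.match(release.strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix


def assess(release: str) -> str:
    """Classify a kernel release string with respect to CVE-2016-5195.

    Returns one of:
      'unparseable'           - not a major.minor[.patch] string
      'check-vendor-advisory' - distro-tagged kernel, or an upstream branch this
                                table does not cover; consult the vendor advisory
      'vulnerable-upstream'   - plain upstream kernel below the first fixed release
      'patched-upstream'      - plain upstream kernel at or above the fixed release
    """
    parsed = parse_release(release)
    if parsed is None:
        return "unparseable"
    version, suffix = parsed
    if suffix:
        # '-generic', '.el7.x86_64', '-rc1', ...: not a plain upstream tag, so the
        # number says nothing about backported fixes. Do not guess.
        return "check-vendor-advisory"
    branch = version[:2]
    if branch in FIXED_UPSTREAM:
        return ("patched-upstream" if version >= FIXED_UPSTREAM[branch]
                else "vulnerable-upstream")
    if branch >= (4, 9):
        # Every upstream release cut after the fix landed (October 2016) includes it.
        return "patched-upstream"
    # Older upstream branches (3.x, 4.1, 4.5, 4.6, ...) received the fix at point
    # releases not listed here; send the reader to the advisory instead of guessing.
    return "check-vendor-advisory"


if __name__ == "__main__":
    # Constructed sample release strings, followed by the running host's own.
    samples = [
        "4.8.2",                   # vanilla, one release short of the fix
        "4.8.3",                   # first fixed 4.8 release
        "4.4.0-45-generic",        # distro-tagged: version alone is not evidence
        "3.10.0-514.el7.x86_64",   # distro-tagged: same
        platform.release(),
    ]
    for s in samples:
        print(f"{s:32} -> {assess(s)}")
```

Run it on a host and read the last line; anything reported as `check-vendor-advisory` should be resolved against the distribution's own errata for CVE-2016-5195 rather than by the version number, which is exactly the trap this heuristic refuses to fall into.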