Last year was eventful (again!) in information security. Honestly, is there ever a “boring or quiet” year in infosec? Lots of research, security talks, and vulnerabilities caught our attention this past year. In this quick recap, we’ll provide an overview of some of the research we found most interesting, some of the talks we found the most compelling, and some of the vulnerabilities we won’t (or can’t) forget anytime soon.
A Few of Our Favorite… Pieces of Security Research
This sort of technical challenge with this level of depth is often seen in CTF competitions but rarely in published, true-to-life exploits. If you haven’t read this write-up yet, do so ASAP.
What We Love: It’s rare to see a write-up of a real-world exploit as complex as this one. In this incredibly powerful exploit, it’s possible to take over someone’s phone and gain access to their photos, call history, and messages – simply by sending them a text.
The title may make you think of a used car commercial, but trust us, this piece of research is more interesting than that. Will Schroeder and Lee Christensen investigated an area that receives infrequent attention (Microsoft Active Directory Certificate Services, aka AD CS) and called out several troubling security flaws.
What We Love: The excellent work the researchers did with providing an analysis of all possible attacks on AD CS as well as creating detections for them.
In this write-up, Kevin Backhouse details his exploit for the high-risk vulnerability CVE-2021-3939 found in the Ubuntu operating system. The exploit mystified Backhouse himself, who by his own admission, “spent the next two weeks trying to figure out how my own exploit worked.”
What We Love: It’s a solid example of exploiting a double-free vulnerability that does not involve memory corruption since it's a data-driven exploit.
Security Research from the Bishop Fox Labs
The Fox Den had no shortage of interesting research releases, either. Below are some pieces of research that are well worth revisiting due to their novel techniques and impressive implications.
Earlier this year, former Bishop Fox Lead Researcher Jake Miller shared his findings on how the same JSON document can be parsed with different values across microservices. Unsurprisingly, this results in various potential security risks.
Here, Chris Davis shows how you can achieve cross-site scripting (XSS) via HTML tags that leverage HTML parsing logic even in instances where lexical parsers are used to nullify dangerous content.
Finally, Zach Julian delves into how misconfigured XMPP servers can yield great dividends to pen testers who encounter them during engagements. XMPP (short for eXtensible Messaging and Presence Protocol) is the backbone of countless instant messaging servers found in organizations across the world, so the impact of this research is vast. (For anyone on the defensive side reading this, you might want to ensure that if you use XMPP servers in your environment, they are configured correctly.)
3 Vulnerabilities that Kept Us Up at Night
We could not do a proper recap without recalling some of the noteworthy – and, well, frankly terrifying – vulnerabilities that were discovered this year. 2021 was another record-breaking year for CVEs, so we could have easily included a few more bugs. But we will focus on three particularly dangerous ones.
Log4J (critical remote code execution vulnerability)
CVE-2021-44228 (which also goes by the shorthand moniker “Log4j” for the software it affects) has already been deemed “bug of the decade” by some folks, and with good reason. As a few Bishop Fox researchers indicated during a recent webcast, this critical security bug will likely have reverberations that are felt for months to come.
ProxyLogon (critical unauthenticated server-side request forgery vulnerability)
We originally called ProxyLogon – aka CVE-2021-26855 – a contender for top vulnerability of the year. And we weren’t wrong, even if Log4J happened as the year came to an end. We wrote about this bug in tandem with several other vulnerabilities that could be used in an attack chain against the Microsoft Exchange Server, which you can read here.
PrintNightmare (high-risk remote code execution vulnerability)
Although “PrintNightmare” was used to offhandedly refer to a few separate bugs, according to Microsoft, it means CVE-2021-34527. If exploited by an attacker, this bug could be used to run arbitrary code with system privileges. From there, they could install programs, manipulate data, or create new accounts with full user rights. This issue has since been patched, so hopefully, by now most affected users have updated their systems.
3 Security Talks That Made Us Think
We already shared some of our favorite DEF CON 29 talks (here as well as here), but those weren’t the only security-focused talks that happened this past year. Here are a few other talks we found insightful.
This was certainly a banner year for Kubernetes security resources (like our own Bad Pods from Seth Art). Use this SANS Cloud Security talk from Madhu Akula to get started with his creation Kubernetes Goat, which allows you to practice your Kubernetes security skills in a vulnerable-by-design environment.
For anyone who is starting out with cloud security (or simply would like to be better acquainted with the subject), this SANS Cloud Security talk serves as a great primer for the foundational concepts you need to be successful. Roger O’Farrill covers Azure as well as AWS, giving you a comprehensive lowdown on the most widespread cloud computing environments.
This talk by Alyssa Miller, from this year’s Diana Initiative, is a must watch for anyone who might be new to cybersecurity, or even those who might be interested in a career in cybersecurity but haven’t made the jump yet. She also provides practical advice for areas that many security professionals struggle with, like dealing with imposter syndrome and responding to job postings.
Some Bishop Fox Talks (and a Podcast!)
Of course, a few Bishop Foxes presented in 2021, too – and one was interviewed by the team at the Offensive Security Podcast. Here’s a brief overview of these talks and podcast, which we highly recommend streaming (we might be a little biased).
At this CactusCon presentation, Dan Petro combined two of his favorite things: video games and hacking. Unfortunately, he didn’t do any interpretative dancing – but it’s still a fun (and informative) presentation.
The presentation’s title says it all; Andrew Wilson reviews some of his tried-and-true best practices for using reverse engineering to get source code from a web application. It’s great viewing for any pen tester, regardless of skill level.
Petro and Allan Cecil showed how random number generators (RNGs) in IoT devices present an unprecedented security problem. They also have suggestions for workarounds to mitigate this issue, but their talk may make you rethink the smart toaster you received for the holidays.
This episode of the Offensive Security Podcast presents a well-rounded look into life as a security consultant. Seth Art sat down with the Offensive Security Podcast team to talk cloud security, Kubernetes, Bishop Fox, work-life balance, and more.
A Look Ahead to the Future
There’s no doubt in our minds that 2022 will prove even less boring and more eventful than its predecessor. Security threats we have faced these past few years – like combatting ransomware and securing a remote workforce – will likely remain challenges. But there will be no shortage of knowledge, research, and resources to help arm ourselves in the coming months.
Thank you to the Bishop Fox consultants who contributed to this recap!
Subscribe to Bishop Fox's Security Blog
Be first to learn about latest tools, advisories, and findings.
Thank You! You have been subscribed.