In the wake of the current global outages caused by a faulty software update, cybercriminals will be targeting software updates/patches ever more
In the wake of the global cyber crisis caused not by attackers but by a single faulty EDR software update rolled out globally on the eve of the weekend of 19 July, this is now a good time to warn against “frame injections/hijacking” attacks.
Such attacks can be used to modify legitimate websites to lead unsuspecting visitors to illegitimate web pages. Imagine an IT administrator visiting a software vendor’s download page to find a software patch, but a hidden frame has been inserted in the page to lead the administrator to a spoof web page containing a malicious version of the update patch.
In another scenario, by hijacking communications between a software update server and a user, cybercriminals can modify the update requests and responses. This man-in-the-middle attack can allow hackers to inject malicious code into the update package, which, when rolled out to hundreds of computers in an organization, can lead to a major outage. In targeting update servers and patch files, cyberattackers can also use a combination of phishing, DNS spoofing, binary patching, attacks on the software development supply chain, XSS and SQL injection, and frame hijacking/injections.
Spotting and preventing frame injections
Check Point Software has proffered the following tips to developers for mitigating frame injection risks effectively.
- Understand the risk
The first step in spotting and preventing frame injections is understanding the technique. As mentioned, frame injections manipulate ordinary websites by adding malicious frames, often invisible to the average user. These frames can host phishing sites, misleading information, or malware downloads. Administrators should be vigilant and ensure that their web applications are not being abused to exploit visitors.
- Conduct regular code reviews
Performing regular code reviews is an effective strategy for detecting potential vulnerabilities. It involves systematically reviewing the source code of all web applications to identify where frame injection could occur. For example, keep an eye out for areas in the code where user input is incorporated directly into web page content.
- Use security tools
Leveraging security tools like Intrusion Detection Systems (IDS), vulnerability scanners, and web application firewalls can spot and alert teams to potential frame injection points in the code. Security tools are invaluable, but remember, they are not a like-for-like replacement for a thorough code review, and should be used in conjunction with the latter.
- Implement secure coding practices
One secure coding practice is input validation: ensuring all user data is checked for appropriateness before use. Avoid using user input directly in web pages without proper sanitization. Also, consider enforcing “least privilege” principles, where each part of an application has only the permissions it needs to function.
- Escape user inputs
Escaping user inputs ensures that characters with a special meaning in HTML and JavaScript are neutralized, so that they display as normal text and cannot be used to alter the page’s structure. Special characters such as <, >, ", ', and & should be replaced with their respective HTML entities. This prevents a malicious user from injecting HTML or script code into the web pages.
- Use a Content Security Policy (CSP)
This security standard helps prevent frame injection attacks by allowing developers to define which content sources are trusted, thus limiting the ability of an attacker to inject malicious content. Implement a robust CSP in web applications to significantly reduce the risk of frame injection attacks.
- Regularly update and patch
Applying regular updates and patches can protect against known vulnerabilities that hackers may exploit for frame injection. Just make sure that the lessons learned from the CrowdStrike outage are applied to pre-test updates thoroughly before they are rolled out (and never on a weekend)!
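To make the “escape user inputs” and “use a CSP” tips concrete, here is an added example (not code from the article or from Check Point) showing a page handler that concatenates user input directly into HTML, the same handler with escaping applied, a lightweight check a code review or test suite can use to catch rendered frame tags, and the CSP/X-Frame-Options headers that limit which frames a page may embed and who may frame it. The hidden-frame sample input and the `downloads.example` origin are constructed for the illustration.

```python
import html

# Constructed sample input: a "display name" carrying a hidden frame that would
# steer the visitor to a look-alike download page.
INJECTED_NAME = '<iframe src="https://spoof.example/patch" style="display:none"></iframe>'
ALLOWED_FRAME_SOURCES = ["https://downloads.example"]  # hypothetical trusted origin


def render_vulnerable(name: str) -> str:
    # The code-review red flag: user input concatenated straight into page content.
    return f"<h1>Welcome, {name}</h1>"


def render_hardened(name: str) -> str:
    # <, >, ", ' and & become entities, so the input renders as text, not markup.
    return f"<h1>Welcome, {html.escape(name, quote=True)}</h1>"


def contains_frame_markup(page: str) -> bool:
    # Lightweight check for tests and review tooling: is a live frame tag present?
    lowered = page.lower()
    return any(tag in lowered for tag in ("<iframe", "<frame", "<object", "<embed"))


def security_headers(allowed_frame_sources: list[str]) -> dict[str, str]:
    # frame-src: which origins this page may embed; an injected frame pointing
    # anywhere else is blocked by the browser even if escaping was missed somewhere.
    # frame-ancestors: which sites may frame this page (clickjacking protection);
    # browsers honour it only in the HTTP header, never in a <meta> tag.
    frame_src = " ".join(allowed_frame_sources) if allowed_frame_sources else "'none'"
    csp = f"default-src 'self'; frame-src {frame_src}; frame-ancestors 'none'"
    return {"Content-Security-Policy": csp, "X-Frame-Options": "DENY"}


if __name__ == "__main__":
    print(render_vulnerable(INJECTED_NAME))
    print(render_hardened(INJECTED_NAME))
    print(security_headers(ALLOWED_FRAME_SOURCES))
```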
Stay tuned to this CybersecAsia section for future tips on staying safe from other multi-vector cyberattack techniques that could target software patches/updates to create global cyber incidents…