April 2019 Security Report | Shearwater Solutions

April 2019 Security Report | Shearwater Solutions


Featured this security report: ASUS release a critical software update to combat “ShadowHammer” Trojan Malware, CISCO’s RV320 and RV325 small business routers are vulnerable to attack, Zero-day vulnerabilities found in Google Chrome and Microsoft Windows are being exploited simultaneously, the recent WinRaR vulnerability is being abused en-masse by threat actors, Adobe patches Cold Fusion to alleviate vulnerability and Apple also patches up a number of serious vulnerabilities in its iOS platform. The latest data breach news includes; between 6TB and 10TB of data extracted from Citrix’s internal network and a second Toyota data breach has leaked up to 3.1 million pieces of customer data. In other news, Windows 7 and Windows Server 2008 R2 support will cease in January 2020.

Current Threats and Exploits


  • ASUS malware software update:
    A critical software update has been released from ASUS to combat a known Trojan malware attack called “ShadowHammer,” the attack itself was disguised as a “critical” software update. Although ASUS stated that “only a small number of a specific user group was found to be targeted,” Kaspersky Labs predicts that the attack could have been distributed to nearly 1 million machines and installed on hundreds of thousands. Along with the software patch, ASUS also introduced a “Live Security” program that users can use to scan their device to see if it has been involved in any known malware attacks. (1)
  • CISCO vulnerability patching:
    Cisco Systems issued 24 patches tied to vulnerabilities in its IOS XE operating system and warned customers that two small business routers (RV320 and RV325) are vulnerable to attack and that no patches are available for either. A total of 19 of the bugs were rated as “high severity” by Cisco, with the others rated as medium. The two router vulnerabilities are rated as “high severity” and are part of Cisco’s Dual Gigabit WAN VPN RV320 and RV325 line of small business routers. Both router flaws were first patched in January, however Cisco said that both patches were “incomplete” and that both routers were still vulnerable to attack. Firmware updates that address these vulnerabilities are not currently available. Cisco also says that there are no workarounds that address either vulnerability. (2)
  • Google Chrome Zero Day Exploit:
    Google has reportedly patched two previously publicly-unknown vulnerabilities – one affecting Google Chrome and another in Microsoft Windows, both were being exploited together. Google released an update for all Chrome platforms that was delivered through the auto-update feature. This vulnerability leverages a memory mismanagement bug that could allow an attacker Remote Code Execution, allowing unauthorized users to inject malicious code. Google has encouraged all Chrome users to verify that Chrome auto-update has applied the 72.0.3626.121 update. (3)
  • WinRaR ACE file extension:
    WinRAR is a file archival tool that is widely used. Users should update to the latest version of WinRAR, or remove it from their computer, as there is no automatic update feature in the software. Shearwater recommends checking if WinRAR is installed on devices in the network. If WinRAR is discovered and it’s verified that it is required, it is critical that the latest version is installed. If WinRAR Is not required, the software should be removed. (4)
  • Adobe Cold Fusion Exploits:
    Adobe’s “Cold Fusion” website development platform has released a patch to remove a vulnerability that could allow a remote attacker to execute arbitrary code. The vulnerability allows a malicious attacker to upload a file of their own choosing and then cause any code within the file to be executed by issuing a HTTP request. All previous versions of Cold Fusion are reported to be vulnerable to the attack and it is recommended that anyone using Cold Fusion updates to the latest version as soon as possible. Additionally, it has also been observed that attacks against the vulnerability are already being conducted. (5)
  • Apple Patches a Number of Serious Vulnerabilities in iOS
    Apple recently released a patch to fix a number of serious vulnerabilities that were discovered in its WebKit framework, which is used by browsers on the iOS platform. The vulnerabilities range in severity, however at their worst they allow for a specially crafted web page to execute arbitrary code. It is recommended that all users of iOS devices update to the latest version of iOS as soon as possible. (6)


It is important that all users install the latest updates to stay protected from security threats.

Recent Breaches


  • Major Citrix Data Breach:
    Citrix recently released information indicating that they had undergone a major data breach where malicious actors were able to gain access to their internal network. After forensic analysis, the breach was determined to have been performed by a sophisticated attacker and it is thought they were able to extract between 6TB and 10TB of data from the internal Citrix network. Furthermore, this data included business documents with details of several of Citrix’s clients. It was also revealed that the attackers likely gained access into the environment by brute force, several employee’s accounts secured with weak passwords were compromised. This breach, like a number of other recent breaches, re-enforces the need to ensure all users have strong passwords and two factor authentication enabled on their accounts. (7)
  • Second Toyota Data Breach:
    Toyota has apologized to customers after a large data breach at its Tokyo area sales network was discovered on 21st March. Toyota said unauthorized network access to a server used by sales subsidiaries may have leaked up to 3.1 million pieces of customer data outside the company. Toyota is still investigating the extent of the data breach, and whether or not the information was exfiltrated. In late February this year, Toyota Australia suffered a cyber-attack that took out its email service and other systems. Toyota has not attributed either of these hacks to any particular actor or group, or advised whether the two are connected. (8)

Other News


  • End of Windows 7 and Windows Server 2008 R2 support:
    Starting on 18th April 2019, users running Windows 7 will start seeing pop-ups reminding them that support for the aging operating system will end in mid-January 2020. Reasons users may have for not upgrading to Windows 10 include concerns about applications not working and computers that cannot run Windows 10. Users with an enterprise license can arrange continued support for some business Windows 7 installations, and users with embedded Windows 7 may have different life cycle dates. (9)

References

  1. Asus software updates were used to spread malware, security group says
  2. Cisco Releases Flood of Patches for IOS XE, But Leaves Some Routers Open to Attack
  3. Disclosing vulnerabilities to protect users across platforms
  4. ‘100 unique exploits and counting’ for latest WinRAR security bug
  5. Security updates available for ColdFusion | APSB19-14
  6. Latest iOS 12.2 Update Patches Some Serious Security Vulnerabilities
  7. Citrix discloses security breach of internal network
  8. Millions of customers’ data accessed in second Toyota hack
  9. Windows 7 Update Support Ends One Year From Today

This Information Security Report is brought to you by Shearwater Solutions

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Whatever your Information Security challenge, we’re here to help you find the right solution.