New Windows Zero Day in the Wild

Microsoft is warning users that a new critical remote code execution bug is in the wild and actively being  exploited with no patches available yet.

Located in the Windows Adobe Type Manager Library, the bug  affects Windows versions 7, 8.1, RT 8.1 and 10, which are all susceptible to the remote code executions.

This is in addition to Windows Server 2008 service pack 2 onwards, where the default Enhanced Security Configuration does not mitigate against the vulnerability.

Until patches become available, Microsoft suggests 3 possible workarounds:

1. By disabling the Preview and Details panes in Windows Explorer, you can prevent automatic display of OpenType fonts in Windows Explorer that may trigger the vulnerability.
2. By disabling the Windows WebClient service using the Services.msc Microsoft Management Console tool, you block the most likely remote attack vector, through the Web Distributed Authoring and Versioning (WebDAV) client service.
3. Rename the Windows OpenType and Type 1 font driver dynamic link library file, ATMFD.DLL. However, this could cause third-party applications that use OpenType fonts from working properly.

Cybersecurity Experts Rally to Fight COVID-19

In response to the significant increase in COVID-19 related hacking, 400 leading cybersecurity experts formed an international group: CTI League.

Hailing from more than 40 countries, the group includes senior representatives from companies including Amazon and Microsoft.

Cybersecurity for hospitals and healthcare facilities are the top priority. For some time, health data has been highly valued by hackers. With medical institutions buckling under the weight of COVID-19, there is significant concern that they will be more susceptible to ransomware attacks and other cyber-threats.

Marc Rogers, a founding member of the CTI League, stated that the group had already seen successes in fighting the spread of malicious software. This collaboration will undoubtedly help in the effort to keep organisations safe from the threat of cyber-crime.

Zoom Risks Increase

Two new Zero-Day exploits in Zoom, the popular video conferencing application, have been published.

Once again, it appears Zoom contains many vulnerabilities. Organisations should be extremely cautious about using Zoom for any teleconferencing purposes that require confidentiality. 

Former National Security Agency staffer Patrick Wardle found that the app dodges consent during installation by using an application programming interface that Apple says should not be used by developers. Zoom has therefore created a serious privilege escalation vulnerability that could be exploited by local, non-admin users to gain root access.

The second exploit allows malicious code to be injected into the process space that handles Zoom’s access to the microphone and camera on Macs. The upshot of this being that these could be accessed without users receiving warning prompts.

Zoom founder Eric Yuan revealed that this design was intended to make video conferencing easier for Mac users. However, he has admitted the need for remediation.

Whilst no timeframe has been given for the fixes, the installer and client are currently being updated to ensure that security concerns are mitigated.

The Australian Signals Directorate has issued a warning to users of video conferencing apps, suggesting that if video conferencing traffic heads offshore, as it does with Zoom, it could be intercepted and harvested by foreign spies and criminals.

Any teleconferencing service provider that claims ownership over your conversations and data should be avoided.

COVID-19 Themed Phishing Attacks on the Rise

Hackers are taking advantage of people’s fears by launching a wave of COVID-19 themed phishing attacks.

Typically, these attacks deliver malicious links or attachments to people purporting to be from trusted organisations. Sometimes they claim to be from healthcare organisations, at other times from financial institutions or even government agencies such as the Australian Taxation Office.

Delivered via email, SMS, voice message, or other communications platforms such as Zoom and Microsoft Teams, they create a sense of urgency to dupe unsuspecting people into clicking the link or opening the attachment.

Even downloadable apps aren’t always secure. Recently, a trojan was discovered in an Android app which claimed to track the global number of COVID19 cases. However, once the app was installed, it locked the mobile device and demanded $100 worth of bitcoin in order to unlock it. If the ransom was not paid, the attackers threatened to delete all the victim’s data within 24 hours.

Once the recipient a recipient clicks a malicious link or opens an attachment, malware can be installed on the computer or mobile device.

The most common purpose of these attacks is credential harvesting. Hackers seek to steal confidential login and password details to online banking platforms, email or social media accounts. This enables them to engage in identity theft and financial fraud. 

In an age of remote working, people are particularly vulnerable. When working from home, the sorts of security measures within the corporate environment don’t exist. People use weaker home wi-fi networks, whilst remotely accessing the enterprise network from outside heightens the risks to an organisation’s valuable corporate, financial, customer and staff data.

Users are strongly advised to take additional precautions when receiving files from unknown senders, when opening attachments and clicking on links, particularly where they contain special urgent news or safety information, as well as lookalike domains containing spelling errors.

Heightened awareness is key given the scale of threats and the increased possibility that one click could lead to your system’s compromise.

Privacy Must Not be a COVID-19 Casualty

A national public health crisis, such as the current COVID-19 pandemic, makes coordination between a range of government departments and agencies more urgent than ever.

This necessitates the exchange of personal information in ways that wouldn’t be required under normal circumstances.

It’s a reality that has been recognised by the Office of the Australian Information Commissioner (OAIC).

Whist privacy laws at the Federal, State and Territory levels contain mechanisms to permit the exchange of critical data in such circumstances, it is essential to ensure that personal information is “protected and handled in a way that is reasonable, necessary and proportionate”.

As such, a National Covid-19 Privacy Team has been set-up to coordinate the response of privacy regulators across Australia.

The new body maintains that, even under present conditions, an individual’s privacy remains a key consideration.  They are therefore emphasising the importance of conducting short-term Privacy Impact Assessments to manage, minimise or eliminate privacy impacts.

You can learn more about conducting Privacy Impact Assessments here.

The OAIC is also reminding Australian organisations that the Australian Privacy Principles must continue to be adhered to, even under conditions where remote working is occurring.

Working from Home Opens-Up Hacking Opportunities

With the mass move to remote working, an unprecedented amount of employers’ data is moving from professionally managed corporate networks to home Wi-Fi setups, often protected with basic passwords. Hackers are already looking to take advantage of this reduced security to infiltrate corporate networks.

Cybersecurity professionals are warning about the implications of making access to critical corporate data easier.

The Australian Cyber Security Centre (ACSC) is encouraging Australian organisations to remain vigilant and ensure their Virtual Private Networks (VPNs) and firewalls are up to date with the most recent security patches

Hackers are seizing this new opportunity to increase the sophistication of phishing attacks with coronavirus themed alerts, warnings or apps. Australian organisations should be wary of a surge in malicious emails, such as health advice from hackers masquerading as trusted bodies like the World Health Organisation, or the Australian Medical Association.

Screen Scraping Doubles Odds of Fraud

At a time when all responsible bodies should be seeking to increase community awareness around the importance of password security, the practice of Screen Scraping is sending precisely the wrong message.

The Commonwealth Bank is the latest organisation to publicly repudiate the controversial practice, which involves individuals handing over their login and password credentials to 3^rd party financial organisations when applying for financial products from them.

The practice allows a financial organisation to login to a potential customer’s existing bank accounts with other institutions, in order to investigate their credit-worthiness. The practice puts the customer at all kinds of risk and may invalidate their ability to receive compensation in the event that they are subjected to financial fraud. 

In its submission to a Senate Committee review of Consumer Data Rights, the CBA argued that customers engaging in this practice could double their chance of experiencing digital fraud.

Concerns surrounding Screen Scraping are shared by many mainstream financial institutions, as well as cybersecurity experts, including CyberCX.

Australia: 15th in Global Rankings

Australia rose 12 places, up to 15^th in the latest Comparitech cybersecurity ranking.

Comprising 76 countries, the rankings evaluate susceptibility to a number of cyber-threats, including the percentage of devices infected with malware and the prevalence of financial cyber-attacks.

Despite Australia’s stronger position, room for improvement exists. The report found over confidence in security readiness amongst Australian businesses.

Chubb’s latest SME cyber preparedness report reveals that 32 per cent of senior business leaders believe their companies will never experience a cyber incident, whilst 79 per cent expressed confidence they could overcome a breach by sophisticated hackers within 24 hours.