Our monthly Information Security Report includes a summary of security breaches, threats and vulnerabilities. It is designed to help you gain visibility over the latest events and to help you assess their implication on your environment.

Shearwater Security Report | January 2020

 

Each month Shearwater’s Managed Security Services Team brings you the latest Threats & Exploits, Breaches and Australian Cyber News to ensure you’re fully informed.

This month’s Security Report is essential reading so you can start the year on the right security footing:

• Current Threats and Exploits
• Recent Breaches
• Australian Cyber News

Current Threats and Exploits

❖ Start 2020 with these Top 20 Patches

Keeping up-to-date with patching is a challenge for any organisation.

Start the new year on the right foot when it comes to patching with this list of top 20 vulnerabilities that are currently being exploited by attack groups worldwide.

These 20 vulnerabilities have been ranked based on the number of times they have been exploited by sophisticated cyber-attack groups operating in the world today (from high to low).

Whilst some of these vulnerabilities are not new, it’s still important to make sure you’re protected. All too often attackers are able to exploit older vulnerabilities that people have inadvertently failed to patch.

No. CVE Products Affected by CVE CVSS Score (NVD) First-Last Seen (#Days)
1 CVE-2017-11882 Microsoft Office 7.8 713
2 CVE-2018-8174 Microsoft Windows 7.5 558
3 CVE-2017-0199 Microsoft Office, Windows 7.8 960
4 CVE-2018-4878 Adobe Flash Player, Red Hat Enterprise Linux 9.8 637
5 CVE-2017-10271 Oracle WebLogic Server 7.5 578
6 CVE-2019-0708 Microsoft Windows 9.8 175
7 CVE-2017-5638 Apache Struts 10 864
8 CVE-2017-5715 ARM, Intel 5.6 424
9 CVE-2017-8759 Microsoft .net Framework 7.8 671
10 CVE-2018-20250 RARLAB WinRAR 7.8 189
11 CVE-2018-7600 Debian, Drupal 9.8 557
12 CVE-2018-10561 DASAN Networks 9.8 385
13 CVE-2017-17215 Huawei 8.8 590
14 CVE-2012-0158 Microsoft N/A; 9.3 (according to cvedetails.com) 2690
15 CVE-2014-8361 D-Link, Realtek N/A; 10 (according to cvedetails.com) 1644
16 CVE-2017-8570 Microsoft Office 7.8 552
17 CVE-2018-0802 Microsoft Office 7.8 574
18 CVE-2017-0143 Microsoft SMB 8.1 959
19 CVE-2018-12130 Fedora 5.6 167
20 CVE-2019-2725 Oracle WebLogic Server 9.8 144
BONUS CVE-2019-3396 Atlassian Confluence 9.8 204

 

Recent Breaches

❖ Twitter for Android Patch

Twitter-for-Android-PatchTwitter has warned of a serious security vulnerability in its Android app that could have allowed an attacker to hijack an account, send tweets, access non-public account information, view private messages and location information. 

Twitter announced it recently fixed the bug in “version 7.93.4 (released Nov. 4, 2019 for KitKat) as well as version 8.18 (released Oct. 21, 2019 for Lollipop and newer).”

Twitter is urging users of its Android app to update to the latest version.

The bug didn’t affect its iOS app for iPhone users.

 


❖ Beware of Hornet’s Nest

Beware-of-Hornet’s-Nest“Hornet’s Nest” is a bundle of six types of malware including information-stealing trojans, a remote backdoor, a cryptojacker and a cryptocurrency stealer.

Whilst it’s unclear how the attack is initially delivered, it is believed to emanate from Russia and targets organisations around the world. Once delivered, it will execute PowerShell commands that enable it to begin its malicious activities.

The attack seems to be part of a cybercrime-as-a-service operation. Those who developed Hornet’s Nest apparently lease out their product to other cyber-criminals.

Attackers are able to steal vast swathes of personal data, all of which they could illicitly monetise either by committing fraud themselves, or by selling the information on to others on the dark web. It also includes a cryptocurrency stealer, allowing the attacker to raid the victim’s bitcoin wallet.

Such a multi-pronged attack can be a security nightmare for an organisation, considering all the kinds of data that could be compromised by the hackers.

However, if organisations are employing basic security measures, like applying patches and securing internet facing ports, they should go a long way to help the business avoid falling victim to this malware.

 


❖ Changes for G-Suite Users

Changes for G-Suite Users‘G-Suite’ is the name given to Google’s range of tools and apps, including Gmail, Google Calendar, Google Drive and Google Docs.

Until now, users of third-party email clients (such as Microsoft Outlook) could use their non-Google email username and password to access G-Suite products.

However, that’s about to change.

Vulnerabilities in some older third-party email clients, in which usernames and passwords were compromised, opened the way for attackers to access data from across the range of G-Suite products.

To stop this happening, Google will no longer allow users of less-secure-apps, or LSAs, from using their non-Google credentials with G-Suite products.

This change, which will commence in June 2020, won’t affect all non-Google email clients. Those that use OAuth, the authentication standard used by Google, Facebook, Microsoft, and Twitter, will continue to be able to access G-Suite products. 

 


❖ Ensure You Patch SharePoint Enterprise Servers

Ensure-You-Patch-SharePoint-Enterprise-ServersAttackers are actively scanning for enterprise servers running vulnerable Microsoft SharePoint versions that are easily exploitable with a single HTTP request to remotely run arbitrary code, security researchers warn.

A patch for the vulnerability was issued by Microsoft in February 2019 but some administrators have been slow to deploy the fix.

Researchers added support for the SharePoint vulnerability on a worldwide network of honeypots and observed multiple attacks very quickly. A significant number of enterprise SharePoint servers remain exposed to the vulnerability that is actively exploited in the wild. The seriousness of the flaw may have been underestimated as it requires no authentication on vulnerable systems and should have a high Common Vulnerabilities Scoring System (CVSS) rating of 9.8.

 


❖ WhatsApp Remote Code Execution Vulnerability

WhatsApp-Remote-Code-Execution-VulnerabilitySecurity researchers have uncovered yet another remote code execution vulnerability present in the popular instant messaging app WhatsApp.

The vulnerability is present in the library WhatsApp uses to display MP4 videos and can provide a remote malicious actor with code execution on the device in the context of the WhatsApp application.

Currently, all versions of WhatsApp for iOS and Android and even Windows Phones are known to be vulnerable. To exploit the vulnerability all a malicious actor needs to do is send a specially crafted MP4 message to their target and have them open it.

It is recommended that all users of WhatsApp update immediately. Updates can be found here.

 

 

Australian Cyber News

❖ Cybersecurity Improvements in Financial Sector

Cybersecurity-Improvements-in-Financial-SectorAccording to a new report by Australia’s corporate watchdog, ASIC, financial companies are improving their cybersecurity awareness and taking more steps to mitigate cyber risk.

In self-assessments against the National Institute of Standards in Technology (NIST) Cybersecurity Framework, the past year witnessed an average increase in cyber resilience of 15% across a range of functions.

Whilst ASIC said cyber resilience has improved, many financial companies have struggled to meet ambitious targets they set the previous year. A continually changing threat environment, limited organisational capability, and limited access to specialised skills and resources were also challenges.

 


❖ Online Safety – New Tougher Rules

Online-Safety-New-Tougher-RulesWith the community increasingly concerned about online bullying and other harmful online conduct, the Australian Government is proposing new rules that will compel digital platforms to remove inappropriate content within 24 hours following an instruction to do so from Australia’s eSafety Commissioner.

The removable content would not extend to online disputes of a personal nature, however they could include behaviour that is currently criminalised in the legal code.

Significantly, the proposals would extend current cyberbullying provisions from children to the entire population, although there would be a higher threshold for adults.

Search engines will be required to ‘de-rank offending content’, whilst digital platforms would have new transparency requirements.

The Department of Communications has published a discussion paper on the Act, with submission to close on 19 February 2020.

 


❖ Ransomware Still Rearing its Ugly Head

Ransomware-Still-Rearing-its-Ugly-HeadWith ransomware attacks continuing to rise, more organisations than ever are opting to pay cyber criminals in order to restore their networks.

A new report indicates the number of businesses agreeing to pay attackers has doubled in the past year. Malware that encrypts an organisation’s files can have devastating consequences for a business. Often, businesses conclude that the costs associated with paying the attackers will be less than the costs associated with down-time or lost data, despite law enforcement authorities recommending against giving into such extortion.

With attackers often demanding six-figure sums, and the chances of getting caught very low, it seems ransomware attacks are only going to continue to increase. Apart from the ransom money that needs to be paid, the cost of business down-time averages $208,000 in Australia.

The threat is particularly high in Australia and New Zealand, with local small-to-medium-sized enterprises (SMEs) experiencing the highest rate of ransomware attacks in the world according to new cybersecurity research.

There are some relatively simple steps you can take to help ensure your organisation remains secure:

  • Ensure all the systems and software on your network are up to date and patched with the latest security updates.
  • Make sure everyone in your organisation follows best practice password security protocols. Default passwords should not be used, and where possible, multi-factor authentication should be implemented.
  • Regularly backup all your files and ensure they are stored offline. In the event hackers block access to your systems and files, you will be able to restore operations relatively quickly if all your data is backed-up.

 


❖ Small Drop in Australian Online Fraud

Small Drop in Australian Online FraudFor only the second time, Australia saw a decline in online fraud during the 2018-2019 financial year.

Online fraud cost Australians $455 million, 5% lower than the previous year.

While the figure is heading in the right direction, it remains clear that much work needs to be done to significantly reduce instances of online fraud.

This drop comes on the back of efforts by the Reserve Bank, which continues to pressure the banking and payments industry to enhance online transaction security.

In response to the RBA, the payments industry designed a framework that sets out a tranche of compliance and security work that online merchants need to comply with, especially around how they keep card numbers and transactions secure from hackers.

Experts believe one of the biggest drivers of this drop in online fraud is the shift towards tap-and-pay technology, particularly the use of mobile handsets for payments, where consumer and bank security settings are far more robust thanks to regular software updates.

Card number tokenisation has also had a big impact in reducing online fraud, because it means the merchant doesn’t get the card number and it isn’t being input in the clear on the screen.

 

Sources
1. Start 2020 with these Top 20 Patches – cis.verint.com
2. Twitter for Android Patchwww.zdnet.com, www.itnews.com.au
3. Beware of Hornet’s Nest – www.zdnet.com
4. Changes for G-Suite Users – www.zdnet.com
5. Ensure You Patch SharePoint Enterprise Servers – www.itnews.com.au
6. WhatsApp Remote Code Execution Vulnerability – www.facebook.com
7. Cybersecurity Improvements in Financial Sector – www.zdnet.com
8. Online Safety – New Tougher Rules – www.zdnet.com
9. Ransomware Still Rearing its Ugly Headwww.zdnet.com, www.businessnewsaus.com.au
10. Small Drop in Australian Online Fraud – www.itnews.com.au

 

This Information Security Report is brought to you by Shearwater Solutions

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Whatever your Information Security challenge, we’re here to help you find the right solution.

 

Shearwater Security Report | December 2019

 

Each month Shearwater’s Managed Security Services Team brings you the latest Threats, Breaches and Industry News from Australia and around the world.

Read this month’s Security Report to learn about:

• Current Threats and Exploits
• Recent Breaches
• Staying Safe with IoT Devices
• Securing APIs
• A Phishy Smell in Parliament

Current Threats and Exploits

❖ New Ransomware Threat

New-Ransomware-ThreatBeware of emails claiming to be from Microsoft urging you to install a Windows 10 update.

Security researchers have discovered a new malicious campaign which spoofs Microsoft emails, but ends up infecting the user’s systems with the Cyborg ransomware. Targeted users first receive an email with either the subject line ‘Install Latest Microsoft Windows Update now!’ or ‘Critical Microsoft Windows Update!’ which is already suspicious as Microsoft pushes Windows updates through its operating system and never through emails.

The email contains just one line of text which reads: ‘Please install the latest critical update from Microsoft attached to this email’.

Unusually, the fake update attachment has .jpg file extension. However, it is not a picture but actually an executable file. Upon clicking the attachment, a file called ‘bitcoingenerator.exe’ is downloaded from a GitHub account named ‘misterbtc2020’.

Once activated, the ransomware encrypts all the files on the infected user’s system and appends their filenames with its own file extension: 777. A ransom note with the filename ‘Cyborg_DECRYPT.txt’ is then left on the desktop of the compromised machine. It also leaves a copy of itself called ‘bot.exe’ hidden at the root of the infected drive.

The fact the ransomware was hosted on GitHub is significant. It meant that others could gain access to it in order to create their own version of the Cyborg ransomware. The risk is that many variants could end up in the wild.

 


❖ Windows 10 Preview Pane Bypasses Word Protected View

Windows-10-Preview-Pane-Bypasses-Word-Protected-ViewWord Protected View is a mode in which Microsoft Word can open untrusted Word documents and prevent dynamic content such as macros and remote content from automatically executing on the user’s computer. The mode was implemented to protect users from this content which can be used to infect the host or call out to remote hosts over HTTP or SMB to request resources.

Word Protected View is enabled by default when a Word document is downloaded from an untrusted source, such as the Internet, and must be explicitly disabled by the user.  

Recently, security researchers discovered that the Windows 10 preview pane, which is used to disable a preview of the document in File Explorer, doesn’t open the document in protected mode when generating the preview. As such, simply selecting the document in File Explorer with the preview pane enabled is enough to load potentially risky external content over HTTP and SMB.

The later of the two protocols is more worrying, as the researchers were able to demonstrate that the user’s NTLM hash (the way in which Microsoft stores passwords), is automatically sent to a remote server, giving a malicious actor all the information they need to crack the user’s password.

Currently, there is no fix for this vulnerability and as such, users are recommended to disable the preview pane on their computer and as always exercise caution when downloading Word documents from untrusted sources.

 

 

Recent Breaches

❖ Web.com Suffers Major Breach

Web.com Suffers Major BreachWeb.com is an American-based company that provides domain name registration and web development services. As the fifth largest registrar in the world with almost 7 million customers, it recently made news in Australia due to its US$105 million acquisition of Dreamscape Networks. As an ASX listed company, Dreamscape Networks owns Crazy Domains, the leading Australian domain registrar with 2 million customers and 600 employees.

On October 16, the company discovered it had suffered a significant data breach back in August in which user account information was exposed. The disclosed data includes contact details such as name, address, phone numbers, email address and information about the services the account holder purchases.

Thanks to the fact that web.com encrypted all credit card information, in line with PCI-DSS standards, no credit card data was reported to be compromised. Had credit card data also been stolen, the ramifications for web.com would have been far greater. Nonetheless, the other stolen information could put customers at risk of follow-on phishing and identity fraud attempts.

This is another timely reminder of the importance of securing your data. This is true for all organisations, but particularly those that process customer credit or debit cards.

Contact Shearwater today to discuss ways you can ensure secure payments in line with standards such as PCI-DSS.

 

 

Other News

❖ Staying Safe with IoT Devices

Staying Safe with IoT Devices The Internet of Things (IoT) includes everyday devices that connect to the internet and send and receive data. This includes devices like smart TVs, smart watches and baby monitors.

Whilst these devices enhance the way we work and live, there are concerns they could be vulnerable to cyber-attacks. If a hacker is able to access your home network through such appliances, they may be able to access a range of confidential information stored on your other devices, such as computers and smart phones.

The Commonwealth Government is committed to ensuring Australians are able to enjoy the opportunities and benefits created by IoT devices, whilst still remaining secure. It has therefore launched a new initiative to develop a voluntary code of practice. It hopes to bring industry, as well as other tiers of government, on board with the code.

The highest priorities for consideration are:

  • No duplicated default or weak passwords;
  • Implementing a vulnerability disclosure policy with device manufacturers, service providers and app developers to have a public point of contact; and
  • To keep software securely updated, including firmware.

Submissions to the enquiry are required by 1 March 2020.

 


❖ Securing APIs – More Important than Ever

Securing-APIs-–-More-Important-than-EverWith APIs integral to digital transformation strategies, many organisations are shifting from running a few APIs to now running hundreds, if not thousands of them. These APIs are often transferring sensitive data. This makes them attractive targets to attackers. Any vulnerabilities in APIs could result in significant data breaches.

That’s why ensuring your APIs are secure is more important than ever.

Having the capacity to detect malicious activity across so many APIs is a significant challenge for many organisations. Common attack vectors include broken authentication mechanisms and broken function-level authorisation flaws. Some APIs inadvertently leak data while backing up files to a repository, such as GitHub, or expose information when interacted with in a manner that the developer did not anticipate.

That’s why the announcement this week that the Commonwealth, State and Territory governments have established uniform national API security standards is welcome news.

The move aims to ensure API standards are consistent between all levels of government. The standards will allow governments, as well as trusted third-parties, to securely share, re-use and enhance data in real-time.

If your organisation relies on APIs to transfer data, it’s essential you conduct regular API penetration testing to ensure any vulnerabilities are promptly identified and fixed. Contact Shearwater to find out how an API penetration test can benefit your organisation.

 


❖ A Phishy Smell in Parliament

A-Phishy-Smell-in-ParliamentWith human error now one of the leading cyber-attack vectors, phishing awareness is absolutely essential to stop malware and ransomware.

Many organisations of all sizes understand the threat and are taking steps to educate their staff about the risks and how to stay safe.

However, it seems those working in the nation’s Parliament need a bit more training.

Both politicians and their staff will begin phishing email simulation training following a state-sponsored cyber-attack against Parliament House earlier this year. With over 4,000 people working in Parliament, it’s essential to raise awareness levels about opening attachments or clicking malicious links.

Whilst Parliament is a prime target for obvious reasons, all organisations should regularly train staff in email security awareness.

Phriendly Phishing is an interactive training program that incorporates engaging modules to create long-term awareness of the risks posed by phishing emails. Contact Shearwater today to find out how your staff can learn the skills to stay safe online.

 

Sources
1. New Ransomware Threat – www.techradar.com
2. Windows 10 Preview Pane Bypasses Word Protected View – www.medium.com
3. Web.com Suffers Major Breach – www.infosecurity-magazine.com
4. Staying Safe with IoT Devices – www.zdnet.com
5. Securing APIs – More Important than Ever – www.itnews.com.au
6. A Phishy Smell in Parliament – www.itnews.com.au

 

 

This Information Security Report is brought to you by Shearwater Solutions

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Whatever your Information Security challenge, we’re here to help you find the right solution.

 

Shearwater Security Report | November 2019

 

Each month Shearwater’s Managed Security Services Team brings you the latest Threats, Exploits and Industry News from Australia and around the world.

Read this month’s Security Report to learn about:

• Current Threats and Exploits
• Addressing the Skills Shortage
• Digital Driver’s Licence
• Australians are Fatigued

Current Threats and Exploits

❖ Beware of .WAV Files with Malware

ϖ Beware of .WAV Files with Malware A file with the .WAV or .WAVE file extension is a Waveform Audio File Format. It’s an audio file that stores data in segments. It was created by Microsoft and IBM and has become the standard PC audio file format.

With attackers constantly on the lookout for new ways to infect computers with malware, they now seem to be increasingly turning their attention to .WAV files. The technique of delivering malicious files in another data type is known as steganography or ‘stego’. This delivery method is successful because it allows files hiding malicious code to bypass security software that whitelists non-executable file formats, such as .WAV or other multimedia files, such as JPG or PNG files.

Researchers have identified a campaign to secretly embed malicious content throughout audio data. The malicious code consists of three different types of components that can execute the malware.

Users are likely none the wiser: When played, the .WAV files either produce music that has no discernible quality issues or glitches, or, in some simply, generate static white noise.

Two payloads were found being delivered in the campaign: A XMRig/Monero CPU Cryptominer and Metasploit code used to establish a reverse shell. This activity suggests a two-pronged campaign to deploy malware for financial gain and establish remote access within the victim’s network. The fact that crypto-mining authors are now deploying their cryptominers via stego methods points to a new level of sophistication on their part.

Since stego is only used as a data transfer method, companies should be focusing on detecting the point of entry/infection of the malware that abuses steganography, or the execution of the unauthorised code spawned by the stego-laced files.

 


Voicemail Not Always What it Seems

Voicemail-Not-Always-What-it-SeemsOnce again, we see the attractiveness of audio as an attack vector. Following on from the threat posed by .WAV files, we now see attackers using access to voicemail as a way to gain unauthorised access.

Whilst Office 365 users have been regular targets for phishers, because their accounts often give access to high-value company data and systems, the new methodology is particularly pernicious.

Hackers have now stepped up their game with new attacks that use audio files masquerading as voicemails to trick users into exposing their passwords. It is part of a ‘phishing’ and ‘whaling’ campaign. Whaling is a type of phishing that is aimed at senior executives, department managers and other high-value targets inside organisations by using lures they are likely to be interested in and fall for.

In this type of attack, the victim is sent rogue emails contain Microsoft’s logo and information about a missed call from a particular phone number. The messages include information such as caller ID, date, call duration, organisation name and a reference number.

The emails have HTML attachments, which, if opened, redirect users to a phishing site that tells them Microsoft is fetching their voicemail and asks them to login to access it.

During this step, the page plays a short audio recording of someone speaking that is meant to trick victims into believing they’re listening to the beginning of a legitimate voicemail.

The fact that these emails incorporate audio to create a sense of urgency prompts victims to access the malicious link.

Once the recording is played, users are redirected to another rogue website that mimics the o365 login page and where the email address is automatically pre-populated to add to the attack’s credibility. If victims input their passwords, they receive a successful login message and are redirected to the legitimate office.com website.

To help prevent this type of attack, you should ensure two-factor authentication is activated for your organisation’s o365 accounts, as this makes this type of breach more difficult for attackers. 

It is also crucial to train staff on how to identify phishing emails and avoid clicking on suspicious links or opening attachments from unknown senders.

 


VPN Vulnerabilities

VPN Vulnerabilities With ISPs required to collect metadata, the potential requirement to grant backdoor access, and the concern that browsing activity could be sold to marketers, many Australians now consider Virtual Private Networks (VPNs) an essential part of being on the internet.

VPNs offer additional privacy and increased security, especially when using unknown wireless networks such as in cafes, airports, or even at work. They also provide the ability to avoid geo-locked content on services like Netflix.

However, there are increasing concerns that VPNs may not be totally secure. Recent warnings have been issued by both the Australian Cyber Security Centre (ACSC) and the UK’s National Cyber Security Centre (NCSC) about known exploits.

It is now known that vulnerabilities affecting VPN products from vendors including Pulse Secure, Fortinet and Palo Alto are being exploited by attackers. This ongoing threat targets VPN users around the world, including Australia.

Vulnerabilities exist in several SSL VPN products which allow an attacker to retrieve arbitrary files, including those containing authentication credentials. An attacker can use these stolen credentials to connect to the VPN and change configuration settings or connect to further internal infrastructure. Unauthorised connection to a VPN could also provide the attacker with the privileges needed to run secondary exploits aimed at accessing a root shell.

When it comes to selecting the most secure type of VPN, we recommend opting for ‘OpenVPN’. It uses open-source technologies like the OpenSSL encryption library and SSL v3/TLS v1 protocols.

OpenVPN can be configured to run on any port, so you could configure a server to work over TCP port 443. The OpenSSL VPN traffic would then be practically indistinguishable from standard HTTPS traffic that occurs when you connect to a secure website. This makes it difficult to block completely.

It’s very configurable and will be most secure if it’s set to use AES encryption instead of the weaker Blowfish encryption. OpenVPN has become a popular standard. We’ve seen no serious concerns that anyone has compromised OpenVPN connections.

OpenVPN support isn’t integrated into popular desktop or mobile operating systems. Connecting to an OpenVPN network requires a third-party application — either a desktop application or a mobile app. You can even use mobile apps to connect to OpenVPN networks on Apple’s iOS.

You should also ensure you use a VPN kill switch. This is a feature that will drop the internet connection on your device if the VPN connection fails. Without activating a VPN kill switch, if the VPN connection fails, your true IP address could be visible, potentially revealing your identity and/or location.

 


Emotet Trojan Risk

Emotet Trojan RiskThe Australian Cyber Security Centre continues to issue warnings about malware known as Emotet.

Emotet is a Trojan that is primarily spread through spam emails. The infection may arrive either via malicious script, macro-enabled document files, or a malicious link. Emotet emails may contain familiar branding designed to look like a legitimate email and usually tries to persuade users to click the malicious files by using tempting language about “Your Invoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies. It is most commonly spread via Microsoft Office attachments, usually Microsoft Word (.doc, .docx) documents. There have also been reports of PDF attachments containing the malware.

These attached files contain macros that download and install the Emotet malware when opened.

Due to the fact that the Emotet malware is often embedded in a macro in a Microsoft Office or PDF document, the ACSC recommends implementing security controls around the use of macros to reduce the likelihood of infection.

Start by reviewing the ACSC’s Microsoft Office Macro Security recommendations. Where possible block macros from the internet and only allow macros to execute from trusted locations where write access is limited to personnel whose role is to vet and approve macros.

For additional recommendations from the ACSC on limiting your exposure to Emotet, CLICK HERE.

 

INDUSTRY NEWS

❖ Addressing the Skills Shortage

Addressing the Skills ShortageOver coming years, Australia will face a significant shortfall in the number of skilled cybersecurity personnel. By 2026, it is anticipated an additional 18,000 cybersecurity workers will be needed for the sector to harnesses its full growth potential. This shortfall has significant economic consequences. In 2017, up to $405 million in revenue was forfeited in the cybersecurity sector as a direct result of the lack of skilled workers.

To help begin addressing this shortfall, the Federal Government has launched a new ‘fast-track’ permanent residency visa program for highly skilled tech migrants, including those with cyber security skills.

The ‘Global Talent Independent Program’ aims to lure up to 5000 high-income earners working “at the top of their field” to Australia over the coming year with the offer of a “fast tracked process to permanent residency”.

The program has been welcomed as a “great initiative” by CyberCX.

 


Digital Drivers Licences

Digital Drivers Licenses NSW motorists can now ditch their physical driver’s licence for a digital alternative and use it as a form of ID after the state government finally pressed go on its state-wide rollout.

The opt-in digital pass is available to both iPhone and Android users via the Service NSW app.

A range of security features such as holograms and scannable QR codes are offered to ensure the ‘liveness’ of the identity document and protect citizens against identity fraud. But, are these security measures enough?

The Government says the digital license is safer than its physical predecessor, although privacy is still a concern for some.

Service NSW recently created the state government’s first bug bounty program, in part to ensure the digital license platform is secure. The Government admitted the goal of the bug bounty program is to weed out security vulnerabilities in the opt-in electronic vehicle licence.

 


Australians are Fatigued

Australians are FatiguedUp to 65% of Australian businesses are suffering from cybersecurity fatigue according to the 2019 Cisco Asia Pacific CISO Benchmark Study. Whilst the figure is an improvement on last year’s figure of 69%, it is still far higher than the global average of 30%.

The report speculates that one of the reasons for this fatigue is that Australian businesses may receive too many daily security alerts. This may overwhelm their ability to investigate alerts and remediate legitimate ones.

The three greatest obstacles to adopting more advanced security processes and technology are budget constraints, organisational attitudes and competing priorities.

There’s no doubt many organisations are challenged when it comes to fulfilling a wide range of cybersecurity functions. Building a dedicated in-house Managed Security Services team, with all the skillsets that entails, can be a major expense.

That’s where engaging a professional cybersecurity service provider can be a cost-effective alternative. Shearwater has the skills and experience to handle all your cybersecurity needs, including staff-training to achieve the right organisational attitudes.

Contact us  today to achieve all your organisation’s cybersecurity requirements.

 

 

· Beware of .WAV Files with Malware : https://threatpost.com/wavs-hide-malware/149240/ and https://www.zdnet.com/article/wav-audio-files-are-now-being-used-to-hide-malicious-code/
· Voicemail Not Always What it Seems : https://www.computerworld.com.au/article/668107/attackers-phish-office-365-users-fake-voicemail-messages/
· VPN Vulnerabilities : https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities
· Addressing the Skills Shortage : https://www.itnews.com.au/news/australia-to-fast-track-permanent-residency-for-highly-skilled-tech-migrants-533419
· Digital Drivers Licences : https://www.itnews.com.au/news/nsw-govts-first-bug-bounty-program-driven-by-digital-licensing-push-533535
· Australians are Fatigued : https://www.cisco.com/c/m/en_au/products/security/offers/benchmark-reports-2019.html


This Information Security Report is brought to you by Shearwater Solutions

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Whatever your Information Security challenge, we’re here to help you find the right solution.

 

Shearwater Security Report | October 2019


Each month Shearwater’s Managed Security Services Team brings you the latest Threats, Exploits and Industry News from Australia and around the world.

Read this month’s Security Report to learn about:

• Current Threats and Exploits
• Revised Information Security Manual (ISM)
• Notifiable Data Breach (NDB) Quarterly Report
• Australia’s 2020 Cyber Security Strategy

Current Threats and Exploits

❖ Emergency Microsoft IE Patch

On September 23, Microsoft issued an emergency security update for Internet Explorer.(1)

The patch addresses a critical vulnerability in IE that is currently being exploited by attackers in the wild. If not fixed, the memory corruption bug would allow a scripting-engine to be abused by a malicious web page or email to achieve remote code execution.

The result would mean Windows PCs could be hijacked by viewing a suitably booby-trapped web site, or message, when using IE. Malware, spyware, and other software could then be injected to run on the computer.

Microsoft considers this vulnerability so risky, that it wasn’t prepared to wait to release the patch with its monthly ‘Patch Tuesday’ bundle. Due to the severity of the bug, combined with the fact that it is being actively targeted, Microsoft chose to issue an emergency release.

ACTION: Ensure your patches are updated here.


Multiple Apple Patches

Releasing one patch in a week – OK
Releasing two patches in a week – Hmmmm
Releasing three patches in a week – OUCH!

To top it off, such a rapid release of so many updates within a few short weeks following iOS13’s initial release isn’t a good look. The patches affect iOS, macOS, iPadOS, and watchOS.(2)

Between September 24 and 30, Apple dropped the following patches: 

13.1: Fixes include faulty app icons, sign-in failures, Mail problems, Siri not working with CarPlay properly, and stability issues. It also addresses an out-of-bounds memory read that might allow an attacker to execute arbitrary code on the target machine. This update affects a number of operating systems across several Apple platforms. Apple released updates designated macOS Mojave 10.14.6 Supplemental Update 2, Security Update 2019-005 High Sierra, and Security Update 2019-005 Sierra; watchOS 5.3.2; and iOS 12.4.2.

13.1.1: Fixes include a security update to stop third-party keyboards operating as if they’d been given user permissions when they hadn’t been. This update also addresses errors in the “sandbox” that iOS and iPadOS use to limit the permissions and resources available to an app. Because of the error, third-party app extensions could run with the wrong permissions, gaining access to resources they should not have been able to reach.

13.1.2: Fixes include plugging security bugs and addressing problems associated with the flashlight and camera. This update also addresses a bug where the progress bar for iCloud Backup could continue to show after a successful backup, a bug that could result in a loss of display calibration data and an issue where shortcuts could not be run from HomePod.

If you’re already running iOS13, then it would be recommended to upgrade to 13.1.2.

However, if you’re still running iOS12 or below, probably best to wait a while to see if additional patches are released in coming weeks.

ACTION: A full list of Apple updates can be found here.


Exim Mail Patches

With potentially tens of thousands of Australian networks hosting Exim mail servers, the risks are high each time a vulnerability is discovered.

Exim administrators have been warned to patch their installations following the discovery of a string expansion bug that could be used for denial of service (DoS) attacks and remote code execution.(3)

A new patch has been released with version 4.92.3 of the mail server. Those using versions 4.92, 4.92.1 or 4.92.2 should update their systems.

ACTION: Updates to Exim 4.92.3 can be found here.


D-Link Firmware Update

D-Link makes some of the most widely used routers in Australia.

Researches recently discovered vulnerabilities in an older version of the router whereby passwords were being leaked through its web-based management interface.

The model in question is the DSL-2875AL wireless ADSL2+ modem. Although it’s now been discontinued, many Australians could still be using it.(4)

It has been claimed that anyone with local network access could simply use a web browser to view the romfile.cfg file stored on the router, without any authentication required. The file contains the password to the device in clear text.

Such vulnerabilities are serious as they would allow attackers to control the routers over which all user data travels to their internet providers.

D-Link strenuously states that these vulnerabilities are not present in current products available in the Australian market, and that patches for the vulnerabilities on older models were released some time ago.

In case you are using an older D-Link model and need to update it, D-Link firmware updates are available.

ACTION: D-Link firmware updates can be found here.


❖ OnApp Cloud Vulnerability

With cloud computing now ubiquitous, a whole new world of possible vulnerabilities has opened up.

Most cloud computing risks stem from poor user management. However, Australian researches discovered a flaw in OnApp’s Cloud Management Platform. OnApp powers thousands of cloud systems around the world. The Cloud Management Platform is designed to take the complexity out of building and managing cloud infrastructure.

In many cases, an organisation with multiple servers will manage all of them from the same Cloud Management Platform. The Australian researchers discovered that the access keys used to launch an SSH connection to one of the servers would grant access any of the other servers hosted on the same Cloud Management Platform.

This design flaw could let an attacker access, steal, change, or eliminate data on a server through no fault of the user.

Attackers could do this even if they didn’t have the private key, since many cloud providers offer free trial accounts that only require an email address to sign up. An attacker wouldn’t have to provide any identifying details to gain access to the first server in order to launch an attack on the other servers.

The flaw has the potential to affect hundreds of thousands of production servers and organisations around the world.(5)

ACTION: Updates to mitigate this treat can be found here.

 

 

INDUSTRY NEWS

❖ Revised ISM

In line with their ongoing efforts to transition from a compliance-based approach to a principles-based framework, the Australian Signals Directorate has issued an updated Information Security Manual (ISM).

This shift comes on the back of an extensive 12-month review.

The ISM now incorporates four Cyber Security Principles that will help guide organisations:

  • Govern: Identifying and managing security risks.
  • Protect: Implementing security controls to reduce security risks.
  • Detect: Detecting and understanding cyber security events.
  • Respond: Responding to and recovering from cyber security incidents.

Using their corporate risk-management frameworks to apply these four principles, organisations should be better placed to protect their systems and information from cyber threats.

The purpose of the ISM is to assist Australian government agencies apply a risk-based approach to protecting their information and systems. Updated monthly, it is designed primarily for Chief Information Security Officers and cyber security professionals. It aims to keep them up to date with current cyber security risks and appropriate mitigation strategies. (6)

With the ISM being updated on a regular basis, it’s important to conduct ongoing reviews to verify that your organisation’s systems remain in alignment. Speak to Shearwater’s team of ISM experts for further advice.


❖ NDB Quarterly Report

The Office of the Australian Information Commissioner (OAIC) has released its latest Notifiable Data Breaches (NDB) quarterly report.(7)

While notified data breaches were up 14% in the most recent quarter (April to June 2019), the figure is still in-line with longer term trends:

Quarter Total number of notifications
July to September 2018 245
October to December 2018 262
January to March 2019 215
April to June 2019 245

The NDB scheme came into effect in February 2018. It requires disclosure and reporting of data breaches when a breach is likely to result in serious harm to those whose information was impacted.

The causes of this quarter’s 245 breaches include:
• Malicious or Criminal Attacks: 151 breaches
• Human Error: 84 breaches
• System Faults: 10 breaches
Source-of-data-breaches-by-percentage-All-sectors
This serves as a timely reminder of just how important it is to ensure the employees within your organisation have ongoing cyber security training. Attack vectors such as phishing emails deliberately target people, as busy staff are all too often tricked into clicking dangerous links or opening malicious attachments.

To find out how Shearwater’s “Phriendly Phishing” training program can significantly enhance your staff’s cybersecurity preparedness, request a free trial today


❖ Australia’s 2020 Cyber Security Strategy

Back in 2016, the Australian Government released a 4-year National Cybersecurity Strategy.

Since then, the entire cybersecurity landscape has changed. So, with 2020 just around the corner, an update is well and truly warranted.

To kick things off, the government has released a discussion paper. The new strategy will aim to position Australia to meet the rapidly evolving cyber threat environment.

“The magnitude of the threats faced by Australian businesses and families has increased. They will become more acute as our society and economy become increasingly connected. As the threat evolves, so too must our response”.(8)

Topics under discussion include:
• Government’s role in a changing world
• Enterprise, innovation and cyber security
• A trusted marketplace with skilled professionals
• A hostile environment for malicious cyber actors
• A cyber-aware community

Submissions close 1 November 2019 and can be SUBMITTED HERE.

 

 

 

(1) https://www.theregister.co.uk/2019/09/23/microsoft_internet_explorer_cve_2019_1367/
(2) https://www.darkreading.com/vulnerabilities—threats/apple-patches-multiple-vulnerabilities-across-platforms/d/d-id/1335941
(3) https://www.itnews.com.au/news/scads-of-aussie-exim-mail-servers-need-patching-again-531695
(4) https://www.itnews.com.au/news/d-link-wireless-modems-found-to-leak-passwords-530800
(5) https://www.vice.com/en_in/article/ywanev/thousands-of-cloud-computing-servers-could-be-owned-with-very-simple-attack-researchers-say
(6) https://www.cyber.gov.au/news/australian-government-information-security-manual-updated
(7) https://www.oaic.gov.au/assets/privacy/notifiable-data-breaches-scheme/statistics/notifiable-data-breaches-statistics-report-1-april-to-30-june-2019.pdf
(8) https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/cyber-security-strategy-2020


This Information Security Report is brought to you by Shearwater Solutions

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Whatever your Information Security challenge, we’re here to help you find the right solution.

 

Shearwater Security Report | September 2019


Current Threats and Exploits

· WordPress Plugin Vulnerabilities

WordPress Plugin-Vulnerabilities 

Vulnerable plugins are one of the top methods used by attackers to gain access to WordPress sites. 

Once again we’ve seen evidence of a malicious WordPress plugin that encrypts user blog posts with AES (Advanced Encryption Standard). AES is a method for encrypting text, often used by the US Government. It offers a way to protect classified information and is implemented in both software and hardware throughout the world to encrypt sensitive data by rendering it unreadable.

This latest malicious plugin, known as “WP Security”, uses AES to encrypt the contents of blog posts. Only the body of the post is encrypted, with all other attributes left unaltered.

As we go to press, there is no evidence of ransom demands being made to decrypt the content. However, the attackers could potentially demand ransoms in the future.

Shearwater recommends improving your WordPress plugin security by following these best-practice steps:

  1. Use Plugins Sparingly – The fewer Plugins you have, the less chance one of them could have vulnerabilities that pose a risk to your site.
  2. Download Plugins from Reputable Sites – Try to restrict the Plugins you use to those available from the official WordPress.org directory. These Plugins have been widely used, so it is more likely that any vulnerabilities have already been identified and patched.
  3. Remove any Unused Plugins – When you make updates to your site and no longer require certain Plugins, make sure you delete them.
  4. Update Plugins Regularly – In our experience, many attackers target sites that are not updated with the latest versions of a Plugin. In fact, it is often the case that attackers seek to exploit old vulnerabilities that have been known for some time. Ensuring you update your Plugins on a regular basis to protect yourself with the latest security fixes is one of the easiest ways to stop attackers.
  5. Consider a WordPress Firewall – A Web Application Firewall or WAF can help protect you from zero-day exploits in which an attacker has discovered a new vulnerability that doesn’t yet have a patch available. A WAF can examine traffic to your site, helping you identify and filter out malicious requests.

 

· Beware of Worms 

Beware-of-Worms 

A “wormable” exploit not only breaks into, and infects, one computer. It subsequently spreads itself onwards to infect other vulnerable computers as well. That’s why they have the potential to be so pernicious.

Wormable exploits, such as WannaCry (2017) and BlueKeep (2019), have the potential to inflict devastating damage because once introduced, they can propagate and spread without any further human interaction.

So, when Microsoft recently identified two potentially wormable vulnerabilities in its software, alarm bells began ringing loudly.

Remote Desktop Services (RDS) is the Microsoft software that enables a user, such as a network administrator, to take control of a remote computer (i.e. a computer they don’t have physical access to) via a network connection. This is made possible through Remote Desktop Protocol (RDP) messaging.

It was while hardening RDS software last month, that Microsoft discovered the two vulnerabilities.

These could be exploited without any user interaction, simply by sending specially crafted RDP messages to computers running RDS software.

Once in, an attacker could install programs, change or delete data, create new accounts with full user rights, and more.

Identified as CVE-2019-1181 and 1182, Microsoft warned these vulnerabilities affect more Windows versions than BlueKeep, including:

· Windows 7 SP1
· Windows 8.1
· Windows 10
· Windows Server 2008 R2 SP1
· Windows Server 2012
· Windows Server 2012 R2
· Windows Server 2016
· Windows 2019

According to Microsoft, these vulnerabilities haven’t yet been exploited in the wild, but urged customers to get ahead of the game by patching quickly.

CVE-2019-1181 Patch can be found here

CVE-2019-1182 Patch can be found here

 

· Password Security 

password-security

For many people, keeping up to date with dozens of passwords, across multiple devices, can be a real headache. Passwords need updating on a regular basis, and we’re told using the same password for all our logins is a major security risk.

That’s why password management software has become increasingly popular in recent years.

Products like Trend Micro’s “Password Manager” offers users the ability to sync passwords across Windows, macOS, iOS, and Android devices. It captures and replays login credentials, can identify weak and duplicate passwords and auto-complete web forms.

But, what happens when the password management software is found to be vulnerable? The risk of significant data breach is enormous.

Two serious security flaws were recently discovered in the 2019 version of Trend Micro’s “Password Manager” product, as well as its anti-malware products “Maximum Security” and “Premium Security” for Windows devices.

These vulnerabilities would allow an attacker to load an arbitrary file with malicious code into the software and have it executed on the host.

As Trend Micro products operate with the highest available privileges on a device, once the software has been exploited, a low privileged user could run malicious code as a system administrator, giving them complete control over the host.

If you use Trend Micro products, it’s essential to ensure your systems are updated with the latest patches. Users who have signed up for automatic updates will already be patched. For others, the patch can be accessed manually by clicking here.

 

· Google Calendar Phishing

Where would we be without the G-Suite? Gmail, Google Docs and Google Calendar have become almost ubiquitous. They offer tremendous convenience. But with such widespread usage comes increased risk. If a vulnerability can be detected in these popular apps, attackers could cause widespread havoc.

Recently, just such a vulnerability was discovered in Google Calendar. The intuitive app scans a user’s Gmail account for upcoming events, such as booked flights, restaurant reservations or movie tickets. It then automatically adds these to the user’s Google Calendar.

A vulnerability was uncovered when one person forwarded an email to a colleague containing details of an upcoming flight they’d booked for themselves. Google Calendar erroneously thought the booking was for the colleague and added the flights to the colleague’s schedule. The colleague did not have to do anything to approve the addition of these flights to their Calendar.

This opens all kinds of potential phishing vulnerabilities. If ways can be found to automatically add events to users’ Google Calendars, these events could conceivably contain malicious links to further details about the supposed event.

Busy people will be more likely to click on such a link to obtain further information. Once the link is clicked, dangerous malware could easily be installed.

Furthermore, with the G-Suite products all linked, an attacker could easily gain access to sensitive documents stored in Google Docs, along with full access to the user’s Gmail account.

While many people have become accustomed to identifying phishing emails, they are unlikely to have observed phishing within their Google Calendar before. They are therefore more likely to be successfully phished.

When training people in your organisation regarding the risks of phishing, it is important to raise awareness that phishing attacks can come in a variety of formats. Certainly, email phishing is a major concern, but malware can also be delivered via SMS and now even through Google Calendar events.

 

Recent Breaches

· Web Hosting Breach 

Web-Hosting-Breach 

Hostinger is a web hosting company that is owned by its employees. Founded in 2004, it now boasts more than 25 million users worldwide, located in more than 178 countries. The company offers shared web hosting in which multiple websites live on a shared server. This results in cheaper web hosting solutions.

During August, millions of Hostinger customers started receiving emails bearing bad news: their passwords required resetting following a major data breach.

According to Hostinger, 14 million customers were affected by the reset. This follows attackers gaining access to an API server on 23 August 2019. The database contained details of customer accounts, including usernames, email addresses, first names, IP addresses, and hashed passwords. 

While Hostinger is adamant that account passwords were hashed, they did not specify how this was done. It was subsequently discovered that Hostinger hashed the passwords using “Secure Hash Algorithm 1” (SHA-1). This is a cryptographic function which takes an input (in this case a password) and produces a 160-bit hash value known as a message digest. The password is then rendered as a 40-digit long number.

The problem with SHA-1 encryption is that it has been subject to many collision attacks in recent years. A collision attack is an attempt to find two input strings of a hash function that produce the same hash result. When two separate inputs produce the same hash output, it is called a collision. This collision can then be exploited by any application that compares two hashes together. As computational power increases, SHA-1 encryption will become even more vulnerable to cracking.

This is why big internet companies have readied SHA-1 for the scrapheap.

Belatedly, Hostinger announced plans to investigate the origins of the latest incident with a view to improving security. The lesson for users is to check that service providers use stronger encryption methods, such as SHA-256, which offer far more security.

 

Other News

· Cryptomining Worm 

cryptomining-worm

Cryptocurrency mining, or cryptomining, is the legitimate way cryptocurrencies are generated. It involves the use of computational processing power to solve complex mathematical problems. Those who successfully resolve the complex problems are rewarded with a small amount of the cryptocurrency.

It is an essential step in ensuring the validity of the currency, with no one able to use the same money twice.

However, cryptomining is a long process, requiring large amounts of computational processing power, for relatively little reward. Unscrupulous individuals try to find ways to turn cryptomining into a much more profitable enterprise by hacking into other people’s computers, infecting them with malware and using their computers’ processing power without their knowledge. This is when cryptomining becomes illegal.

Retadup was one such malware. First seen in 2017, it is believed it had infected over 850,000 computers, mostly in Latin America. The cryptomining worm could self-propagate without the need for human involvement. Apart from being able to collect data from infected computers, Retadup was also running the Monero cryptocurrency miner. 

An investigation by antivirus maker Avast, discovered a vulnerability in Retadup’s communications protocol that could allow them to instruct the malware to delete itself. This paved the way for French law-enforcement to take down the backend infrastructure of the Retadup malware gang. It also enabled them to disinfect over 850,000 Windows systems without users having to do anything.

Remember, protecting yourself from malware, including worms such as Retadup, you need to be vigilant with file-sharing networks and avoid clicking on any suspicious attachments or links. You should also maintain up-to-date antivirus protection, preferably with a firewall.

 

To stay secure, you need to be proactive.

Cybercriminals are constantly looking for ways to exploit vulnerabilities and will use any opportunity to circumvent your security systems.

Keep on top of the latest advances in cybersecurity and ensure your organisation stays ahead of the threats with Shearwater’s team of expert consultants.

Together, we’ll develop a comprehensive security roadmap for your organisation that takes into account your specific needs and circumstances.

Take the first step towards enhancing your security and speak with us today.

 

· WordPress Plugin Vulnerabilities – https://securityboulevard.com/2019/08/malicious-plugin-used-to-encrypt-wordpress-posts/
· Beware of Worms – https://nakedsecurity.sophos.com/2019/08/14/microsoft-warns-of-new-worm-ready-rdp-bugs/
· Password Security – https://www.darkreading.com/vulnerabilities—threats/trend-micro-patches-privilege-escalation-bug-in-its-password-manager/d/d-id/1335525
· Google Calendar Phishing – https://www.blackhillsinfosec.com/google-calendar-event-injection-mailsniper/
· Web Hosting Breach – https://nakedsecurity.sophos.com/2019/08/27/hostinger-upgrades-password-security-after-14m-accounts-breached/
· Cryptomining Worm – https://threatpost.com/cryptomining-worm-infections-self-destructs/147767/

 


This Information Security Report is brought to you by Shearwater Solutions

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Whatever your Information Security challenge, we’re here to help you find the right solution.

 

Shearwater Security Report | August 2019


Current Threats and Exploits

· Getting Zoomed

Getting-ZoomedA flaw in leading online meeting and video conferencing platform Zoom, forces users onto video and audio calls without their consent.

The popular application can be misused to forcibly join people onto calls. It does this by activating microphones and video cameras on Mac computers without user permission.

Security researcher Jonathan Leitschuh, from software development automation company Gradle, was curious how clicking on a sent meeting link would start up users’ Zoom clients from a web browser. Leitschuh thought it was an “amazing bit of functionality” and wondered how it had been implemented securely by Zoom.

His curiosity led to the discovery of two serious vulnerabilities that are very simple to exploit, and which Leitschuh said exposes up to 750,000 companies around the world with over four million webcams being activated by malicious websites.(1)

Zoom has released a patch to remedy the vulnerability which can be found HERE. By installing the patch, malicious third parties will no longer be able to automatically activate webcams using a Zoom link. 

 

· Watching the WatchBog

Watching-the-WatchBog-A new version of WatchBog – a cryptocurrency-mining botnet operational since late 2018 – has been discovered to have compromised more than 4,500 Linux machines since early June.

This version of WatchBog has the ability to scan Windows computers and implements a BlueKeep Remote Desktop Protocol (RDP) vulnerability scanner. It is believed that the presence of this scanner indicates that WatchBog is preparing a list of vulnerable systems to target in the future, or possibly intends to sell a list of vulnerable systems to third party vendors for profit.

The malware is currently undetected by all security vendors

BlueKeep is a remote code execution vulnerability present in the Windows Remote Desktop Services and enables remote unauthenticated attackers to run arbitrary code, conduct denial of service attacks and potentially take control of vulnerable systems.

In May, Microsoft patched the Remote Code Execution (RCE) flaw that impacts several versions, from Windows XP, Vista, and 7 to Windows Server 2003 and 2008, including all versions with installed Service Packs.(2)

According to Microsoft, customers who use an in-support version of Windows (i.e. Windows 7, Windows Server 2008 R2, and Windows Server 2008) and have automatic updates enabled are automatically protected from the released patch.

However, out-of-support operating systems such as Windows XP and Windows 2003 are also affected by the critical CVE-2019-0708 flaw, with users of these Windows versions having to either upgrade to newer releases or to apply the security updates available via KB4500705.

Windows 8 and Windows 10 users are not impacted by the vulnerability because of the strengthened security provided by Redmond with the latest Windows releases.

 

· Astaroth – The Great Duke of Hell

Astaroth-The-Great-Duke-of-Hell-Astaroth is the Great Duke of Hell in demonology. Along with Beelzebub and Lucifer, they make up the evil trinity. 

So it was appropriate that when researchers from Microsoft detected a fileless malware campaign that uses legitimate services to deliver its payload, it was dubbed Astaroth.

The malware was detected while looking into a recent spike in the use of the Windows Management Instrumentation Command-line (WMIC) tool. 

When Astaroth is executed, the LNK file causes the execution of the WMIC tool with the ‘/Format’ parameter, which allows the download and execution of a JavaScript code. The JavaScript code in turn downloads payloads by abusing the Bitsadmin tool.

All the payloads are Base64-encoded and decoded using the Certutil tool. The Regsvr32 tool is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process. During the entire process, all files run are legitimate system tools, which could make it difficult for legacy security solutions to detect.(3)

Manual removal might be a lengthy and complicated process that requires advanced computer skills. It is preferable that you rely on your antivirus software. However, if you do need to remove Astaroth manually, CLICK HERE.

 

· Office 365 Licence Expiration Phishing

Office-365-Licence-Expiration-Phishing-A new phishing campaign has been detected which targets Office 365 administrators, rather than standard users.

The phishing emails indicate there is something wrong with an organisation’s Office 365 instance and the administrator should log in to fix the problem.

A common method is to send an email claiming the licence for Office 365 is about to expire. If the administrator clicks on the provided link, they will be taken to a fake Office 365 login page, hosted in Azure. As such, this allows the malicious actor to host the page with a *windows.net URL and even allows a legitimate certificate for the site.

The seemingly legitimate domain and valid certificate may convince the administrator to enter their credentials.

As with other phishing attempts, user training and the use of multi-factor authentication will often be sufficient to protect against such attacks.(4)

With Shearwater’s ‘Phriendly Phishing’ training modules, your staff will receive ongoing, targeted education to enable them to identify and handle dangerous emails containing malware or ransomware. CLICK HERE for further information about ‘Phriendly Phishing’.

 

· Up the Wind River Without a Paddle

Up-the-Wind-River-Without-a-Paddle-Researchers at Armis Labs have discovered 11 potentially serious security flaws affecting the Wind River VxWorks Real-Time Operating System (RTOS), described by the company as “the most widely used operating system you may never have heard about”. 

Collectively named ‘Urgent/11’ by Armis Labs, the flaws affect an estimated 200 million devices going back to an earlier version of VxWorks in 2006. Susceptible devices include routers, modems, firewalls, printers, VoIP phones, SCADA systems, IoT, and even MRI machines and elevators. 

Reported on some time ago, the list of 11 CVEs comprises six critical RCE flaws, plus five less serious issues that could lead to denial of service, information leaks, or logic errors. Exploiting the flaws would be relatively easy on devices accessible from the internet, or locally, however the exploit detection would be difficult. 

All versions of VxWorks since 6.5, released in 2006 are affected, as are some older versions where the software was used as a standalone TCP/IP stack and discontinued versions of Wind River Advanced Networking Technologies.(5)

To ensure you’re Wind River VxWorks Real-Time Operating System is updated with the latest patches, CLICK HERE.

 


Other News

· VPN Flaws Affect Widely Used Products

VPN-Flaws-Affect-Widely-Used-Products-Critical flaws in popular Virtual Private Networks (VPNs) could be exploited to gain access to corporate networks and steal data. The flaws are easily remotely exploitable; they affect VPNs from Palo Alto Networks, Pulse Secure, and Fortinet.

All three have released advisories and updates to address the issues. 

While the patches have been out for a while, scans found many devices online still running the vulnerable code. Organisations should ensure that boundary protections, including VPN, Firewalls, IDS/IPS are in maintenance schedules with priority for updates.(6)

 

· BlueKeep Exploit Instructions Posted Online

bluekeepOn the back of the recent BlueKeep exploit, information has been posted to GitHub which offers directions for exploiting the BlueKeep vulnerability.

A security researcher has published a detailed guide that shows how to execute malicious code on Windows computers still vulnerable to the critical BlueKeep vulnerability.

The move significantly lowers the bar for writing exploits that wreak the kinds of destructive attacks, not seen since the WannaCry and NotPetya attacks of 2017.(7)

To protect against BlueKeep, we strongly recommend you apply the Windows Update, which includes a patch for the vulnerability.

If you use Remote Desktop in your environment, it’s very important to apply all the updates. If you have Remote Desktop Protocol (RDP) listening on the internet, we also strongly encourage you to move the RDP listener behind some type of second factor authentication, such as VPN, SSL Tunnel, or RDP gateway.

You also want to enable Network Level Authentication (NLA), which is a mitigation to prevent un-authenticated access to the RDP tunnel. NLA forces users to authenticate before connecting to remote systems, which dramatically decreases the chance of success for RDP-based worms. The DART team highly recommends you enable NLA regardless of this patch, as it mitigates a whole slew of other attacks against RDP.

 

· Firefox Support for DNS over HTTPS

firefox

Mozilla has recently implemented support for the new protocol DNS over HTTPS into their Firefox web browser. The protocol will allow the browser to issue its own DNS queries to a remote server, with the whole session being both authenticated and encrypted using TLS.

Enabling this feature will improve privacy by disallowing anyone intercepting the users DNS traffic from having visibility of where the user is going. However, this same benefit can also make it more difficult for legitimate parties, observing the traffic, to log users’ actions and even block access to potentially harmful sites. In addition, as the DNS queries are tunnelled over HTTPS, it will likely be very difficult for an enterprise to prevent DNS without stopping traditional HTTPS from operating correctly.(8)

 

 

To stay secure, you need to be proactive.

Cybercriminals are constantly looking for ways to exploit vulnerabilities and will use any opportunity to circumvent your security systems.

Keep on top of the latest advances in cybersecurity and ensure your organisation stays ahead of the threats with Shearwater’s team of expert consultants.

Together, we’ll develop a comprehensive security roadmap for your organisation that takes into account your specific needs and circumstances.

Take the first step towards enhancing your security and speak with us today.

 

(1) http://www.itnews.com.au/news/zoomus-flaw-forces-users-onto-video-and-audio-calls-527917
(2) https://www.bleepingcomputer.com/news/security/bluekeep-scanner-discovered-in-watchbog-cryptomining-malware/
(3) https://www.infosecurity-magazine.com/news/microsoft-warns-of-fileless/
(4) https://www.bleepingcomputer.com/news/security/phishers-target-office-365-admins-with-fake-admin-alerts/
(5) https://nakedsecurity.sophos.com/2019/07/31/urgent-11-flaws-affect-200-million-devices-from-routers-to-elevators/
(6) https://techcrunch.com/2019/07/23/corporate-vpn-flaws-risk/
(7) https://nakedsecurity.sophos.com/2019/07/26/bluekeep-guides-make-imminent-public-exploit-more-likely/
(8) https://www.zdnet.com/article/how-to-enable-dns-over-https-doh-in-firefox/


 

This Information Security Report is brought to you by Shearwater Solutions

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Whatever your Information Security challenge, we’re here to help you find the right solution.

Shearwater Security Report | July 2019


Our monthly Security Report highlights some of the recent cybersecurity threats making headlines around the world.

Compiled by Shearwater’s experienced cybersecurity professionals, this report identifies new attack vectors used by cybercriminals, and helps you stay one step ahead of the attackers.

In this report we feature:

· Firefox – critical vulnerability uncovered by targeted attacks

· BlueKeep – could it be the next WannaCry?

· Up to 57% of email at risk 

· Cisco patch to stop online forgery

· Not so sunny in the Sunshine State

· Threats from within can be devastating too

· LooCipher – doing the work of the devil 

· Now criminals adopt security measures too 

Current Threats and Exploits

· Firefox critical vulnerability uncovered by targeted attacks

firefoxUncovering a bug that can be exploited to provide attackers with remote code execution, Mozilla moved quickly to address the critical vulnerability by issuing a patch. The bug, which would still require a separate sandbox escape, could also be exploited for universal cross site scripting.

According to Mozilla, the vulnerability (CVE-2019-11707) “can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash.”

The vulnerability has been fixed in Firefox 67.0.3 and Firefox ESR 60.7.1.(1)

· BlueKeep – could it be the next WannaCry?

bluekeepIt’s been two years since WannaCry. The indiscriminate virus spread like wildfire, infecting almost one quarter million computers globally back in 2017. It all started when someone unwittingly opened an infected email attachment.

Now there’s the potential for an even more devastating attack.

A vulnerability, known as BlueKeep (CVE-2019-0708) exists within the Remote Desktop Protocol (RDP) used by the Microsoft Windows operating system. An attacker can exploit this vulnerability to perform remote code execution on an unprotected system.

While Microsoft has already issued a patch to repair the vulnerability, it is believed many systems are still at risk.

According to Microsoft, an attacker can send specially crafted packets to one of these operating systems that has RDP enabled. After successfully sending the packets, the attacker would have the ability to perform a number of actions including:

    • Adding accounts with full user rights;
    • Viewing, changing, or deleting data; or
    • Installing programs.

This exploit, which requires no user interaction, must occur before authentication to be successful.

BlueKeep is considered “wormable” because malware exploiting this vulnerability on a system could propagate to other vulnerable systems. Thus, there’s a very real risk a BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017.(2)

· Up to 57% of email at risk 

email“Return of the WIZard” is a vulnerability allowing hackers to send malicious email to Exim software. Exim is a popular email server software, or message transfer agent (MTA), used to send and receive email. With an estimated 57% of email servers operating Exim software, there is an acute risk to email disruption from the vulnerability.

According to Microsoft, an active Linux worm is targeting Exim. The worm allows attackers to remotely execute commands on a vulnerable server.

It is known there are at least two groups of hackers seeking to exploit the vulnerability to run malicious code. Hackers have also downloaded and installed a cryptocurrency miner on compromised servers.

While a mitigation is already in place to block the worm, Microsoft states that Azure servers with Exim software can still be infected or hacked.

The vulnerability (CVE-2019-10149) was discovered in Exim 4.87 to 4.91.

If not stopped, the worm would use the infected server to search for other vulnerable hosts to infect. Anyone using an email server with Exim software should install the latest patches as soon as possible.(3)

· Cisco patch to stop online forgery

ciscoWe all login to a variety of online accounts daily.

Whether it’s email, online banking, e-commerce, or any other type of online account we access through a web page or app, we expect that once we enter our username and password, we can transact safely.

However, hackers can leverage a “cross-site request forgery” (CSRF) flaw to force the execution of unwanted actions in web pages or apps, even once we have already been authenticated by logging in.

These attacks can be deployed via a malicious link and the action is executed with the same privileges of the logged in user.

Cisco recently identified a vulnerability (CVE-2019-1904) that affects outdated versions of Cisco IOS XE. The vulnerability exists in the web-based user interface of the product and exists due to insufficient CSRF protections on an affected device.

To rectify the problem, Cisco released an updated version of its IOS XE software to patch the CSRF vulnerability.(4)

 


Recent Breaches

· Not so sunny in the Sunshine State

floridaFlorida may be America’s Sunshine State, but recently things have been looking pretty gloomy.

Lake City, Florida is finally recovering from a devastating Triple Threat ransomware attack that knocked out its email and online payment systems on June 10, according to City Manager, Joe Helfenberger.

Cloud cybersecurity company, AppRiver, initially reported the Triple Threat back in January.  However, at the time they only mentioned it was a phishing scheme designed to gather credentials and did not indicate there was a ransomware component to it.

Lake City updated its status on June 12, saying that while most systems were still down, progress was being made to restore the network and regain access to the locked data.

Luckily, systems used by the city’s police, fire and other emergency services were not impacted.

Eventually, city authorities reportedly paid $460,000 in Bitcoin to the attackers to recover their data and systems. This attack serves as yet another warning why backups are so important for recovery after a ransomware attack.(5)

· Threats from within can be devastating too

Desjardins-GroupDesjardins Group is the largest federation of credit unions in North America.

As custodians for so much confidential information, including the personal and financial records of roughly 2.9 million Desjardins Group members, data security is paramount.

Yet despite systems in place to prevent unauthorised intrusions, data was leaked by an employee who disclosed it to people outside the organisation without permission.

According to a statement by Desjardins, the information disclosed includes:

  • First and last names;
  • Dates of birth;
  • Social insurance numbers;
  • Addresses;
  • Phone numbers;
  • Email addresses; and
  • Details of banking habits and Desjardins products.

Awareness of the data leak emerged on June 14, when local police “provided Desjardins with information confirming that the personal information of more than 2.9 million members (including 2.7 million personal members and 173,000 business members) had been disclosed to individuals outside the organization.”

This is a timely warning that measures to prevent outside intrusion may not do anything to protect you from malicious actions undertaken by those inside your organisation.(6)

 


Other News

· LooCipher – doing the work of the devil 

loocipherLooCipher, the newly discovered ransomware that encrypts all files on an infected computer and demands a ransom payment of 300 Euros within five days, is pure evil.

The ransomware is spread by a spam campaign that delivers a Word document called Info_BSV_2019.docm. Opening the document causes macros to be enabled, links to a Tor server and downloads an .exe file.

During this time, all the computer’s files are encrypted and cannot be read, but they are not deleted. If the ransom is not paid via Bitcoin within five days, all your documents will be permanently destroyed.

This is another reminder that you should never open attachments in emails that you do not recognise.(7)

· Now criminals adopt security measures too 

httpsThe “S” in “HTTPS” stands for “SECURE”.

That letter signals to visitors that the site is secure for communications and that the privacy and integrity of data exchanged on the site is protected. It helps prevent “man-in-the-middle” attacks.

However, as attackers become more sophisticated, they too are beginning to use HTTPS sites for their malicious activities.

With the adoption of cryptographic protocols for secure website communications, cybercriminals are moving to HTTPS to keep their operations afloat.

Over half of phishing websites detected in the first quarter of this year used digital certificates to encrypt the connections from the visitor. This is a trend that has been growing since mid-2016.

HTTPS is designed to protect user privacy by encrypting the traffic between a server and the browser. This prevents third parties from viewing the data that’s exchanged. As web browsers began warning users that their connection was not secure if the site wasn’t HTTPS, phishing scammers began following the HTTPS trend.

Nowadays, impersonating an HTTPS website is virtually impossible without a Transport Layer Security (TLS) certificate, a cryptographic protocol designed to provide communications security over a computer network. While obtaining a TLS certificate was complicated and expensive in the past, these days they can be obtained for free.

With TLS certificates now more easily accessible, scammers are accessing them to give their websites the appearance of being secure.

It’s another reminder that when transacting online, all is not what it seems.(8)

 

To stay secure, you need to be proactive.

Cybercriminals are constantly looking for ways to exploit vulnerabilities and will use any opportunity to circumvent your security systems.

Keep on top of the latest advances in cybersecurity and ensure your organisation stays ahead of the threats with Shearwater’s team of expert consultants.

Together, we’ll develop a comprehensive security roadmap for your organisation that takes into account your specific needs and circumstances.

Take the first step towards enhancing your security and speak with us today.

 

(1) https://www.darkreading.com/attacks-breaches/critical-firefox-vuln-used-in-targeted-attacks/d/d-id/1335011
(2) https://www.us-cert.gov/ncas/alerts/AA19-168A
(3) https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-about-worm-attacking-exim-servers-on-azure/
(4) https://www.bleepingcomputer.com/news/security/cisco-ios-xe-software-receives-fix-against-high-severity-flaw/
(5) http://www.scmagazine.com/home/security-news/ransomware/lake-city-recovering-from-ransomware-attack/
(6) https://www.bleepingcomputer.com/news/security/desjardins-group-data-leak-exposes-info-of-29-million-members/
(7) https://www.bleepingcomputer.com/news/security/new-loocipher-ransomware-spreads-its-evil-through-spam/
(8) https://www.bleepingcomputer.com/news/security/phishing-websites-increase-adoption-of-https/


 

This Information Security Report is brought to you by Shearwater Solutions

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Whatever your Information Security challenge, we’re here to help you find the right solution.

April 2019 Security Report | Shearwater Solutions


Featured this security report: ASUS release a critical software update to combat “ShadowHammer” Trojan Malware, CISCO’s RV320 and RV325 small business routers are vulnerable to attack, Zero-day vulnerabilities found in Google Chrome and Microsoft Windows are being exploited simultaneously, the recent WinRaR vulnerability is being abused en-masse by threat actors, Adobe patches Cold Fusion to alleviate vulnerability and Apple also patches up a number of serious vulnerabilities in its iOS platform. The latest data breach news includes; between 6TB and 10TB of data extracted from Citrix’s internal network and a second Toyota data breach has leaked up to 3.1 million pieces of customer data. In other news, Windows 7 and Windows Server 2008 R2 support will cease in January 2020.

Current Threats and Exploits


  • ASUS malware software update:
    A critical software update has been released from ASUS to combat a known Trojan malware attack called “ShadowHammer,” the attack itself was disguised as a “critical” software update. Although ASUS stated that “only a small number of a specific user group was found to be targeted,” Kaspersky Labs predicts that the attack could have been distributed to nearly 1 million machines and installed on hundreds of thousands. Along with the software patch, ASUS also introduced a “Live Security” program that users can use to scan their device to see if it has been involved in any known malware attacks. (1)
  • CISCO vulnerability patching:
    Cisco Systems issued 24 patches tied to vulnerabilities in its IOS XE operating system and warned customers that two small business routers (RV320 and RV325) are vulnerable to attack and that no patches are available for either. A total of 19 of the bugs were rated as “high severity” by Cisco, with the others rated as medium. The two router vulnerabilities are rated as “high severity” and are part of Cisco’s Dual Gigabit WAN VPN RV320 and RV325 line of small business routers. Both router flaws were first patched in January, however Cisco said that both patches were “incomplete” and that both routers were still vulnerable to attack. Firmware updates that address these vulnerabilities are not currently available. Cisco also says that there are no workarounds that address either vulnerability. (2)
  • Google Chrome Zero Day Exploit:
    Google has reportedly patched two previously publicly-unknown vulnerabilities – one affecting Google Chrome and another in Microsoft Windows, both were being exploited together. Google released an update for all Chrome platforms that was delivered through the auto-update feature. This vulnerability leverages a memory mismanagement bug that could allow an attacker Remote Code Execution, allowing unauthorized users to inject malicious code. Google has encouraged all Chrome users to verify that Chrome auto-update has applied the 72.0.3626.121 update. (3)
  • WinRaR ACE file extension:
    WinRAR is a file archival tool that is widely used. Users should update to the latest version of WinRAR, or remove it from their computer, as there is no automatic update feature in the software. Shearwater recommends checking if WinRAR is installed on devices in the network. If WinRAR is discovered and it’s verified that it is required, it is critical that the latest version is installed. If WinRAR Is not required, the software should be removed. (4)
  • Adobe Cold Fusion Exploits:
    Adobe’s “Cold Fusion” website development platform has released a patch to remove a vulnerability that could allow a remote attacker to execute arbitrary code. The vulnerability allows a malicious attacker to upload a file of their own choosing and then cause any code within the file to be executed by issuing a HTTP request. All previous versions of Cold Fusion are reported to be vulnerable to the attack and it is recommended that anyone using Cold Fusion updates to the latest version as soon as possible. Additionally, it has also been observed that attacks against the vulnerability are already being conducted. (5)
  • Apple Patches a Number of Serious Vulnerabilities in iOS
    Apple recently released a patch to fix a number of serious vulnerabilities that were discovered in its WebKit framework, which is used by browsers on the iOS platform. The vulnerabilities range in severity, however at their worst they allow for a specially crafted web page to execute arbitrary code. It is recommended that all users of iOS devices update to the latest version of iOS as soon as possible. (6)


It is important that all users install the latest updates to stay protected from security threats.

Recent Breaches


  • Major Citrix Data Breach:
    Citrix recently released information indicating that they had undergone a major data breach where malicious actors were able to gain access to their internal network. After forensic analysis, the breach was determined to have been performed by a sophisticated attacker and it is thought they were able to extract between 6TB and 10TB of data from the internal Citrix network. Furthermore, this data included business documents with details of several of Citrix’s clients. It was also revealed that the attackers likely gained access into the environment by brute force, several employee’s accounts secured with weak passwords were compromised. This breach, like a number of other recent breaches, re-enforces the need to ensure all users have strong passwords and two factor authentication enabled on their accounts. (7)
  • Second Toyota Data Breach:
    Toyota has apologized to customers after a large data breach at its Tokyo area sales network was discovered on 21st March. Toyota said unauthorized network access to a server used by sales subsidiaries may have leaked up to 3.1 million pieces of customer data outside the company. Toyota is still investigating the extent of the data breach, and whether or not the information was exfiltrated. In late February this year, Toyota Australia suffered a cyber-attack that took out its email service and other systems. Toyota has not attributed either of these hacks to any particular actor or group, or advised whether the two are connected. (8)

Other News


  • End of Windows 7 and Windows Server 2008 R2 support:
    Starting on 18th April 2019, users running Windows 7 will start seeing pop-ups reminding them that support for the aging operating system will end in mid-January 2020. Reasons users may have for not upgrading to Windows 10 include concerns about applications not working and computers that cannot run Windows 10. Users with an enterprise license can arrange continued support for some business Windows 7 installations, and users with embedded Windows 7 may have different life cycle dates. (9)

References

  1. Asus software updates were used to spread malware, security group says
  2. Cisco Releases Flood of Patches for IOS XE, But Leaves Some Routers Open to Attack
  3. Disclosing vulnerabilities to protect users across platforms
  4. ‘100 unique exploits and counting’ for latest WinRAR security bug
  5. Security updates available for ColdFusion | APSB19-14
  6. Latest iOS 12.2 Update Patches Some Serious Security Vulnerabilities
  7. Citrix discloses security breach of internal network
  8. Millions of customers’ data accessed in second Toyota hack
  9. Windows 7 Update Support Ends One Year From Today

This Information Security Report is brought to you by Shearwater Solutions

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Whatever your Information Security challenge, we’re here to help you find the right solution.

December 2018 Security Report | Shearwater Solutions


Featured this month: Exposed Remote Desktop connections create a soft target for attackers, email distribution platforms are increasingly being hijacked to facilitate mass phishing campaigns, several Self Encrypting Drives have multiple vulnerabilities, a VirtualBox Zero Day vulnerability, breaches that caused inconvenience for Dell, created danger and disruption for an Ohio hospital and exposed over 500,000 guests’ data in a breach dating back to 2014 for the Marriott hotel chain. In other news, a Windows 10 (1703 and newer) update allows Windows Defender to operate in a sandboxed environment and Google’s Quic protocol will replace TCP, to offer both compression and encryption, in the next revision of the HTTP protocol.

Current Threats and Exploits


  • Exposed Remote Desktop connections create soft target for attackers:
    Remote Desktop provides a convenient tool for remote administration and for users to access internal resources. It’s also commonly scanned for, and targeted by, attackers attempting to gain unauthorized access to internal networks. Typically (via brute forcing of accounts or through the use of known credentials harvested via phishing or breach data) an attacker will look to gain access to the remote desktop host before launching subsequent attacks internal to the network (e.g. ransomware, cryptomining or data exfiltration).
    In order to avoid falling victim, it’s important that exposed Remote Desktop Protocol (RDP), and other services are appropriately hardened. Simple steps such as geoblocking, good password practices and monitoring of external facing hosts can significantly increase the difficulty of entry for attackers trying to take over your RDP host this holiday season.
  • Marketing email campaign hijacking leads to mass distribution of phishing:
    Shearwater has identified a number of incidents where a company’s marketing or email distribution platforms have been compromised in order to facilitate mass phishing campaigns. Through the use of Business Email Compromise (BEC attack), attackers are frequently looking to gain access to platforms such as MailChimp, that are prepopulated with recipient lists. This provides an easy opportunity to further phish unsuspecting victims.
    If you are unsure of the source of an email, a simple phone call to the sender or your IT security team can help validate the contents in a timely fashion. And if you identify a phishing campaign of this nature, contacting the mail platform and sender to alert them to the incident is also recommended.
  • Self-Encrypting Drives have multiple vulnerabilities:
    There are multiple vulnerabilities in implementations of ATA Security or TCG Opal Standards in Self-Encrypting Disks (SEDs), which can allow an attacker to decrypt contents of an encrypted drive. There is no cryptographic relation between the password provided by the end user and the key used for the encryption of user data. This allows an attacker to access the key without knowing the password provided by the end user, allowing the attacker to decrypt information encrypted with that key. According to the National Cyber Security Centre – The Netherlands (NCSC-NL), the following products are affected by CVE-2018-12037:

    • Crucial (Micron) MX100, MX200 and MX300 drives
    • Samsung T3 and T5 portable drives
    • Samsung 840 EVO and 850 EVO drives (In ATA high mode these devices are vulnerable, in TCG or ATA max mode these devices are not vulnerable.)

The vendors have issued patches to address the vulnerabilities. We recommend that you update to the latest patches as soon as possible.

  • VirtualBox Zero Day vulnerability:
    A new vulnerability has been discovered in VirtualBox’s Intel E1000 NIC driver code when it is operating in NAT mode. The vulnerability, which affects all versions of VirtualBox up to and including 5.2.20, allows malicious code running in a guest VM to gain application level control over the host. To make matters worse, the vulnerable code is shared between a number of different guest operating systems, meaning that it can be exploited from almost any guest. The vulnerability was not responsibly disclosed, and therefore there is currently no patch available.
    We recommended that users of VirtualBox change the type of virtual network adapter to something other than the Intel E1000 or place it into a mode other than NAT. (1)

Recent Breaches



A data breach at Marriott hotel chain has exposed personal details of up to 500,000 guests.

  • Dell resets all customer passwords after cyberattack:
    Dell suffered a security breach on November 9, 2018. Hackers succeeded in breaching the company’s network but were detected and stopped. Investigators found no evidence that the hackers succeeded, but they have not ruled out the possibility that some data was stolen. Analysis of the attack concluded the attackers were seeking customer names, email addresses and scrambled passwords.
    We recommend that Dell customers are vigilant for suspicious emails or account activity. (2)
  • Ransomware attack forced Ohio hospital system to divert ER patients:
    A malware infection and ransomware attack that hit computer systems at the East Ohio Regional Hospital and Ohio Valley Medical Centre over the Thanksgiving weekend reportedly disrupted the hospitals’ emergency rooms causing ambulances to be diverted to other area hospital emergency rooms. The attack hit on the evening of Friday, Nov. 23, leaving the hospitals temporarily unable to accept ER patients via emergency responders.
    A spokesperson for the hospitals said that there has been no patient information breach. (3)
  • Marriott’s massive data breach:
    The Marriott hotel chain has reported a massive data breach that was discovered to be related to a cyberattack dating back to 2014. The breach affected personal details of up to 500,000 guests of its Starwood branch, such as Westin, Sheraton, Le Meridien, St Gegis and W Hotels. It’s believed that personal information for around 327,000 reservations was exposed, including name, address, phone number, passport number, details of the stays, etc. Credit card numbers and expiry dates of some guests may also have been taken. (4)

Other News


  • Windows Defender sandboxed:
    Current versions of Windows 10 (1703 and newer) have received an update which will allow Windows Defender to operate in a sandboxed environment. As anti-malware software requires complete visibility over the whole system to provide effective protection, they need to run with very high privileges. As a result of these high privileges, they have become a common target for malware and malicious actors, as a successful compromise could give them control over the system. To reduce the risk, Microsoft have isolated Windows Defender in a sandboxed environment, making it harder for a compromise in Windows Defender to take over the system.
    Sandboxing is not currently enabled by default in Windows. However, if users wish to enable it on their system, they can issue the following command from an administrator command prompt and restart their system “setx /M MP_FORCE_USE_SANDBOX 1”. (5)
  • HTTP 3 using UDP:
    The Internet Engineering Task Force (IETF) has stated that the next revision of the HTTP protocol will not use Transmission Control Protocol (TCP) for its transport layer connections, but Google’s QUIC (Quick UDP Internet Connections) protocol instead. QUIC, which itself operates using UDP, was originally designed by Google and provides both compression and encryption.
    When the new protocol becomes more widely used, firewall rules will need to be permitted to allow UDP 443 connections. (6)

References

  1. Zero-Day Exploit Published for VM Escape Flaw in VirtualBox
  2. Dell.com resets all customer passwords after cyber attack: statement
  3. Ransomware Attack Forced Ohio Hospital System to Divert ER Patients
  4. Massive data breach at Marriott’s hotels exposes private data of 500,000 guests
  5. Windows Defender Antivirus can now run in a sandbox
  6. HTTP-over-QUIC to be renamed HTTP/3

 


This Information Security Report is brought to you by Shearwater Solutions

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Whatever your Information Security challenge, we’re here to help you find the right solution.

WebEx, LibSSH Authentication & D-Link Router Vulnerabilities | Shearwater InfoSec Report


The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Featured this month: A WebEx vulnerability that allows a remote attacker to execute code on the machine, a LibSSH authentication vulnerability that allows a remote attacker to authenticate without valid credentials, 3 vulnerabilities in a number of D-Link routers which combine to allow a remote attacker to take over a device, a number of new Drupal code execution vulnerabilities and a Windows zero-day vulnerability. Recent breaches include Cathay Pacific and iNet and in security news, the Californian government has passed a bill to mandate manufacturers improve passwords on IoT devices.

Current Threats and Exploits


  • WebEx Remote Code Execution Vulnerability:
    A vulnerability with Cisco Software’s Web meeting/presentation client, WebEx Client, has been discovered that would allow a remote attacker to execute code remotely on the machine.
    We recommend that users patch their WebEx Client Software to version 33.6.0 to prevent the usage of this vulnerability. (1)
  • LibSSH Authentication Vulnerability:
    A new vulnerability has been discovered in the LibSSH package, which is used to add support for SSH to devices. The vulnerability, assigned CVE 2018-10933, allows a remote attacker to present the server with a successful authentication message (SSH2_MSG_USERAUTH_SUCCESS) upon connecting and the server will accept the message. As a result, the attacker can easily become authenticated to the device without needing to present valid credentials. The vulnerability is reported to exist in all versions of LibSSH after 0.6.
    Users of LibSSH are advised to upgrade to the latest versions, 0.8.4 and 0.7.6, which have been fixed to remove the authentication flaw.(2)
  • D-Link Routers Vulnerable External Control:
    Security researchers have identified three vulnerabilities in a number of D-Link routers which, when combined, allow a remote attacker to take control of the device. The first vulnerability allows an unauthenticated attacker to browse the file system of the router to obtain the password file. The second vulnerability results in the password file they obtain being stored in cleartext, giving them access to the raw passwords. Finally, the authenticated attacker can execute arbitrary code on the device, through the Web interface. As an attacker can obtain the raw passwords using the first two vulnerabilities, they can take over the device. D-Link was informed of the vulnerability back in May this year, however they have failed to release any patches.
    It is strongly advised that anyone using D-Link routers ensures they are not configured to allow access to their Web interface from the Internet. (3)
  • More Drupal Code Execution Vulnerabilities:
    A number of new remote code execution vulnerabilities have been discovered in the Drupal content management system. One of the most critical vulnerabilities exists in the default mail backend, which does not check for shell arguments when processing emails, allowing them to be executed on the server.
    Users should ensure that Drupal 7 is updated to version 7.60, Drupal 8.5 is updated to version 8.5.2 and Drupal 8.6 is updated to version 8.6.2. Additionally, any versions of Drupal 8 before version 8.5 are no longer supported and, therefore, will not receive the security updates. (4)
  • Windows 10/Server 2016/Server 2019 Microsoft Data Sharing Zero-day Vulnerability:
    A security researcher has disclosed a Windows zero-day vulnerability on Twitter for the second time in the span of two months. Proof of Concept (PoC) code for this vulnerability was also published on GitHub, which can be used to delete crucial Windows files and cause the operation system to crash. The vulnerability affects the local Microsoft Data Sharing service (dssvc.dll), present in recent versions of Windows OS, such as Windows 10 (all versions patched with latest October 2018 update), Windows Server 2016 and Windows Server 2019. An attacker, who already has access to the system, can exploit this vulnerability to elevate their privileges allowing them to delete files that normally can only be deleted by admins and take further actions with appropriate modification on the PoC.
    Microsoft is currently working on a fix for this vulnerability. In the meantime, we recommend following best practice security practices and to be vigilant for anomalous activity. (5)

Recent Breaches



A data breach at Cathay Pacific Airways has prompted calls to review Hong Kong’s breach disclosure rules.

  • Cathay Pacific Major Data Breach:
    The Hong Kong flight carrier Cathay Pacific has suffered a major data breach, in which cybercriminals had accessed the personal data of over 9.4 million passengers. The breach exposed private details, including passenger names, nationalities, dates of birth, phone numbers and email addresses. Cybercriminals have also compromised 860,000 passport numbers, 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV).
    Hong Kong’s Privacy Commissioner, Stephen Wong Kai-yi, has pledged legal help for affected customers. Cathay Pacific and IT experts have recommended that passengers are vigilant for suspicious emails or account activity, as they anticipate phishing activities following the leak. (6)
  • Leaky Amazon S3 Bucket causes Washington ISP Customer data to be Exposed:
    Washington Internet Service Provider Pocket iNet has had over 73GB’s of data publicly exposed due to a misconfigured Amazon S3 Bucket. The exposed data includes plaintext passwords and AWS secret keys for Pocket iNet employees, internal diagrams of their infrastructure, details of configuration, inventory lists and photographs of their equipment. It also exposed priority customer details using the service.
    This type of breach can be mitigated by setting up a policy to check Amazon S3 Bucket configurations, as well as making sure buckets aren’t public facing. (7)

Other News


  • California passes Bill on IoT Device Security:
    The Californian government has passed legislation that bans the use of default weak passwords on IoT devices. Device manufacturers must ensure that IoT devices have a unique default password or a password that changes on the first authentication attempt.
    This should assist in device security, preventing these devices from being compromised by the use of hardcoded and default credentials. (8)

References