SECURITY REPORT
FEBRUARY 2020
Shearwater keeps you up to date with some of the most important exploits currently in the wild.
Here are some of the notable vulnerabilities published in the last month that you should patch if you use the affected systems.
For a comprehensive list of vulnerabilities, check the NIST Database regularly.
| CVE | Product Affected | Description | CVSS Score (Version 3.1) |
|---|---|---|---|
| CVE-2019-15975 and CVE-2019-15976 | Cisco | Multiple vulnerabilities in the authentication mechanisms of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. | 9.8 CRITICAL |
| CVE-2020-0601 | Microsoft | While only listed as ‘High’ in severity, this vulnerability has attracted a lot of concern since it was reported by the American National Security Agency. A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka ‘Windows CryptoAPI Spoofing Vulnerability’. | 8.1 HIGH |
| CVE-2020-0609 and CVE-2020-0610 | Microsoft | A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway). If an unauthenticated attacker exploits either of these bugs, they can get code executed on affected Gateway Servers. This code execution occurs at the level of the server and does not require further user interaction, meaning it is wormable. While not as widespread as the systems affected by BlueKeep, it certainly presents an attractive target for attackers. | 9.8 CRITICAL |
| CVE-2020-3716 and CVE-2020-3718 | Adobe Magento | Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier are all affected by these vulnerabilities. They have a deserialisation of untrusted data vulnerability and a security bypass vulnerability. Exploitation of either vulnerability could lead to arbitrary code execution. | 9.8 CRITICAL |
| CVE-2019-19781 | Citrix | A vulnerability has been identified in Citrix Application Delivery Controller (ADC). It could allow an unauthenticated attacker to execute arbitrary code on the system. Once exploited, remote attackers could obtain access to private network resources without requiring authentication. | 9.8 CRITICAL |
Researchers have discovered a vulnerability, codenamed ‘Cable Haunt’, that affects ‘spectrum analyser’ components in Broadcom chips that are used in many modems. This vulnerability puts millions of modems worldwide at risk.
‘Spectrum analyser’ is a hardware and software component that protects the modem from signal surges and disturbances coming via the coax cable. It is often used by internet service providers (ISPs) in debugging connection quality. Access to this component is usually limited for connections from the internal network.
However, the researchers say this component lacks protection against DNS rebinding attacks, uses default credentials, and also contains a programming error in its firmware.
Whilst a hacker would need to be on your local network to exploit it, if this occurs the hacker could take control of the modem, send you to malicious websites, perform a man-in-the-middle attack, or even change the modem’s firmware. Users could also be tricked into visiting a malicious page in their browser, which could relay an exploit to the vulnerable component and thereby execute commands on the device.
Find out further information and mitigation strategies here: https://cablehaunt.com/
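The two mitigations for the DNS rebinding weakness described above, as an added example that is not part of the original report or of the Cable Haunt research: a Host-header check on the device's own web interface, and a resolver-side filter that refuses public names resolving to private addresses. The LAN address, hostnames and domain names are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed for this example: names/addresses under which the modem's own
# web interface may legitimately be addressed from the LAN.
ALLOWED_HOSTS = {"192.168.100.1", "modem.lan"}

def host_header_allowed(host_header: str, allowed=ALLOWED_HOSTS) -> bool:
    """Device-side mitigation: accept a request only if its Host header names
    the device itself. In a DNS rebinding attack the browser still sends the
    attacker's hostname in Host even though the TCP connection now arrives
    from inside the LAN, so the request is rejected here."""
    if not host_header:
        return False
    try:
        # Reuse the URL parser to strip an optional port and IPv6 brackets.
        host = urlsplit("//" + host_header.strip()).hostname
    except ValueError:  # malformed host, e.g. an unclosed IPv6 bracket
        return False
    return host is not None and host.lower() in allowed

def resolver_should_reject(qname: str, answers, local_suffixes=(".lan",)) -> bool:
    """Resolver-side mitigation (the behaviour of dnsmasq's --stop-dns-rebind):
    refuse a DNS answer that maps a public name to a private, loopback or
    link-local address. Names under a trusted local suffix may resolve to
    private addresses, mirroring dnsmasq's --rebind-domain-ok."""
    name = qname.rstrip(".").lower()
    if name.endswith(local_suffixes):
        return False
    for addr in answers:
        ip = ipaddress.ip_address(addr)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            return True
    return False

if __name__ == "__main__":
    # Constructed scenario: the browser resolves attacker.example to the modem's
    # LAN address, then issues a request carrying Host: attacker.example.
    print(resolver_should_reject("attacker.example", ["192.168.100.1"]))  # True
    print(host_header_allowed("attacker.example"))                          # False
    print(host_header_allowed("192.168.100.1:8080"))                         # True
```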
Source
www.zdnet.com
In a reminder of just how persistent some hackers can be, Google announced it has been waging a three-year campaign against a group known as the ‘Bread’ or ‘Joker’ malware operation.
During the course of that time, Google has removed over 1,700 applications from its Play Store that were infected with the malware. Yet each time Google detected and removed one of the infected applications, the hackers would churn out a new one.
It is believed the hackers were able to circumvent Google’s processes for vetting applications by uploading a clean version of the application to the Play Store and then adding malicious functions at later points via updates.
The goal of the hackers was thought to be WAP fraud. WAP billing is a way of paying for items via a mobile device, whereby the cost is added to the user’s mobile phone bill. It is primarily used for purchasing mobile entertainment content like ringtones, mobile games and wallpapers.
In WAP fraud, hackers use infected devices to initiate payments, often with the victim unaware until they notice the payments with their next phone bill.
To ensure you’re not a victim, check if your mobile network operator has a self-service portal where you can see and discontinue WAP subscriptions. Some mobile operators let subscribers disable WAP-billing services completely.
Source
www.zdnet.com
In January Mozilla launched Firefox 72. The updated browser expanded picture-in-picture video mode to macOS. It also blocked “fingerprinting,” an advanced tracking method practiced by some sites and advertisers.
However, within one day of the launch, Mozilla was forced to issue an update with a patch to fix the vulnerability identified as CVE-2019-17026.
Mozilla characterised the zero-day vulnerability as ‘critical’. Unfixed, it could lead to a ‘type confusion’ or logical bug in the ‘IonMonkey’ JavaScript JIT (Just-in-Time) compiler of ‘SpiderMonkey’, the browser’s JavaScript engine.
Visit Mozilla for updates to fix this vulnerability: https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/
Source
www.computerworld.com
Make sure you update the following two WordPress plugins to ensure you’re not exposed to serious security vulnerabilities:
These two plugins are used by an estimated 320,000 websites.
Source
www.zdnet.com
Microsoft has released details on a potentially serious vulnerability in both Windows 10 and Server that could be exploited to spoof certificates to sign executable files, making malicious code appear as if it comes from a trusted provider.
In its advisory for CVE-2020-0601, Microsoft explained the flaw in the Windows cryptographic application programming interface as provided by the crypt32.dll dynamic link library is due to incomplete validation of elliptic curve cryptography (ECC) certificates.
The vulnerability was discovered by the United States National Security Agency (NSA) intelligence service and reported to Microsoft late last year.
Threat scenarios beyond bogus signing of malicious code include exploiting the flaw in man-in-the-middle attacks to decrypt victim communications, Microsoft said.
Microsoft has issued a security update for the flaw as part of its regular Patch Wednesday set of fixes. While Microsoft rates the severity of the flaw as “important” rather than critical and has not yet found exploitation or prior disclosure of the vulnerability, it notes that it is more likely to be abused by hackers. The NSA, however, “assesses the vulnerability to be severe”.
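For the CryptoAPI certificate validation flaw covered here and in the table above, an added check that is not code from Microsoft or from this report: it walks a DER-encoded certificate and reports whether its ECC key uses a named curve or explicit curve parameters, the form that public analyses of CVE-2020-0601 singled out and that is worth alerting on in certificate inventories. The certificate-shaped byte strings are constructed for the example and are not real certificates.

```python
# DER encodings of id-ecPublicKey (1.2.840.10045.2.1) and secp256r1 (1.2.840.10045.3.1.7)
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")
SECP256R1 = bytes.fromhex("2a8648ce3d030107")

def der_tlvs(data: bytes):
    """Split a DER blob into its top-level (tag, value) elements."""
    out, i = [], 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        out.append((tag, data[i:i + length]))
        i += length
    return out

def ec_parameter_form(cert_der: bytes):
    """Return 'named' or 'explicit' for the first EC AlgorithmIdentifier found, or
    None if the certificate carries no EC key. AlgorithmIdentifier is SEQUENCE
    { algorithm OID, parameters }: for EC keys the parameters are normally a
    named-curve OID (tag 0x06); a SEQUENCE (tag 0x30) means explicit ECParameters."""
    for tag, value in der_tlvs(cert_der):
        if not tag & 0x20:                      # primitive: nothing to look inside
            continue
        kids = der_tlvs(value)
        if tag == 0x30 and len(kids) >= 2 and kids[0] == (0x06, ID_EC_PUBLIC_KEY):
            return "named" if kids[1][0] == 0x06 else "explicit"
        found = ec_parameter_form(value)
        if found:
            return found
    return None

# --- constructed sample inputs: certificate-shaped, not real certificates ---
def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (payloads up to 65535 bytes)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    body = n.to_bytes(2, "big")
    return bytes([tag, 0x80 | len(body)]) + body + payload

def sample_cert(ec_params: bytes) -> bytes:
    """Minimal Certificate { tbs { [0] version, serial, spki } } wrapper."""
    alg = der(0x30, der(0x06, ID_EC_PUBLIC_KEY) + ec_params)
    spki = der(0x30, alg + der(0x03, b"\x00\x04" + b"\x11" * 64))  # dummy point
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + spki)
    return der(0x30, tbs)

NAMED_CERT = sample_cert(der(0x06, SECP256R1))
# Explicit ECParameters SEQUENCE (shape only: version 1 + fieldID); this is the case to flag.
EXPLICIT_CERT = sample_cert(der(0x30, der(0x02, b"\x01") + der(0x30, der(0x06, SECP256R1))))
```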
Source
www.itnews.com.au
Targeted attacks are exploiting a previously unknown vulnerability in Internet Explorer to corrupt memory and compromise victims’ Windows systems, Microsoft warned in an advisory published on January 17.
The flaw, described as a scripting engine memory corruption vulnerability and designated CVE-2020-0674, allows an attacker to take control of a Windows system by forcing it to use an older version of Microsoft’s JavaScript engine that is only present for backward compatibility.
By default, Internet Explorer does not use the vulnerable dynamic library, Microsoft stated. “The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” Microsoft stated in Advisory 200001. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.”
Source
www.darkreading.com
Microsoft has ended support for Windows 7, more than a decade after the ageing operating system first arrived on PCs.
From the 14th of January, devices running the OS will no longer receive important patches for any new security vulnerabilities, as well as other software updates and technical support. Users and organisations still using Windows 7 have been urged to move to a newer operating system like Windows 10 to avoid future viruses or malware.
Almost a quarter of Windows users worldwide are still thought to be running Windows 7. The Australian Cyber Security Centre (ACSC) warned in October that adversaries could use “unpatched security vulnerabilities” in Windows 7 to target users. It has recommended that organisations yet to upgrade should “review their risk assessments and begin planning for the implementation of mitigation strategies to reduce their risk exposure”.
The UK’s cyber security agency has similarly advised that devices still running the OS should not be used for internet banking or emails from January 14, 2020.
Source
www.darkreading.com
The government is urging businesses not to cover up cyber-attacks. In the interests of securing critical national infrastructure, such as banks and energy grids, the private sector is being urged to cooperate with cyber-security officials in the event of a breach.
This comes as the government develops new laws enabling it to intervene in private enterprises in order to protect assets that are crucial to the economy and wider community.
Whilst businesses are usually co-operative in such circumstances, sometimes companies push back against assistance due to concerns about government meddling in their systems or the exposure of sensitive commercial information and customer data.
Reputational damage is another concern that may lead to companies keeping quiet.
Under the current law, the government’s cyber agencies can usually only intervene on cyber security incidents with the permission of private network owners.
Source
www.afr.com
53 organisations, including the Australian Privacy Foundation, are asking Google to stop Android smartphone vendors from selling devices with unremovable pre-installed applications, also known as bloatware.
Bloatware has a detrimental effect on user privacy, leaving users exposed to having their data collected by unscrupulous phone vendors and application makers without their knowledge or consent.
Most bloatware applications don’t go through Google’s screening process and have privileged custom permissions, letting them operate outside the Android security model. This means permissions can be defined by the application – including access to the microphone, camera and location – without triggering the standard Android security prompts.
Source
www.zdnet.com
A website gathering donations for the victims of the bushfires in Australia has been hit by a credential-skimming attack, placing the payment information of donors at risk.
The attack, identified as the work of Magecart, injected the ATMZOW skimmer into the charity’s website code, grabbed payment information, and forwarded it to a third-party destination with an obfuscated web address.
According to the research team at Malwarebytes, which discovered the compromise, the destination server has now been taken offline, though the skimmer code is still present on the site. A researcher from Bad Packets Report noted that the same skimmer code is currently in place on 39 additional websites.
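As an added example (not code from Malwarebytes, Bad Packets or the affected site), a baseline comparison of the scripts present in a page, the kind of check a site owner can run against their own checkout or donation pages to notice an injected skimmer: any new external script host, or any inline script whose hash is not in the deploy-time baseline, is reported. The HTML and hostnames are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ScriptCollector(HTMLParser):
    """Collect external script hosts and SHA-256 digests of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:  # empty netloc means a same-origin path such as /js/app.js
            self.external.append(urlsplit(src).netloc.lower() or "(same-origin)")
        else:
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            code = "".join(self._buf).strip()
            self._buf = None
            if code:
                self.inline.append(hashlib.sha256(code.encode()).hexdigest())

def script_baseline(html: str):
    """Record the scripts of a known-good page (run this at deploy time)."""
    c = ScriptCollector()
    c.feed(html)
    return set(c.external), set(c.inline)

def audit_page(html: str, baseline_hosts: set, baseline_inline: set) -> list:
    """Compare a freshly fetched page against the baseline; [] means no change."""
    hosts, digests = script_baseline(html)
    findings = [f"new external script host: {h}" for h in sorted(hosts - baseline_hosts)]
    findings += [f"unrecognised inline script sha256:{d[:16]}" for d in sorted(digests - baseline_inline)]
    return findings

# Constructed sample: a donation page, then the same page with an injected
# inline script and an extra external script pointing at an unknown host.
CLEAN_HTML = """<html><head><script src="/js/app.js"></script>
<script src="https://cdn.payments.test/checkout.js"></script>
<script>window.donate = {currency: "AUD"};</script></head>
<body><form id="donate"></form></body></html>"""
INJECTED_HTML = CLEAN_HTML.replace(
    "</body>",
    '<script>/* injected */ window.x = 1;</script>'
    '<script src="//static.unknown-host.test/l.js"></script></body>')
```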
Source
www.darkreading.com
P&N Bank in Western Australia (WA) is informing its customers that hackers may have accessed personal information stored on its systems following a cyberattack.
The data, some of it sensitive in nature, was stored on the bank’s customer relationship management (CRM) platform that is completely separated from the core banking system.
The financial organisation says in the breach notification sent to customers that the compromised system contained the following information: names, addresses, emails, age, customer and account numbers, as well as the account balance.
All this counts as personally identifiable information that is protected under the Privacy Act in Australia.
Funds, social security numbers, and data in identification documents (driver’s license, passport) were stored on a different system and are safe.
As many as 100,000 individuals may be impacted by the incident, which was labelled “sophisticated”. The attack did not target P&N Bank directly: it occurred during a server upgrade around December 12, 2019, at a third party that was providing hosting services to the organisation.
Source
www.bleepingcomputer.com
This Information Security Report is brought to you by Shearwater Solutions.
The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.
Whatever your Information Security challenge, we’re here to help you find the right solution.