Shearwater Security Report | January 2020

Shearwater Security Report | January 2020

 

Each month Shearwater’s Managed Security Services Team brings you the latest Threats & Exploits, Breaches and Australian Cyber News to ensure you’re fully informed.

This month’s Security Report is essential reading so you can start the year on the right security footing:

• Current Threats and Exploits
• Recent Breaches
• Australian Cyber News

Current Threats and Exploits

❖ Start 2020 with these Top 20 Patches

Keeping up-to-date with patching is a challenge for any organisation.

Start the new year on the right foot when it comes to patching with this list of top 20 vulnerabilities that are currently being exploited by attack groups worldwide.

These 20 vulnerabilities have been ranked based on the number of times they have been exploited by sophisticated cyber-attack groups operating in the world today (from high to low).

Whilst some of these vulnerabilities are not new, it’s still important to make sure you’re protected. All too often attackers are able to exploit older vulnerabilities that people have inadvertently failed to patch.

No. CVE Products Affected by CVE CVSS Score (NVD) First-Last Seen (#Days)
1 CVE-2017-11882 Microsoft Office 7.8 713
2 CVE-2018-8174 Microsoft Windows 7.5 558
3 CVE-2017-0199 Microsoft Office, Windows 7.8 960
4 CVE-2018-4878 Adobe Flash Player, Red Hat Enterprise Linux 9.8 637
5 CVE-2017-10271 Oracle WebLogic Server 7.5 578
6 CVE-2019-0708 Microsoft Windows 9.8 175
7 CVE-2017-5638 Apache Struts 10 864
8 CVE-2017-5715 ARM, Intel 5.6 424
9 CVE-2017-8759 Microsoft .net Framework 7.8 671
10 CVE-2018-20250 RARLAB WinRAR 7.8 189
11 CVE-2018-7600 Debian, Drupal 9.8 557
12 CVE-2018-10561 DASAN Networks 9.8 385
13 CVE-2017-17215 Huawei 8.8 590
14 CVE-2012-0158 Microsoft N/A; 9.3 (according to cvedetails.com) 2690
15 CVE-2014-8361 D-Link, Realtek N/A; 10 (according to cvedetails.com) 1644
16 CVE-2017-8570 Microsoft Office 7.8 552
17 CVE-2018-0802 Microsoft Office 7.8 574
18 CVE-2017-0143 Microsoft SMB 8.1 959
19 CVE-2018-12130 Fedora 5.6 167
20 CVE-2019-2725 Oracle WebLogic Server 9.8 144
BONUS CVE-2019-3396 Atlassian Confluence 9.8 204

 

Recent Breaches

❖ Twitter for Android Patch

Twitter-for-Android-PatchTwitter has warned of a serious security vulnerability in its Android app that could have allowed an attacker to hijack an account, send tweets, access non-public account information, view private messages and location information. 

Twitter announced it recently fixed the bug in “version 7.93.4 (released Nov. 4, 2019 for KitKat) as well as version 8.18 (released Oct. 21, 2019 for Lollipop and newer).”

Twitter is urging users of its Android app to update to the latest version.

The bug didn’t affect its iOS app for iPhone users.

 


❖ Beware of Hornet’s Nest

Beware-of-Hornet’s-Nest“Hornet’s Nest” is a bundle of six types of malware including information-stealing trojans, a remote backdoor, a cryptojacker and a cryptocurrency stealer.

Whilst it’s unclear how the attack is initially delivered, it is believed to emanate from Russia and targets organisations around the world. Once delivered, it will execute PowerShell commands that enable it to begin its malicious activities.

The attack seems to be part of a cybercrime-as-a-service operation. Those who developed Hornet’s Nest apparently lease out their product to other cyber-criminals.

Attackers are able to steal vast swathes of personal data, all of which they could illicitly monetise either by committing fraud themselves, or by selling the information on to others on the dark web. It also includes a cryptocurrency stealer, allowing the attacker to raid the victim’s bitcoin wallet.

Such a multi-pronged attack can be a security nightmare for an organisation, considering all the kinds of data that could be compromised by the hackers.

However, if organisations are employing basic security measures, like applying patches and securing internet facing ports, they should go a long way to help the business avoid falling victim to this malware.

 


❖ Changes for G-Suite Users

Changes for G-Suite Users‘G-Suite’ is the name given to Google’s range of tools and apps, including Gmail, Google Calendar, Google Drive and Google Docs.

Until now, users of third-party email clients (such as Microsoft Outlook) could use their non-Google email username and password to access G-Suite products.

However, that’s about to change.

Vulnerabilities in some older third-party email clients, in which usernames and passwords were compromised, opened the way for attackers to access data from across the range of G-Suite products.

To stop this happening, Google will no longer allow users of less-secure-apps, or LSAs, from using their non-Google credentials with G-Suite products.

This change, which will commence in June 2020, won’t affect all non-Google email clients. Those that use OAuth, the authentication standard used by Google, Facebook, Microsoft, and Twitter, will continue to be able to access G-Suite products. 

 


❖ Ensure You Patch SharePoint Enterprise Servers

Ensure-You-Patch-SharePoint-Enterprise-ServersAttackers are actively scanning for enterprise servers running vulnerable Microsoft SharePoint versions that are easily exploitable with a single HTTP request to remotely run arbitrary code, security researchers warn.

A patch for the vulnerability was issued by Microsoft in February 2019 but some administrators have been slow to deploy the fix.

Researchers added support for the SharePoint vulnerability on a worldwide network of honeypots and observed multiple attacks very quickly. A significant number of enterprise SharePoint servers remain exposed to the vulnerability that is actively exploited in the wild. The seriousness of the flaw may have been underestimated as it requires no authentication on vulnerable systems and should have a high Common Vulnerabilities Scoring System (CVSS) rating of 9.8.

 


❖ WhatsApp Remote Code Execution Vulnerability

WhatsApp-Remote-Code-Execution-VulnerabilitySecurity researchers have uncovered yet another remote code execution vulnerability present in the popular instant messaging app WhatsApp.

The vulnerability is present in the library WhatsApp uses to display MP4 videos and can provide a remote malicious actor with code execution on the device in the context of the WhatsApp application.

Currently, all versions of WhatsApp for iOS and Android and even Windows Phones are known to be vulnerable. To exploit the vulnerability all a malicious actor needs to do is send a specially crafted MP4 message to their target and have them open it.

It is recommended that all users of WhatsApp update immediately. Updates can be found here.

 

 

Australian Cyber News

❖ Cybersecurity Improvements in Financial Sector

Cybersecurity-Improvements-in-Financial-SectorAccording to a new report by Australia’s corporate watchdog, ASIC, financial companies are improving their cybersecurity awareness and taking more steps to mitigate cyber risk.

In self-assessments against the National Institute of Standards in Technology (NIST) Cybersecurity Framework, the past year witnessed an average increase in cyber resilience of 15% across a range of functions.

Whilst ASIC said cyber resilience has improved, many financial companies have struggled to meet ambitious targets they set the previous year. A continually changing threat environment, limited organisational capability, and limited access to specialised skills and resources were also challenges.

 


❖ Online Safety – New Tougher Rules

Online-Safety-New-Tougher-RulesWith the community increasingly concerned about online bullying and other harmful online conduct, the Australian Government is proposing new rules that will compel digital platforms to remove inappropriate content within 24 hours following an instruction to do so from Australia’s eSafety Commissioner.

The removable content would not extend to online disputes of a personal nature, however they could include behaviour that is currently criminalised in the legal code.

Significantly, the proposals would extend current cyberbullying provisions from children to the entire population, although there would be a higher threshold for adults.

Search engines will be required to ‘de-rank offending content’, whilst digital platforms would have new transparency requirements.

The Department of Communications has published a discussion paper on the Act, with submission to close on 19 February 2020.

 


❖ Ransomware Still Rearing its Ugly Head

Ransomware-Still-Rearing-its-Ugly-HeadWith ransomware attacks continuing to rise, more organisations than ever are opting to pay cyber criminals in order to restore their networks.

A new report indicates the number of businesses agreeing to pay attackers has doubled in the past year. Malware that encrypts an organisation’s files can have devastating consequences for a business. Often, businesses conclude that the costs associated with paying the attackers will be less than the costs associated with down-time or lost data, despite law enforcement authorities recommending against giving into such extortion.

With attackers often demanding six-figure sums, and the chances of getting caught very low, it seems ransomware attacks are only going to continue to increase. Apart from the ransom money that needs to be paid, the cost of business down-time averages $208,000 in Australia.

The threat is particularly high in Australia and New Zealand, with local small-to-medium-sized enterprises (SMEs) experiencing the highest rate of ransomware attacks in the world according to new cybersecurity research.

There are some relatively simple steps you can take to help ensure your organisation remains secure:

  • Ensure all the systems and software on your network are up to date and patched with the latest security updates.
  • Make sure everyone in your organisation follows best practice password security protocols. Default passwords should not be used, and where possible, multi-factor authentication should be implemented.
  • Regularly backup all your files and ensure they are stored offline. In the event hackers block access to your systems and files, you will be able to restore operations relatively quickly if all your data is backed-up.

 


❖ Small Drop in Australian Online Fraud

Small Drop in Australian Online FraudFor only the second time, Australia saw a decline in online fraud during the 2018-2019 financial year.

Online fraud cost Australians $455 million, 5% lower than the previous year.

While the figure is heading in the right direction, it remains clear that much work needs to be done to significantly reduce instances of online fraud.

This drop comes on the back of efforts by the Reserve Bank, which continues to pressure the banking and payments industry to enhance online transaction security.

In response to the RBA, the payments industry designed a framework that sets out a tranche of compliance and security work that online merchants need to comply with, especially around how they keep card numbers and transactions secure from hackers.

Experts believe one of the biggest drivers of this drop in online fraud is the shift towards tap-and-pay technology, particularly the use of mobile handsets for payments, where consumer and bank security settings are far more robust thanks to regular software updates.

Card number tokenisation has also had a big impact in reducing online fraud, because it means the merchant doesn’t get the card number and it isn’t being input in the clear on the screen.

 

Sources
1. Start 2020 with these Top 20 Patches – cis.verint.com
2. Twitter for Android Patchwww.zdnet.com, www.itnews.com.au
3. Beware of Hornet’s Nest – www.zdnet.com
4. Changes for G-Suite Users – www.zdnet.com
5. Ensure You Patch SharePoint Enterprise Servers – www.itnews.com.au
6. WhatsApp Remote Code Execution Vulnerability – www.facebook.com
7. Cybersecurity Improvements in Financial Sector – www.zdnet.com
8. Online Safety – New Tougher Rules – www.zdnet.com
9. Ransomware Still Rearing its Ugly Headwww.zdnet.com, www.businessnewsaus.com.au
10. Small Drop in Australian Online Fraud – www.itnews.com.au

 

This Information Security Report is brought to you by Shearwater Solutions

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Whatever your Information Security challenge, we’re here to help you find the right solution.