Shearwater Security Report June

Shearwater Security Report | July 2019


Our monthly Security Report highlights some of the recent cybersecurity threats making headlines around the world.

Compiled by Shearwater’s experienced cybersecurity professionals, this report identifies new attack vectors used by cybercriminals, and helps you stay one step ahead of the attackers.

In this report we feature:

· Firefox – critical vulnerability uncovered by targeted attacks

· BlueKeep – could it be the next WannaCry?

· Up to 57% of email at risk 

· Cisco patch to stop online forgery

· Not so sunny in the Sunshine State

· Threats from within can be devastating too

· LooCipher – doing the work of the devil 

· Now criminals adopt security measures too 

Current Threats and Exploits

· Firefox critical vulnerability uncovered by targeted attacks

firefoxUncovering a bug that can be exploited to provide attackers with remote code execution, Mozilla moved quickly to address the critical vulnerability by issuing a patch. The bug, which would still require a separate sandbox escape, could also be exploited for universal cross site scripting.

According to Mozilla, the vulnerability (CVE-2019-11707) “can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash.”

The vulnerability has been fixed in Firefox 67.0.3 and Firefox ESR 60.7.1.(1)

· BlueKeep – could it be the next WannaCry?

bluekeepIt’s been two years since WannaCry. The indiscriminate virus spread like wildfire, infecting almost one quarter million computers globally back in 2017. It all started when someone unwittingly opened an infected email attachment.

Now there’s the potential for an even more devastating attack.

A vulnerability, known as BlueKeep (CVE-2019-0708) exists within the Remote Desktop Protocol (RDP) used by the Microsoft Windows operating system. An attacker can exploit this vulnerability to perform remote code execution on an unprotected system.

While Microsoft has already issued a patch to repair the vulnerability, it is believed many systems are still at risk.

According to Microsoft, an attacker can send specially crafted packets to one of these operating systems that has RDP enabled. After successfully sending the packets, the attacker would have the ability to perform a number of actions including:

    • Adding accounts with full user rights;
    • Viewing, changing, or deleting data; or
    • Installing programs.

This exploit, which requires no user interaction, must occur before authentication to be successful.

BlueKeep is considered “wormable” because malware exploiting this vulnerability on a system could propagate to other vulnerable systems. Thus, there’s a very real risk a BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017.(2)

· Up to 57% of email at risk 

email“Return of the WIZard” is a vulnerability allowing hackers to send malicious email to Exim software. Exim is a popular email server software, or message transfer agent (MTA), used to send and receive email. With an estimated 57% of email servers operating Exim software, there is an acute risk to email disruption from the vulnerability.

According to Microsoft, an active Linux worm is targeting Exim. The worm allows attackers to remotely execute commands on a vulnerable server.

It is known there are at least two groups of hackers seeking to exploit the vulnerability to run malicious code. Hackers have also downloaded and installed a cryptocurrency miner on compromised servers.

While a mitigation is already in place to block the worm, Microsoft states that Azure servers with Exim software can still be infected or hacked.

The vulnerability (CVE-2019-10149) was discovered in Exim 4.87 to 4.91.

If not stopped, the worm would use the infected server to search for other vulnerable hosts to infect. Anyone using an email server with Exim software should install the latest patches as soon as possible.(3)

· Cisco patch to stop online forgery

ciscoWe all login to a variety of online accounts daily.

Whether it’s email, online banking, e-commerce, or any other type of online account we access through a web page or app, we expect that once we enter our username and password, we can transact safely.

However, hackers can leverage a “cross-site request forgery” (CSRF) flaw to force the execution of unwanted actions in web pages or apps, even once we have already been authenticated by logging in.

These attacks can be deployed via a malicious link and the action is executed with the same privileges of the logged in user.

Cisco recently identified a vulnerability (CVE-2019-1904) that affects outdated versions of Cisco IOS XE. The vulnerability exists in the web-based user interface of the product and exists due to insufficient CSRF protections on an affected device.

To rectify the problem, Cisco released an updated version of its IOS XE software to patch the CSRF vulnerability.(4)

 


Recent Breaches

· Not so sunny in the Sunshine State

floridaFlorida may be America’s Sunshine State, but recently things have been looking pretty gloomy.

Lake City, Florida is finally recovering from a devastating Triple Threat ransomware attack that knocked out its email and online payment systems on June 10, according to City Manager, Joe Helfenberger.

Cloud cybersecurity company, AppRiver, initially reported the Triple Threat back in January.  However, at the time they only mentioned it was a phishing scheme designed to gather credentials and did not indicate there was a ransomware component to it.

Lake City updated its status on June 12, saying that while most systems were still down, progress was being made to restore the network and regain access to the locked data.

Luckily, systems used by the city’s police, fire and other emergency services were not impacted.

Eventually, city authorities reportedly paid $460,000 in Bitcoin to the attackers to recover their data and systems. This attack serves as yet another warning why backups are so important for recovery after a ransomware attack.(5)

· Threats from within can be devastating too

Desjardins-GroupDesjardins Group is the largest federation of credit unions in North America.

As custodians for so much confidential information, including the personal and financial records of roughly 2.9 million Desjardins Group members, data security is paramount.

Yet despite systems in place to prevent unauthorised intrusions, data was leaked by an employee who disclosed it to people outside the organisation without permission.

According to a statement by Desjardins, the information disclosed includes:

  • First and last names;
  • Dates of birth;
  • Social insurance numbers;
  • Addresses;
  • Phone numbers;
  • Email addresses; and
  • Details of banking habits and Desjardins products.

Awareness of the data leak emerged on June 14, when local police “provided Desjardins with information confirming that the personal information of more than 2.9 million members (including 2.7 million personal members and 173,000 business members) had been disclosed to individuals outside the organization.”

This is a timely warning that measures to prevent outside intrusion may not do anything to protect you from malicious actions undertaken by those inside your organisation.(6)

 


Other News

· LooCipher – doing the work of the devil 

loocipherLooCipher, the newly discovered ransomware that encrypts all files on an infected computer and demands a ransom payment of 300 Euros within five days, is pure evil.

The ransomware is spread by a spam campaign that delivers a Word document called Info_BSV_2019.docm. Opening the document causes macros to be enabled, links to a Tor server and downloads an .exe file.

During this time, all the computer’s files are encrypted and cannot be read, but they are not deleted. If the ransom is not paid via Bitcoin within five days, all your documents will be permanently destroyed.

This is another reminder that you should never open attachments in emails that you do not recognise.(7)

· Now criminals adopt security measures too 

httpsThe “S” in “HTTPS” stands for “SECURE”.

That letter signals to visitors that the site is secure for communications and that the privacy and integrity of data exchanged on the site is protected. It helps prevent “man-in-the-middle” attacks.

However, as attackers become more sophisticated, they too are beginning to use HTTPS sites for their malicious activities.

With the adoption of cryptographic protocols for secure website communications, cybercriminals are moving to HTTPS to keep their operations afloat.

Over half of phishing websites detected in the first quarter of this year used digital certificates to encrypt the connections from the visitor. This is a trend that has been growing since mid-2016.

HTTPS is designed to protect user privacy by encrypting the traffic between a server and the browser. This prevents third parties from viewing the data that’s exchanged. As web browsers began warning users that their connection was not secure if the site wasn’t HTTPS, phishing scammers began following the HTTPS trend.

Nowadays, impersonating an HTTPS website is virtually impossible without a Transport Layer Security (TLS) certificate, a cryptographic protocol designed to provide communications security over a computer network. While obtaining a TLS certificate was complicated and expensive in the past, these days they can be obtained for free.

With TLS certificates now more easily accessible, scammers are accessing them to give their websites the appearance of being secure.

It’s another reminder that when transacting online, all is not what it seems.(8)

 

To stay secure, you need to be proactive.

Cybercriminals are constantly looking for ways to exploit vulnerabilities and will use any opportunity to circumvent your security systems.

Keep on top of the latest advances in cybersecurity and ensure your organisation stays ahead of the threats with Shearwater’s team of expert consultants.

Together, we’ll develop a comprehensive security roadmap for your organisation that takes into account your specific needs and circumstances.

Take the first step towards enhancing your security and speak with us today.

 

(1) https://www.darkreading.com/attacks-breaches/critical-firefox-vuln-used-in-targeted-attacks/d/d-id/1335011
(2) https://www.us-cert.gov/ncas/alerts/AA19-168A
(3) https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-about-worm-attacking-exim-servers-on-azure/
(4) https://www.bleepingcomputer.com/news/security/cisco-ios-xe-software-receives-fix-against-high-severity-flaw/
(5) http://www.scmagazine.com/home/security-news/ransomware/lake-city-recovering-from-ransomware-attack/
(6) https://www.bleepingcomputer.com/news/security/desjardins-group-data-leak-exposes-info-of-29-million-members/
(7) https://www.bleepingcomputer.com/news/security/new-loocipher-ransomware-spreads-its-evil-through-spam/
(8) https://www.bleepingcomputer.com/news/security/phishing-websites-increase-adoption-of-https/


 

This Information Security Report is brought to you by Shearwater Solutions

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Whatever your Information Security challenge, we’re here to help you find the right solution.