SECURITY REPORT
MARCH 2020
Stay up to date with some of the most dangerous exploits currently in the wild.
These are our TOP 10 recent vulnerabilities for priority patching.
For a comprehensive list of vulnerabilities, check the NIST Database regularly.
| CVE | Product Affected | Description | CVSS Score (Version 3.1) |
| --- | --- | --- | --- |
| CVE-2020-10189 | ZOHO | A zero-day vulnerability has been found in cloud software provider Zoho. A remote code execution vulnerability exists in Zoho’s ManageEngine Desktop Central in versions released before 10.0.474. Successful exploitation could allow a remote attacker to execute arbitrary code on the affected system. | V3.1: 9.8 CRITICAL |
| CVE-2020-3127 and CVE-2020-3128 | CISCO | A series of vulnerabilities that could allow attackers to gain a targeted user’s privileges and then execute arbitrary code via the Cisco Webex Network Recording Player for Microsoft Windows or the Cisco Webex Player for Microsoft Windows. To exploit these flaws, an adversary could send users a malicious ARF or WRF file via a link or email attachment and socially engineer the potential victim into opening the file on the local system. | V3.1: 7.8 HIGH |
| CVE-2019-0090 | INTEL | An insufficient access control vulnerability in a subsystem of Intel(R) CSME before version 12.0.35 and Intel(R) SPS before version SPS_E3_05.00.04.027.0 may allow an unauthenticated user with physical access to escalate privilege. Even after gaining access, an attacker would need to invest additional effort in preparing or executing the vulnerable component in order to use this vulnerability. | V3.1: 7.1 HIGH |
| CVE-2019-15126 | BROADCOM and CYPRESS | “KrØØk” is a vulnerability found in more than one billion WiFi-enabled devices and access points that could allow an attacker to partially read encrypted data being transmitted. It can cause vulnerable devices to use an all-zero encryption key to encrypt part of the user’s communication. If successfully exploited, an attacker could decrypt some wireless network packets transmitted by the device. Despite a low CVSS score, the large number of potentially affected devices could result in widespread impact. | V3.1: 3.1 LOW |
| CVE-2020-6418 | GOOGLE | A zero-day exploit of a type confusion vulnerability in V8, Google Chrome’s open-source JavaScript and WebAssembly engine, rated as a “high” threat by Google. | V3.1: 6.5 MEDIUM |
| CVE-2020-0674 | MICROSOFT | Microsoft issued a patch for an Internet Explorer scripting engine memory corruption vulnerability that could lead to remote code execution and that has been detected in the wild. | V3.1: 7.5 HIGH |
| CVE-2020-3765 | ADOBE | Adobe and VMware pushed out critical out-of-band updates for After Effects and vRealize Operations for Horizon Adapter which, if exploited, could lead to arbitrary code execution. CVE-2020-3765 is an out-of-bounds write vulnerability affecting After Effects version 16.1.2 and earlier for Windows. Adobe recommends that admins update to version 17.0.3 through the Creative Cloud desktop app’s update mechanism. | V3.1: 9.8 CRITICAL |
| CVE-2020-6796, CVE-2020-6800 and CVE-2020-6801 | MOZILLA | The first is a missing bounds check that could cause memory corruption and a potentially exploitable crash. The second and third are memory safety bugs that could potentially be exploited to run arbitrary code. | V3.1: 8.8 HIGH |
| CVE-2020-5316 | DELL | Dell has reported a high-rated vulnerability in its SupportAssist for business and home PCs that could result in remote code execution. It affects business PC versions 2.0 through 2.1.3 and home PC versions 2.0 through 3.4. Each contains an uncontrolled search path vulnerability that a locally authenticated low-privileged user can exploit to cause the SupportAssist binaries to load arbitrary DLLs, resulting in privileged execution of arbitrary code. | V3.1: 7.8 HIGH |
| CVE-2020-0022 | ANDROID | Google has issued a critical security update for Android that affects the Bluetooth functionality on about two-thirds of all Android devices now in use. It affects devices running Android Oreo (8.0 and 8.1) and Pie (9.0) and can allow remote code execution without any user interaction. | V3.1: 8.8 HIGH |
Australian transport and logistics giant, Toll Group, was forced to shut down a number of IT systems for approximately one month due to a targeted ransomware attack.
The company is finally reintegrating with its clients’ IT systems.
Toll customers experienced major disruptions to shipment tracking, particularly those relying on the ‘MyToll’ portal application. Drivers reverted to manual receipts.
Toll responded to the attack by immediately isolating and disabling a range of its IT systems. This quick action helped stop the malware spreading. The ransomware, known as Mailto or Kokoklock, is believed to have infected as many as 1000 servers.
The company refused to pay the ransom, a move that was praised by a number of public officials (see Australian News below).
Source: www.itnews.com
Talman Software is the IT company that manages approximately 75% of wool sales across Australia and New Zealand. So, when the company was hit by a savage ransomware attack, the impact was felt by sheep farmers on both sides of the Tasman.
The attack resulted in all of Talman’s files being encrypted, with the attackers demanding an $8m payment to reinstate access to the data. Refusing to pay the ransom, Talman rushed to rebuild its IT systems.
While systems were reinstated, wool sales came to a grinding halt. Farmers are concerned that the pause in sales, while relatively short-lived, will nonetheless lead to a glut of product hitting the market once business comes back online. This could push wool prices down for some time.
A ransomware attack on such an important sector of Australia’s economy shows how vital it is for authorities to defend markets against cyber threats.
Source: www.smartcompany.com.au
With many organisations now relying on hundreds of APIs, the range of threats has escalated accordingly.
Last month Twitter disclosed a security incident during which a large network of fake accounts abused the company’s API to match phone numbers to users’ accounts.
The API endpoint being targeted was designed to allow the owners of new Twitter accounts to easily discover their friends on the platform. The API does this by matching phone numbers to accounts that have enabled the setting. By using a large network of fake accounts, the suspected attackers are believed to have taken advantage of this feature to aggregate a significant number of phone numbers (and associated account information).
When the company became aware of the situation, it claims it immediately suspended the accounts associated with the attack. In addition, the API has been modified so that it no longer returns specific account names in response to queries. Twitter believes this will prevent any future manipulation of the API’s intended usage.
Source: www.programmableweb.com
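The abuse pattern above, many freshly created accounts from a small address range each submitting large batches of phone numbers to a contact-discovery endpoint, is the kind of thing an API owner can spot in its own access logs. The following is an added example, not Twitter’s code; the log format, field names and thresholds are assumptions constructed for illustration.

```python
"""Heuristic detection of phone-number enumeration via a contact-discovery API."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log, one line per lookup call (hypothetical format):
# timestamp  client IP  account id  account age (days)  numbers submitted  matches returned
SAMPLE_LOG = """\
2020-02-01T10:00:01Z 203.0.113.10 acct_9001 1 500 412
2020-02-01T10:00:02Z 203.0.113.11 acct_9002 0 500 398
2020-02-01T10:00:02Z 203.0.113.12 acct_9003 2 500 401
2020-02-01T10:00:03Z 203.0.113.13 acct_9004 1 500 390
2020-02-01T10:00:04Z 203.0.113.14 acct_9005 0 500 405
2020-02-01T10:05:00Z 198.51.100.7 acct_1234 900 40 12
2020-02-01T10:06:00Z 198.51.100.8 acct_5678 2 35 9
"""

NEW_ACCOUNT_MAX_AGE_DAYS = 7   # the feature is meant for new accounts, so age alone is not suspicious
MIN_NEW_ACCOUNTS_PER_NET = 3   # but a cluster of fresh accounts behind one /24 is
MAX_NUMBERS_PER_ACCOUNT = 200  # a genuine address-book sync is far smaller (assumed threshold)


def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, ip, acct, age, submitted, matched = line.split()
        rows.append({"ts": ts, "ip": ip_address(ip), "acct": acct,
                     "age": int(age), "submitted": int(submitted),
                     "matched": int(matched)})
    return rows


def find_enumeration_clusters(rows):
    """Return {'/24 network': {'accounts': set, 'numbers': int}} for suspicious ranges."""
    per_net = defaultdict(lambda: {"accounts": set(), "numbers": 0})
    for r in rows:
        net = ip_network(f"{r['ip']}/24", strict=False)
        if r["age"] <= NEW_ACCOUNT_MAX_AGE_DAYS:
            per_net[net]["accounts"].add(r["acct"])
        per_net[net]["numbers"] += r["submitted"]
    return {str(net): v for net, v in per_net.items()
            if len(v["accounts"]) >= MIN_NEW_ACCOUNTS_PER_NET}


def find_bulk_accounts(rows):
    """Accounts whose total submitted numbers exceed a plausible address book."""
    per_acct = defaultdict(int)
    for r in rows:
        per_acct[r["acct"]] += r["submitted"]
    return sorted(a for a, n in per_acct.items() if n > MAX_NUMBERS_PER_ACCOUNT)
```

Either signal on its own can be noisy; the cluster check is the stronger one because it keys on what a fake-account farm cannot easily hide, many new accounts sharing infrastructure.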
These days, most website URLs start with https. It indicates the website has an SSL Certificate and any data it transmits is encrypted.
However, in order to force website administrators to keep up to date with the latest security features, Apple has just announced that its Safari browser will only allow access to sites whose SSL Certificates have a validity period of no more than 13 months.
This will force website administrators to renew SSL Certificates approximately once each year – ensuring they have updated cryptographic standards.
The move aims to reduce the number of old, neglected certificates that could potentially be stolen and re-used for phishing and drive-by malware attacks.
Once implemented, certificates with a validity period longer than 13 months will produce a certificate error in the browser.
Certificates issued before the rule takes effect, however, will not be affected.
Source: www.theregister.co.uk
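Administrators can check their own certificates against this rule before Safari does. The following is an added example, not Apple’s code: it parses the two lines printed by `openssl x509 -noout -dates` and applies the policy as the article describes it, including the exemption for certificates issued before the cutover. Two figures are assumptions not on the page: Apple specifies the 13-month limit as 398 days, and the rule took effect on 1 September 2020.

```python
"""Check a certificate's validity period against the Safari 13-month rule."""
from datetime import datetime

MAX_VALIDITY_DAYS = 398                  # Apple's figure for "13 months" (assumption, not on the page)
RULE_EFFECTIVE = datetime(2020, 9, 1)    # cutover date (assumption, not on the page)

# Constructed sample inputs in the format printed by `openssl x509 -noout -dates`.
ISSUED_BEFORE_RULE = "notBefore=Mar  1 00:00:00 2020 GMT\nnotAfter=Mar  1 00:00:00 2022 GMT\n"
TOO_LONG_AFTER_RULE = "notBefore=Oct  1 00:00:00 2020 GMT\nnotAfter=Oct  1 00:00:00 2022 GMT\n"
OK_AFTER_RULE = "notBefore=Oct  1 00:00:00 2020 GMT\nnotAfter=Oct 31 00:00:00 2021 GMT\n"


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) as naive UTC datetimes from openssl's output."""
    dates = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        # openssl pads single-digit days with a space ("Mar  1"); strptime tolerates that.
        dates[key.strip()] = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    return dates["notBefore"], dates["notAfter"]


def safari_verdict(not_before, not_after):
    """Return ('accepted'|'rejected', reason) for a certificate's validity window."""
    lifetime = (not_after - not_before).days
    if not_before < RULE_EFFECTIVE:
        # Certificates issued before the rule are exempt regardless of lifetime.
        return "accepted", f"issued before the rule took effect ({lifetime} days)"
    if lifetime > MAX_VALIDITY_DAYS:
        return "rejected", f"lifetime of {lifetime} days exceeds {MAX_VALIDITY_DAYS}"
    return "accepted", f"lifetime of {lifetime} days is within the limit"


def check(openssl_output):
    return safari_verdict(*parse_openssl_dates(openssl_output))
```

Run it on `openssl x509 -in cert.pem -noout -dates` output to see which of your certificates will trip the rule at their next renewal.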
Two Factor Authentication, or 2FA, is recognised as one of the best ways to safeguard against password compromise attacks.
However, even 2FA isn’t totally immune from attack.
A new trojan, named Cerberus, is in the wild and targeting Android banking applications. Specifically, it captures the login credentials of a user logging into their banking application. It then extracts any one-time password issued by ‘Google Authenticator’ – one of the most widely used 2FA verification systems.
The trojan then sends the login credentials and the one-time password to a malicious actor, who can gain access to the user’s online banking application.
It is strongly recommended that Android users exercise caution when installing applications onto their mobile devices.
Source: www.geeksgyaan.com
The Notifiable Data Breaches (NDB) scheme was established in February 2018 to improve consumer protection and drive better security standards for protecting personal information.
Its latest report, covering July through December 2019, shows a 19% increase in the number of reported data breaches compared to the previous six months.
22% of all reported breaches were in the health sector, higher than any other industry.
For the health sector, email security remains a significant challenge.
Phishing constitutes the single largest type of ‘Malicious or Criminal Attack’ (17 out of 63 reported incidents). Meanwhile, sending private data via email to the wrong recipient is the single largest type of ‘Human Error’ (12 out of 51 reported incidents).
These figures suggest that proper email security training for health care professionals could significantly reduce the number of breaches.
Contact Shearwater to learn about our Phriendly Phishing training modules. It’s the perfect way to train your staff about email security and reduce the chances of data breaches occurring.
Source: www.oaic.gov.au
Providing cloud-computing services to the Australian Government is about to get easier.
The Australian Signals Directorate (ASD) and the Digital Transformation Agency (DTA) announced changes affecting cloud service providers. Those wishing to provide cloud services to Australian Government departments and agencies are no longer required to pass the Cloud Services Certification Program (CSCP) assessment. Furthermore, they will no longer be listed on the Certified Cloud Services List (CCSL).
These changes mean that cloud providers will be treated in the same way as other ICT providers. It is still recommended to undergo an IRAP assessment: once you achieve certification with one Government department or agency, it can be leveraged to open the way to working with other departments and agencies.
For ICT or cloud providers considering undergoing IRAP assessment, the Government has announced extra resources to boost the number of IRAP assessors. This should facilitate a more efficient IRAP assessment process.
Contact us for further information on the IRAP assessment process and how Shearwater can guide you through the process.
Source: www.cyber.gov.au
The new Director-General of the Australian Signals Directorate (ASD), Rachel Noble, has warned business to bolster cyber defence capabilities. She argues that both business and government must make data security a top priority, whilst developing a deeper understanding of cyber threats and defences.
“Organisations must back up their data regularly, know how and where their data is stored and make sure it is kept up to date,” she said.
When it comes to ransomware, Noble warns against paying ransoms. Recently, Toll Group was subjected to a major attack and decided not to pay a ransom demand. Whilst some believe the extended period of disruption for customers could have been avoided, the message from the ASD head is that ransom payments should be avoided.
“We strongly recommend organisations don’t pay ransoms,” Noble said. “There is a risk you just lose your money or you end up being used as a cash cow and the cyber criminals come back again.”
Source: www.afr.com
IoT, or Internet of Things, is the term used to describe a broad range of internet-connected devices. From household appliances to industrial machinery, IoT devices are increasingly being exploited by attackers in order to gain unauthorised access to networks and compromise data.
The interconnected nature of IoT devices means that exploitation can have widespread consequences.
At present, manufacturers of consumer IoT devices have no rules that require their products meet minimum cyber security standards. With internet-connected devices becoming increasingly common in Australian homes, from smart TVs to baby-monitors, the time has come to establish standards so consumers have confidence they are purchasing secure products.
The Australian Government has launched an initiative to develop a voluntary code of practice for consumer-oriented IoT devices. The hope is that a voluntary industry code will be sufficient to uplift cybersecurity, but if necessary, the Government could move to mandatory standards.
According to Damien Manuel, chairman of the Australian Information Security Association (AISA), the trend towards greater consumer protections is clear. “It is inevitable that connected devices will have cyber security ratings within five years... A device’s cyber security rating will become a key part of the consumer decision-making process.”
If you manufacture IoT devices, contact Shearwater to learn how you can ensure your products meet your customers’ cybersecurity expectations.
Source: www.afr.com
A 31-year-old South Australian man has been charged with allegedly defrauding individuals to the tune of $11 million. According to police, the man allegedly engaged in identity theft which was used to modify payroll data, superannuation details and credit card records.
According to NSW Police Cybercrime Squad Commander, Detective Superintendent Mathew Craft, “Cybercrime presents a unique challenge for law enforcement, and the only way we can tackle these national issues, is through the collaboration of our law enforcement and industry partners.”
Identity information is a valuable commodity on the black market and dark web. It is essential that all organisations have strong cyber security measures in place to ensure data is protected.
Contact Shearwater to learn how we can assist your organisation to develop information security policies that keep data secure.
Source: www.itnews.com.au
This Information Security Report is brought to you by Shearwater Solutions.
The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.
Whatever your Information Security challenge, we’re here to help you find the right solution.