Beyond Information Security

Update Microsoft Windows Systems to Patch 99 New Security Flaws

A few hours after Adobe today released security updates for five of its widely-distributed software, Microsoft also issued its February 2020 Patch Tuesday edition with patches for a total of 99 new vulnerabilities. According to the advisories, 12 of the total issues patched by the tech giant this month are critical in severity, and the remaining 87 have been listed as important. Included in this release is a security update for the CVE-2020-0674 Internet Explorer zero-day vulnerability that was being actively exploited in the wild.

Source: The hacker news / Bleeping computer / Krebs on security / Dark reading / Threatpost / Security week / TALOS Intelligence Blog / Infosecurity magazine / SANS Internet storm center

Link: https://thehackernews.com/2020/02/microsoft-windows-updates.html

Link: https://www.bleepingcomputer.com/news/security/microsofts-february-2020-patch-tuesday-fixes-99-flaws-ie-0day/

Link: https://krebsonsecurity.com/2020/02/microsoft-patch-tuesday-february-2020-edition/

Link: https://www.darkreading.com/threat-intelligence/microsoft-patches-exploited-internet-explorer-flaw-/d/d-id/1337022

Link: https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/

Link: https://www.securityweek.com/microsoft-patches-ie-zero-day-98-other-vulnerabilities

Link: https://blog.talosintelligence.com/2020/02/microsoft-patch-tuesday-feb-2020.html

Link: https://www.infosecurity-magazine.com/news/microsoft-fixes-99-problems-this/

Link: https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+for+February+2020/25790/


Adobe Releases Patches for Dozens of Critical Flaws in 5 Software

Here comes the second 'Patch Tuesday' of this year. Adobe today released the latest security updates for five of its widely used software products that patch a total of 42 newly discovered vulnerabilities, 35 of which are critical in severity.

Source: The hacker news / Bleeping computer / Security week

Link: https://thehackernews.com/2020/02/adobe-software-update.html

Link: https://www.bleepingcomputer.com/news/security/adobe-releases-the-february-2020-security-updates/

Link: https://threatpost.com/adobe-security-update-critical-flash-framemaker-flaws/152782/

Link: https://www.securityweek.com/adobe-patches-42-vulnerabilities-across-five-products

Link: https://helpx.adobe.com/security.html


Emotet Malware Now Hacks Nearby Wi-Fi Networks to Infect New Victims

Emotet, the notorious trojan behind a number of botnet-driven spam campaigns and ransomware attacks, has found a new attack vector: using already infected devices to identify new victims that are connected to nearby Wi-Fi networks. According to researchers at Binary Defense, the newly discovered Emotet sample leverages a "Wi-Fi spreader" module to scan Wi-Fi networks, and then attempts to infect devices that are connected to them.

The cybersecurity firm said the Wi-Fi spreader has a timestamp of April 16, 2018, indicating the spreading behavior has been running "unnoticed" for close to two years until it was detected for the first time last month. The development marks an escalation of Emotet's capabilities, as networks in close physical proximity to the original victim are now susceptible to infection.

Source: The hacker news / Bleeping computer / Threatpost

Link: https://thehackernews.com/2020/02/emotet-malware-wifi-hacking.html

Link: https://www.bleepingcomputer.com/news/security/emotet-hacks-nearby-wi-fi-networks-to-spread-to-new-victims/

Link: https://threatpost.com/emotet-now-hacks-nearby-wi-fi-networks-to-spread-like-a-worm/152725/


Amex, Chase Fraud Protection Emails Used as Clever Phishing Lure

A very clever phishing campaign is underway that pretends to be fraud protection emails from American Express and Chase that ask you to confirm if the listed credit card transactions are legitimate. If you have credit cards and commonly use them, you may have received emails in the past asking you to confirm if a particular credit card transaction is valid. These emails will display the name of the vendor, the date of the transaction, and the amount of the transaction. It then asks you to confirm if the attempted charge is legitimate or not.

Source: Bleeping computer

Link: https://www.bleepingcomputer.com/news/security/amex-chase-fraud-protection-emails-used-as-clever-phishing-lure/


Dell SupportAssist Bug Exposes Business, Home PCs to Attacks

Dell published a security update to patch a SupportAssist Client software flaw which enables potential local attackers to execute arbitrary code with Administrator privileges on vulnerable computers. As explained by Dell in its advisory, "A locally authenticated low privileged user could exploit this vulnerability to cause the loading of arbitrary DLLs by the SupportAssist binaries, resulting in the privileged execution of arbitrary code."

This uncontrolled search path vulnerability, reported by CyberArk's Eran Shimony, is tracked as CVE-2020-5316, carries a high-severity CVSSv3 base score of 7.8, and affects the following Dell SupportAssist versions:

• Dell SupportAssist for business PCs version 2.1.3 or earlier

• Dell SupportAssist for home PCs version 3.4 or earlier.

Source: Bleeping computer / Threatpost / Security week

Link: https://www.bleepingcomputer.com/news/security/dell-supportassist-bug-exposes-business-home-pcs-to-attacks/

Link: https://threatpost.com/dell-patches-supportassist-flaw-that-allows-arbitrary-code-execution/152771/

Link: https://www.securityweek.com/another-flaw-dell-supportassist-allows-code-execution-elevated-privileges

Link: https://www.dell.com/support/article/de/de/debsdt1/sln320101/dsa-2020-005-dell-supportassist-client-uncontrolled-search-path-vulnerability?lang=en


U.S. Charges 4 Chinese Military Officers in 2017 Equifax Hack

The U.S. Justice Department today unsealed indictments against four Chinese officers of the People’s Liberation Army (PLA) accused of perpetrating the 2017 hack against consumer credit bureau Equifax that led to the theft of personal data on nearly 150 million Americans. DOJ officials said the four men were responsible for carrying out the largest theft of sensitive personal information by state-sponsored hackers ever recorded.

Source: Krebs on security / Threatpost / Dark reading / Infosecurity magazine

Link: https://krebsonsecurity.com/2020/02/u-s-charges-4-chinese-military-officers-in-2017-equifax-hack/

Link: https://threatpost.com/equifax-breach-four-members-of-chinese-military-charged-with-hacking/152739/

Link: https://www.darkreading.com/attacks-breaches/chinas-military-behind-2017-equifax-breach-doj/d/d-id/1337009

Link: https://www.securityweek.com/equifax-breach-latest-many-hacks-linked-china

Link: https://www.securityweek.com/china-denies-us-allegations-over-military-hackers

Link: https://www.infosecurity-magazine.com/news/china-denies-involvement-in/


Third-Party Breaches — and the Number of Records Exposed — Increased Sharply in 2019

Third-party risks are quickly mounting for enterprise organizations if the number of data breaches and total number of records exposed as a result are any indication. In a recent analysis of data pertaining to security breaches in 2019, Risk Based Security uncovered a sharp increase in incidents involving companies handling sensitive data for business partners and other clients. The total number of such third-party breaches hit 368 in 2019, up from 328 in 2018 and 273 in 2017 — a 35% increase in two years.

Source: Dark reading / Security week

Link: https://www.darkreading.com/attacks-breaches/third-party-breaches—and-the-number-of-records-exposed—increased-sharply-in-2019/d/d-id/1337037

Link: https://www.securityweek.com/over-151-billion-records-exposed-data-breaches-2019


FBI: Business Email Compromise Cost Businesses $1.7B in 2019

BEC attacks comprised nearly half of cybercrime losses last year, which totaled $3.5 billion overall as Internet-enabled crimes ramped up. Business email compromise (BEC) attacks cost organizations an estimated $1.77 billion in losses in 2019, reports the FBI, which received a total of 23,775 complaints related to this threat. The FBI's Internet Crime Complaint Center (IC3) this week released its "2019 Internet Crime Report," which digs into cybercrime trends throughout the year. In 2019 the IC3 received 467,361 complaints, which cost organizations $3.5 billion overall – up from $2.7 billion in 2018.

Source: Dark reading / Threatpost / Security week / BBC / Infosecurity magazine

Link: https://www.darkreading.com/fbi-business-email-compromise-cost-businesses-$17b-in-2019/d/d-id/1337035

Link: https://threatpost.com/fbi-3-5b-lost-in-2019-to-known-cyberscams-ransomware/152815/

Link: https://www.securityweek.com/bec-losses-surpassed-17-billion-2019-fbi

Link: https://www.bbc.com/news/technology-51474109

Link: https://www.infosecurity-magazine.com/news/fbi-bec-losses-soared-to-18/


Intel Patches High-Severity Flaw in Security Engine

The high-severity vulnerability could enable denial of service, privilege escalation and information disclosure. Intel is warning of a high-severity flaw in the firmware of its converged security and management engine (CSME), which if exploited could allow privilege escalation, denial of service and information disclosure. CSME powers Intel’s Active Management System hardware and firmware technology, used for remote out-of-band management in consumer or corporate PCs, Internet of Things (IoT) devices, and workstations. The subsystem of CSME has an improper authentication bug (CVE-2019-14598), which has a CVSS score of 8.2 out of 10.0, making it high severity. A privileged user, with local access, could exploit the flaw to launch an array of attacks, according to Intel.

Source: Threatpost

Link: https://threatpost.com/intel-patches-high-severity-flaw-in-security-engine/152794/


Docker Registries Expose Hundreds of Orgs to Malware, Data Theft

Misconfigured Docker registries could leak confidential data, lead to a full-scale compromise and interrupt business operations. A slew of misconfigured Docker container registries has inadvertently exposed source code for 15,887 unique versions of applications owned by research institutes, retailers, news media organizations and technology companies.

According to Palo Alto Networks’ Unit 42 division, the registries lacked proper network access control.

Source: Threatpost / Bleeping computer / Security week / Palo Alto networks

Link: https://threatpost.com/docker-registries-malware-data-theft/152734/

Link: https://www.bleepingcomputer.com/news/security/misconfigured-docker-registries-expose-orgs-to-critical-risks/

Link: https://www.securityweek.com/misconfigured-docker-registries-expose-thousands-repositories

Link: https://unit42.paloaltonetworks.com/leaked-docker-code/


Companies that Scrape Your Email

Motherboard has a long article on apps — Edison, Slice, and Cleanfox — that spy on your email by scraping your screen, and then sell that information to others.

Source: Bruce Schneier on security

Link: https://www.schneier.com/blog/archives/2020/02/companies_that_.html

Link: https://www.vice.com/en_us/article/pkekmb/free-email-apps-spying-on-you-edison-slice-cleanfox


SAP Releases 13 Security Notes on February 2020 Patch Day

The company released three new High priority Security Notes and 10 Medium priority Notes this month. The updated Notes include one Hot News Note and one Medium priority Note.

Source: Security week

Link: https://www.securityweek.com/sap-releases-13-security-notes-february-2020-patch-day


Crypto AG Was Owned by the CIA

The Swiss cryptography firm Crypto AG sold equipment to governments and militaries around the world for decades after World War II. They were owned by the CIA. This isn’t really news. We have long known that Crypto AG was backdooring crypto equipment for the Americans. What is new is the formerly classified documents describing the details.

Source: Bruce Schneier on security / Security week / BBC / Infosecurity magazine

Link: https://www.schneier.com/blog/archives/2020/02/crypto_ag_was_o.html

Link: https://www.securityweek.com/switzerland-investigating-alleged-cia-german-front-company

Link: https://www.securityweek.com/us-german-spies-plundered-global-secrets-swiss-encryption-firm-report

Link: https://www.bbc.com/news/world-europe-51467536

Link: https://www.infosecurity-magazine.com/news/crypto-ag-unmasked-cia-spied/


Loda RAT Grows Up

Over the past several months, Cisco Talos has observed a malware campaign that utilizes websites hosting a new version of Loda, a remote access trojan (RAT) written in AutoIT.

These websites also host malicious documents that begin a multi-stage infection chain which ultimately serves a malicious MSI file. The second stage document exploits CVE-2017-11882 to download and run the MSI file, which contains Loda version 1.1.1.

This campaign appears to be targeting countries in South America and Central America, as well as the U.S.

Source: TALOS Intelligence Blog

Link: https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html


Secjuice Squeeze Volume 12 – sudo, Cisco, WhatsApp, and Android Bluetooth bugs & more!

Welcome to the twelfth edition of the Secjuice Squeeze, a selection of interesting infosec articles that you may have missed, curated for your reading pleasure.

Source: Secjuice

Link: https://www.secjuice.com/infosec-news-squeeze-vol-12/


Apple iCloud Credential Stealing

In August 2019 I found a vulnerability in Apple's iOS (CVE-2020-3841) during a Red Team Assessment. We were trying to lure users into entering their credentials in a Wi-Fi Phishing Attack. In this case iOS/Safari (macOS was also affected) helped us with its AutoFill features. It turned out to be somewhat buggy, but let's have a quick look at how and why it worked, and how we exploited it.

Source: Secjuice

Link: https://www.secjuice.com/apple-icloud-credential-stealing/


March Patch Tuesday is Coming – the LDAP Changes will Change Your Life!

Next month Microsoft will be changing the default behaviour for LDAP – cleartext, unsigned LDAP queries against AD (over port 389) will be disabled by default. You'll still be able to override that using registry keys or group policy, but the best advice is to configure all LDAP clients to use encrypted, signed LDAPS queries (over port 636).
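One way to prepare for that change, as an added example that is not from the ISC diary or from Microsoft's article: a PowerShell snippet, run in an elevated session on a domain controller, that reads the registry values governing LDAP signing and channel binding and lists Directory Service event 2889 entries, which identify clients still performing unsigned or cleartext binds. The registry value names, their meanings and the event IDs are taken from Microsoft's documentation; the 500-event limit and the output layout are choices made here.

```powershell
# Added example (not from the ISC diary or Microsoft's article).
# Inventory a DC's LDAP signing / channel binding settings and the clients
# that would break once signing is required. Run elevated on the DC.
#
# Value meanings (per Microsoft documentation):
#   LDAPServerIntegrity       1 = None, 2 = Require signing
#   LdapEnforceChannelBinding 0 = Never, 1 = When supported, 2 = Always

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$p    = Get-ItemProperty -Path $ntds -ErrorAction Stop

# A missing value behaves like the current default (no signing, no CBT).
$signing = if ($null -ne $p.LDAPServerIntegrity)       { $p.LDAPServerIntegrity }       else { 1 }
$cbt     = if ($null -ne $p.LdapEnforceChannelBinding) { $p.LdapEnforceChannelBinding } else { 0 }

[pscustomobject]@{
    LDAPServerIntegrity       = $signing
    SigningRequired           = ($signing -eq 2)
    LdapEnforceChannelBinding = $cbt
    ChannelBindingAlways      = ($cbt -eq 2)
} | Format-List

# Event 2887 (logged daily) gives a count of unsigned/cleartext binds in the
# last 24 hours; event 2889 names each client (IP and identity) but is only
# written when "16 LDAP Interface Events" diagnostic logging is set to 2 under
# HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
$filter = @{ LogName = 'Directory Service'; Id = 2887, 2889 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Detail = ($_.Message -split "`n")[0..3] -join ' '   # first lines hold the client info
        }
    } | Format-Table -AutoSize
```

The point of listing event 2889 before flipping the setting is that every client it names is one that will stop authenticating when unsigned binds are refused; migrating those to LDAPS on 636 (or to signed SASL binds) first avoids the outage the diary title alludes to.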

Source: SANS Internet storm center

Link: https://isc.sans.edu/forums/diary/March+Patch+Tuesday+is+Coming+the+LDAP+Changes+will+Change+Your+Life/25796/

Link: https://support.microsoft.com/en-gb/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows


Malware analysis: Malspam pushes Ursnif through Italian language Word docs

For the past two weeks or so, I haven't found any malspam using password-protected zip archives with Word documents having macros for Ursnif. However, on Tuesday 2020-02-11, malspam from this campaign has resumed. This time, it used Italian language Word documents with macros for Ursnif.

Source: SANS Internet storm center

Link: https://isc.sans.edu/forums/diary/Malpsam+pushes+Ursnif+through+Italian+language+Word+docs/25792/