Beyond Information Security

Warning — Two Unpatched Critical 0-Day RCE Flaws Affect All Windows Versions

Microsoft today issued a new security advisory warning billions of Windows users of two new critical, unpatched zero-day vulnerabilities that could let hackers remotely take complete control over targeted computers. According to Microsoft, both unpatched flaws are being used in limited, targeted attacks and impact all supported versions of the Windows operating system—including Windows 10, 8.1 and Server 2008, 2012, 2016, and 2019 editions, as well as Windows 7 for which Microsoft ended its support on January 14, 2020.

Source: The hacker news / Bleeping computer / Dark reading / Threatpost / Securityweek / Trendmicro / Infosecurity magazine / MS security advisory / SANS internet storm center

Link: https://thehackernews.com/2020/03/windows-adobe-font-vulnerability.html

Link: https://www.bleepingcomputer.com/news/security/microsoft-warns-of-hackers-exploiting-unpatched-windows-bugs/

Link: https://www.darkreading.com/vulnerabilities---threats/microsoft-publishes-advisory-for-windows-zero-day/d/d-id/1337387

Link: https://threatpost.com/microsoft-warns-of-critical-windows-zero-day-flaws/154040/

Link: https://www.securityweek.com/hackers-target-two-unpatched-flaws-windows-adobe-type-manager-library

Link: https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/microsoft-alerts-users-about-critical-font-related-remote-code-execution-vulnerability-in-windows

Link: https://www.infosecurity-magazine.com/news/microsoft-targeted-attackers-two/

Link: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006

Link: https://isc.sans.edu/forums/diary/Windows+Zeroday+Actively+Exploited+Type+1+Font+Parsing+Remote+Code+Execution+Vulnerability/25936/


TrickBot Mobile App Bypasses 2‐Factor Authentication for Net Banking Services

The malware authors behind TrickBot banking Trojan have developed a new Android app that can intercept one-time authorization codes sent to Internet banking customers via SMS or relatively more secure push notifications, and complete fraudulent transactions.

The Android app, called “TrickMo” by IBM X-Force researchers, is under active development and has exclusively targeted German users whose desktops have been previously infected with the TrickBot malware. “Germany is one of the first attack turfs TrickBot spread to when it first emerged in 2016,” IBM researchers said. “In 2020, it appears that TrickBot’s vast bank fraud is an ongoing project that helps the gang monetize compromised accounts.”

Source: The hacker news / Bleeping computer / Threatpost / Security intelligence

Link: https://thehackernews.com/2020/03/trickbot-two-factor-mobile-malware.html

Link: https://www.bleepingcomputer.com/news/security/trickbot-bypasses-online-banking-2fa-protection-via-mobile-app/

Link: https://threatpost.com/trickbot-app-bypasses-non-sms-banking-2fa/154080/

Link: https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/


Critical RCE Bug Affects Millions of OpenWrt-based Network Devices

A cybersecurity researcher today disclosed technical details and a proof-of-concept for a critical remote code execution vulnerability affecting OpenWrt, a widely used Linux-based operating system for routers, residential gateways, and other embedded devices that route network traffic. Tracked as CVE-2020-7982, the vulnerability resides in OpenWrt's OPKG package manager, in the way it performs integrity checking of downloaded packages using the SHA-256 checksums embedded in the signed repository index.

While an ‘opkg install’ command is invoked on the victim system, the flaw could allow a remote man-in-the-middle attacker in a position to intercept the communication of a targeted device to execute arbitrary code by tricking the system into installing a malicious package or software update without verification.

Source: The hacker news

Link: https://thehackernews.com/2020/03/openwrt-rce-vulnerability.html


Mukashi: A New Mirai IoT Botnet Variant Targeting Zyxel NAS Devices

A new version of the infamous Mirai botnet is exploiting a recently uncovered critical vulnerability in network-attached storage (NAS) devices in an attempt to remotely infect and control vulnerable machines. Called “Mukashi,” the new variant of the malware employs brute-force attacks using different combinations of default credentials to log into Zyxel NAS, UTM, ATP, and VPN firewall products to take control of the devices and add them to a network of infected bots that can be used to carry out Distributed Denial of Service (DDoS) attacks.

Multiple Zyxel NAS products running firmware versions up to 5.21 are vulnerable to the compromise, Palo Alto Networks’ Unit 42 global threat intelligence team said, adding they uncovered the first such exploitation of the flaw in the wild on March 12.

Source: The hacker news / Threatpost / Securityweek / Trendmicro

Link: https://thehackernews.com/2020/03/zyxel-mukashi-mirai-iot-botnet.html

Link: https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/

Link: https://www.securityweek.com/new-mirai-variant-delivered-zyxel-nas-devices-recently-patched-flaw

Link: https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/mirai-updates-new-variant-mukashi-targets-nas-devices-new-vulnerability-exploited-in-gpon-routers-upx-packed-fbot


Chinese Hackers Use Cisco, Citrix, Zoho Exploits In Targeted Attacks

The Chinese state-sponsored group APT41 has been at the helm of a range of attacks that used recent exploits to target security flaws in Citrix, Cisco, and Zoho appliances and devices of entities from a multitude of industry sectors spanning the globe. It is not known if the campaign that started in January 2020 was designed to take advantage of companies having to focus on setting up everything needed by their remote workers while in COVID-19 lockdown or quarantine but, as FireEye researchers found, the attacks are definitely of a targeted nature.

Source: Bleeping computer / Threatpost / Infosecurity magazine

Link: https://www.bleepingcomputer.com/news/security/chinese-hackers-use-cisco-citrix-zoho-exploits-in-targeted-attacks/

Link: https://threatpost.com/chinese-hackers-exploit-cisco-citrix-espionage/154133/

Link: https://www.infosecurity-magazine.com/news/apt41-exploited-cisco-citrix-and/


Adobe Fixes Critical Vulnerability in Creative Cloud Application

Adobe has released a security update for its Creative Cloud Desktop Application to fix a vulnerability that could allow attackers to delete files on a vulnerable computer. The Adobe Creative Cloud is an application suite consisting of numerous apps such as Photoshop, Premiere Pro, Illustrator, Adobe Acrobat, InDesign, Lightroom, and XD. Adobe normally releases its security updates on the second Tuesday of each month to align with Microsoft’s Patch Tuesday.

Source: Bleeping computer / Threatpost / Securityweek / Adobe security bulletin

Link: https://www.bleepingcomputer.com/news/security/adobe-fixes-critical-vulnerability-in-creative-cloud-application/

Link: https://threatpost.com/critical-adobe-flaw-out-of-band-security-update/154075/

Link: https://www.securityweek.com/critical-flaw-adobe-creative-cloud-app-allows-hackers-delete-files

Link: https://helpx.adobe.com/security/products/creative-cloud/apsb20-11.html


Tech Giant GE Discloses Data Breach After Service Provider Hack

Fortune 500 technology giant General Electric (GE) disclosed that personally identifiable information of current and former employees, as well as beneficiaries, was exposed in a security incident experienced by one of GE’s service providers. GE says in a notice of data breach filed with the Office of the California Attorney General that Canon Business Process Services (Canon), a GE service provider, had one of their employees’ email accounts breached by an unauthorized party in February. “We were notified on February 28, 2020 that Canon had determined that, between approximately February 3 – 14, 2020, an unauthorized party gained access to an email account that contained documents of certain GE employees, former employees and beneficiaries entitled to benefits that were maintained on Canon’s systems,” the notification says.

Source: Bleeping computer / Threatpost / Securityweek / Infosecurity magazine

Link: https://www.bleepingcomputer.com/news/security/tech-giant-ge-discloses-data-breach-after-service-provider-hack/

Link: https://threatpost.com/ge-employees-sensitive-hr-doc-breach/154136/

Link: https://www.securityweek.com/ge-says-some-employees-hit-data-breach-canon

Link: https://www.infosecurity-magazine.com/news/general-electric-employees/


Malware Disguised as Google Updates Pushed via Hacked News Sites

Hacked corporate sites and news blogs running the WordPress CMS are being used by attackers to deliver backdoor malware that allows them to drop several second-stage payloads such as keyloggers, info stealers, and Trojans. After gaining admin access to the compromised WordPress websites, the hackers inject malicious JavaScript code that will automatically redirect visitors to phishing sites. These landing pages are designed to look like a legitimate Google Chrome update page and are used by the attackers to instruct potential victims to download an update for their browser.

Source: Bleeping computer

Link: https://www.bleepingcomputer.com/news/security/malware-disguised-as-google-updates-pushed-via-hacked-news-sites/


HPE Warns of New Bug That Kills SSD Drives After 40,000 Hours

Hewlett Packard Enterprise (HPE) is once again warning its customers that certain Serial-Attached SCSI solid-state drives will fail after 40,000 hours of operation unless a critical patch is applied. The company made a similar announcement in November 2019, when a firmware defect produced failure after 32,768 hours of running. The current issue affects drives in HPE server and storage products such as HPE ProLiant, Synergy, Apollo 4200, Synergy Storage Modules, D3000 Storage Enclosure, and StoreEasy 1000 Storage.

Source: Bleeping computer / HPE Support Center

Link: https://www.bleepingcomputer.com/news/hardware/hpe-warns-of-new-bug-that-kills-ssd-drives-after-40-000-hours/

Link: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00097382en_us


Hackers Hijack Routers’ DNS to Spread Malicious COVID-19 Apps

A new cyber attack is hijacking routers’ DNS settings so that web browsers display alerts for a fake COVID-19 information app from the World Health Organization that is the Oski information-stealing malware. For the past five days, people have been reporting that their web browser would open on its own and display a message prompting them to download a ‘COVID-19 Inform App’ that was allegedly from the World Health Organization (WHO).

After further research, it was determined that these alerts were being caused by an attack that changed the DNS servers configured on their home D-Link or Linksys routers to use DNS servers operated by the attackers. As most computers use the IP address and DNS information provided by their router, the malicious DNS servers were redirecting victims to malicious content under the attacker’s control.

Source: Bleeping computer

Link: https://www.bleepingcomputer.com/news/security/hackers-hijack-routers-dns-to-spread-malicious-covid-19-apps/


Who’s Behind the ‘Web Listings’ Mail Scam?

In December 2018, KrebsOnSecurity looked at how dozens of U.S. political campaigns, cities and towns had paid a shady company called Web Listings Inc. after receiving what looked like a bill for search engine optimization (SEO) services rendered on behalf of their domain names. The story concluded that this dubious service had been scamming people and companies for more than a decade, and promised a Part II to explore who was behind Web Listings. What follows are some clues that point to a very convincing answer to that question.

Source: Krebs on security

Link: https://krebsonsecurity.com/2020/03/whos-behind-the-web-listings-mail-scam/


COVID-19: Getting Ready for the Next Business Continuity Challenge

Business continuity planning (or resiliency) consists of preparing for how to operate if we lose our technology, facilities, or people. During the COVID-19 pandemic, so far, we are mostly dealing with losing our facility and having to have employees work remotely. What could come next? How do we prepare to deal with a large portion of our workforce getting sick at the same time and requiring isolation?

Source: Dark reading / Helpnetsecurity

Link: https://www.darkreading.com/risk/covid-19-getting-ready-for-the-next-business-continuity-challenge/a/d-id/1337340

Link: https://www.helpnetsecurity.com/2020/03/25/business-continuity-pandemic/


FBI Warns of Fake CDC Emails in COVID-19 Phishing Alert

The FBI Internet Crime Complaint Center (IC3) issued an alert late last week to warn people of fake emails claiming to be from the Centers for Disease Control and Prevention (CDC) or other healthcare organizations, pretending to share information about the virus. Officials advise not to open attachments or click links in these emails, and to be wary of websites and apps that claim to track COVID-19 cases. Criminals are using such websites to infect and lock computers.

Source: Dark reading

Link: https://www.darkreading.com/attacks-breaches/fbi-warns-of-fake-cdc-emails-in-covid-19-phishing-alert/d/d-id/1337381


Hacking Voice Assistants with Ultrasonic Waves

I previously wrote about hacking voice assistants with lasers. Turns out you can do much the same thing with ultrasonic waves. Voice assistants — the demo targeted Siri, Google Assistant, and Bixby — are designed to respond when they detect the owner’s voice after noticing a trigger phrase such as ‘Ok, Google’. Ultimately, commands are just sound waves, which other researchers have already shown can be emulated using ultrasonic waves which humans can’t hear, providing an attacker has a line of sight on the device and the distance is short.

Source: Bruce Schneier on security

Link: https://www.schneier.com/blog/archives/2020/03/hacking_voice_a_1.html


NIST Updates Flagship SP 800-53 Security and Privacy Controls

The National Institute for Standards and Technology (NIST) has published the draft version of SP 800-53 (revision 5): Security and Privacy Controls for Information Systems and Organizations. This is the first update to SP 800-53 since revision 4 was published seven years ago, and reflects the major changes to the security landscape over the last few years.

Source: Securityweek / NIST

Link: https://www.securityweek.com/nist-updates-flagship-sp-800-53-security-and-privacy-controls

Link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5-draft.pdf


Remote Working Cybersecurity

Governments around the world recently began introducing previously unseen restrictions on the freedoms of individuals during peacetime with the aim of reducing the impact from the outbreak of novel Coronavirus COVID-19. These restrictions include travel bans, forced closure of businesses, mandatory isolation and generally encouraging people to stay at home. These changes are impacting the lives of millions across the world and they might just be impacting the cyber security landscape too because these new distancing measures have given flight to an unexpected social and economical experiment; millions working from home.

Source: Secjuice / Helpnet security / SANS internet storm center

Link: https://www.secjuice.com/covid-19-cyber-security/

Link: https://www.helpnetsecurity.com/2020/03/20/cybersecurity-working-remotely/

Link: https://isc.sans.edu/forums/diary/Another+Critical+COVID19+Shortage+Digital+Security/25940/


Secjuice Squeeze Volume 18

Welcome to the 18th edition of the Secjuice Squeeze, a curated selection of interesting security articles and infosec news that you may have missed, lovingly prepared for you every week. This week’s volume was compiled by Secjuice writers Mike Peterson, Manmeet Singh Bhatia, and Secprentice.

Source: Secjuice

Link: https://www.secjuice.com/secjuice-squeeze-volume-18/


Recent Dridex activity

This week, I’ve seen a lot of malicious spam (malspam) pushing Dridex malware. Today’s diary provides a quick rundown on the types of malspam I’ve seen, and it also covers what an infected Windows host looks like.

Source: SANS internet storm center

Link: https://isc.sans.edu/forums/diary/Recent+Dridex+activity/25944/


Very Large Sample as Evasion Technique?

Security controls have a major requirement: they can’t (or at least they try to not) interfere with normal operations of the protected system. It is known that antivirus products do not scan very large files (or just the first x bytes) for performance reasons. Can we consider a very big file as a technique to bypass security controls? Yesterday, while hunting, I spotted a very interesting malware sample. The malicious PE file was delivered via multiple stages but the final dropped file was large… very large!

Source: SANS internet storm center

Link: https://isc.sans.edu/forums/diary/Very+Large+Sample+as+Evasion+Technique/25948/