Warning: Citrix ShareFile Flaw Could Let Attackers Steal Corporate Secrets
For the past few weeks, software giant Citrix has privately been rolling out a critical software update to its enterprise customers that patches multiple security vulnerabilities affecting the Citrix ShareFile content collaboration platform. The security advisory, about which The Hacker News learned from Dimitri van de Giessen, an ethical hacker and system engineer, is scheduled to be published on the Citrix website later today.
Citrix ShareFile is an enterprise file-sharing solution through which employees can securely exchange proprietary and sensitive business data with each other.
The software offers an on-premises secure cloud environment for data storage with auditing capabilities and regulatory compliance controls. For example, a company can remotely lock or wipe data from mobile devices that are potentially compromised, lost, or stolen.
The newly identified security issues (CVE-2020-7473; Citrix bulletin CTX269106) specifically affect customer-managed, on-premises Citrix ShareFile storage zone controllers, the component that stores corporate data behind the firewall.
Source: The hacker news / Citrix security bulletin
Link: https://thehackernews.com/2020/05/citrix-sharefile-vulnerability.html
Link: https://support.citrix.com/article/CTX269106
New Malware Jumps Air-Gapped Devices by Turning Power-Supplies into Speakers
Cybersecurity researcher Mordechai Guri from Israel’s Ben Gurion University of the Negev recently demonstrated a new kind of malware that could be used to covertly steal highly sensitive data from air-gapped and audio-gapped systems using a novel acoustic quirk in power supply units that come with modern computing devices.
Dubbed ‘POWER-SUPPLaY,’ the latest research builds on a series of techniques leveraging electromagnetic, acoustic, thermal, optical covert channels, and even power cables to exfiltrate data from non-networked computers.
“Our developed malware can exploit the computer power supply unit (PSU) to play sounds and use it as an out-of-band, secondary speaker with limited capabilities,” Dr. Guri outlined in a paper published today and shared with The Hacker News.
Source: The hacker news / Securityweek
Link: https://thehackernews.com/2020/05/air-gap-malware-power-speaker.html
Link: https://www.securityweek.com/power-supply-can-turn-speaker-data-exfiltration-over-air-gap
Critical SaltStack RCE Bug (CVSS Score 10) Affects Thousands of Data Centers
Two severe security flaws have been discovered in the open-source SaltStack Salt configuration framework that could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments. The vulnerabilities, rated CVSS 10, were identified by F-Secure researchers earlier this March and disclosed on Thursday, a day after SaltStack released a patch (version 3000.2) addressing the issues.
“The vulnerabilities, allocated CVE IDs CVE-2020-11651 and CVE-2020-11652, are of two different classes,” the cybersecurity firm said.
“One being authentication bypass where functionality was unintentionally exposed to unauthenticated network clients, the other being directory traversal where untrusted input (i.e., parameters in network requests) was not sanitized correctly allowing unconstrained access to the entire filesystem of the master server.”
Source: The hacker news / Threatpost / Securityweek
Link: https://thehackernews.com/2020/05/saltstack-rce-vulnerability.html
Link: https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/
Link: https://www.securityweek.com/critical-vulnerability-salt-requires-immediate-patching
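The second of the two Salt bugs is a directory traversal: a client-supplied path was joined onto the master's file root without a containment check. The following is an added illustration of that vulnerability class and its fix, written for this digest; it is not Salt's code and does not reproduce the actual vulnerable function. The file root /srv/salt is only an assumed stand-in, and the request paths are constructed, not captured exploit traffic.

```python
import posixpath

# Assumed file root of a Salt master; a stand-in value for the example only.
FILE_ROOT = "/srv/salt"


def naive_join(base, user_path):
    """Vulnerable pattern: the client-supplied path is joined and normalised but
    never checked for containment, so '..' segments (or an absolute path) walk
    straight out of the file root."""
    return posixpath.normpath(posixpath.join(base, user_path))


def contained_join(base, user_path):
    """Hardened pattern: reject absolute paths and NUL bytes, normalise, then
    require that the result still lives under base. Returns None on escape.
    This is a lexical check only; on a live filesystem also resolve symlinks
    (os.path.realpath) on both sides before comparing."""
    if posixpath.isabs(user_path) or "\x00" in user_path:
        return None
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    # commonpath compares whole components, so '/srv/saltx/...' is not accepted
    # as a child of '/srv/salt' the way a plain string-prefix test would allow.
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def escaping_requests(base, requested_paths):
    """Detection helper: given paths pulled from request logs, return those the
    hardened join would refuse, i.e. traversal attempts worth alerting on."""
    return [p for p in requested_paths if contained_join(base, p) is None]


if __name__ == "__main__":
    # Constructed request paths, not taken from any real exploit traffic.
    requests = ["top.sls", "web/../top.sls", "../../etc/passwd", "/etc/shadow", "../saltx/x"]
    for p in requests:
        print(f"{p!r:20} naive={naive_join(FILE_ROOT, p)!r:22} hardened={contained_join(FILE_ROOT, p)!r}")
```

The check deliberately compares whole path components rather than string prefixes; a prefix test would let a sibling directory such as /srv/saltx pass as if it were inside /srv/salt.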
Hackers Breach LineageOS, Ghost, DigiCert Servers Using SaltStack Vulnerability
Days after cybersecurity researchers sounded the alarm over two critical vulnerabilities in the SaltStack configuration framework, a hacking campaign has already begun exploiting the flaws to breach servers of LineageOS, Ghost, and DigiCert.
Tracked as CVE-2020-11651 and CVE-2020-11652, the disclosed flaws could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments. The issues were fixed by SaltStack in a release published on April 29th.
“We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours,” F-Secure researchers had previously warned in an advisory last week.
Source: The hacker news / Dark reading / Threatpost / Security week / Bleeping computer / GHOST org
Link: https://thehackernews.com/2020/05/saltstack-rce-exploit.html
Link: https://status.ghost.org
Targeted Phishing Attacks Successfully Hacked Top Executives At 150+ Companies
In the last few months, multiple groups of attackers successfully compromised corporate email accounts of at least 156 high-ranking officers at various firms based in Germany, the UK, Netherlands, Hong Kong, and Singapore.
Dubbed ‘PerSwaysion,’ the newly spotted cyberattack campaign leveraged Microsoft file-sharing services—including Sway, SharePoint, and OneNote—to launch highly targeted phishing attacks.
According to a report the Group-IB Threat Intelligence team published today and shared with The Hacker News, PerSwaysion operations attacked executives of more than 150 companies around the world, primarily businesses in the finance, law, and real estate sectors.
Source: The hacker news / Threatpost / Security week / Bleeping computer
Link: https://thehackernews.com/2020/04/targeted-phishing-attacks-successfully.html
Link: https://threatpost.com/microsoft-sway-abused-office-365-phishing-attack/155366/
Link: https://www.securityweek.com/sophisticated-phishing-kit-used-multiple-groups-target-executives
How Cybercriminals are Weathering COVID-19
In many ways, the COVID-19 pandemic has been a boon to cybercriminals: With unprecedented numbers of people working from home and anxious for news about the virus outbreak, it’s hard to imagine a more target-rich environment for phishers, scammers and malware purveyors. In addition, many crooks are finding the outbreak has helped them better market their cybercriminal wares and services. But it’s not all good news: The Coronavirus also has driven up costs and disrupted key supply lines for many cybercriminals. Here’s a look at how they’re adjusting to these new realities.
Source: Krebs on security / Dark reading
Link: https://krebsonsecurity.com/2020/04/how-cybercriminals-are-weathering-covid-19/
Oracle: Unpatched Versions of WebLogic App Server Under Active Attack
Oracle is urging customers to fast-track a patch for a critical flaw in its WebLogic Server that is under active attack. The remote code execution flaw, CVE-2020-2883, was patched in Oracle's April 2020 Critical Patch Update, but proof-of-concept exploit code was published shortly after, and the company says it has received numerous reports of attackers targeting the vulnerability. Oracle WebLogic Server is a popular application server used to build and deploy enterprise Java EE applications; the flaw can be exploited by unauthenticated attackers to take over unpatched systems.
Source: Threatpost / Securityweek
Link: https://threatpost.com/oracle-unpatched-versions-of-weblogic-app-server-under-active-attack/155420/
Link: https://www.securityweek.com/oracle-says-hackers-targeting-recently-patched-vulnerabilities
Microsoft Teams Impersonation Attacks Flood Inboxes
A convincing cyberattack that impersonates notifications from Microsoft Teams in order to steal the Office 365 credentials of employees is making the rounds, according to researchers. Two separate attacks have targeted as many as 50,000 different Teams users, according to findings from Abnormal Security. The news comes as the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about Office 365 remote-work deployments. “CISA continues to see instances where entities are not implementing best security practices in regard to their O365 implementation, resulting in increased vulnerability to adversary attacks,” the agency said.
Source: Threatpost / Dark reading / Securityweek / Bleeping computer
Link: https://threatpost.com/microsoft-teams-impersonation-attacks/155404/
Link: https://www.darkreading.com/cloud/fake-microsoft-teams-emails-phish-for-credentials/d/d-id/1337717
Link: https://www.securityweek.com/dhs-reiterates-recommendations-securing-office-365
Google Android RCE Bug Allows Attacker Full Device Access
Google has patched a vulnerability in its Android OS that could allow attackers to completely take over someone's device to install programs, steal or change data, or create new accounts with full privileges. The flaw (CVE-2020-0103) was one of 39 vulnerabilities, spread across various Android components and affecting builds on older security patch levels, that the company fixed in its latest security update, according to a security bulletin published Monday. The vulnerabilities pose a high risk for consumers as well as business and government users, the company said. The most critical of them, found in the System component of Android, could allow for remote code execution (RCE), depending on the existing privileges on the device, according to Google.
Source: Threatpost / Securityweek / ANDROID security bulletin
Link: https://threatpost.com/google-android-rce-bug-full-device-access/155460/
Link: https://www.securityweek.com/androids-may-2020-patches-fix-critical-system-vulnerability
Link: https://source.android.com/security/bulletin/2020-05-01
Malware in Google Apps
Interesting story of malware hidden in Google Apps. This particular campaign is tied to the government of Vietnam.
Source: Bruce Schneier on security / WIRED
Link: https://www.schneier.com/blog/archives/2020/05/malware_in_goog_1.html
Link: https://www.wired.com/story/phantomlance-google-play-malware-apt32/
New ‘Kaiji’ Botnet Attacks Linux, IoT Devices via SSH Brute Force
A recently identified botnet built in the Go (Golang) programming language is targeting Linux systems, including Internet of Things (IoT) devices, using a custom implant, Intezer reports. The botnet, which security researcher MalwareMustDie named Kaiji, is of Chinese origin and spreads exclusively via SSH brute-force attacks, targeting the root user only. Designed to launch distributed denial-of-service (DDoS) attacks, the malware requires root access to craft custom network packets and operate unhindered. Kaiji, Intezer explains, can launch a multitude of DDoS attack types, including ipspoof and synack floods, and also includes an SSH brute-forcer module to spread, plus a second SSH spreader that hijacks local SSH keys to infect hosts the compromised server has connected to in the past.
Source: Securityweek / Threatpost
Link: https://www.securityweek.com/new-kaiji-botnet-attacks-linux-iot-devices-ssh-brute-force
Link: https://threatpost.com/kaiji-botnet-iot-linux-devices/155463/
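Because Kaiji spreads only by password-guessing the root account over SSH, the footprint it leaves in sshd logs is distinctive: a burst of failed root password logins from one source, then an accepted one. The detection logic below is an added example written for this digest, not code from Intezer or any other source cited above. The auth.log excerpt is constructed, with documentation-range addresses, and the threshold of five failures is an arbitrary assumption to be tuned per environment.

```python
import re
from collections import Counter

# Constructed OpenSSH auth.log excerpt (not from any real incident). The first
# source hammers root with passwords and eventually gets in.
SAMPLE_AUTH_LOG = """\
May  4 10:01:02 edge sshd[2001]: Failed password for root from 203.0.113.7 port 51122 ssh2
May  4 10:01:03 edge sshd[2002]: Failed password for root from 203.0.113.7 port 51123 ssh2
May  4 10:01:04 edge sshd[2003]: Failed password for root from 203.0.113.7 port 51124 ssh2
May  4 10:01:05 edge sshd[2004]: Failed password for root from 203.0.113.7 port 51125 ssh2
May  4 10:01:06 edge sshd[2005]: Failed password for root from 203.0.113.7 port 51126 ssh2
May  4 10:01:09 edge sshd[2006]: Accepted password for root from 203.0.113.7 port 51127 ssh2
May  4 10:02:00 edge sshd[2010]: Failed password for alice from 198.51.100.9 port 40000 ssh2
May  4 10:02:30 edge sshd[2011]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
May  4 10:03:00 edge sshd[2012]: Failed password for invalid user admin from 192.0.2.5 port 3333 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip>" line.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_sshd(log_text):
    """Return one dict per recognised sshd auth line, in file order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def password_failures(events, user="root"):
    """Count failed password attempts against `user`, per source address."""
    return Counter(e["src"] for e in events
                   if e["result"] == "Failed" and e["method"] == "password" and e["user"] == user)


def brute_force_sources(events, user="root", threshold=5):
    """Sources with at least `threshold` failed password logins for `user`."""
    return {src: n for src, n in password_failures(events, user).items() if n >= threshold}


def successful_after_brute_force(events, user="root", threshold=5):
    """High-confidence pattern: an accepted password login for `user` from a
    source that had already failed `threshold` or more times. Returns the
    offending sources in order of first success."""
    fails = Counter()
    hits = []
    for e in events:
        if e["user"] != user or e["method"] != "password":
            continue
        if e["result"] == "Failed":
            fails[e["src"]] += 1
        elif fails[e["src"]] >= threshold and e["src"] not in hits:
            hits.append(e["src"])
    return hits


if __name__ == "__main__":
    evs = parse_sshd(SAMPLE_AUTH_LOG)
    print("brute-force sources:", brute_force_sources(evs))
    print("root logged in after brute force from:", successful_after_brute_force(evs))
```

Run it against a real /var/log/auth.log (or journalctl -u ssh output) by passing the file contents to parse_sshd. The cheaper fix is to make the pattern impossible: set PermitRootLogin no and PasswordAuthentication no in sshd_config, which removes the only entry point Kaiji uses.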
SAP announces security issues in cloud-based product
German software maker SAP announced on Monday that it has started fixing security issues identified in several of its cloud-based products. The company discovered the problems during an internal review and has already begun eliminating the vulnerabilities; details of the flaws have not been disclosed. In an advisory this week, the company says that fixing the bugs "will largely be completed in the second quarter 2020."
Source: Bleeping computer
(Last) Week in Ransomware – May 1st 2020 – Banishing the Shade
For the victims of the Shade Ransomware, otherwise known as Troldesh, this was an excellent week as the threat actors released over 750,000 decryption keys for their victims.
The Shade operators claimed to have shut down their operation at the end of 2019 and decided to release all of the master and individual decryption keys so that victims could recover their files for free. Using these keys, Kaspersky has updated its ShadeDecryptor so that it can now decrypt the files of any user hit by the Shade Ransomware in the past.
Other news this week includes a pharmaceutical company named ExecuPharm, which filed a data breach notification after the actors behind the Clop Ransomware leaked stolen data.
Source: Bleeping computer / GitHub shade-team
Link: https://github.com/shade-team/keys/blob/master/README.md
GoDaddy Suffers Data Breach
Domain registrar and web-hosting company GoDaddy has notified an undisclosed number of its 19 million customers of a data breach. The security incident took place on October 19, 2019, but went undetected until April 23, 2020, when GoDaddy noticed some suspicious activity occurring on a subset of its servers. As a result of the episode, the web-hosting account credentials of an unknown number of customers have been compromised.
The impact of the breach could be far-reaching, since GoDaddy is the world's largest domain registrar, managing 77 million domains. The breach was confirmed in an email filed with the State of California Department of Justice and sent out to customers by GoDaddy CISO and vice president of engineering Demetrius Comes. According to Comes, an unauthorized individual accessed login information that customers use to connect to SSH (Secure Shell) on their hosting accounts.
In his message to affected customers, Comes described the known impact of the breach as minor, but said that an investigation into the incident had not yet reached a conclusion.
Source: Infosecurity magazine / Bleeping computer / Security week / Threatpost
Link: https://www.infosecurity-magazine.com/news/godaddy-suffers-data-breach/
Link: https://www.bleepingcomputer.com/news/security/godaddy-notifies-users-of-breached-hosting-accounts/
Link: https://www.securityweek.com/godaddy-informs-users-data-breach
Link: https://threatpost.com/godaddy-hack-breaches-hosting-account-credentials/155475/
Understanding NoSQL Injection and How to Prevent it
This article starts with "once upon a time", when I was learning MongoDB and thought that the schema-less feature could be more secure than SQL databases (SQL injections). So I migrated all my projects to MongoDB, and for the past few months I have been working on NoSQL injection and writing a series of tutorials on it.
Source: Secjuice / OWASP
Link: https://www.secjuice.com/nosql-injection/
Link: https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf
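The core NoSQL injection against MongoDB-backed logins is operator injection: where a JSON request body is passed straight into the query, an attacker replaces a string value with an operator object such as {"$ne": ""} and the equality check silently becomes "anything but empty". The following is an added example for this digest, not code from the Secjuice article or the OWASP slides linked above. It models a tiny subset of Mongo's query operators in pure Python so it runs offline; the USERS collection and the request bodies are constructed.

```python
import json
import re

# Constructed stand-in for a MongoDB users collection. Passwords are kept in
# clear text only to keep the example short; the injection does not depend on that.
USERS = [
    {"username": "alice", "password": "correct horse battery staple", "role": "user"},
    {"username": "admin", "password": "s3cret-admin-pw", "role": "admin"},
]


def _field_matches(value, condition):
    """Evaluate a small subset of MongoDB operators ($ne, $gt, $regex) against
    one field. A non-operator condition is a plain equality test, as in Mongo."""
    if isinstance(condition, dict):
        for op, arg in condition.items():
            if op == "$ne":
                if value == arg:
                    return False
            elif op == "$gt":
                if value is None or not value > arg:
                    return False
            elif op == "$regex":
                if value is None or not re.search(arg, str(value)):
                    return False
            else:
                raise ValueError(f"operator {op} not modelled")
        return True
    return value == condition


def find_one(collection, query):
    """Toy equivalent of collection.find_one(query)."""
    for doc in collection:
        if all(_field_matches(doc.get(k), v) for k, v in query.items()):
            return doc
    return None


def login_vulnerable(body_json):
    """Passes the parsed JSON straight into the query. Because JSON can carry
    objects, an attacker substitutes {"$ne": ""} for the password and matches."""
    body = json.loads(body_json)
    return find_one(USERS, {"username": body.get("username"), "password": body.get("password")})


def login_hardened(body_json):
    """Accepts only strings for both fields, so operator objects never reach
    the query and equality on a plain string is all the database will do."""
    body = json.loads(body_json)
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    return find_one(USERS, {"username": username, "password": password})


if __name__ == "__main__":
    # Constructed request bodies: one legitimate, two operator injections.
    for body in ['{"username": "alice", "password": "correct horse battery staple"}',
                 '{"username": "admin", "password": {"$ne": ""}}',
                 '{"username": {"$ne": ""}, "password": {"$ne": ""}}']:
        print(body, "->", login_vulnerable(body), "|", login_hardened(body))
```

The $regex branch is in the model because it is the second half of the attack: once {"$ne": ""} confirms the bypass, {"$regex": "^a"} style probes against the password field recover the stored value one character at a time, which is why the hardened version rejects any non-string rather than stripping particular operators.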
Secjuice Squeeze Volume 22
Welcome to the 22nd edition of the Secjuice Squeeze, a curated selection of interesting security articles and infosec news that you may have missed, lovingly prepared for you every week. This week’s volume compiled by Secjuice writers Sinwindie, Hartoyo Wahyu, and Miguel Calles.
Source: Secjuice
Link: https://www.secjuice.com/infosec-news-and-events-squeeze-vol-22/
Keeping an Eye on Malicious Files Life Time
We know that today's malware campaigns are based on fresh files. Each piece of malware has a unique hash, and that makes detection based on lists of hashes not very useful these days. But can we spot some malicious files coming on stage regularly or, suddenly, just popping up from nowhere? I'm using VirusTotal to hunt for malicious files based on a bunch of YARA rules and, via the VT API, everything is indexed into a Splunk instance.
Source: SANS internet storm center (Xavier Mertens)
Link: https://isc.sans.edu/forums/diary/Keeping+an+Eye+on+Malicious+Files+Life+Time/26092/
Cloud Security Features Don’t Replace the Need for Personnel Security Capabilities
We received excellent comments and a question regarding cloud security features from an ISC reader today that we thought was important to share broadly. We’d certainly like to open this up to reader comments, insights, and feedback.
Source: SANS internet storm center