Beyond Information Security

May 2020 Patch Tuesday: Microsoft fixes 111 vulnerabilities, 13 Critical

Today is Microsoft’s May 2020 Patch Tuesday, and many system administrators are working remotely, so please be patient as they may not be able to respond quickly.

With the release of the May 2020 Patch Tuesday security updates, Microsoft has released fixes for 111 vulnerabilities in Microsoft products. Of these vulnerabilities, 13 are classified as Critical, 91 as Important, 3 as Moderate, and 4 as Low. This month there are no zero-day or unpatched vulnerabilities.

Source: Bleeping computer / Threatpost / Krebs on security / Dark reading / Securityweek / TALOS intelligence blog / Helpnet security / SANS internet storm center

Link: https://www.bleepingcomputer.com/news/microsoft/may-2020-patch-tuesday-microsoft-fixes-111-vulnerabilities-13-critical/

Link: https://threatpost.com/microsoft-111-bugs-may-patch-tuesday/155669/

Link: https://krebsonsecurity.com/2020/05/microsoft-patch-tuesday-may-2020-edition/

Link: https://www.darkreading.com/threat-intelligence/microsoft-fixes-111-vulnerabilities-for-patch-tuesday/d/d-id/1337798

Link: https://www.securityweek.com/microsofts-may-2020-security-updates-patch-111-vulnerabilities

Link: https://blog.talosintelligence.com/2020/05/microsoft-patch-tuesday-may-2020.html

Link: https://www.helpnetsecurity.com/2020/05/12/may-2020-patch-tuesday/

Link: https://isc.sans.edu/forums/diary/Microsoft+May+2020+Patch+Tuesday/26114/


Adobe fixes critical vulnerabilities in Acrobat, Reader, and DNG SDK

Adobe has released security updates for Adobe Acrobat, Reader, and Adobe DNG Software Development Kit that resolve a combined total of thirty-six security vulnerabilities in the three products. Of the thirty-six vulnerabilities, sixteen are classified as ‘Critical’ as they allow code execution or the bypassing of security features. If you use any of these products, it is strongly suggested that you upgrade to the latest versions as soon as possible.

Source: Bleeping computer / Threatpost / Securityweek / TALOS intelligence blog / Adobe Security Bulletins and Advisories

Link: https://www.bleepingcomputer.com/news/security/adobe-fixes-critical-vulnerabilities-in-acrobat-reader-and-dng-sdk/

Link: https://threatpost.com/adobe-kills-16-critical-flaws-in-acrobat-and-reader-digital-negative-sdk/155652/

Link: https://www.securityweek.com/adobe-patches-36-vulnerabilities-acrobat-dng-sdk

Link: https://blog.talosintelligence.com/2020/05/vulnerability-spotlight-remote-code.html

Link: https://helpx.adobe.com/security.html


SAP May 2020 Security Patch Day delivers critical updates

Enterprise software maker SAP released its May security patches, which cover six critical issues in several of its products, three of them with a severity score very close to maximum.

All but one of these flaws are remotely exploitable, require no user interaction, and have a low attack complexity. Not all of them are new vulnerabilities, though; one of them is an update to a security note from April 2018.

These are different from the security issues the company announced last week, which impact cloud-based products and will get a fix before the end of the second quarter of the year.

Source: Bleeping computer

Link: https://www.bleepingcomputer.com/news/security/sap-may-2020-security-patch-day-delivers-critical-updates/


Unpatched Bugs in Oracle iPlanet Open Door to Info-Disclosure, Injection

CVE-2020-9315 and CVE-2020-9314 in iPlanet version 7 will not receive patches. A pair of vulnerabilities in Oracle’s iPlanet Web Server have been disclosed that can lead to sensitive data exposure and image injections onto web pages if exploited. However, no patch is forthcoming for either flaw. The bugs (CVE-2020-9315 and CVE-2020-9314) are specifically found in the web administration console of iPlanet version 7, which has reached end-of-life and is no longer supported – hence no patches.

Source: Threatpost

Link: https://threatpost.com/unpatched-bugs-oracle-iplanet/155639/


Cisco Patches High Severity Vulnerabilities in Security Products

Cisco Patches High Severity Vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD). Cisco this week released security updates to address more than 30 vulnerabilities in various products, including 12 high severity flaws impacting Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD).

The most important of these issues is tracked as CVE-2020-3187 (CVSS score of 9.1) and could be exploited to conduct directory traversal attacks and then read or delete sensitive files on a vulnerable system.

Source: Securityweek / Threatpost

Link: https://www.securityweek.com/cisco-patches-high-severity-vulnerabilities-security-products

Link: https://threatpost.com/cisco-fixes-high-severity-flaws-in-firepower-security-software-asa/155568/


Over 4000 Android Apps Expose Users’ Data via Misconfigured Firebase Databases

More than 4,000 Android apps that use Google’s cloud-hosted Firebase databases are ‘unknowingly’ leaking sensitive information on their users, including their email addresses, usernames, passwords, phone numbers, full names, chat messages and location data.

The investigation, led by Bob Diachenko from Security Discovery in partnership with Comparitech, is the result of an analysis of 15,735 Android apps, which comprise about 18 percent of all apps on Google Play store.

Source: The hacker news

Link: https://thehackernews.com/2020/05/android-firebase-database-security.html


7 New Flaws Affect All Thunderbolt-equipped Computers Sold in the Last 9 Years

A cybersecurity researcher today uncovered a set of 7 new unpatchable hardware vulnerabilities that affect all desktops and laptops sold in the past 9 years with Thunderbolt, or Thunderbolt-compatible USB-C ports. Collectively dubbed ‘ThunderSpy,’ the vulnerabilities can be exploited in 9 realistic evil-maid attack scenarios, primarily to steal data or read/write all of the system memory of a locked or sleeping computer—even when drives are protected with full disk encryption. In a nutshell, if you think someone with a few minutes of physical access to your computer—regardless of the location—can cause any form of significant harm to you, you’re at risk for an evil maid attack.

According to Björn Ruytenberg of the Eindhoven University of Technology, the ThunderSpy attack “may require opening a target laptop’s case with a screwdriver, [but] it leaves no trace of intrusion and can be pulled off in just a few minutes.”

Source: The hacker news / Bleeping computer / Dark reading / Threatpost / Bruce Schneier on security / Securityweek / Björn Ruytenberg blog

Link: https://thehackernews.com/2020/05/thunderbolt-vulnerabilities.html

Link: https://www.bleepingcomputer.com/news/security/new-thunderbolt-security-flaws-affect-systems-shipped-before-2019/

Link: https://www.darkreading.com/endpoint/thunderbolt-vulnerabilities-could-threaten-millions-of-pcs/d/d-id/1337789

Link: https://threatpost.com/millions-thunderbolt-devices-thunderspy-attack/155620/

Link: https://www.schneier.com/blog/archives/2020/05/attack_against_2.html

Link: https://www.securityweek.com/thunderspy-more-thunderbolt-flaws-expose-millions-computers-attacks

Link: https://thunderspy.io


This Asia-Pacific Cyber Espionage Campaign Went Undetected for 5 Years

An advanced group of Chinese hackers has recently been found to be behind a sustained cyber espionage campaign targeting government entities in Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar, and Brunei—which went undetected for at least five years and is still an ongoing threat. The group, named ‘Naikon APT,’ once known as one of the most active APTs in Asia until 2015, carried out a string of cyberattacks in the Asia-Pacific (APAC) region in search of geopolitical intelligence.

According to the latest investigation report Check Point researchers shared with The Hacker News, the Naikon APT group had not gone silent for the last 5 years, as initially suspected; instead, it was using a new backdoor, called “Aria-body,” to operate stealthily.

“Given the characteristics of the victims and capabilities presented by the group, it is evident that the group’s purpose is to gather intelligence and spy on the countries whose governments it has targeted,” the researchers said.

Source: The hacker news / Threatpost / Securityweek

Link: https://thehackernews.com/2020/05/asia-pacific-cyber-espionage.html

Link: https://threatpost.com/naikon-apt-five-year-espionage-attack/155492/

Link: https://www.securityweek.com/chinese-naikon-apt-rediscovered-after-new-five-year-stealth-campaign


An Undisclosed Critical Vulnerability Affects vBulletin Forums — Patch Now

If you are running an online discussion forum based on vBulletin software, make sure it has been updated to install a newly issued security patch that fixes a critical vulnerability.

Maintainers of the vBulletin project recently announced an important patch update but didn’t reveal any information on the underlying security vulnerability, identified as CVE-2020-12720. Written in the PHP programming language, vBulletin is a widely used Internet forum software that powers over 100,000 websites on the Internet, including forums for some Fortune 500 and many other top companies. Considering that the popular forum software is also one of the favorite targets for hackers, holding back details of the flaw could, of course, help many websites apply patches before hackers can exploit them to compromise sites, servers, and their user databases.

Source: The hacker news / Helpnet security / NIST national vulnerability database

Link: https://thehackernews.com/2020/05/vBulletin-access-vulnerability.html

Link: https://www.helpnetsecurity.com/2020/05/11/cve-2020-12720/

Link: https://nvd.nist.gov/vuln/detail/CVE-2020-12720


US govt shares list of most exploited vulnerabilities since 2016

US Government cybersecurity agencies and specialists today released a list of the top 10 routinely exploited security vulnerabilities between 2016 and 2019. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader US Government issued the AA20-133A alert through the National Cyber Awareness System to make it easier for organizations from the public and private sector to prioritize patching in their environments. “The public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date,” CISA said.

Source: Bleeping computer

Link: https://www.bleepingcomputer.com/news/security/us-govt-shares-list-of-most-exploited-vulnerabilities-since-2016/


(Last) Week in Ransomware – May 8th 2020 – Attacks Continue

Ransomware operators continue their worldwide attacks against healthcare organizations and businesses, while leaking the data of victims who do not pay a ransom.

The biggest news this week is the Toll Group getting hit by a ransomware attack for the second time in three months, Snake ransomware hitting healthcare orgs, and REvil leaking the legal documents for a law firm catering to celebrities. We also saw some interesting information come out about the TTPs for the Sodinokibi and Maze ransomware operations.

Source: Bleeping computer

Link: https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-may-8th-2020-attacks-continue/


WordPress Page Builder Plugin Bugs Threaten 1 Million Sites with Full Takeover

Severe CSRF to XSS bugs open the door to code execution and complete website compromise. Page Builder by SiteOrigin, a WordPress plugin with a million active installs that’s used to build websites via a drag-and-drop function, harbors two flaws that can allow full site takeover. According to researchers at WordPress, both security bugs can lead to cross-site request forgery (CSRF) and reflected cross-site scripting (XSS). They “allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser,” according to Wordfence researchers, in a Monday posting.

They assigned both flaws a severity rating of 8.8 out of 10, but no CVEs have yet been assigned.

Source: Threatpost / Bleeping computer / Securityweek / Infosecurity magazine

Link: https://threatpost.com/wordpress-page-builder-bugs-takeover/155659/

Link: https://www.bleepingcomputer.com/news/security/wordpress-plugin-bugs-can-let-hackers-take-over-almost-1m-sites/

Link: https://www.securityweek.com/nearly-1-million-wordpress-sites-targeted-old-vulnerabilities

Link: https://www.infosecurity-magazine.com/news/wordpress-plugin-bugs-expose-one/


Ransomware Hit ATM Giant Diebold Nixdorf

Diebold Nixdorf, a major provider of automatic teller machines (ATMs) and payment technology to banks and retailers, recently suffered a ransomware attack that disrupted some operations. The company says the hackers never touched its ATMs or customer networks, and that the intrusion only affected its corporate network.

Source: Krebs on security / Securityweek

Link: https://krebsonsecurity.com/2020/05/ransomware-hit-atm-giant-diebold-nixdorf/#more-51554

Link: https://www.securityweek.com/atm-maker-diebold-nixdorf-hit-ransomware


Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware

Fresenius, Europe’s largest private hospital operator and a major provider of dialysis products and services that are in such high demand thanks to the COVID-19 pandemic, has been hit in a ransomware cyber attack on its technology systems. The company said the incident has limited some of its operations, but that patient care continues.

Source: Krebs on security

Link: https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware/


Secjuice Squeeze Volume 23

Welcome to the 23rd edition of the Secjuice Squeeze, a curated selection of interesting security articles and infosec news that you may have missed, lovingly prepared for you every week. This week’s volume was compiled by Secjuice writers Mike Peterson, Sinwindie, Hartoyo Wahyu, Guise Bule and Miguel Calles.

Source: Secjuice

Link: https://www.secjuice.com/infosec-news-and-events-squeeze-vol-23/


Windows Forensics: Artifacts (2)

In this article we continue our digital forensics journey with Windows artifacts, so let’s jump right in and continue to look for artifacts in Windows! If you have not already read it, the first part of my guide can be found here, so do take a look before proceeding.

Source: Secjuice

Link: https://www.secjuice.com/windows-forensics-artifacts-2/

Link: https://www.secjuice.com/windows-forensics-artifacts/


Malspam with links to zip archives pushes Dridex malware

In recent weeks, I (Brad Duncan) continue to run across examples of malicious spam (malspam) pushing Dridex malware. While malspam pushing Dridex can use attachments (usually Excel spreadsheets with malicious macros), I tend to focus on malspam using links to zip archives for Dridex. Today’s diary provides a quick rundown of link-based Dridex activity on Tuesday, 2020-05-12.

Source: SANS internet storm center (Brad Duncan)

Link: https://isc.sans.edu/forums/diary/Malspam+with+links+to+zip+archives+pushes+Dridex+malware/26116/