Beyond Information Security

New Wi-Fi Encryption Vulnerability Affects Over A Billion Devices

Cybersecurity researchers today uncovered a new high-severity hardware vulnerability residing in the widely-used Wi-Fi chips manufactured by Broadcom and Cypress—apparently powering over a billion devices, including smartphones, tablets, laptops, routers, and IoT gadgets. Dubbed ‘Kr00k’ and tracked as CVE-2019-15126, the flaw could let nearby remote attackers intercept and decrypt some wireless network packets transmitted over-the-air by a vulnerable device. The attacker does not need to be connected to the victim’s wireless network and the flaw works against vulnerable devices using WPA2-Personal or WPA2-Enterprise protocols, with AES-CCMP encryption, to protect their network traffic.

Source: The hacker news / Threatpost / Dark reading / Securityweek / Helpnet security / ESET / Bleeping computer

Link: https://thehackernews.com/2020/02/kr00k-wifi-encryption-flaw.html

Link: https://threatpost.com/billions-of-devices-wifi-encryption-hack/153267/

Link: https://www.darkreading.com/vulnerabilities---threats/kr00k-wi-fi-vulnerability-affected-a-billion-devices/d/d-id/1337151

Link: https://www.securityweek.com/kr00k-vulnerability-exposed-data-over-billion-wi-fi-devices

Link: https://www.helpnetsecurity.com/2020/02/27/cve-2019-15126/

Link: https://www.eset.com/int/kr00k/

Link: https://www.bleepingcomputer.com/news/security/kr00k-bug-in-broadcom-cypress-wifi-chips-leaks-sensitive-info/

Link: https://www.bleepingcomputer.com/news/security/cisco-working-on-patches-for-new-kr00k-wifi-vulnerability/


New LTE Network Flaw Could Let Attackers Impersonate 4G Mobile Users

A group of academics from Ruhr University Bochum and New York University Abu Dhabi have uncovered security flaws in 4G LTE and 5G networks that could potentially allow hackers to impersonate users on the network and even sign up for paid subscriptions on their behalf. The impersonation attack — named “IMPersonation Attacks in 4G NeTworks” (or IMP4GT) — exploits the mutual authentication method used by the mobile phone and the network’s base station to verify their respective identities to manipulate data packets in transit.

Source: The hacker news / Securityweek / IMP4GT

Link: https://thehackernews.com/2020/02/lte-network-4g-vulnerability.html

Link: https://www.securityweek.com/mobile-networks-vulnerable-imp4gt-impersonation-attacks

Link: https://imp4gt-attacks.net


New OpenSMTPD RCE Flaw Affects Linux and OpenBSD Email Servers

OpenSMTPD has been found to contain yet another critical vulnerability that could allow remote attackers to take complete control over email servers running BSD or Linux operating systems. Discovered by experts at Qualys Research Labs, who also reported a similar RCE flaw in the email server application last month, the latest out-of-bounds read issue, tracked as CVE-2020-8794, resides in a component of OpenSMTPD’s client-side code that was introduced nearly 5 years ago. Just like the previous issue, which attackers started exploiting in the wild just a day after its public disclosure, the new OpenSMTPD flaw could also let remote hackers execute arbitrary commands on vulnerable servers with the privileges of either root or any non-root user.

Source: The hacker news / Bleeping computer / Securityweek

Link: https://thehackernews.com/2020/02/opensmtpd-email-vulnerability.html

Link: https://www.bleepingcomputer.com/news/security/new-critical-rce-bug-in-openbsd-smtp-server-threatens-linux-distros/

Link: https://www.securityweek.com/opensmtpd-vulnerability-leads-command-injection

Link: https://github.com/OpenSMTPD/OpenSMTPD/releases


Zyxel Fixes 0day in Network Storage Devices

Networking hardware vendor Zyxel today released an update to fix a critical flaw in many of its network attached storage (NAS) devices that can be used to remotely commandeer them. The patch comes 12 days after KrebsOnSecurity alerted the company that precise instructions for exploiting the vulnerability were being sold for $20,000 in the cybercrime underground.

Source: Krebs on security / Securityweek / CMU CERT

Link: https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/

Link: https://krebsonsecurity.com/2020/02/zyxel-0day-affects-its-firewall-products-too/

Link: https://www.securityweek.com/zyxel-patches-zero-day-vulnerability-network-storage-products

Link: https://www.securityweek.com/over-20-zyxel-firewalls-impacted-recent-zero-day-vulnerability

Link: https://www.kb.cert.org/vuls/id/498544/


ObliqueRAT: New RAT hits victims’ endpoints via malicious documents

Cisco Talos has observed a malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread a remote access trojan (RAT) we’re calling “ObliqueRAT.”

These maldocs use malicious macros to deliver the second-stage RAT payload. This campaign appears to target organizations in Southeast Asia. Network-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security.

Source: TALOS intelligence blog

Link: https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html


Sports Giant Decathlon Leaks 123 Million Records

French sporting retail giant Decathlon has become the latest big brand to expose user data via a misconfigured database, leaking over 123 million records including customer and employee information, according to researchers. A team at vpnMentor uncovered the 9GB database on an unsecured Elasticsearch server. It contained information from Decathlon’s Spanish, and potentially also its UK, businesses. “The leaked Decathlon Spain database contains a veritable treasure trove of employee data and more. It has everything that a malicious hacker would, in theory, need to use to take over accounts and gain access to private and even proprietary information,” said vpnMentor.

Source: Infosecurity magazine

Link: https://www.infosecurity-magazine.com/news/sports-giant-decathlon-leaks-123/


Squeeze Volume 14 – KidsGuard, VPN backdoors, Bluetooth, MGM & more!

Welcome to the 14th edition of the Secjuice Squeeze, where we present a selection of last week’s interesting infosec articles curated for your reading enjoyment in case you missed them!

Source: Secjuice

Link: https://www.secjuice.com/infosec-news-squeeze-vol-14/


Hackers Scanning for Vulnerable Microsoft Exchange Servers, Patch Now!

Attackers are actively scanning the Internet for Microsoft Exchange Servers vulnerable to the CVE-2020-0688 remote code execution vulnerability patched by Microsoft two weeks ago.

All Exchange Server versions up to the last released patch are exposed to potential attacks following these ongoing scans, including those currently out of support even though Microsoft’s security advisory doesn’t explicitly list them. The flaw is present in the Exchange Control Panel (ECP) component and it is caused by Exchange’s inability to create unique cryptographic keys when being installed.

Source: Bleeping computer / Helpnet security / Securityweek

Link: https://www.bleepingcomputer.com/news/security/hackers-scanning-for-vulnerable-microsoft-exchange-servers-patch-now/

Link: https://www.helpnetsecurity.com/2020/02/26/cve-2020-0688-exploitation/

Link: https://www.securityweek.com/hackers-looking-exchange-servers-affected-recently-patched-flaw


New Mozart Malware Gets Commands, Hides Traffic Using DNS

A new backdoor malware called Mozart is using the DNS protocol to communicate with remote attackers to evade detection by security software and intrusion detection systems.

Typically, when malware phones home to receive commands to execute, it does so over HTTP/S for ease of use and communication.

Using HTTP/S, though, has its drawbacks, as security software normally monitors this traffic for malicious activity. If detected, the security software will block the connection and the malware that performed the HTTP/S request. The new Mozart backdoor discovered by MalwareHunterTeam instead uses DNS to receive instructions from attackers and to evade detection.

Source: Bleeping computer

Link: https://www.bleepingcomputer.com/news/security/new-mozart-malware-gets-commands-hides-traffic-using-dns/


Offensive Tools Are For Blue Teams Too

Many offensive tools can be very useful for defenders too. Indeed, if they can help to gather more visibility about the environment that must be protected, why not use them? The more information you have, the more proactive you can be, and visibility is key. A good example is the combination of a certificate transparency list with a domain monitoring tool like Dnstwist: you could spot lookalike domains that have been registered and associated with an SSL certificate, which is a good indicator that an attack is being prepared (like a phishing campaign).

A tool that got more attention recently, even if it is not brand new, is “Amass” from the OWASP project. This tool is easy to install, easy to “Dockerise”, and there is also a package available on Kali. Amass is a reconnaissance tool that helps to gather information about your “target” if you’re on the Red side or, if you’re on the Blue side, to get an overview of your Internet exposure.
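One way to implement the certificate-transparency-plus-Dnstwist idea from the diary, as an added example that is neither the diary's nor the dnstwist project's code: a small dnstwist-style permutation generator for a protected domain, matched against a constructed list of CT log entries to flag lookalikes that just obtained a certificate. The function names `permutations` and `matches_in_ct`, the `CT_SAMPLE` entries and the homoglyph table are assumptions made for this example.

```python
# Added example: dnstwist-style lookalike generation matched against CT entries.
# CT_SAMPLE below is constructed for illustration; a real monitor would pull
# entries from a certificate-transparency log feed instead.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}

def permutations(domain):
    """Return a set of typosquat-style variants of `domain` (name.tld)."""
    name, tld = domain.rsplit(".", 1)
    out = set()
    # character omission: examle.com
    for i in range(len(name)):
        out.add(f"{name[:i]}{name[i+1:]}.{tld}")
    # adjacent transposition: examlpe.com
    for i in range(len(name) - 1):
        out.add(f"{name[:i]}{name[i+1]}{name[i]}{name[i+2:]}.{tld}")
    # homoglyph substitution: examp1e.com
    for i, ch in enumerate(name):
        if ch in HOMOGLYPHS:
            out.add(f"{name[:i]}{HOMOGLYPHS[ch]}{name[i+1:]}.{tld}")
    # hyphenated lookalikes often used in phishing: example-login.com
    for word in ("login", "secure", "mail"):
        out.add(f"{name}-{word}.{tld}")
        out.add(f"{word}-{name}.{tld}")
    out.discard(domain)  # the legitimate domain is never a hit
    return out

def matches_in_ct(domain, ct_entries):
    """Return (certified name, issue date) for CT entries naming a lookalike."""
    variants = permutations(domain)
    hits = []
    for entry in ct_entries:
        for san in entry["names"]:
            base = san[2:] if san.startswith("*.") else san  # strip wildcard
            if base in variants:
                hits.append((san, entry["issued"]))
                break  # one hit per certificate is enough to alert
    return hits

# Constructed CT entries (not real certificates or real log data)
CT_SAMPLE = [
    {"names": ["examp1e.com", "www.examp1e.com"], "issued": "2020-02-25"},
    {"names": ["unrelated.org"], "issued": "2020-02-25"},
    {"names": ["*.example-login.com"], "issued": "2020-02-26"},
    {"names": ["example.com"], "issued": "2020-02-26"},
]

if __name__ == "__main__":
    for san, issued in matches_in_ct("example.com", CT_SAMPLE):
        print(f"lookalike domain certified: {san} (issued {issued})")
```

Each hit is a domain worth watching or reporting before it is used in a campaign; the legitimate domain and unrelated names are ignored.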

Source: SANS Internet storm center

Link: https://isc.sans.edu/forums/diary/Offensive+Tools+Are+For+Blue+Teams+Too/25842/


#RSA Conference – ‘Cloud Snooper’ Attack Circumvents AWS Firewall Controls

A recently spotted targeted attack employed a rootkit to sneak malicious traffic through the victim organization’s AWS firewall and drop a remote access Trojan onto its cloud-based servers. Researchers at Sophos discovered the attack while inspecting infected Linux and Windows EC2-based cloud infrastructure servers running in Amazon Web Services (AWS). The attack, which Sophos says is likely the handiwork of a nation-state, uses a rootkit that not only gave the attackers remote control of the servers but also provided a conduit for the malware to communicate with their command-and-control servers. According to Sophos, the rootkit could also allow the C2 servers to remotely control servers physically located in the organization.

Source: Dark reading / SOPHOS blog

Link: https://www.darkreading.com/cloud/cloud-snooper-attack-circumvents-aws-firewall-controls/d/d-id/1337171

Link: https://news.sophos.com/en-us/2020/02/25/cloud-snooper-attack-bypasses-firewall-security-measures/


#RSA Conference: How to Hack Society (Bruce Schneier)

The method, procedures, and practices used by cybersecurity professionals have relevance beyond just the technology sphere; they can also be used to hack society. That’s the view espoused by Bruce Schneier, security technologist, researcher, and lecturer at the Harvard Kennedy School, during a keynote session at the RSA Conference in San Francisco.

Source: Infosecurity magazine

Link: https://www.infosecurity-magazine.com/news/rsac-how-to-hack-society/


Data Breach Occurs at Agency in Charge of Secure White House Communications

Hackers have compromised the Department of Defense (DoD) agency in charge of securing and managing communications for the White House, leaking personally identifiable information (PII) of employees and leading to concerns over the safety of the communications of top-level U.S. officials in the run-up to the 2020 presidential election.

Source: Threatpost / Infosecurity magazine

Link: https://threatpost.com/data-breach-occurs-at-agency-in-charge-of-secure-white-house-communications/153160/

Link: https://www.infosecurity-magazine.com/news/us-defense-agency-notifies-users/


Active Attacks Target Popular Duplicator WordPress Plugin

Active exploits are targeting a recently patched flaw in the popular WordPress plugin Duplicator, which has more than 1 million active installations. So far, researchers have seen 60,000 attempts to harvest sensitive information from victims.

Duplicator is essentially a simple backup and site migration utility. It gives WordPress site administrators the ability to migrate, copy, move or clone a site. WordPress says that Duplicator has been downloaded more than 15 million times and is in active use for over one million sites. Unfortunately, Duplicator prior to version 1.3.28 and Duplicator Pro prior to version 3.8.7.1 contain an unauthenticated arbitrary file download vulnerability. According to a writeup from Tenable, “an unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a WordPress site using the vulnerable version of the Duplicator plugin.”

Source: Threatpost / Bleeping computer

Link: https://threatpost.com/active-attacks-duplicator-wordpress-plugin/153138/

Link: https://www.bleepingcomputer.com/news/security/multiple-wordpress-plugin-vulnerabilities-actively-being-attacked/


Firefox Enables DNS over HTTPS

Whenever you visit a website — even if it’s HTTPS enabled — the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. DNS-over-HTTPS, or DoH, encrypts the request so that it can’t be intercepted or hijacked in order to send a user to a malicious site.

Source: Bruce Schneier on security / Securityweek / The hacker news / Bleeping computer

Link: https://www.schneier.com/blog/archives/2020/02/firefox_enables.html

Link: https://www.securityweek.com/firefox-gets-dns-over-https-default-us

Link: https://thehackernews.com/2020/02/firefox-dns-over-https.html

Link: https://www.bleepingcomputer.com/news/software/mozilla-enables-dns-over-https-by-default-for-all-usa-users/


Quick look at a couple of current online scam campaigns

Since I was exposed to three different online scam campaigns in the last three weeks, without having to go out and search for them, I thought that today might be a good time to take a look at how some of the current online scams work. All of the campaigns we’ll mention seemed to target people in the Czech Republic, although not exclusively, as one of the landing pages I found had at least 20 different regional variants set up for countries from all over the world. In cases where I was unable to find an English version of a page, I had Chrome translate it – the results are not always pretty, but should be sufficient for our purposes.

Source: SANS Internet storm center

Link: https://isc.sans.edu/forums/diary/Quick+look+at+a+couple+of+current+online+scam+campaigns/25838/


DoppelPaymer Hacked Bretagne Télécom Using the Citrix ADC Flaw

Cloud services provider Bretagne Télécom was hacked by the threat actors behind the DoppelPaymer Ransomware using an exploit that targeted servers unpatched against the CVE-2019-19781 vulnerability.

Source: The hacker news

Link: https://www.bleepingcomputer.com/news/security/doppelpaymer-hacked-bretagne-t-l-com-using-the-citrix-adc-flaw/


Threat Source newsletter (Feb. 27, 2020)

As always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Source: TALOS intelligence blog

Link: https://blog.talosintelligence.com/2020/02/threat-source-newsletter-feb-27-2020.html


Hacking and targeted cyber-attacks as a result of anti-competitive practices in business

Attackers have many means to infiltrate companies. However, many attacks don’t require a very high level of technological sophistication. Instead, techniques like targeted social engineering (i.e. spear phishing), or the use of known vulnerabilities for which patches have been issued but which businesses have not yet deployed, can lead to damaged reputation, lost revenue and data breaches.

Source: ESET blog

Link: https://www.eset.com/blog/enterprise/hacking-and-targeted-cyber-attacks-as-a-result-of-anti-competitive-practices-in-business/