Weekly cyber-facts in review
18/04/21
Vulnerabilities In Review
3 | Weekly cyber-facts in review
Microsoft
This week Microsoft released its monthly bundle of patches for its products. The batch fixes more than 100 vulnerabilities, 5 of which were made public before
being patched. The release also includes fixes for 4 vulnerabilities under active exploitation by advanced threat actors against Exchange servers.
Chromium
During Pwn2Own, a hacking contest held last week in Texas (US), a critical vulnerability was found in Chromium-based browsers. The vulnerability allows
remote code execution through an issue in JavaScript libraries. It is partly mitigated by the built-in sandbox; even with that in place, security
researchers managed to trigger XSS (Cross-Site Scripting) attacks. So far, two exploits have been discovered.
Patches of the month
Along with Microsoft, SAP (Business Client, Commerce and NetWeaver) and Adobe (Photoshop, Bridge, Digital Editions and RoboHelp) released patches for multiple
products. The patches tackle vulnerabilities that could allow an attacker to take control of the affected systems.
Vulnerabilities in NAS
9 vulnerabilities were made public and patched in Synology NAS devices; they could allow an attacker to achieve remote code execution. At the same time, an
authentication bypass vulnerability was found in QNAP Surveillance Station (software that stores CCTV footage), which allows an attacker
to execute code.
Issues to keep in mind
5 | Weekly cyber-facts in review
The VPN siege
According to US agencies, the Russian Foreign Intelligence Service (SVR)
is currently exploiting vulnerabilities in VPN devices as part of a cyber-
espionage campaign.
The attack campaign consists of two phases: scanning and exploiting the
following assets:
• Fortigate VPN
• Synacor Zimbra Collaboration Suite
• Pulse Connect Secure VPN
• Citrix Application Delivery Controller & Gateway
• VMware Workspace ONE Access
The scanning and exploitation of vulnerabilities in VPN devices can be the first
phase of a cyberattack against any entity. With this action the attacker seeks to
establish an entry point into the victim's network. The objective is to reach the
internal network or to obtain credentials that also grant access through other
points, such as email or cloud infrastructure.
NAME:WRECK
Details of 9 vulnerabilities in DNS protocol implementations have been published, affecting
at least 4 TCP/IP stacks.
The vulnerabilities allow remote code execution (RCE), denial of service (DoS)
conditions and name-to-IP table poisoning (DNS poisoning). All of them are found in the
handling of the message compression scheme used in DNS (Domain Name System) requests
carried over TCP/IP. These compression routines contain errors in memory allocation,
input validation or parsing of incoming packets. The four stacks identified as
vulnerable are FreeBSD (v12.1), IPnet (VxWorks 6.6), NetX (v6.0.1) and
Nucleus NET (v4.3). The highest-scoring vulnerability allows a stack overflow that
leads to remote code execution.
An attacker could exploit these vulnerabilities to take control of systems, make network
users access malicious sites, or prevent them from reaching Internet resources by
domain name.
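The compression-pointer handling that NAME:WRECK targets can be decoded safely. As an added example (not code from the newsletter or from any of the affected stacks), this hypothetical Python decoder bounds-checks every read, rejects forward and looping pointers and caps the name length, which are the checks whose absence the vulnerabilities rely on; the sample packet is constructed.

```python
# Bounds-checked decoder for compressed DNS names (RFC 1035 section 4.1.4).
# Hypothetical defensive code, not taken from any of the stacks named above.
MAX_NAME = 255  # maximum encoded length of a name, root label included

def decode_name(msg: bytes, offset: int) -> tuple:
    """Return (dotted name, offset just after the name in the caller's stream).

    Every read is bounds-checked, each pointer must target an offset below every
    earlier pointer target, and the decoded size is capped, so a hostile packet
    raises ValueError instead of reading out of bounds or looping forever.
    """
    labels, total, end, lowest, pos = [], 0, None, offset, offset
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                 # compression pointer (11xxxxxx)
            if pos + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= lowest:                  # forward pointer or pointer loop
                raise ValueError("pointer does not point backwards")
            if end is None:                       # first pointer: caller resumes here
                end = pos + 2
            lowest = pos = target
            continue
        if length & 0xC0:                         # 01xxxxxx / 10xxxxxx are reserved
            raise ValueError("unsupported label type")
        if length == 0:                           # root label terminates the name
            return ".".join(labels) or ".", end if end is not None else pos + 1
        total += length + 1                       # length octet plus label bytes
        if total >= MAX_NAME:                     # leaves no room for the root label
            raise ValueError("name longer than 255 octets")
        if pos + 1 + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length

def rejects(msg: bytes, offset: int = 12) -> bool:
    """True if decode_name refuses the name at offset (UnicodeDecodeError is a ValueError)."""
    try:
        decode_name(msg, offset)
        return False
    except ValueError:
        return True

# Constructed sample: 12-byte header, "example.com" at offset 12, "www" plus a
# pointer to offset 12 at offset 25, and a bare pointer to offset 25 at offset 31.
SAMPLE = b"\x00" * 12 + b"\x07example\x03com\x00" + b"\x03www\xc0\x0c" + b"\xc0\x19"
```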
Phishing Campaigns in Review
A recent phishing campaign attacking MS Office 365 is using a clever trick to evade detection
A new phishing campaign targeting MS Office 365 credentials has been identified using a trick to evade detection: it builds the
fraudulent web page from chunks of HTML code stored both locally and remotely. Hidden inside are JavaScript files that fetch the fake login
interface and prompt the potential victim to type in their credentials.
A new phishing campaign impersonating Celsius has been identified attempting to steal cryptocurrency
Celsius Network is a cryptocurrency rewards platform. Celsius suffered a data breach via the compromise of a third-party marketing
server, which gave the attackers access to the customer list. Those customers were then targeted by a phishing campaign
impersonating Celsius, with which the attackers tried to steal cryptocurrency.
International Phishing Campaigns
Phishing campaign impersonating NFT marketplace is installing adware and cryptominers
Threat actors are trying to capitalize on NFT sales. To do so, attackers are typosquatting domain names impersonating the popular
NFT marketplace Rarible[.]com to lead victims to scams, malware and other unwanted content, such as cryptominers.
New phishing campaign luring victims with fake antivirus billing emails
Impersonating Microsoft, McAfee and Norton, cybercriminals are luring victims with fake antivirus billing renewals in a large-scale email
campaign.
National Phishing Campaigns
A phishing campaign pretending to be an online burofax is distributing droppers
With a nation-wide potential impact, a new phishing campaign pretending to be a “Burofax Online” is targeting different victims with fake
bills to trick them into downloading spyware.
Phishing campaign impersonating National Department of Traffic
It is not the first time that the Spanish National Department of Traffic (DGT) has been impersonated in phishing campaigns to
trick victims into downloading malware.
The most common technique used to trick users is to deliver a fake traffic ticket. Now, cybercriminals are renewing their tactics and are
delivering messages falsely warning victims about the expiration of their driver's license.
Malware in Review (1/2)
Slack and Discord have been infiltrated by threat
actors
Threat actors use Slack's and Discord's content distribution
networks to store malicious files loaded with trojans,
specifically Agent Tesla, which are distributed through
communication channels. The actors post malicious links that
download the files. They are using this technique to evade
security controls and distribute malware.
The Joker trojan has infected more than 500,000 mobile
devices
The Joker trojan, also known as Bread, has infected more than 500,000
Huawei Android devices through an infected application downloaded from
the AppGallery store. This trojan was first discovered in 2017, focusing on
SMS fraud. It is known for subscribing users to premium services by
requesting access to background apps to obtain the confirmation codes sent
by SMS for the subscription.
New backdoor used by Lazarus group
Analysis of an attack by the Lazarus group on a
South African transport company has uncovered a new
backdoor, called Vyveva. This group, also known as Hidden
Cobra, is backed by the North Korean government and operates
globally. The backdoor was first identified in December
2018.
Malware in Review (2/2)
Google websites used to distribute the Jupyter
trojan
Attackers are using Google SEO tactics to redirect users to
more than 100 thousand web pages under their control that
offer free corporate forms which, when downloaded, install
the Jupyter trojan, also known as SolarMarker. Google and
Microsoft have warned about this campaign.
Brata trojan
Numerous malware variants very similar to FluBot have been identified
targeting Android devices. Among these, BRATA stands out: a trojan
originating in Brazil that was identified in late 2018 and is being distributed
through the Google Play Store against users in the region. It also uses
phishing as an entry vector, through websites that impersonate financial
institutions from various countries, including Brazil, the United States and Spain.
New malware placed in an NPM package impersonating
Browserify
A new malicious package has been identified in the NPM
repository. It impersonates the popular Browserify library and
targets Node.js developers who use Linux and Apple macOS.
It contained the malware researchers tracked as "web-browserify".
Is IcedID the new EMOTET?
IcedID, the new EMOTET?
After the recent disruption suffered by EMOTET, researchers have found the trojan IcedID appearing to fill the void
left by EMOTET. IcedID (aka BokBot) was discovered in 2017 as a banking trojan; it has now been updated to also deploy second-
stage malware payloads, such as Trickbot, Qakbot and Ryuk ransomware. It can therefore be used to download additional modules
after infecting a device, steal credentials and information, and move laterally across the victims’ networks. It is using two different
entry vectors: a widespread email campaign using malicious Microsoft Excel attachments, and a phishing campaign that abuses
legitimate corporate contact forms to threaten enterprise targets with lawsuits.
Other cases
New fake profiles and a website used in a campaign
targeting cybersecurity researchers
Hackers behind a campaign identified and reported in January
have been observed adding new fake social media profiles and
a fraudulent website to lure more cybersecurity researchers.
The campaign was attributed to a government-backed North
Korean group.
CISA published additional details about malware
found in MS Exchange servers
CISA has published additional details about the malware used
on MS Exchange servers that were compromised by exploiting the
ProxyLogon vulnerabilities. It has revealed additional data
about the China Chopper web shells and the DearCry
ransomware, and has also included a malware analysis report.
Codecov suffers a supply chain attack
An attack on the supply chain has compromised Codecov's
Bash Uploader tool, exposing confidential information from
organizations around the globe since January. Codecov is a
tool that measures code test coverage.
Hackers increasingly using web shells to steal credit
cards
VISA warns that threat actors are increasingly deploying web
shells on compromised servers to exfiltrate customers' credit
card information. They inject credit card skimmers into hacked
online stores in web skimming attacks. This allows them to steal
payment and personal information and send it to servers
under their control.
Doom and Gloom
This week Aiuken Cybersecurity had access to a report which indicates that around 80% of utility operators in the USA do not sign their DNS records
(DNSSEC). DNSSEC is a security control that ensures that a company's name on the Internet resolves to the specific server the company intends. If it is
not enabled, miscreants could launch attacks that, for example, divert website visitors to malicious sites. The web is far from the only service that relies
on DNS: plenty of industrial and automation components and software rely on it to gather telemetry, send orders to components, and so on. If an attacker
manages to redirect a user to a malicious site, we face a nefarious action of limited scope and damage. But when a criminal manages to redirect the control
systems that operate a nuclear plant, the consequences automatically go "nuclear".
Since the SolarWinds attacks, cyberwarfare has reached a whole new level. Threat actors no longer seem to cover their tracks as well as before, and direct
attribution of offences is made more often. A missing BASIC control such as DNSSEC, in an era in which cyberattacks are part of the default "communication"
method with one's "not so friends", represents a high risk not only for any company that belongs to the group of strategic enterprises in its country, but
also for the whole country hosting that company. This lack also reveals the lack of concern among such companies.
Traditionally the USA has been seen as one of the references in cybersecurity worldwide. If we accept that as true, we should expect other NATO countries
to be in worse condition to respond to cyberattacks than the USA, and this also applies to security controls in DNS. In Europe, France is the country with
the most nuclear plants in the whole continent, Italian machinery moves the backbones of half the world, Spain provides warships and cars to the majority of
NATO countries...
In the upcoming years, if trends remain the same, the whole of society is going to witness an unprecedented escalation of violence. The companies that want
to escape future calamities in cyberspace and the real world will be forced to change their mindsets to avoid such "doom and gloom".
Calle Francisco Tomás y Valiente nº 2
Boadilla del Monte · 28660 Madrid (Spain)
Phone: +34 912 909 805
aiuken.com