Thunderbolt interface makes millions of PC’s in danger

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT)

It wasn’t really a news that Thunderbolt technology (USB-C) was vulnerable from years before, but now we got a demo from researcher which shows how Thunderbolt flaw allows access to a PC’s data in minutes.

More on this:

https://thunderspy.io/

https://www.wired.com/story/thunderspy-thunderbolt-evil-maid-hacking/

Top 5 Security links:

A bit of history or the 15 biggest data breaches of the 21st century

WordPress Page Builder Plugin Bugs Threaten 1 Million Sites with Full Takeover

Top 10 Routinely Exploited Vulnerabilities

Never, never pay to cybercriminals

The Confessions of the Hacker Who Saved the Internet

Woman holding laptop and media files

Zero click bugs in Apple operating systems

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

According to Google’s project zero there are vulnerabilities in Apples operating systems media managements. The vulnerabilities could let an attacker gain access by sending a specially crafted image or video to a target and no interaction would be needed from the user to be exploited.
The vulnerabilities was found using fuzzing techniques on previously found bugs, and the vulnerabilities they found have now been fixed.

More on this topic:

Google discloses zero-click bugs impacting several Apple operating systems

Top 5 Security links

CVE-2020-4415 – Stack-based Buffer Overflow vulnerability in IBM Spectrum Protect Server

Published: 2020-04-24
MITRE CVE-2020-4415

IBM Spectrum Protect server is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. This could allow a remote attacker to execute arbitrary code on the system with the privileges of an administrator or user associated with the Spectrum Protect server or cause the Spectrum Protect server to crash.”

CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179990 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

This vulnerability is remedied by upgrading to version 8.1.9.300 or 7.1.10.100. Basefarm recommends upgrading to these version as soon as possible, at least within a week. Internally in Basefarm this progress is tracked as BF-VLN-2031464. (update 2020-04-27, Basefarm has fully upgraded all IBM Spectrum Protect Servers.)

Unassisted iOS Attacks via MobileMail in the wild

There has been discovered a vulnerability in the default mail application (MobileMail) for iOS.

The vulnerability allows an attacker to send an email to a victim (you) and without any action from you, the email will launch code prepared by the attacker on your device.
The fix for this is not released yet, it has been released as a public Beta-version.
Basefarm has decided to block this app from getting more mail from Basefarms Exchange servers.

Researchers has found attacks in the wild, exploiting this vulnerability, back in January 2018 on iOS 11. They state it is likely that the same threat operators are actively abusing these vulnerabilities presently.

There has been no wide exploitation, this is likely due to the fact that this is high value exploit, and the attacker was trying to minimize the risk for detection. There has been targeted attacks towards executives and VIPs in large organizations, MSSPs in Saudi Arabia and Israel (this can be used to make assumptions on who the threat operator is.), a journalist in Europe, etc.

Now that the vulnerability is exposed the value of it is dropping by the minute, and the threat operator has no reason to hold back any more. There is now a race between them and getting fixes out to the users.

Internally in Basefarm the activity related to this vulnerability is tracked in BF-VLN-2031243.

See also:

https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/

Zoom faces a privacy and security backlash

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

The use of the Zoom video conference application has exploded in popularity amid the ongoing coronavirus pandemic but this has lead to the importance of scrutiny from a security and privacy perspective which as uncovered lots of privacy and security issues and even zero day vulnerabilities.
As result of this Zoom now faces a privacy and security backlash.

More on this topic:

Wired article on Zoom

Even Doc Searls has written a series of four posts about Zoom and privacy.

 

Top 5 Security links

In COVID-19 Scam Scramble, Cybercrooks Recycle Phishing Kits

Hackers Install Secret Backdoor on Thousands of Microsoft SQL Servers

Online Credit Card Skimmers Are Thriving During the Pandemic

‘Zombie’ Windows win32k bug reanimated by researcher

Privacy vs. Surveillance in the Age of COVID-19

Covid-19 phishing on the rise

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Criminals continue to use the covid-19 pandemic for personal gain and according to Barracuda networks the amount of phishing emails have spikes by over 650% since the end of February.

But even as the campaigns are revving up their attempts at tricking people, their attempts remain largely the same as before the pandemic started. The tools, methods and payloads stays pretty much the same, but now trying to leverage the fear and need for information during a crisis. The company proofpoint.com made en excellent one-slide summary of what is new seen below.

 

 

Top 5 Security links

ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability

Published: 2020-03-23
MITRE CVE-2020- (TBD)

Microsoft is warning about a vulnerability they have detected used in targeted attacks and that there is no patch for yet. No patch and detected in use, a place for the scary word “zero-day”, but this is not a tabloid.

“Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format.” This would not be so exciting if not document formats had the feature of including their own fonts in documents.

“There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.”

This affects Windows 10 (but read on), and all Windows Server from 2008 until 2019. Windows 10 has some mitigating features. As always, read the advisory for full details.

There exist no official patch for this as of now. There are some mitigations possible, like “Disable the Preview Pane and Details Pane in Windows Explorer”, “Disable the WebClient service” (WebDAV) and “Rename ATMFD.DLL”. Basefarm has not tested these and recommend everyone to have a test environment that resembles their production environment and test the mitigations before applying them.

Consider the usage of your servers, are there documents viewed on them? Are the documents from an unknown, potentially untrusted source? Do you value the integrity of that server and all it in turn has access too? It might be worth to consider implementing the mitigations. For many servers this use case is not a match and it is potentially better to wait for an official and tested patch.

Basefarm follows this vulnerability internally as BF-VLN-2011507 and asking our dedicated customer teams to follow up these recommendations.

Covid-19 forces changes

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Helpdesksecurity writes “A time of chaos is a time for opportunity for unscrupulous individuals and groups, and COVID-19 is seemingly an unmissable boon for cyber crooks.

We’ve already covered a variety of COVID-19-themed scams, phishing attempts, hoaxes and malware delivery campaigns, but new and inventive approaches are popping up daily.”

Top 5 Security links

Infosec preparedness during Covid-19 outbreak

Our customers’ business continuity is of paramount importance for Basefarm. We are fully aware that several of our clients provide services that are absolutely critical for our society. Basefarm is following the ongoing outbreak closely and is constantly considering the implications for secure operations for us and our customers.

There are several ways that this outbreak can affect secure operations. In short Basefarm recommends increased security awareness and consciousness, especially in regards to remote work.

Keeping software updated has always been an important part of secure operations, and it is important that this work is still prioritized. Lack of available resources over an increased period of time might affect a businesses capability to perform these actions.

The risk of a breach going unnoticed increases significantly if there is manual work needed to be performed in order to detect a potential breach. If there is a significant increase in sick leave this activity will suffer. Automation of these processes are recommended.

Working remotely
It is normal for employees to have a lower guard when working remotely, due to the lesser focus on security awareness.

  • The current situation is such that deviations from normal security procedures have a higher acceptance than normal. Consider in which parts this is acceptable, while the employees should still able to perform their work in a secure way.
  • Ensure there are routines for handling of alerts and alarms.
  • Remind employees about routines for alerting about security nonconformity.
  • Consider strengthening the IT-support function. As many employees might not be used to remote work they might have an increase need for support. If the employees find it hard to get help they might take unwanted shortcuts.
  • Only use privately owned IT equipment to work remotely if this is agreed with and approved by the employer. Privately owned equipment might not be up to the same standards as corporate equipment.
  • Update all equipment used for remote work.
  • Use a secure connection to all corporate network and services, like VPN.
  • Ensure that credentials are strong and use multi-factor authentication where possible.
  • Remote work might increase the exposure of business sensitive information. Increase the awareness around what kind of information that is OK to handle when working remotely.
  • SARS-coronavirus-2 in cyber attacks and malspam
    Cyber threat actors have always, and will always, leverage recent events and news to increase the likelihood of victims opening emails, clicking links or opening attachments.

    Several security consultancy services are reporting about campaigns using the covid-19 outbreak as a theme for their phishing, and this will probably increase in the future.

    Basefarm recommends to stay vigilant when reviewing suspect email and links. Some threat actors are setting up fake websites and using covid-19 themed domains. The goal is to steal credentials or infect victims.

    In general threat actors are often aiming to pray on their victims’ fear, and to make it seem time critical.

    There has been examples of malspam imitating well-known organizations like WHO, and government health authorities that victims will be familiar with. Combined with fear, uncertainty and doubt the attacker might see more success.

    General awareness and vigilance online

    Fake news and disinformation about the covid-19 outbreak spread quickly online and have a wide reach. Fake accounts on social media are created in large numbers and are used to spread bad information. Awareness and critical thinking when faced with sensational news, and verifying sources, helps handle the flow of information.

    Talk together

    The trifecta of fearmongering, urgency and discretion/secrecy is a well-known repeating pattern in successful frauds. The attacker impersonates someone important whom the victim should trust, and asks the victim to do something for them. It is urgent, so the attacker wants the victim to do this as fast as possible, and they add some reason for this to be secret. That way they hope the victims gets too stressed to stop and consider the situation.

    The solution here is to talk together. Accept that some things need a little bit more time to proceed. Stop and consider. Give the employees enough confidence to double check and verify odd requests. Talk together.

    And wash your hands.

CVE-2020-0852 | Microsoft Word Remote Code Execution Vulnerability

Published: 2020-03-10
MITRE CVE-2020-0852

“A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user.”

This vulnerability was overshadowed by the SMBv3 remote code execution vulnerability “announced” at the same time, as we have written about earlier. Basefarm evaluated this to be just as likely, if not more, to cause major infections in a corporate environment. It requires some user action to successfully exploit, but opening a document is not an action most users considers risky.

Basefarm recommends applying this patch as soon as possible, even though there is no known exploitation and no proof of concept published, because if a campaign starts up exploiting this on a Friday afternoon you will not have enough time to react.

This affects Microsoft Office (certain versions) AND Sharepoint Server 2019.
Basefarm is tracking this internally as BF-VLN-2004690.