Posts

Zoom continues to face security issues

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Zoom has become very popular as people are working from home and unable to travel, but it faced backlash after multiple security vulnerabilities were discovered earlier this year. Now Cisco Talos has discovered two more security vulnerabilities that could lead to remote code execution. One of the bugs was in Zoom's GIPHY animated GIF code and could lead to path traversal and arbitrary file write; the other was in Zoom's message processing code, where a specially crafted message could lead to arbitrary code execution. Both vulnerabilities were disclosed to Zoom and a patch was released before Talos publicly released the information. Just another reminder to keep software up to date.
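The GIPHY bug class above, path traversal leading to an arbitrary file write, comes down to trusting a remotely supplied filename when building a filesystem path. The following is an added example (not Zoom's code, and not based on any detail beyond what Talos described) contrasting the vulnerable join with a hardened one; the cache directory and the sample filenames are constructed for the demonstration.

```python
import os
from pathlib import Path

# Added example, not Zoom's code: a GIF cache that stores downloaded animations
# under one directory. The filename arrives with the remote message, so it is
# attacker-controlled and must not be able to choose where the write lands.

CACHE_DIR = Path("/tmp/gif-cache-demo")  # assumed cache location
ALLOWED_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-_.")

def unsafe_cache_path(cache_dir, remote_name):
    """The vulnerable pattern: the remote name is joined as-is, so '../'
    components walk out of the cache directory (path traversal)."""
    return cache_dir / remote_name

def unsafe_resolved(cache_dir, remote_name):
    """Where the vulnerable join actually lands once '..' is collapsed."""
    return os.path.normpath(str(unsafe_cache_path(cache_dir, remote_name)))

def safe_cache_path(cache_dir, remote_name):
    """Hardened version: reject separators, NUL, dot-prefix and unexpected
    characters, then verify the resolved target (symlinks followed) still
    has the cache directory as its parent."""
    name = remote_name
    if not name or "/" in name or "\\" in name or "\x00" in name:
        raise ValueError("path characters in name: %r" % remote_name)
    if name.startswith(".") or not name.lower().endswith(".gif"):
        raise ValueError("bad name or extension: %r" % remote_name)
    if not all(ch in ALLOWED_CHARS for ch in name.lower()):
        raise ValueError("unexpected characters: %r" % remote_name)
    root = cache_dir.resolve()
    target = (root / name).resolve()  # collapses '..', follows symlinks
    if target.parent != root:
        raise ValueError("target escapes cache dir: %r" % remote_name)
    return target

def accepts(cache_dir, remote_name):
    """True if the hardened check allows the name; handy for auditing logs."""
    try:
        safe_cache_path(cache_dir, remote_name)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample names: one benign, the rest traversal attempts.
    for sample in ("funny-cat.gif", "../../outside.gif", "..\\..\\x.gif", "/etc/hosts"):
        print("%-20s unsafe -> %-22s accepted=%s" % (
            sample, unsafe_resolved(CACHE_DIR, sample), accepts(CACHE_DIR, sample)))
```

The unsafe join shows the write landing at the filesystem root or on an absolute path of the sender's choosing; the hardened check rejects every one of those names before any file is opened.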

Zoom also announced that it will no longer offer end-to-end encryption to its free users, but will offer it as part of its premium features for paid customers. The move has been criticized by security experts, especially in light of all the recent security vulnerabilities discovered in their platform. Eric Yuan, Zoom's CEO, claims that the move is to enable working together with the FBI and local law enforcement in case someone uses Zoom for a bad purpose.

Top 5 Security links:

NATO Condemns Cyber-Attacks

Fraudulent iOS VPN Apps Attempt to Scam Users

Hackers Compromise Cisco Servers Via SaltStack Flaws

Malware Campaign Hides in Resumes and Medical Leave Forms

Zero-day in Sign in with Apple

Thunderbolt interface puts millions of PCs in danger

It was not really news that Thunderbolt technology (over USB-C) had been vulnerable for years, but now a researcher has published a demo showing how the Thunderbolt flaw allows access to a PC’s data in minutes.

More on this:

https://thunderspy.io/

https://www.wired.com/story/thunderspy-thunderbolt-evil-maid-hacking/

Top 5 Security links:

A bit of history or the 15 biggest data breaches of the 21st century

WordPress Page Builder Plugin Bugs Threaten 1 Million Sites with Full Takeover

Top 10 Routinely Exploited Vulnerabilities

Never, never pay to cybercriminals

The Confessions of the Hacker Who Saved the Internet

Zero click bugs in Apple operating systems

According to Google’s Project Zero, there were vulnerabilities in the media handling components of Apple's operating systems. The vulnerabilities could let an attacker gain access by sending a specially crafted image or video to a target, and no interaction from the user would be needed for them to be exploited. The vulnerabilities were found by applying fuzzing techniques to previously found bugs, and the vulnerabilities found have now been fixed.

More on this topic:

Google discloses zero-click bugs impacting several Apple operating systems

CVE-2020-4415 – Stack-based Buffer Overflow vulnerability in IBM Spectrum Protect Server

Published: 2020-04-24
MITRE CVE-2020-4415

“IBM Spectrum Protect server is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. This could allow a remote attacker to execute arbitrary code on the system with the privileges of an administrator or user associated with the Spectrum Protect server or cause the Spectrum Protect server to crash.”

CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179990 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

This vulnerability is remedied by upgrading to version 8.1.9.300 or 7.1.10.100. Basefarm recommends upgrading to these versions as soon as possible, at least within a week. Internally in Basefarm this is tracked as BF-VLN-2031464. (Update 2020-04-27: Basefarm has fully upgraded all IBM Spectrum Protect servers.)

Unassisted iOS Attacks via MobileMail in the wild

A vulnerability has been discovered in the default mail application (MobileMail) for iOS.

The vulnerability allows an attacker to send an email to a victim (you) and, without any action from you, the email will launch code prepared by the attacker on your device.
The fix for this has not been released yet; it is currently available only as a public beta version.
Basefarm has decided to block this app from getting more mail from Basefarm's Exchange servers.

Researchers have found attacks in the wild exploiting this vulnerability as far back as January 2018 on iOS 11. They state it is likely that the same threat operators are actively abusing these vulnerabilities presently.

There has been no widespread exploitation; this is likely because it is a high-value exploit and the attacker was trying to minimize the risk of detection. There have been targeted attacks against executives and VIPs in large organizations, MSSPs in Saudi Arabia and Israel (this can be used to make assumptions about who the threat operator is), a journalist in Europe, etc.

Now that the vulnerability is exposed, its value is dropping by the minute, and the threat operator has no reason to hold back any more. There is now a race between the threat operator and getting fixes out to users.

Internally in Basefarm the activity related to this vulnerability is tracked in BF-VLN-2031243.

See also:

https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/

ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability

Published: 2020-03-23
MITRE CVE-2020- (TBD)

Microsoft is warning about a vulnerability that they have detected being used in targeted attacks and for which there is no patch yet. No patch and detected in use would be the place for the scary word “zero-day”, but this is not a tabloid.

“Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format.” This would not be so exciting if document formats did not have the feature of embedding their own fonts in documents.

“There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.”

This affects Windows 10 (but read on) and all Windows Server versions from 2008 through 2019. Windows 10 has some mitigating features. As always, read the advisory for full details.

There is no official patch for this as of now. Some mitigations are possible, such as “Disable the Preview Pane and Details Pane in Windows Explorer”, “Disable the WebClient service” (WebDAV) and “Rename ATMFD.DLL”. Basefarm has not tested these and recommends that everyone have a test environment that resembles their production environment and test the mitigations there before applying them.

Consider the usage of your servers: are documents viewed on them? Are the documents from an unknown, potentially untrusted source? Do you value the integrity of that server and everything it in turn has access to? If so, it might be worth considering implementing the mitigations. For many servers this use case does not apply, and it is potentially better to wait for an official and tested patch.

Basefarm follows this vulnerability internally as BF-VLN-2011507 and is asking our dedicated customer teams to follow up on these recommendations.

Covid-19 forces changes

Helpdesksecurity writes “A time of chaos is a time for opportunity for unscrupulous individuals and groups, and COVID-19 is seemingly an unmissable boon for cyber crooks.

We’ve already covered a variety of COVID-19-themed scams, phishing attempts, hoaxes and malware delivery campaigns, but new and inventive approaches are popping up daily.”

Infosec preparedness during Covid-19 outbreak

Our customers’ business continuity is of paramount importance for Basefarm. We are fully aware that several of our clients provide services that are absolutely critical for our society. Basefarm is following the ongoing outbreak closely and is constantly considering the implications for secure operations for us and our customers.

There are several ways that this outbreak can affect secure operations. In short, Basefarm recommends increased security awareness and consciousness, especially with regard to remote work.

Keeping software updated has always been an important part of secure operations, and it is important that this work is still prioritized. A lack of available resources over an extended period of time might affect a business's capability to perform these actions.

The risk of a breach going unnoticed increases significantly if manual work is needed to detect a potential breach. If there is a significant increase in sick leave, this activity will suffer. Automation of these processes is recommended.

Working remotely
It is normal for employees to lower their guard when working remotely, as there is less focus on security awareness.

  • The current situation is such that deviations from normal security procedures have a higher acceptance than normal. Consider in which areas this is acceptable, while the employees should still be able to perform their work in a secure way.
  • Ensure there are routines for handling alerts and alarms.
  • Remind employees about routines for reporting security nonconformities.
  • Consider strengthening the IT support function. As many employees might not be used to remote work, they might have an increased need for support. If employees find it hard to get help, they might take unwanted shortcuts.
  • Only use privately owned IT equipment to work remotely if this is agreed with and approved by the employer. Privately owned equipment might not be up to the same standards as corporate equipment.
  • Update all equipment used for remote work.
  • Use a secure connection, such as a VPN, to all corporate networks and services.
  • Ensure that credentials are strong and use multi-factor authentication where possible.
  • Remote work might increase the exposure of business-sensitive information. Increase awareness of what kind of information is OK to handle when working remotely.
SARS-coronavirus-2 in cyber attacks and malspam
Cyber threat actors always have, and always will, leverage recent events and news to increase the likelihood of victims opening emails, clicking links or opening attachments.

Several security consultancies are reporting campaigns using the COVID-19 outbreak as a theme for their phishing, and this will probably increase in the future.

Basefarm recommends staying vigilant when reviewing suspicious emails and links. Some threat actors are setting up fake websites and using COVID-19-themed domains. The goal is to steal credentials or infect victims.

In general, threat actors often aim to prey on their victims’ fear and to make the request seem time-critical.

There have been examples of malspam imitating well-known organizations such as the WHO and government health authorities that victims will be familiar with. Combined with fear, uncertainty and doubt, the attacker might see more success.

General awareness and vigilance online
Fake news and disinformation about the COVID-19 outbreak spread quickly online and have a wide reach. Fake accounts on social media are created in large numbers and are used to spread false information. Awareness and critical thinking when faced with sensational news, and verifying sources, help in handling the flow of information.

Talk together
The trifecta of fearmongering, urgency and discretion/secrecy is a well-known repeating pattern in successful frauds. The attacker impersonates someone important whom the victim should trust, and asks the victim to do something for them. It is urgent, so the attacker wants the victim to do this as fast as possible, and they add some reason for it to be kept secret. That way they hope the victim gets too stressed to stop and consider the situation.

The solution here is to talk together. Accept that some things need a little more time to proceed. Stop and consider. Give employees enough confidence to double-check and verify odd requests. Talk together.

And wash your hands.

CVE-2020-0852 | Microsoft Word Remote Code Execution Vulnerability

Published: 2020-03-10
MITRE CVE-2020-0852

“A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user.”

This vulnerability was overshadowed by the SMBv3 remote code execution vulnerability “announced” at the same time, which we have written about earlier. Basefarm evaluated this one to be just as likely, if not more likely, to cause major infections in a corporate environment. It requires some user action to exploit successfully, but opening a document is not an action most users consider risky.

Basefarm recommends applying this patch as soon as possible, even though there is no known exploitation and no proof of concept has been published, because if a campaign starts exploiting this on a Friday afternoon you will not have enough time to react.

This affects Microsoft Office (certain versions) and SharePoint Server 2019.
Basefarm is tracking this internally as BF-VLN-2004690.

CVE-2020-0796 | Server Message Block 3.0 (SMBv3) Remote Code Execution

Published: 2020-03-10
MITRE CVE-2020-0796

As of writing, Microsoft has not released any official information, but FortiGuard writes that there exists a “(…) Buffer Overflow Vulnerability in Microsoft SMB Servers. The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet. A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application.”

As affected products, FortiGuard lists Windows 10 and the Semi-Annual Channel (Windows Server 1903 and 1909). But as Microsoft has not released any official information, this might be subject to change.

Basefarm does not recommend that anyone expose SMB (port 445) to an untrusted network. There is also an unofficial mitigation: adding a registry key that disables compression in the SMBv3 protocol. Basefarm is following developments here, but as of writing there is no known proof of concept or exploitation in the wild, and there is also no official fix for this vulnerability.

Update 2020-03-11:

Microsoft has now released an advisory in which they confirm the previously known details and add: “to exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”

So this vulnerability is more of a client issue than a server issue. The known workaround of disabling compression in SMBv3 prevents exploitation against an SMB Server, not an SMB Client.

Still no official fix, no known exploitation in the wild and no proof of concept available.

Basefarm is tracking this as a client issue in BF-VLN-2003557 and will most likely force all our clients to install the fix as soon as an official one is available. We recommend that others do the same.