Posts

RedCurl cybercrime group discovered

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT)

A new CyberCrime group nicknamed RedCurl has been discovered after over two years of operation, attacking at least 14 organizations in over 26 attacks. They are known to attack companies in at least six countries, including Norway with banks, insurance and financial companies as some of the industries that they went after. The group was discovered by Group-IB, a global threat hunting and intelligence company headquartered in Singapore, and released a 57 page report on it.

The groups modus operandi did not use advanced tools but rather relied on handcrafted phishing emails, powershell and time to successfully carry out their attacks.

According to the Group-BI report “The attackers posed as members of the HR team at the targeted organization and sent out emails to multiple employees at once, which made the employees less vigilant, especially considering that many of them worked in the same department“, and used the companies logos, signature lines, and spoofing the companies own domain making it very difficult to spot that the mails were not legitimate.

Top 5 Security News

Thunderbolt interface makes millions of PC’s in danger

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT)

It wasn’t really a news that Thunderbolt technology (USB-C) was vulnerable from years before, but now we got a demo from researcher which shows how Thunderbolt flaw allows access to a PC’s data in minutes.

More on this:

https://thunderspy.io/

https://www.wired.com/story/thunderspy-thunderbolt-evil-maid-hacking/

Top 5 Security links:

A bit of history or the 15 biggest data breaches of the 21st century

WordPress Page Builder Plugin Bugs Threaten 1 Million Sites with Full Takeover

Top 10 Routinely Exploited Vulnerabilities

Never, never pay to cybercriminals

The Confessions of the Hacker Who Saved the Internet

Woman holding laptop and media files

Zero click bugs in Apple operating systems

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

According to Google’s project zero there are vulnerabilities in Apples operating systems media managements. The vulnerabilities could let an attacker gain access by sending a specially crafted image or video to a target and no interaction would be needed from the user to be exploited.
The vulnerabilities was found using fuzzing techniques on previously found bugs, and the vulnerabilities they found have now been fixed.

More on this topic:

Google discloses zero-click bugs impacting several Apple operating systems

Top 5 Security links

Cloud security is voodoo?

“Researchers detail the process of finding two flaws in the Azure Stack architecture and Azure App Service, both of which have been patched.”

“Check Point Research analysts who discovered two vulnerabilities in the Microsoft Azure cloud infrastructure have published the details of how these flaws were found and how attackers could potentially use them.”

Read more at darkreading.com

 Top 5 Security News

 

 

(Blogpost image by Animesh Bhattarai on Unsplash)
Windows update

New year, new vulnerabilities

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

The year 2020 started of by throwing out a bunch of new vulnerabilities that needed fixing.
First it was the Citrix vulnerability in Application Delivery Controller and Gateway products, formerly known as netscaler. The vulnerability was technically was released in 2019 as CVE-2019-19781; and allowed an attacker to get arbitrary remote code execution trough a directory traversal. The exploit was really easy to pull of and only needed two web-requests to the gateway, and multiple POC was released early January leading to active exploitation in the wild. Citrix has not yet released a patch for the vulnerability, but instead released a way to mitigate the vulnerability by means of configuration. A patch is expected next week.

Then on Tuesday, 14th of January Microsoft released its monthly patches fixing a bunch of bugs and security issues. In this patch there were two critical vulnerabilities that warranted extra atention. One was dubbed “curveball” and is tracked as CVE-2020-0601. Curveball is a bug in the Windows crypto API(Crypt32.dll) and how Windows Elliptic Curve Cryptography (ECC). The vulnerability allows anyone to present a certificate, and windows will happily acknowledge it as a valid certificate even when it is no. This could let an attacker launch Man-in-the-middle attacks against HTTPS connections, present fake certificates for phishing pages and allow fake signed executables to be launched. The vulnerability affects Windows 10, and Windows server 20016 and later.

Another big one from this patch was the Microsoft RD gateway vulnerability tracked as CVE-2020-0609 allowing arbitrary remote code execution by sending a specially crafted request to the server over the RDP connection. By using this exploit an attacker could get full access to the server by means of installing software, create users with full access rights etc.

There were also multiple other other vulnerabilities fixed, such as CVE-2020-0603 is a critical remote code execution bug in ASP.NET Core allowing an attacker to execute code by getting a user to open a file, and CVE-2020-0636 (Windows Subsystem for Linux (WSL)) allowing a user to run commands with elevated privileges.

In other news, SHA-1 is a Shambles after the first chosen prefix collision for sha1 was done. This means that sha1 is considered unsafe to use for integrity checking as you can create two documents that are completely different, add extra data to make them the same length and then add some specific data to generate the same sha1-sum for both documents. SHA1 should now be avoided for integrity checking of data.

A total of 334 vulnerabilities was patched by Oracle this week, covering many widely used applications like MySQL, VirtualBox, Java and Oracle Database.

On a different note, Windows 7 and windows server 2008(r2) is now end of life as of January 14, and will not get any more security updates. Microsoft wil also up the fees for running these operation systems, so both from a economical and security standpoint it makes sense to upgrade now sooner than later.

To sum up this weeks security news, stay up to date with patching at all times. There is no excuse not to.

Millions of passenger data publicly accessible in cloud storage buckets

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

The breach, which reportedly exposed data on millions of passengers, is one of many that have resulted from organizations leaving data publicly accessible in cloud storage buckets.

Read more

 

Top 5 Security News

Robocalls now flooding US phones with 200m calls per day

Is Your Medical Data Safe? 16 Million Medical Scans Left Out in the Open

GitHub gobbles biz used by NASA, Google, etc to search code for bugs and security holes in Mars rovers, apps…

LastPass Fixes Bug That Leaks Credentials

Huawei suspended from the Forum of Incident Response and Security Teams

BF-SIRT Newsletter 2018-21

BUG in GIT opens developers systems up to attack.

Git repository hosting services GitHub, GitLab and Microsoft VSTS each patched a serious vulnerability on Tuesday that could lead to arbitrary code execution when a developer uses a malicious repository.

Developers behind the open-source development Git tool pushed out Git 2.17.1, addressing two bugs (CVE-2018-11233 and CVE-2018-11235).

“These are tricky vulnerabilities that will require the Git hosting services to patch, but also individual developers who are using the tool,” said Tim Jarrett, senior director of security, Veracode.

Of the two vulnerabilities, CVE-2018-11235 is the most worrisome, researchers said.

The vulnerability is described as a submodule configuration flaw that surfaces when the Git submodule configuration is cloned. Git provides developers with post-checkout hooks, which are executed within the context of the project. Those hooks can be defined within the submodules, and submodules can be malicious and directed to execute code.

“The software does not properly validate submodule ‘names’ supplied via the untrusted .gitmodules file when appending them to the ‘$GIT_DIR/modules’ directory. A remote repository can return specially crafted data to create or overwrite files on the target user’s system when the repository is cloned, causing arbitrary code to be executed on the target user’s system,” according to a SecurityTracker description of the flaw.

Top 5 Security links

European Commission “doesn’t plan to comply with GDPR” – well, sort of
PCI Security Standards Council publishes PCI DSS 3.2.1
Google patches 34 browser bugs in chrome67, adds spectre fixes
How to turn PGP back on as safely as possible
Research shows 75% of ‘open’ Redis servers infected

BF-SIRT Newsletter 2018-20

VIRGINIA TECH AND DASHLANE ANALYSIS FIND RISKY, LAZY PASSWORDS THE NORM

Dashlane analyzed over 61 million passwords and uncovered some troubling password patterns. The analysis was conducted with research provided by Dr. Gang Wang, an Assistant Professor in the Department of Computer Science at Virginia Tech.

The Virginia Tech project, described as “the first large-scale empirical analysis of password reuse and modification patterns…” resulted in a landmark research paper: “The Next Domino to Fall: Empirical Analysis of User Passwords across Online Services.” Dr. Wang granted Dashlane’s Analytics Team access to the anonymized version of the 61.5 million passwords from the project so they could conduct further research into password trends.

Top 5 Security links

Amazon comes under fire for facial recognition platform
New VPNFilter malware targets at least 500K networking devices worldwide
Why not to use sha256crypt  or sha512crypt they’re dangerous
Intel’s ‘virtual fences’ spectre fix won’t protect against variant 4
The good and bad news about blockchain security

BF-SIRT Newsletter 2018-19

Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw

Don’t panic! But you should stop using PGP for encrypted email and switch to a different secure communications method for now.

A group of researchers released a paper today that describes a new class of serious vulnerabilities in PGP (including GPG), the most popular email encryption standard. The new paper includes a proof-of-concept exploit that can allow an attacker to use the victim’s own email client to decrypt previously acquired messages and return the decrypted content to the attacker without alerting the victim. The proof of concept is only one implementation of this new type of attack, and variants may follow in the coming days.

Top 5 Security links

Critical Linux flaw opens the door to full root access

Multi-stage email word attack without macros

GDPR phishing scam targets apple accounts

Hardcoded password found in Cisco Enterprise software, again

Another severe flaw in Signal desktop app

BF-SIRT Newsletter 2018-18

TWITTER URGES USERS TO CHANGE PASSWORDS DUE TO GLITCH

Twitter said Thursday that a glitch caused account passwords to be stored in plain text on an internal log, sending users across the platform scrambling  to change their passwords.

The social media company said that it found and has fixed the glitch, and its investigation shows no indication of a breach or misuse by anyone. While the company did not specify how many passwords were impacted, a Reuters report pegged the number at more than 330 million.

“I’d emphasize that this is not a leak and our investigation has shown no signs of misuse,” a Twitter spokesperson told Threatpost. “We’re sharing this information so everyone can make an informed decision on the security of their account.

Top 5 Security links
Meow, click me , Meow
Facebook’s getting a clear history button
Medical devices vulnerable to KRACK Wi-Fi attacks
Security Trade-Offs in the new EU privacy law
Glitch: new ‘Rowhammer’ attack can remotely hijack Android phones