US CYBERCOM: Patch Palo Alto Now!; NSA Guidance Securing IPsec VPNs; macOS Ransomware; MSP Hit by Ransomware

On June 29, US Cyber Command issued a cybersecurity alert regarding a critical flaw affecting Palo Alto Networks PAN-OS, the operating system that runs on the company's firewalls and VPN appliances. The alert urges users to "patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use." US Cyber Command expects that foreign adversaries will likely begin to exploit the vulnerability soon.

Read more in

The US National Security Agency (NSA) has released guidance to help organizations secure their IPsec virtual private networks (VPNs). Many organizations are using these to allow their employees to work from home. The BNSA has also released a document with information about configuring IPsec VPNs.

Read more in

Researchers at Malwarebytes have detected new ransomware that targets devices running macOS. Dubbed ThiefQuest, the ransomware also has spyware capabilities: it can exfiltrate files, search for cryptocurrency wallets and passwords, and log keystrokes. ThiefQuest has been detected bundled with other software on torrent sites.

Read more in

In an 8-K form filed with the US Securities and Exchange Commission (SEC), DXC technologies disclosed that systems at one of its subsidiaries were hit with a ransomware attack. The company, Xchanging, is a managed service provider that focuses primarily on the insurance industry but has customers in other sectors as well. According to the filing, "DXC is actively working with affected customers to restore access to their operating environment as quickly as possible."

Read more in

The Barclays Bank website appears to have been calling a Javascript file from the Internet Archive's Wayback Machine. This meant that if the Internet archive went down, the Barclays website would be down as well. Barclays has fixed the issue.

Read more in

F5 has released fixes to address a critical flaw in its BIG-IP networking equipment that could be exploited to take complete control of vulnerable devices. US Cyber Command tweeted last week that patching this vulnerability is urgent. On Sunday, July 5, CISA Director Christopher Krebs tweeted. "If you didn't patch by this morning, assume compromised." Proof-of-concept exploit code for the critical vulnerability, which has been given a CVSS score of 10, has been released. Hackers have begun exploiting the vulnerability. F5 has also released fixes for a high-severity cross-site scripting vulnerability in the BIG-IP Configuration utility.

Read more in

Cisco has released fixes for a cross-site scripting vulnerability that affects two of its small business VPN routers. The flaw is the result of "insufficient validation of user-supplied input by the web-based management interface of the affected software." The issue affects Cisco Small Business RV042 and RV042G Routers running firmware releases older than 4.2.3.14.

Read more in

Cisco has released a security update to fix a high-severity flaw in its Small Business Smart and Managed Switches. The vulnerability, which "is due to the use of weak entropy generation for session identifier values," could be exploited to gain administrator privileges. The issue is fixed in version 2.5.5.47 of the firmware release for affected products that ae still supported.

Read more in

Starting September 1, 2020, Apple software, Chrome, and Firefox will identify new TLS certificates that are valid for more than 398 days as invalid. The changes arises from a unilateral decision Apple made earlier this year, bypassing the expected practice of bringing issues like this one to the CA/B Forum, "a voluntary group of certification authorities (CAs), vendors of Internet browser software, and suppliers of other applications that use X.509 v.3 digital certificates for SSL/TLS and code signing." The intent of reducing certificates' lifespans is to force websites and apps to issue new certificates every year. This will introduce more certificates that use the newest cryptographic standards.

Read more in

On June 30, Microsoft released two unscheduled patches to address remote code execution vulnerabilities in the Windows Codecs Library. Microsoft took the unusual step of delivering the fixes through the Microsoft Store rather than through Windows Update. The advisories for the vulnerabilities say, "Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update."

Read more in

A study of 127 home routers from seven manufacturers found numerous security issues. The Fraunhofer Institute for Communication (FKIE) in Germany looked at each router's most current firmware, focusing on five security aspects: when the firmware was last updated; which operating systems are used and how many known flaws they have; what exploit mitigation techniques the vendors use; whether the firmware images contain private cryptographic key material; and whether there are any hard-coded login credentials. Among the report's findings: 46 of the routers had not had a security update in the past year; some vendors ship firmware updates that contain known vulnerabilities, and just one of the seven vendors did not publish private cryptographic keys in its firmware.

Read more in

The top three network intrusion signatures detected by the US Department of Homeland Security's (DHS's) EINSTEIN intrusion detection system during May 2020 are the NetSupport Manager Remote Access Tool (RAT) - legitimate software that is also being used in phishing campaigns; the Kovter fileless Trojan; and the XMRig cryptocurrency miner. EINSTEIN gathers and analyzes traffic flowing into and out of federal civilian organizations systems and networks.

Read more in