SANS NewsBites

Critical Vulnerabilities in Zoom, Citrix, WordPress and Palo Alto -- Already Being Exploited

July 10, 2020  |  Volume XXII - Issue #54

Top of the News


2020-07-09

Zoom Zero-day Affects Clients Running on Older Versions of Windows

Zoom is working on a fix for a zero-day vulnerability that was disclosed on Thursday, July 9. The arbitrary code execution flaw affects the Zoom client running on Windows 7, Windows Server 2008 R2, and older versions of the operating system. Zoom clients running on Windows 8 and Windows 10 are not affected.

Editor's Note


A more complete fix is to upgrade to supported Windows versions. Windows 7 and Server 2008 support ended January 14th this year. If you must run older operating systems, don't use them for internet-based activities such as email, browsing, or video conferencing, and restrict access to make exploitation more difficult.

Lee Neely

2020-07-09

Palo Alto Networks Releases Updates for Another PAN-OS Vulnerability

Palo Alto Networks has released updates to fix a critical command injection vulnerability in its PAN-OS GlobalProtect portal. The flaw affects PAN-OS 9.1 versions prior to 9.1.3; PAN-OS 8.1 versions prior to 8.1.15; PAN-OS 9.0 versions prior to 9.0.9; and all versions of PAN-OS 8.0 and PAN-OS 7.1. Fixes will not be released for PAN-OS 8.0 and 7.1 as those versions are no longer supported.

Editor's Note

This patch addresses CVE-2020-2034, which allows unauthenticated remote attackers to execute arbitrary OS commands with root privileges on unpatched devices. If you're on the older unsupported PAN-OS versions, it's time to move forward, which may necessitate new hardware.

Lee Neely

Another reason to make sure the administrative interfaces for these devices are not visible to the outside.

Johannes Ullrich

2020-07-09

Citrix Patches 11 Vulnerabilities in Networking Products; Someone is Already Scanning for Vulnerable Installations

Earlier this week, Citrix released fixes for 11 vulnerabilities in Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP appliances. The flaws include information disclosure, local privilege elevation, code injection, cross-site scripting, authorization bypass, and denial of service. Rob Joyce, the former head of the NSA's Tailored Access Operations (TAO) team, has urged users to apply the patches as soon as possible. Active scanning for vulnerable installations has been detected.

Editor's Note

The XSS vulnerability is particularly interesting here. The impact of XSS vulnerabilities is often underestimated. In this case, the XSS vulnerability can be used to execute code on the device. Exploitation has been demonstrated in a YouTube video, but code for the full exploit has not been made public yet. The victim, an administrator currently logged into the system, will have to visit a malicious website to trigger the exploit chain. The result is full access to the device for the attacker.

Johannes Ullrich

The debate over urgency occurs because the attacks require access to vulnerable devices to exploit. Targeting the management interface using XSS can lead to compromise. Virtual IPs could also be used to initiate a DoS attack or internal network scan. In addition to applying the patches, restrict access to the management interface.

Lee Neely

Given the large number of people now working remotely during the Coronavirus pandemic, attacks against remote access points, such as Citrix gateways, are on the rise. These vulnerabilities are already being actively exploited and should be patched as quickly as possible.

Brian Honan

2020-07-08

Critical Flaw in WordPress Plugin

A critical remote code execution flaw in the Adning Advertising plugin for WordPress could be exploited to completely take control of vulnerable sites. The flaw has been exploited in the wild. Users are urged to update to Adning version 1.5.6, which also fixes a high-severity unauthenticated arbitrary file deletion via path traversal vulnerability.

The Rest of the Week's News


2020-07-07

Russian Hacking Group Cosmic Lynx is Conducting Sophisticated eMail Scams

A group of Russian hackers dubbed Cosmic Lynx has been launching sophisticated business email compromise schemes since last July. According to researchers at Agari, the group has launched more than 200 attacks against organizations in 46 countries. Cosmic Lynx targets organizations that have not implemented DMARC; the group has focused on scams involving mergers and acquisitions.

Editor's Note

While DMARC is not a panacea against phishing attacks, it helps reduce the risk. The Global Cyber Alliance has a simple step-by-step guide that is available for free on how to ensure your mail service has DMARC configured correctly: https://dmarc.globalcyberalliance.org/

Brian Honan
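
The item above turns on whether a domain has DMARC configured at all, and the note adds that a correctly configured record is what matters. The script below is an added example, not code from the newsletter or from the Global Cyber Alliance guide: it parses a DMARC TXT record and grades it as missing, invalid, monitor-only, partial or enforcing. A real check fetches the TXT record at _dmarc.<domain>; the records here are constructed samples under placeholder domain names so the code runs offline.

```python
"""Assess how much protection a DMARC record actually provides.

Added example for this newsletter item; it is not the newsletter's code and
not the Global Cyber Alliance guide. A real check fetches the TXT record at
_dmarc.<domain>; the records below are constructed samples so this runs
offline, and the domain names are placeholders.
"""
from __future__ import annotations

# Constructed sample records keyed by placeholder domain (None = no record).
SAMPLE_RECORDS: dict[str, str | None] = {
    "monitor.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example.test",
    "partial.example.test": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "strict.example.test": "v=DMARC1; p=reject; sp=reject; rua=mailto:agg@strict.example.test",
    "missing.example.test": None,
    "broken.example.test": "v=DMARC1 p=reject",  # tags not separated by ';'
}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into lower-cased tag -> value pairs.

    RFC 7489 requires 'v=DMARC1' as the first tag and a 'p' tag; a record
    failing either is ignored by receivers, so we raise ValueError.
    """
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("required 'p' tag is missing")
    return tags


def assess_dmarc(record: str | None) -> tuple[str, list[str]]:
    """Return (verdict, findings).

    verdict: 'missing' | 'invalid' | 'monitor-only' | 'partial' | 'enforcing'
    """
    if record is None:
        return "missing", ["no _dmarc TXT record: spoofed mail is neither blocked nor reported"]
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return "invalid", [f"receivers will ignore this record: {exc}"]

    findings: list[str] = []
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))        # pct defaults to 100
    except ValueError:
        pct = 100
    if "rua" not in tags:
        findings.append("no rua tag: you will not receive aggregate reports showing who spoofs you")

    if policy == "none":
        findings.append("p=none: receivers only report, they never quarantine or reject")
        return "monitor-only", findings
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to p={policy}")
    if sub_policy == "none":
        findings.append("sp=none: mail from any subdomain can still be spoofed freely")
    if pct < 100 or sub_policy == "none":
        return "partial", findings
    return "enforcing", findings


def assess_all(records: dict[str, str | None] = SAMPLE_RECORDS) -> dict[str, str]:
    """Verdict per domain, the shape a vendor-risk review would consume."""
    return {domain: assess_dmarc(rec)[0] for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        verdict, findings = assess_dmarc(rec)
        print(f"{domain}: {verdict}")
        for finding in findings:
            print(f"    - {finding}")
```

The grading deliberately treats p=none as no protection: it only produces reports, which is the state many organisations stop at. A pct below 100 or sp=none are the two common ways a record that looks enforcing still leaves mail spoofable, which is why they are reported separately rather than folded into the verdict alone.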

2020-07-07

Criminals are Taking Control of Abandoned Subdomains

Criminals have been taking control of abandoned subdomains associated with well-known organizations and using them for nefarious purposes, including hosting pornographic content and spreading malware. In late June, Microsoft published an article describing how to prevent subdomain takeovers.

Editor's Note

The use of cloud services caused "dangling DNS" records to be a bigger issue. Warnings were coming out at least as far back as 2015 when use of IaaS started to ramp up. Infoblox, Nominet and other DNS security-focused vendors have put out detailed "DNS basic security hygiene" advice.

John Pescatore
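
The "dangling DNS" problem in the item and note above is a records-hygiene problem, so it can be audited from a zone export. The script below is an added example, not code from the newsletter, Microsoft or the DNS vendors named above: it walks a zone and flags CNAMEs whose target no longer exists and A records pointing at addresses the organisation no longer holds, the two shapes a dangling record usually takes. The zone, the owned address space and the resolver answers are all constructed placeholders, and the dictionary-backed resolve() stands in for real lookups.

```python
"""Flag dangling DNS records that invite subdomain takeover.

Added example; it is not code from the newsletter, Microsoft or the DNS
vendors named above. The zone, the owned address space and the resolver
answers are all constructed, and the dictionary-backed resolve() stands in
for real lookups (with dnspython you would query dns.resolver instead).
"""
from __future__ import annotations

from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Record:
    name: str    # owner name in the organisation's zone
    rtype: str   # "A" or "CNAME"
    value: str   # IPv4 address, or CNAME target (may carry a trailing dot)


# Constructed zone export for a placeholder organisation.
ZONE = [
    Record("www.example.test", "A", "203.0.113.10"),
    Record("old-app.example.test", "A", "198.51.100.77"),  # cloud IP released long ago
    Record("shop.example.test", "CNAME", "shop-prod.cloud-provider.test."),
    Record("promo2015.example.test", "CNAME", "promo-site.cloud-provider.test."),  # service deleted
    Record("docs.example.test", "CNAME", "www.example.test."),
]

# Address space the organisation still controls (constructed).
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Simulated resolver: names missing here answer NXDOMAIN (None).
RESOLVER_ANSWERS = {
    "www.example.test": ["203.0.113.10"],
    "shop-prod.cloud-provider.test": ["192.0.2.40"],
}


def resolve(name: str) -> list[str] | None:
    """Return addresses for name, or None for NXDOMAIN."""
    return RESOLVER_ANSWERS.get(name.rstrip(".").lower())


def find_dangling(zone=ZONE, resolve_fn=resolve, owned=OWNED_NETWORKS):
    """Return (name, reason) for every record whose target is no longer ours.

    Two failure modes, both of which let whoever registers the target name
    or is assigned the address serve content under our hostname:
      - CNAME whose target returns NXDOMAIN
      - A record whose address lies outside the space we still own
    """
    findings = []
    for rec in zone:
        if rec.rtype == "CNAME" and resolve_fn(rec.value) is None:
            findings.append((rec.name, f"CNAME target NXDOMAIN: {rec.value}"))
        elif rec.rtype == "A":
            addr = ipaddress.ip_address(rec.value)
            if not any(addr in net for net in owned):
                findings.append((rec.name, f"A record outside owned space: {rec.value}"))
    return findings


if __name__ == "__main__":
    for name, reason in find_dangling():
        print(f"{name}: {reason}")
```

The remediation for each finding is the same: delete the record (or repoint it to a resource you control) before, not after, the cloud resource behind it is decommissioned. Running this against every zone on a schedule turns the 2015-era warnings the note mentions into a routine check.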

2020-07-08

ThiefQuest macOS Malware More Focused on Stealing Information than on Encrypting Data

Researchers now think the ThiefQuest malware that targets macOS is largely focused on exfiltrating data from infected networks. Initial assessment of ThiefQuest categorized the malware as ransomware. While it does have an encryption component, researchers think it may be included as a distraction rather than the main purpose of the malware.


2020-07-10

DigiCert Will Revoke 50,000 Certificates This Weekend Because of Botched Audit

DigiCert plans to revoke 50,000 Extended Validation (EV) certificates on Saturday, July 11 after learning that they were not properly audited. While the situation does not pose a security threat, EV guidelines require that the certificates be revoked.

Editor's Note

Yet more proof that the problem with TLS is not so much technical flaws but flaws in the CA ecosystem. The CA/Browser Forum has done good work in tightening up some of the requirements around certificate authorities, and browser makers are abandoning the idea of "Extended Validation" (EV) certificates, as they caused more issues than they solved.

Johannes Ullrich

If you're managing your intermediate certificate store, you'll want to make sure you have updated intermediate certificate authority (ICA) certificates for DigiCert EV RSA CA G2, GeoTrust EV RSA CA G2 and Thawte EV RSA CA G2.

Lee Neely

2020-07-08

Turchin Indictment Unsealed

The US Department of Justice recently unsealed an indictment charging Andrey Turchin with conspiracy to commit computer hacking, two counts of computer fraud and abuse, conspiracy to commit wire fraud, and access device fraud. Turchin allegedly hacked into networks at hundreds of organizations, established backdoors, and then sold access to those systems. Turchin is a citizen of Kazakhstan and is believed to be residing there currently.


2020-07-09

German Authorities Seize BlueLeaks Server

Authorities in Germany have seized a server hosting BlueLeaks data, 269 GB of US police documents. The department of public prosecution in Zwickau said the server was seized on July 3 at the request of the US government.


2020-07-08

Microsoft Seizes Domains Used in Phishing Attacks that Targeted Office 365 Users

Recently unsealed documents detail Microsoft's efforts to thwart phishing attacks that preyed on people's concerns about COVID-19. The attacks targeted Office 365 users in 62 countries around the world and were crafted to appear to be from employers or other trusted entities. Microsoft's Digital Crime Unit became aware of the fraudulent activity in December 2019. On July 1, Microsoft obtained a court order allowing it to seize the malicious domains.

Editor's Note

The federal court's motion was sealed so as not to tip their hand, which allows Microsoft to fight cyber-attacks without enlisting federal prosecutors. Unlike traditional phishing email schemes, when the user clicked the link, they were prompted to grant access to their Office 365 account, which then allowed access to email, contacts, OneDrive, SharePoint and notes without explicitly collecting login credentials. Enabling 2FA is a key mitigation to this sort of attack.

Lee Neely

2020-07-08

CISA Warns of Vulnerabilities in Medical Devices and Hospital Information Management System

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has published two advisories regarding security issues in ultrasound systems from Philips and in the OpenClinic GA open source hospital information management system. Philips has released updates to address the authentication bypass issue in some of the affected products and expects to have fixes for the rest of the affected products by the end of the calendar year.

Internet Storm Center Tech Corner

F5 Big IP Wrap-up

https://twitter.com/NCCGroupIn...

https://www.sans.org/webcasts/...


Citrix ADC / Citrix Gateway Patches

https://www.citrix.com/blogs/2...


Citrix Scanning

https://isc.sans.edu/forums/di...


Citrix Vulnerability Details (CVE-2020-8194)

https://dmaasland.github.io/po...


SANS.edu Student Billy Wilson: Security Supercomputers with BPF Probes

https://www.sans.org/reading-r...


Obfuscated Malware

https://isc.sans.edu/forums/di...


PaloAlto Networks PAN-OS CVE-2020-2034

https://security.paloaltonetwo...


Microsoft Releases Free Memory Analysis Service

https://www.microsoft.com/en-u...


Mozilla Suspending Send Service

https://www.zdnet.com/article/...


Juniper Patches

https://kb.juniper.net/InfoCen...


Google Releases Tsunami Security Scanner

https://github.com/google/tsun...