Watch Out Wednesdays

No threat facing businesses and individuals has grown quite like cyber threats. They appear in all forms, from phishing emails to exploited vulnerabilities in software.

Starting July 2020, this “Watch Out Wednesdays” blog will be updated weekly with the latest vulnerabilities and large-scale hacks that you should Watch Out for. Although the list is updated weekly, it is not a complete list of vulnerabilities or hacks; it will only contain the largest data breaches, hacks, and security vulnerabilities that have been released to the public.

Looking to improve your cyber security monitoring practices and reduce vulnerabilities? Take a look at CyNtell’s Continuous Monitoring or Cyber Security Protection packages.

September 2020

7-13 September

New Flaw in Visa Contactless Payment:
– A new flaw has been discovered in Visa’s contactless payment system. Read the CyNtell blog about Visa’s contactless payment woes here.

31 Aug-6 September

Critical WordPress File Manager Exploit:
– The File Manager plugin for WordPress has been found to contain a critical remote code execution vulnerability. File Manager lets WordPress administrators edit, delete, upload, download, archive, copy and paste files and folders directly from the WordPress back end. The vulnerability would allow a threat actor to run arbitrary code on the target site, and stems from the plugin’s inclusion of the open-source file manager library elFinder. At the time of discovery, File Manager was in use on over 700,000 websites; the vulnerability has since been patched. Read the full details on the vulnerability here.

Cisco Issues Warning Over Zero-Day Flaw:
– Cisco has issued a warning for a zero-day flaw in its router software. The flaw would allow a threat actor to carry out memory exhaustion attacks on affected devices: the attacker abuses a weakness in how the system allocates memory in order to consume a large share of its memory resources, degrading or denying service. The flaw, CVE-2020-3566, was first disclosed at the end of August 2020 and affects Cisco devices running Internetwork Operating System (IOS) XR Software. Cisco has acknowledged the vulnerability and published an advisory, but has not yet given a timeline for when a patch will be released. Learn the full details of the vulnerability and follow along with developments on the patch here.

August 2020

24-30 August

High-Severity Bug in Google Chrome:
– A high-severity bug in Google Chrome (CVE-2020-6492) has been patched. The flaw is a use-after-free vulnerability in the browser’s Web Graphics Library (WebGL) component, a JavaScript API for rendering graphics. A use-after-free occurs when a program keeps using a block of memory after it has been freed; an attacker who can control what gets placed in that freed memory can corrupt the program’s state, which in the worst case leads to arbitrary code execution and, because the bug is reachable from a web page, to remote code execution in the browser. Read the full release on the Google Chrome bug here.

Flaws in Apache Web Server Software:
– Three critical flaws in the Apache HTTP Server, uncovered by a Google Project Zero researcher, have been patched by the Apache Software Foundation. One flaw allowed remote code execution, making it possible for threat actors to change or delete data. The second could lead to memory corruption through concurrent log pool usage. The most worrisome flaw used a specially crafted “Cache-Digest” header to cause memory corruption, leading to a crash and denial of service. Read more about the flaws and how to make sure your Apache web server is patched here.

17-23 August

Emotet Is Running Again:
– Emotet, a malware family distributed by email, resumed its botnet-driven spam campaigns and ransomware delivery on August 6th. In early February 2020, researchers found a bug in Emotet that acted as a kill switch and kept the malware from operating between Feb 6 and Aug 6, 2020. Unfortunately for defenders, the operators have since fixed that bug and the malware is running again. Read more about Emotet here.

Canadian Government Systems Attacked:
– Canadian officials detected roughly 300,000 attempts to access accounts on at least 24 government systems over the past two weeks. Threat actors targeted a Canada Revenue Agency (CRA) portal with a botnet using a technique called “credential stuffing”: replaying username and password pairs stolen in earlier, unrelated breaches against GCKey accounts, which succeeds whenever people reuse passwords across sites. GCKey accounts allow Canadians to access government services such as Employment Insurance, Veterans services, My Service Canada accounts, and more. Read the full scope of the attacks here.
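Credential stuffing is easiest to spot in authentication logs, and the two patterns worth looking for differ: a single source cycling through many different usernames, and a botnet where each node makes only one or two attempts so that no per-IP threshold ever trips. The following detector is an added example, not CyNtell’s or the Canadian government’s code. The log format (timestamp, source IP, username, result), the sample lines and the thresholds are constructed assumptions for illustration.

```python
"""Credential-stuffing detection over authentication log lines (added example).

Two heuristics:
  * stuffing_sources: one IP trying many distinct usernames in a sliding window.
  * distributed_stuffing: many IPs each failing exactly once in a fixed window,
    the botnet pattern that per-IP thresholds miss.
Log format and sample data are constructed assumptions, not a real product's.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <src_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2020-08-15T10:00:01 203.0.113.5 alice FAIL
2020-08-15T10:00:02 203.0.113.5 bob FAIL
2020-08-15T10:00:03 203.0.113.5 carol FAIL
2020-08-15T10:00:04 203.0.113.5 dave FAIL
2020-08-15T10:00:05 203.0.113.5 erin FAIL
2020-08-15T10:00:06 203.0.113.5 frank OK
2020-08-15T10:00:07 198.51.100.7 alice FAIL
2020-08-15T10:00:09 198.51.100.7 alice FAIL
2020-08-15T10:00:12 198.51.100.7 alice OK
2020-08-15T10:01:00 192.0.2.10 grace FAIL
2020-08-15T10:01:01 192.0.2.11 heidi FAIL
2020-08-15T10:01:02 192.0.2.12 ivan FAIL
2020-08-15T10:01:03 192.0.2.13 judy FAIL
2020-08-15T10:01:04 192.0.2.14 mallory FAIL
2020-08-15T10:01:05 192.0.2.15 oscar FAIL
"""


def parse_line(line):
    """Return (timestamp, ip, username, success) for one log line."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def stuffing_sources(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag IPs that try at least min_distinct_users different usernames within
    any sliding window. Successful logins count too: a stuffing run that hits a
    reused password looks exactly like this. Returns {ip: set_of_usernames}."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ok in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        in_window, seen = deque(), Counter()
        for ts, user in attempts:
            in_window.append((ts, user))
            seen[user] += 1
            while in_window and in_window[0][0] < ts - window:  # expire old attempts
                _old_ts, old_user = in_window.popleft()
                seen[old_user] -= 1
                if seen[old_user] == 0:
                    del seen[old_user]
            if len(seen) >= min_distinct_users:
                flagged.setdefault(ip, set()).update(seen)
    return flagged


def distributed_stuffing(events, window_seconds=60, min_single_shot_ips=5):
    """Flag fixed windows in which at least min_single_shot_ips distinct IPs each
    produced exactly one failed login. A legitimate user who mistypes a password
    usually retries from the same IP, so a crowd of single-shot failures points
    to a botnet spreading its attempts. Returns {window_start: [ips]}."""
    buckets = defaultdict(Counter)
    for ts, ip, _user, ok in events:
        if ok:
            continue
        start = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[start][ip] += 1
    flagged = {}
    for start, ip_counts in buckets.items():
        single_shot = sorted(ip for ip, n in ip_counts.items() if n == 1)
        if len(single_shot) >= min_single_shot_ips:
            flagged[datetime.fromtimestamp(start)] = single_shot
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, users in stuffing_sources(evs).items():
        print(f"per-IP stuffing from {ip}: {sorted(users)}")
    for start, ips in distributed_stuffing(evs).items():
        print(f"distributed stuffing at {start:%H:%M}: {ips}")
```

In the sample, 203.0.113.5 trips the per-IP rule (six usernames in a few seconds, one of them successful), 198.51.100.7 is an ordinary user retrying one account and is left alone, and the 192.0.2.x hosts only show up under the population rule because each made a single attempt. Tune the thresholds against your own baseline before alerting, and treat a successful login inside a flagged window as an account to force a password reset on, not just a statistic.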

10-16 August

Microsoft’s Patch Tuesday Release:
– The August Patch Tuesday release from Microsoft addressed 120 vulnerabilities. 17 are rated critical and 103 important, and they affect Microsoft Windows, Microsoft Edge (both the EdgeHTML-based and Chromium-based versions), ChakraCore, Internet Explorer, Microsoft Office and Office Services and Web Apps, the Windows Codecs Library, .NET Framework, and Microsoft Dynamics. Two of the vulnerabilities are zero-days in the Windows OS and related products. See the full release here.

Amazon Alexa Has A New Skill:
– Security researchers have discovered several critical vulnerabilities in Amazon’s Alexa. With one of them, a threat actor could install malicious software on a victim’s Alexa and spy on them remotely, needing only that the victim click a web link. The vulnerabilities originated from a flaw in one of Amazon’s subdomains. Check out the researchers’ complete findings here.

3-9 August

Vulnerability Scanning Tool for Kubernetes:
– KubiScan, a scanning tool rather than a vulnerability, was announced and showcased on the opening morning of Black Hat USA 2020. This open-source tool scans a Kubernetes cluster’s role-based access control (RBAC) settings for risky permissions, letting administrators of containerized environments shrink their attack surface. Read more about the tool here.

High-Risk Windows TeamViewer Vulnerability:
– The TeamViewer application has been found to contain a vulnerability with a severity rating of 8.8. TeamViewer provides remote control, desktop sharing, online meetings, and more, and has seen an uptick in usage since the shift to remote work during the COVID-19 pandemic. The vulnerability, CVE-2020-13699, would let a malicious website trick the TeamViewer client on Windows into sending the user’s Windows authentication hash to an attacker-controlled server, where it can be cracked offline; a recovered password can then lead to more complete system exploitation. Learn the complete details on the vulnerability here.


July 2020

27 July-2 August

Cisco Read-Only Path Traversal Vulnerability:
– Cisco has released a security advisory for an actively exploited read-only path traversal vulnerability (CVE-2020-3452) in the web services interface of its Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software. Researchers found over 85,000 ASA/FTD devices reachable from the internet. If exploited, the flaw lets an unauthenticated remote attacker use directory traversal to read sensitive files from the device’s web services file system. Read the Cisco Security Advisory here.
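Path traversal bugs come down to a server trusting a client-supplied path without first resolving it and checking that it still lies under the directory it is meant to serve. The following is an added example, not Cisco’s code and not specific to ASA/FTD: it shows the resolve-then-check a web handler should perform, and reuses the same check to triage web server access logs for traversal attempts, including percent-encoded and double-encoded ones. The web root, the log lines and the log format are constructed assumptions.

```python
"""Path-traversal check and access-log triage (added example, generic, not Cisco's).

resolve_under_root: what a server should do before opening a requested file.
triage: the same check, run by a defender over access-log lines to find attempts.
WEB_ROOT, the sample log and the log format are constructed assumptions.
"""
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root for the example

# Constructed sample in Apache-style common log format.
SAMPLE_LOG = """\
203.0.113.9 - - [28/Jul/2020:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 5123
203.0.113.9 - - [28/Jul/2020:14:02:12 +0000] "GET /img/../../../../etc/passwd HTTP/1.1" 404 231
198.51.100.4 - - [28/Jul/2020:14:03:40 +0000] "GET /files/%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 200 874
198.51.100.4 - - [28/Jul/2020:14:03:41 +0000] "GET /files/%252e%252e/%252e%252e/boot.ini HTTP/1.1" 403 199
192.0.2.77 - - [28/Jul/2020:14:05:00 +0000] "GET /docs/..report.pdf HTTP/1.1" 200 10233
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')


def decode_path(raw, decode_rounds=1):
    """Strip the query string, percent-decode up to decode_rounds times (stopping
    early once the string stops changing) and fold backslashes to slashes.
    A server should decode exactly once; a log scanner decodes more to catch
    double-encoding evasions such as %252e%252e."""
    path = raw.split("?", 1)[0]
    for _ in range(decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def resolve_under_root(raw, root=WEB_ROOT, decode_rounds=1):
    """Return the absolute path the request resolves to if it stays under root,
    otherwise None. Normalisation happens *after* joining with root, so '..'
    segments that climb above it are visible instead of being silently clamped."""
    path = decode_path(raw, decode_rounds)
    if "\x00" in path:  # NUL truncation trick against C string APIs
        return None
    full = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        return None
    return full


def parse_log(text):
    """Yield (ip, method, raw_path, status) for each well-formed line."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, _ts, method, path, status, _size = m.groups()
            out.append((ip, method, path, int(status)))
    return out


def triage(text, root=WEB_ROOT):
    """Flag requests whose path, aggressively decoded, escapes the web root.
    Returns (ip, status, raw_path, decoded_path) per hit; a 200 on a hit is the
    line to worry about first."""
    hits = []
    for ip, _method, raw, status in parse_log(text):
        if resolve_under_root(raw, root, decode_rounds=3) is None:
            hits.append((ip, status, raw, decode_path(raw, 3)))
    return hits


if __name__ == "__main__":
    for ip, status, raw, decoded in triage(SAMPLE_LOG):
        print(f"{ip} {status} {raw} -> {decoded}")
```

Two details matter in practice. The check resolves the joined path and then compares it with the root, rather than grepping for `..`: that is why `/docs/..report.pdf` (a legitimate file name) is not flagged while `%2e%2e%2f` is. And the scanner deliberately decodes more than once so it notices double-encoded attempts, whereas a server that decodes twice would itself be introducing the bug; in the sample the double-encoded request is flagged for triage but, decoded once, resolves to a harmless literal name under the root.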

7.5m Records of Dave.com Users Leaked:
– A breach at Waydev, an analytics platform formerly used by Dave.com, led to the personal data of more than 7.5 million Dave.com users being leaked. Although Dave.com was notified of the breach in early July, the user data turned up on a hacker forum weeks later. Read more about the breach and the release of the data here.

Orange Confirms Ransomware Attack:
– Orange, the fourth-largest mobile operator in Europe, confirmed that it was the victim of a ransomware attack on the night of July 4th. The operators of Nefilim, a relatively new ransomware, have claimed responsibility for the attack, which affected the company’s business services division. Read more about the Orange ransomware attack here.

GRUB2 Vulnerabilities for Linux & Windows Systems:
– Multiple vulnerabilities in the GRUB2 bootloader affect billions of devices that run Windows or Linux, including laptops, servers, workstations, and even IoT devices. If exploited, they would let an attacker compromise the boot process and run arbitrary code before the operating system loads. As of Aug 5th, patches have been released, but some systems have failed to boot after the patches were applied. Learn more about the patching issues here.

20-26 July

Garmin Hit with Ransomware:
– Garmin suffered a global outage of its website Garmin.com, its Garmin Connect product, and the navigation and flight plan services behind its aircraft navigation systems. Early reports say its phone systems, email, and chat applications were also affected. After two days of outages and much speculation from customers, the media, and the global cyber community, Garmin received a $10m ransom demand, which is consistent with reports that the company was hit with the WastedLocker ransomware. As of July 27th, Garmin.com carries a note at the top of the site about the outage and the company’s inability to communicate with customers, though articles say Garmin is in the final stages of recovery. Follow the latest on the Garmin ransomware attack here.

Microweber CMS Critical Security Vulnerability:
– A pre-authentication flaw was found in the controller.php script, “leftover from the early days of Microweber’s development” according to a penetration tester at Rhino Security Labs. This critical vulnerability leaked administrator credentials deemed “easy-to-crack” along with a variety of other user information. Read the full details on the vulnerability here.

Adobe Critical Bugs Fixed In Second Round of Patches:
– Only a week after releasing critical patches, Adobe has released another set of patches addressing 13 vulnerabilities. In this second round, 12 of the vulnerabilities are critical out-of-bounds read or write flaws in Prelude, Photoshop, or Bridge; the 13th affects the Adobe Reader mobile app for Android. Access the latest and all Adobe patches here.

13-19 July

Zoom Zero-Day Critical Vulnerability Allows RCE:
– The latest Zoom vulnerability allows an attacker to execute code remotely on the victim’s system without triggering a security warning. The flaw exists in all versions of the Zoom client for Windows, but it can only be exploited on Windows 7 and older versions of Windows, and only with system-specific configurations. As of 15 July, Zoom has patched the vulnerability. Learn more about the vulnerability here.

Microsoft Releases Security Bulletin Address 123 Vulnerabilities:
– Microsoft’s July Patch Tuesday security updates have been released. A total of 123 vulnerabilities were addressed: 18 rated critical and 105 important. All of the critical bugs are remote code execution (RCE) or elevation of privilege (EoP) flaws, found in Internet Explorer, Windows, Microsoft Lync Server, Microsoft SharePoint, Visual Studio Code, and more. No publicly disclosed zero-days or in-the-wild attacks accompanied this Patch Tuesday release. See the full list of patches here.

Twitter Bitcoin Scam:
– Over 100 high-follower accounts were hijacked and sent out the same Bitcoin-request message. The tweets asked for $1,000 in Bitcoin to be sent to a specific wallet, promising that $2,000 in Bitcoin would be sent back to everyone who participated. The hack appears to have been carried out through Twitter’s own internal admin tools, reportedly with the help of an employee who had access to them. The hackers seemingly walked away with over $120,000 in Bitcoin before Twitter locked the targeted accounts. As of 17 July this is still a developing story; learn more about the hack and developments here.

6-12 July

A New Round of Citrix Bugs:
– Citrix has announced that it has found 11 more vulnerabilities in its software. While it took the company a month to produce a patch for the critical vulnerability found in January 2020, this time it has patches ready for the newly found flaws. The latest vulnerabilities, to all appearances, won’t cause the same panic as the new-year vulnerability, but they still need to be addressed. Check out the latest on the Citrix vulnerabilities here.

Global Ransomware Cyber-Attack

Cyber Security Requires Policy and Program

Part 1 – Thwarting the Global Ransomware Attack Threat Made Simple

The recent global cyber-attack has raised our collective awareness that having a Cyber Security policy is not the same as having a Cyber Security program. The ransomware attack codenamed “WannaCry” takes advantage of a vulnerability in the Windows operating system. The key word in the last sentence is the present verb tense “takes”: this ransomware threat has yet to be contained, and there are now warnings of malicious copycats. Just as concerning is that the threat should never have been as successful as it is, since Microsoft provided the means of protection months ago. The critical security patch for the known vulnerability (MS17-010) was released in March through Microsoft’s update service, and Microsoft’s built-in antivirus, Windows Defender, detects the malware. Therefore, a Cyber Security program with a mature, consistent approach to patch management and disaster recovery would have saved many of the victims, either from becoming a victim in the first place or from paying the ransom, since a recent backup copy or image of the system(s) could have been used to restore those infected.

I hate to say it, but we are only at the early stages of such cyber-attacks. For cybercriminals, building and executing such malware is relatively inexpensive, with great opportunities for success, especially when small and medium-sized businesses (SMBs) are reluctant to invest the time and money to implement a program for adequate protection and only seek the appearance of compliance. Most solutions are simple and inexpensive, but they still require proper integration into operational processes and consistent tactical practice. Achieving a Cyber Security program that truly provides prevention, detection, and recovery capabilities takes experience, and professionals with that expertise are not free. Nevertheless, investing in the firm’s policy and program is better than worrying about whether it will be the next victim of a cyber-attack and what damages and costs could result.

To learn more about Claude L. Williams, follow on Twitter @ClaudeLW and/or http://www.LinkedIN/in/ClaudeLW

To learn more about CyNtelligent Solutions, follow on Twitter @CyNtelligent and/or LinkedIn