Daily Perk 4/13/2021

One down, one to go

Happy Patch Tuesday!

Chrome 0day exploit shared on Twitter per Threatpost

A security researcher perhaps a little too eagerly shared their Pwn2Own discovery by tweeting a link to the exploit code yesterday. The code is for a remote code execution vulnerability that affects current versions of browsers using Chromium, like Google Chrome but also Microsoft Edge and others. Potentially all kinds of bad.

Now, Pwn2Own rules are that companies get notified before the bug gets dropped, so they can make and issue patches. That was the intention but the patch had not yet been deployed into official releases of the browsers. Oops 😬 Google will be releasing a new version of Chrome today which may or may not fix it. The upside fwiw is that the code shared is not “fully weaponized” ie it is not a full exploit chain capable of escaping the sandbox.

NAME:WRECK vulnerabilities impact IoT/OT per ZDNet

From the things that brought you Urgent/11 and Ripple20, now there’s NAME:WRECK. Vulnerabilities in millions of IoT devices that could let attackers disable them or control them remotely, ultimately gaining more network access. Nine vulnerabilities, four TCP/IP stacks, and potentially 100 million devices used by consumers, industry and enterprise.

Security patches are available but unlike with IT, it’s not a simple process for IoT or OT. Chances are that many will remain unpatched rather than risk breaking software, configurations and older equipment that has been painstakingly put in place. At high risk will be healthcare, already hard hit by ransomware attacks. Network segmentation and monitoring network traffic will provide mitigation when patching can’t be done.

Watch for the QBot / IcedID rotation per Bleeping Computer

Just to mix it up, malware operators are shuffling between IcedID (kinda the new Emotet) and QBot banking trojans. Both are nasty, multi-stage attack functional and will deliver a ransomware payload. And both are using EtterSilent, an increasingly popular service to build malicious documents.

Daily Perk 4/9/2021

Happy Weekend to All

IcedID – The new Emotet? per Threatpost

Don’t worry – Emotet isn’t really gone. It just stepped back a bit, and as we’ve seen happen, a new contender has stepped up. In this case, modular malware banking trojan IcedID aka BokBot has made its presence known in 2021, serving as a dropper for other malware via email campaigns using MS Excel attachments. Sounds familiar right? Evasion techniques include:

Hiding macro formulas in three different sheets; masking the macro formula using a white font on white background; and shrinking the cell contents and making the original content invisible

Microsoft’s blog today delved further into a “unique form of email delivery for IcedID malware”, looking at the abuse of website contact forms and emails with malicious links sent to enterprises. Contents download – you guessed it – IcedID. This is a good heads up for organizations because the abuse of website contact forms can bypass protections by piggybacking on legitimate infrastructure.

Pwn2Own finds critical Zoom vulnerability for RCE per ZDNet

Zoom really stepped up efforts last year to secure a platform that was never intended for the volume of use it received during the pandemic. It’s become a mainstay for personal and business purposes. With so many users, that’s a big target. The annual Pwn2Own hacking competition is a great way to test what we think is secure and patch potential holes, or open our minds to all kinds of attacker thinking. This year, researchers from Computest showed how a chain built from three vulnerabilities could lead to RCE on a target device with NO user interaction required, as per the animated attack here. Currently, the attack has been shown to work against Zoom on Windows and Mac. It’s not tested yet on iOS or Android. The browser version is SAFE. Zoom has been notified and has 90 days to develop a security solution for something nobody was looking for – except an attacker. This is effective collaboration!

Daily Perk 4/7/2021

We made it to Wednesday!

Trends of 2021: if it isn’t patched it’s getting ransomware.

Unpatched Fortinet VPNs being targeted by Cring ransomware per Bleeping Computer

Remember that joint FBI CISA warning about APTs scanning for Fortinet SSL VPNs? These attacks exploit CVE-2018-13379 on unpatched FortiGate SSL VPN servers per this Kaspersky report. It gets domain admin creds using Mimikatz, removes backup files, and kills MS Office and Oracle Database processes.

Yes, attackers are actively hunting for them online. And industrial operations in Europe are victims. Those IT networks getting pwned are alongside OT networks running ICS devices, and things on that side don’t tend to come back up well. AND – assume that anything compromised will be useful in future attacks, as we keep learning.

Wormable Android Malware posing as Netflix per ZDNet

Just take in the first three words. While not “sky is falling” wormable anything is scary, and given the sheer prevalence of Android devices that’s a lot of potential compromise. Compounded by a global pandemic and lockdowns, online entertainment subscriptions like Netflix are the virtual escape for millions.

Check Point researchers have reported on wormable Android malware posing as a legit Netflix app in the Google Play store, which is supposed to be the place to safely get your Android apps (I know, I know). The malware takes advantage of things we probably gloss over and agree to at installation: overlay permissions and ignoring battery optimization, so it can grab credentials and stay on. And permission to reply to WhatsApp messages. With that, it spreads by replying to WhatsApp messages with further malicious links. While this app has now been removed from the Google Play store, be wary of all the others like it and how conditioned we are to just install apps without reviewing their demands thoroughly.

Daily Perk 4/6/2021

Unsecured critical SAP applications under active attack per Bleeping Computer

SAP enterprise applications are used by more than 400,000 organizations globally, which includes 92% of Forbes 2000. Attackers are seeking out exposed, unpatched applications online, and in some cases linking or chaining these vulnerabilities together to increase their success of intrusion. Per cloud security firm Onapsis,

“Observed exploitation techniques would lead to full control of the unsecured SAP applications, bypassing common security and compliance controls, and enabling attackers to steal sensitive data, perform financial fraud or disrupt mission-critical business processes by deploying ransomware or stopping operations”

We know that patching is complicated (don’t get me started 😉) and typically larger organizations are behind by a couple cycles. The truth is that can often be considerably more when legacy systems, proprietary programs and operational concerns factor in.

EtterSilent Maldoc builder per Bleeping Computer

Something to keep watch for. EtterSilent is used to build malware-laden documents that can bypass detection on Windows, Google and email services, etc. It’s gaining popularity on underground forums and getting regular weaponized enhancements, either as a malicious macro or an exploit against a vulnerability. These can masquerade as DocuSign or DigiCert documents that need the macro enabled. It’s been seen recently dropping TrickBot and BazarLoader malware, which in turn can deliver a nasty ransomware payload. Verify with care.

Daily Perk 4/2/2021

Savour the moment

FBI and CISA warn APTs using 3 Fortinet bugs for access per The Record

If you are running Fortinet, and have an unpatched version of the FortiOS operating system, you’re gonna be going hunting but not for Easter eggs. Like many recently had to do with their on-prem Exchange servers, you need to go looking for signs of uninvited guests.

Both CISA and the FBI have released a joint report warning that state-backed, well-resourced adversaries (maybe possibly from Iran and China) are leveraging any or all of a trio of bugs “to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks”. This would be the second joint report regarding a Fortinet security issue they have released, with the earlier one in October 2020.

The three security bugs you should have patched and now will are: CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. But remember – patching after exploitation won’t protect you if they’re already in your network. And you don’t know that unless you go looking.

Breach: Capital One warns of more exposure from 2019 per Bleeping Computer

Capital One has warned more customers that their SSNs were exposed in a data breach from July 2019. This would be the AWS GitHub theft involving Paige Thompson. Unfortunately it didn’t stop at Capital One. Other companies include Ford, Vodafone and Michigan State U. The additional SSNs came to light when the bank used new tools to sift through the data and learned that indeed those SSNs they said weren’t taken actually were. Lessons here about penalties for failure to disclose all the info at the time as per regulations. And to conclude that if it was accessible, it was taken.

Zero-day warning for unsupported, outdated QNAP storage devices per Threatpost

QNAP NAS or network-attached storage devices are pretty common. Which makes them choice targets for attack, especially since they don’t always stay updated, monitored and maintained. We know what happens to things neglected and unprotected, right?

APT easy as 1-2-3

Two critical zero-day bugs affect legacy QNAP model TS-231 systems: CVE-2020-2509 and CVE-2021-36195. We are talking unauthenticated RCE meaning an attacker doesn’t need credentials. The bugs affect some non-legacy systems too, but those now have patches available. There are a whole lotta boxes out there so take the time, check yours against this list, and update what you can.

Shout out to my security-aware colleague Chuck – this is why I watch for QNAP 😊.

Daily Perk 4/1/2021

Happy Zero-trust Day!

North Korea sets up fake security firm lure per The Hacker News

Remember the reports back in January about North Korean attackers trying to lure security researchers with malware to investigate? They really went all out. There is a fake security firm, “SecuriElite”, and social media accounts, like TrendMacro, with links back to the poisoned site. Attackers are getting better at dissolving and reappearing elsewhere, in a game of adversary “whack-a-mole”. Our job is to consider how else, where else, they can play this strategy.

Update: Ubiquiti – it just gets worse per Bleeping Computer

We knew this was coming, right? Ubiquiti now says there was an extortion attempt back in January when that breach happened – but not to worry, no indication that source code or client data was taken. Hmm 🤨 After this past year of extortion ransomware, and the massive pwnage of the Accellion breach, I am sceptical. Especially since there wasn’t really any logging system in place to verify what the attacker got into. There are big lessons in here for all of us.

Don’t neglect your firmware per ZDNet

“Out of sight, out of mind” is not a cyber security best practice. Unfortunately, that sums up how most of us handle firmware updates and awareness. Yet, it’s where we keep credentials and encryption keys. Per the Microsoft Security Signals report for March, 80% of enterprises have had a security incident involving firmware but less than 1/3 of security budgets are invested in protecting it.

Firmware attacks are specialized, and may target UEFI or hardware drivers. Visibility is a problem, because firmware is that layer below what AV and detection services are made to monitor. It’s the purview of advanced persistent adversaries with resources. Think stealth, dwell time and painful compromise – what you can’t see will hurt you.

Daily Perk 3/31/2021

In this together

Patch it Now: per ZDNet, 2 critical vulnerabilities found in VMware vRealize. These could result in admin credential theft in the AI-based platform that offers “self-driving IT operations management for private, hybrid and multi-cloud environments”. As we continue the mass migration to all things cloud, this opens up a whole new world of vulnerability and exploit possibilities through the universe of third party products and services.

WordPress Warning: per Bleeping Computer there are counterfeit versions of the jQuery Migrate plugin being injected. This plugin is used on over 7.2 million websites, so consider this early warning and watch your site.

Campaign targets Japan’s industrial sector with fileless malware & backdoors per Securelist

This is an interesting one to be aware of because it involves several strains of fileless malware not seen before in a sophisticated campaign that has been targeting the industrial sector in Japan. Most notable is “Ecipekac”, a “very sophisticated multi-layer malware” with fileless malware payloads P8RAT and SodaMaster.

Kaspersky has been tracking the activity since 2019, and believes it is part of China’s well-established APT10. Fileless malware is hard to detect and doesn’t leave traces behind for forensics and learning afterwards – it’s something associated with an advanced/resourced/determined threat actor.

Daily Perk 3/30/2021 Updated

Got you a refill!

Ubiquiti Networks Breach: A “Catastrophic” cover up? Per Krebs on Security

This looks really bad. Ubiquiti Networks reported a data breach back in December into January. Apparently, per an insider at Ubiquiti

“it was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers. The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk”.

Access to Ubiquiti was gained via a third party, AWS. The attackers had admin access to Ubiquiti servers via the Amazon cloud service. Let’s just pause and reflect there. And think about the third party cloud service relationships we all have in play. You can read Krebs’ post for a more detailed account of what ensued. And if you use Ubiquiti, be very suspect. As with what happened to those Exchange servers, once pwned, twice burned. You need to sanitize what may be hiding in there.

India’s fintech platform MobiKwik data breach per The Hacker News

Thanks to a global pandemic, online payments went from nice to necessity. That’s a lot of sensitive data – payment data. Now, 8 TB of it has been found for sale, believed to be stolen from India’s MobiKwik. They provide a payment gateway and financial services to over 120 million users, including 3 million retailers. The data was being offered for 1.5 bitcoin. There has been a lot of drama with this. About a month ago it first came to light and MobiKwik vehemently denied it. Servers were secured, the data tap shut off briefly. But then the attacker came back, claiming to have all that data. Whatever is going on, this involves a tremendous amount of sensitive data that impacts people’s lives and livelihood once out there, and it can’t be taken back. We’ve seen the impact of mass data breaches fuelling cybercrime and the dark industry of synthetic identities. As individuals, more is expected of us to keep watch over our online presence. This extends in terms of data stewardship and responsible disclosure to those we trust and entrust with our data.

Privacy Cringe 😬: per Threatpost, Intel has been served up a lawsuit for breaking Florida’s wiretapping law. Because – don’t be surprised – they had software on their website to capture the keystrokes and movements of site visitors. Yes, folks like you and I. Yes, that would be the Intel in our computer chips. This was for user analytics on their site. I am sure visitors do not recall giving consent or even being asked. We are going to be confronting an increasing number of ethics and privacy concerns as AI, machine learning and data analytics converge. Be aware.

Good news maybe: for those concerned about SMS hijacks and SIM swap, an update in today’s CyberWire shows major US carriers have addressed the security loophole attacks were leveraging. You can read the article here.

“Broken Trust”: The New Report from the Atlantic Council chronicles supply chain attacks

Atlantic Council Report

This is a link to the PDF report, “Broken Trust: Lessons from Sunburst”, recently released by the Atlantic Council, which looks at seven supply chain attacks to illustrate failures by the private sector and governments to identify SolarWinds. The report states the need for the federal government to identify “software with the largest potential blast radius” as a preventative measure against more major “sky is falling” cyberattacks like SolarWinds. And where to focus? Per the report, “low-profile software used in critical parts of a network or given high-level permission that present valuable targets”.

Thanks to Politico’s weekly cybersecurity email for their insights and making the link available.

Daily Perk 3/29/2021

PHP Git Repository hacked with backdoors per Bleeping Computer

2021 is the year of software supply chain attacks. The latest involves code tampering in the official PHP Git repository. This is alarming because 79% of websites online use PHP as their server-side programming language. Two malicious changes upstream were pushed as “commits” by known PHP developers and maintainers, and made in the name of PHP’s creator.

As supply chain attacks seek to do, this abuses trust, which appears inherent in a commit process that allows anyone with local access to forge sign-offs in someone else’s name. To ensure better security going forward, PHP changes will now go through GitHub and not the PHP git server, and contributors will need to be added to an authorized group. Sounds good 👍

Critical Netmask bug impacts hundreds of thousands of applications per Bleeping Computer

Netmask is the npm library used worldwide by hundreds of thousands of applications to parse or compare IPv4 addresses and CIDR blocks. It gets 3 million weekly downloads, and 278,000 GitHub repos depend on it.

A critical networking bug was identified, CVE-2021-28918, affecting how netmask handles IPv4 addresses whose octets have a leading zero. It could lead to server-side request forgery bypasses or remote file inclusion. Which impacts the ability of appliances or tools like web application firewalls, or perimeter security controls, to protect and defend. Fixes are available on npm.
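Added example (my own code, not netmask’s): a strict inet_aton-style IPv4 parser (leading-zero octet is octal, 0x prefix is hex) beside a lenient decimal-only one, to show how the same string can name loopback to the operating system but a public address to a naive parser, plus a destination check that refuses any spelling the two disagree on. The blocklist and sample inputs are constructed for illustration.

```javascript
// Added example: compare inet_aton-style and decimal-only IPv4 parsing.
// One octet: hex (0x..), octal (leading 0), or plain decimal.
const OCTET_RE = /^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$/i;

// inet_aton semantics: "0177" -> 127 (octal), "0x7f" -> 127 (hex), "127" -> 127.
function parseOctetStrict(s) {
  if (!OCTET_RE.test(s)) return null;          // "08" or "" is malformed
  let value;
  if (/^0x/i.test(s)) value = parseInt(s.slice(2), 16);
  else if (s.length > 1 && s[0] === '0') value = parseInt(s, 8);
  else value = parseInt(s, 10);
  return value <= 255 ? value : null;
}

// Lenient parse that ignores the leading zero and reads "0177" as 177,
// the kind of mismatch CVE-2021-28918 describes.
function parseOctetDecimal(s) {
  if (!/^[0-9]+$/.test(s)) return null;
  const value = parseInt(s, 10);
  return value <= 255 ? value : null;
}

// Dotted quad -> unsigned 32-bit integer, or null if any octet is invalid.
function parseIPv4(str, parseOctet) {
  const parts = str.split('.');
  if (parts.length !== 4) return null;
  const o = parts.map(parseOctet);
  if (o.some(v => v === null)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function toDotted(n) {
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

// CIDR containment on a 32-bit address; the CIDR base is written canonically.
function inCidr(addr, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  const baseAddr = parseIPv4(base, parseOctetStrict);
  return ((addr & mask) >>> 0) === ((baseAddr & mask) >>> 0);
}

// Constructed internal ranges an SSRF filter would normally block.
const INTERNAL = ['127.0.0.0/8', '10.0.0.0/8', '169.254.0.0/16'];

// Safe only if the string is well-formed, unambiguous (both parsers agree)
// and outside the internal ranges. Ambiguity is treated as a failure so the
// filter and the OS resolver cannot be played against each other.
function isSafeDestination(str) {
  const strict = parseIPv4(str, parseOctetStrict);
  const lenient = parseIPv4(str, parseOctetDecimal);
  if (strict === null || lenient !== strict) return false;
  return !INTERNAL.some(c => inCidr(strict, c));
}

// How the two readings differ for one input, e.g. "0177.0.0.1".
function interpretations(str) {
  const s = parseIPv4(str, parseOctetStrict), l = parseIPv4(str, parseOctetDecimal);
  return { strict: s === null ? null : toDotted(s), lenient: l === null ? null : toDotted(l) };
}
```

interpretations('0177.0.0.1') returns strict '127.0.0.1' and lenient '177.0.0.1', which is exactly the gap a filter built on the lenient reading leaves open.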

New Spectre Vulnerabilities found in Linux per The Hacker News

Ah, the wonderful world of speculative execution attacks, aka the “sky is falling!” Spectre and Meltdown introduced us to a series of vulnerabilities allowing for things that were “never supposed to happen”. We know “trust but verify”, but need to add “never say never”.

Two new vulnerabilities could potentially allow attackers to bypass mitigations and get their paws on sensitive information from the kernel memory. All versions of Linux prior to 5.11.8 are affected. Patches were being released as of March 20.