Weekly Cybersecurity Roundup #4
As was the case in the past weeks, threat actors attempt to capitalize on coronavirus outbreak.
Is BGP Safe Yet? No. But we are tracking it carefully
BGP leaks and hijacks have been accepted as an unavoidable part of the Internet for far too long. We relied on protection at the upper layers like TLS and DNSSEC to ensure an untampered delivery of packets, but a hijacked route often results in an unreachable IP address. Which results in an Internet outage.
The Internet is too vital to allow this known problem to continue any longer. It's time networks prevented leaks and hijacks from having any impact. It's time to make BGP safe. No more excuses.
Today, we are releasing isBGPSafeYet.com, a website to track deployments and filtering of invalid routes by the major networks.
We are hoping this will help the community and we will crowdsource the information on the website. The source code is available on GitHub, we welcome suggestions and contributions.
PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors
Cisco Talos has discovered a new malware campaign based on a previously unknown family we're calling "PoetRAT." At this time, we do not believe this attack is associated with an already known threat actor. Our research shows the malware was distributed using URLs that mimic some Azerbaijan government domains, thus we believe the adversaries in this case want to target citizens of the country Azerbaijan, including private companies in the SCADA sector like wind turbine systems. The droppers are Microsoft Word documents that deploy a Python-based remote access trojan (RAT). We named this malware PoetRAT due to the various references to William Shakespeare, an English poet and playwright. The RAT has all the standard features of this kind of malware, providing full control of the compromised system to the operation. For exfiltration, it uses FTP, which denotes an intention to transfer large amounts of data.
A Brand New Ursnif/ISFB Campaign Targets Italian Organizations
Ursnif is one of the most and widespread threats, it is delivered through malspam campaigns aimed at multiple industries across Italy and Europe.
Recently, we have identified a new variant that is targeting Italian organizations. The malspam messages use attachments with subjects like “Avviso di Pagamento_xxxx_date” where xxxx is a number and date is a date reported in the format “dd-mm-yyyy” (i.e. “Avviso di Pagamento_14326_15_04_2020”). We spotted some major changes in the techniques employed in the Ursnif/ISFB droppers used in the campaign. Operators behind the campaign have adopted new techniques to avoid detection and propose important changes in the Ursnif infection chain.
Are we doing enough to protect connected cars?
The trend in the automotive industry is to add solutions that entail more connectivity, such as IT-based solutions. But, to effectively thwart cyber threats, vehicles require cyber security solutions without the need for constant connectivity and which are suited for moving platforms unlike traditional IDS/IPS solutions and firewalls. While greater automotive connectivity promises to significantly enhance the driving experience, it also creates new attack vectors for hackers to exploit.
Vehicles should not need constant human interaction with the cybersecurity aspects of a vehicle in order to prevent cyber-attacks. To ensure that the foundation of a vehicle’s critical security system is safe, vehicles must be secure by design: security must be embedded within every aspect of the vehicle. There will always be new threats, but a car should be capable of stopping cyberattacks through standalone solutions that do not require any human intervention, and which are not learning mechanisms but rather deterministic.
MSC Data Center Closes Following Suspected Cyber-Attack
A container shipping company has said malware could be to blame for the closure of one of its data centers last week.
The Mediterranean Shipping Company (MSC) took to Twitter on Good Friday to report a network outage issue affecting the website msc.com, which was still down at time of writing.
The incident, which is thought to have occurred on Thursday, April 9, also brought down the shipping company's myMSC portal.
A message posted from the Twitter account MSC Cargo on April 10 stated: "We are sorry to inform you that http://MSC.com and myMSC are currently not available as we've experienced a network outage in one of our data centers. We are working on fixing the issue."
As a result of the outage, self-service tools for making and managing bookings on MSC ships have ceased to be operational. Alternative booking platforms are available, and customers can still book via email and over the phone.
"All our departments, terminals and depots are operating without disruptions,” said MSC. “Customers can still book via INTTRA and GT Nexus, which are both fully functional, or place bookings via email.”
New AgentTesla variant steals WiFi credentials
AgentTesla is a .Net-based infostealer that has the capability to steal data from different applications on victim machines, such as browsers, FTP clients, and file downloaders. The actor behind this malware is constantly maintaining it by adding new modules. One of the new modules that has been added to this malware is the capability to steal WiFi profiles.
AgentTesla was first seen in 2014, and has been frequently used by cybercriminals in various malicious campaigns since. During the months of March and April 2020, it was actively distributed through spam campaigns in different formats, such as ZIP, CAB, MSI, IMG files, and Office documents.
Newer variants of AgentTesla seen in the wild have the capability to collect information about a victim’s WiFi profile, possibly to use it as a way to spread onto other machines. In this blog, we review how this new feature works.
Indian Govt Issues Advisory Against Use Of Zoom App, Plans To Replace It
The Ministry of Home Affairs (MHA) on Thursday issued an advisory saying that video-conferencing application, Zoom “is not a secure platform” for private individuals and has advised government officers/officials not to use the app for any purpose.
Earlier, the Indian Computer Emergency Response Team (Cert-In) had issued similar advisories about exercising caution while using Zoom.
“Zoom is a not a safe platform and advisory of Cert-In on the same dated Feb 06, 2020, and March 30, 2020, may kindly be referred. These advisories are available on Cert-In website,” the MHA advisory said.
The MHA advisory comes after the CERT-in warning and is especially meant for private individuals and organisations.
U.S. House Oversight Committee Meeting Disrupted by Zoom-Bombers
An internal government letter revealed that Zoom-bombers had disrupted a meeting held by the U.S. House Oversight Committee.
In a letter sent to Representative Carolyn B. Maloney (D-N.Y.), chairwoman of the House of Representatives’ Committee on Oversight and Reform, ranking member Jim Jordan (R-Ohio) revealed that the incident took place at the beginning of April
Hack 5 GHz Wi-Fi Networks with an Alfa Wi-Fi Adapter
Wi-Fi networks come in two flavors: the more common 2.4 GHz used by most routers and IoT devices, and the 5 GHz one offered as an alternative by newer routers. While it can be frustrating to attack a device that moves out of reach to a 5 GHz Wi-Fi network, we can use an Alfa dual-band adapter to hack Wi-Fi devices on either type of network.
Wi-Fi is a radio standard that has been around since 1997, and the number of devices using it has made its part of the spectrum quite crowded. To relieve that stress, 5 GHz was introduced to offer fast Wi-Fi connections over similar distances as a comparable 2.4 GHz network. For hackers going after Wi-Fi devices, a router that provides both 2.4 and 5 GHz networks can be a real problem, as attacks requiring sending de-authentication frames can simply cause the target device to move out of reach to the 5 GHz network.
What’s a 10? PWNING VCenter with CVE-2020-3952
Last Thursday, VMware published a security advisory for CVE-2020-3952, describing a “sensitive information disclosure vulnerability in the VMware Directory Service (vmdir)”. It’s a pretty terse advisory, and it doesn’t go into much more detail than that, besides stating that any vCenter Server v6.7 that has been upgraded from a previous version is vulnerable.
What’s striking about this advisory is that the vulnerability got a CVSS score of 10.0 — as high as this score can go. Despite the amount of press the advisory got, though, we couldn’t find anything written about the technical details of the vulnerability. We wanted to get a better understanding of its risks and to see how an attacker could exploit them, so we started investigating the changes in VMware’s recommended patch — vCenter Appliance 6.7 Update 3f.
By combing through the changes made to the vCenter Directory service, we reconstructed the faulty code flow that led to this vulnerability. Our analysis showed that with three simple unauthenticated LDAP commands, an attacker with nothing more than network access to the vCenter Directory Service can add an administrator account to the vCenter Directory. We were able to implement a proof of concept for this exploit that enacts a remote takeover of the entire vSphere deployment.