Weekly Cybersecurity Roundup #10
"The problem of viruses is temporary and will be solved in two years." – John McAfee, 1988
SMBleed: A New Critical Vulnerability Affects Windows SMB Protocol
Cybersecurity researchers today uncovered a new critical vulnerability affecting the Server Message Block (SMB) protocol that could allow attackers to leak kernel memory remotely, and when combined with a previously disclosed "wormable" bug, the flaw can be exploited to achieve remote code execution attacks.
Dubbed "SMBleed" (CVE-2020-1206) by cybersecurity firm ZecOps, the flaw resides in SMB's decompression function — the same function involved in the SMBGhost or EternalDarkness bug (CVE-2020-0796), which came to light three months ago — potentially opening vulnerable Windows systems to malware attacks that can propagate across networks.
The newly discovered vulnerability impacts Windows 10 versions 1903 and 1909, for which Microsoft today released security patches as part of its monthly Patch Tuesday updates for June.
The A1 Telekom Austria Hack
On the 3rd of February 2020 I received an encrypted email on 3 of my email addresses from a person calling themself "Libertas" with the subject "Information for the public".
I am writing to you today because you seem to be an IT security related guy from Austria with a brain. I hope this assumption is correct, otherwise please disregard this message.
I am writing concerning your local telecom company A1 Telekom. -Libertas
At first I thought it was some conspiracy theorist who wanted to publish something on my blog (they always do), but it was not one of those cases and I wasn't prepared for what they presented to me.
Honda investigates possible ransomware attack, networks impacted
Computer networks in Europe and Japan from car manufacturer giant Honda have been affected by issues that are reportedly related to a SNAKE Ransomware cyber-attack.
Details are unclear at the moment but the company is currently investigating the cause of the problems that were detected on Monday.
CallStranger vulnerability lets attackers bypass security systems and scan LANs
A severe vulnerability resides in a core protocol found in almost all internet of things (IoT) devices.
The vulnerability, named CallStranger, allows attackers to hijack smart devices for distributed denial of service (DDoS) attacks, but also for attacks that bypass security solutions to reach and conduct scans on a victim's internal network -- effectively granting attackers access to areas where they normally wouldn't be able to reach.
According to a website dedicated to the CallStranger vulnerability published today, the bug impacts UPnP, which stands for Universal Plug and Play, a collection of protocols that ship on most smart devices.
Windows 10 SMBGhost bug gets public proof-of-concept RCE exploit
Working exploit code that achieves remote code execution on Windows 10 machines is now publicly available for CVE-2020-0796, a critical vulnerability in Microsoft Server Message Block (SMB 3.1.1).
More refined versions of the exploit are expected to emerge, especially since at least two cybersecurity companies created exploits for the vulnerability and have been holding back the release since April.
Unpatched Microsoft Systems Vulnerable to CVE-2020-0796
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of publicly available and functional proof-of-concept (PoC) code that exploits CVE-2020-0796 in unpatched systems. Although Microsoft disclosed and provided updates for this vulnerability in March 2020, malicious cyber actors are targeting unpatched systems with the new PoC, according to recent open-source reports. CISA strongly recommends using a firewall to block SMB ports from the internet and to apply patches to critical- and high-severity vulnerabilities as soon as possible.
US aerospace services provider breached by Maze Ransomware
The Maze Ransomware gang breached and successfully encrypted the systems of VT San Antonio Aerospace, as well as stole and leaked unencrypted files from the company's compromised devices in April 2020.
VT San Antonio Aerospace (VT SAA) is a leading North American aircraft MRO (maintenance, repair, and overhaul) service provider specialized in airframe maintenance repair and overhaul, line maintenance, aircraft modifications, and aircraft engineering services.
VT SAA is a subsidiary of ST Engineering (part of ST Aerospace, its aerospace arm), one of the largest firms listed on the Singapore Exchange and an engineering group with customers in the defense, government, and commercial segments in over 100 countries, and roughly 23,000 people across Asia, Europe, Middle East, and the United States.
ST Aerospace provides repair and overhaul services for more than 25,000 mechanical and avionics component types fitted on various Airbus and Boeing aircraft and helicopters.
Botnet blasts WordPress sites with configuration download attacks
Security researchers at WordFence, a company that’s focused on securing WordPress, have reported a burst of old-school attacks that are after your WordPress configuration data.
In a default installation of WordPress, whether you’ve installed it yourself or are using a hosted service, the configuration file wp-config.php should be off limits to outsiders.
Chinese And Iranian Hackers Target Trump, Biden’s Election Campaign, Google Says
Google researchers announced they have identified state-sponsored hacking attempts targeting both Republican President Donald Trump’s and Democratic nominee Joe Biden’s election campaigns.
On Thursday, Shane Huntley, the head of Google’s Threat Analysis Group (TAG), said on Twitter that they recently detected two separate phishing campaigns.
For those unaware, TAG is a division inside Google’s security department, which works to counter government-backed hacking and attacks against the company and its users.
According to TAG, staffers working on Biden's U.S. presidential campaign were targeted by a China-linked APT (advanced persistent threat) group. Similarly, an Iran-linked APT group was found to be targeting email accounts belonging to Trump’s campaign staff.
“Recently TAG saw China APT group targeting Biden campaign staff & Iran APT targeting Trump campaign staff with phishing. No sign of compromise. We sent users our govt attack warning and we referred to fed law enforcement,” Huntley tweeted.
New Cyber Operation Targets Italy: Digging Into the Netwire Attack Chain
Info stealer malware continues to be one of the most widely adopted weapons of cyber actors. One of them is Netwire (MITRE S0198), a multiplatform remote administration tool (RAT) that has been used by criminals and espionage groups since at least 2012.
During our Cyber Threat Intelligence monitoring we spotted a particular Office document weaponized to deliver this kind of malicious tool, uncovering a hidden malicious campaign designed to target Italian-speaking victims. The attack chain we discovered showed interesting technical patterns resembling other previous activities targeting the Italian manufacturing landscape, so we decided to dig deeper.
Phishing Attacks Against Trump and Biden Campaigns
Google's threat analysts have identified state-level attacks from China.
I hope both campaigns are working under the assumption that everything they say and do will be dumped on the Internet before the election. That feels like the most likely outcome.
Phishing Attacks Spoofing PBX Integrations
With workforces largely remaining partially or fully remote, employees continue to rely on tools for greater efficiency and productivity. While we all know that software like Slack and Zoom has surged in popularity in recent months, there are other technologies - both new and old - that have proven invaluable to employees as they ride out COVID-19 working from home.
One of those tools is the Private Branch Exchange (PBX), a legacy technology which enables voice message recordings to be sent directly to an employee’s inbox. As workers have little to no access to office land lines, PBX enables employees to retrieve important messages through integration with a company’s email client. Simply put - if an employee misses a call, then they instantly receive a recording or message in their inbox.
While this configuration has made it easier to connect and work from anywhere, it has also allowed cybercriminals to find another way to phish workers. That’s completely unsurprising: if we know anything about hackers, it's that no current event is out of bounds for them to try and exploit.
Any Indian DigiLocker Account Could've Been Accessed Without Password
The Indian Government said it has addressed a critical vulnerability in its secure document wallet service Digilocker that could have potentially allowed a remote attacker to bypass mobile one-time passwords (OTP) and sign in as other users to access their sensitive documents stored on the platform.
"The OTP function lacks authorization, which makes it possible to perform OTP validation by submitting any valid user's details and then manipulating the flow to sign in as a totally different user," security researcher Mohesh Mohan said in a disclosure shared with The Hacker News.
With over 38 million registered users, Digilocker is a cloud-based repository that acts as a digital platform to facilitate online processing of documents and speedier delivery of various government-to-citizen services. It's linked to a user's mobile number and Aadhar ID—a unique identity number (UID) issued to every resident of India.
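The flaw Mohan describes, modelled in Python as an added example (not code from DigiLocker or from the article): a login flow whose OTP check is never bound to the identity that is finally signed in, beside a hardened flow that records the OTP's recipient server-side. The user ids, phone numbers and the simulated SMS outbox are constructed for the example.

```python
import secrets

USERS = {"alice": "+91-1000", "bob": "+91-2000"}  # constructed: user id -> phone
OUTBOX = {}  # phone -> last code sent; stands in for the SMS the phone's owner reads

class VulnerableLogin:
    """Flow as the disclosure describes it: the OTP is checked for whatever
    phone the client names, and sign-in takes the user id from the request."""
    def __init__(self):
        self.sessions = {}  # token -> per-login state

    def start(self, phone):
        token = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        OUTBOX[phone] = code  # simulated SMS delivery
        self.sessions[token] = {"otp_ok": False, "code": code}
        return token

    def submit_otp(self, token, code):
        s = self.sessions[token]
        s["otp_ok"] = secrets.compare_digest(s["code"], code)

    def sign_in(self, token, user_id):
        # BUG: user_id comes from the request and is never tied to the phone
        # that passed the OTP check, so any OTP-verified session can name anyone.
        s = self.sessions[token]
        return user_id if s["otp_ok"] and user_id in USERS else None

class HardenedLogin(VulnerableLogin):
    """Records which user the code went to and signs in only that user."""
    def start(self, user_id):
        token = super().start(USERS[user_id])
        self.sessions[token]["user_id"] = user_id
        return token

    def sign_in(self, token):
        # No parameter through which the client could name a different user.
        s = self.sessions[token]
        return s["user_id"] if s["otp_ok"] else None

def demo():
    """Bob, who can read only his own phone, tries to end up signed in as alice."""
    v = VulnerableLogin()
    t = v.start(USERS["bob"])
    v.submit_otp(t, OUTBOX[USERS["bob"]])
    vulnerable = v.sign_in(t, "alice")  # "alice": the takeover the disclosure describes
    h = HardenedLogin()
    t = h.start("bob")
    h.submit_otp(t, OUTBOX[USERS["bob"]])
    hardened = h.sign_in(t)  # "bob": identity bound to the OTP's recipient
    return vulnerable, hardened
```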