Category Archives: Security alerts

Security Alert: A critical vulnerability in Microsoft RDP could lead to another WannaCry-magnitude attack

NCC Group has released a network detection rule (signature) for CVE-2019-0708, a vulnerability in Remote Desktop Services that is present in Windows versions going back to Windows XP.

Our experts have credible intelligence indicating that this vulnerability could be exploited in the wild in less than a week, potentially causing damage on the scale of self-replicating code such as WannaCry and the older Conficker worm.

According to our intelligence, 8.5% of machines are vulnerable to this attack. Based on that figure, we conclude that the impact on organizations worldwide could be devastating.

Our Research & Intelligence team, which monitors underground forums and dark-market services, has observed several offers of functional exploit code for sale. One of these offers comes from a seller who had previously sold 0-day exploits on the dark market.

We are already in possession of functional exploit code and can confirm that it works reliably against vulnerable installations.

How does the exploit work and how critical is it? 

Although Microsoft ended support for Windows XP in 2014 and has since retired other older versions, it released patches for all of the affected systems, including the unsupported ones, on May 14, 2019.

Here is the list of vulnerable operating systems:

  • Windows Server 2003
  • Windows XP
  • Windows 7
  • Windows Server 2008
  • Windows Server 2008 R2

The bug is a pre-authentication remote code execution flaw in Remote Desktop Services: an attacker who can reach the RDP port can run code on the machine without supplying any credentials. Once an attacker breaks in this way, they have full control over the machine, with no login credentials needed.

Simply having RDP reachable from an untrusted network may mean the gates to your system are wide open.

Because no authentication or user interaction is required, the vulnerability is wormable: malware could exploit it to copy itself from one vulnerable machine to the next across a network.

We have seen this happen before with WannaCry and NotPetya, and this RDP vulnerability could very well lead to a similar disaster.

WannaCry was a ransomware worm that spread around the globe within 24 hours, infecting hundreds of thousands of computers in about 150 countries. The National Health Service (NHS) in England and Scotland was among the first organizations hit; other major victims included Telefónica, Renault and FedEx.

Even more concerning, the NotPetya outbreak followed shortly afterwards, probably fueled by an it-will-not-happen-to-me mentality and by people not taking the threat seriously. NotPetya spread using the same EternalBlue exploit, and it disrupted operations at giants such as Maersk and at Ukraine's central bank.

This shows that irregular patching of outdated systems, and a failure to learn from past outbreaks, remain fundamental problems.

Here is the security guide you need to follow 

Since we have already witnessed how fast these infections can spread, here are our recommendations for staying safe.

Apply these measures as quickly as possible, since an outbreak could start sooner than anyone expects:

  • Patch as soon as possible 

We recommend that all of our customers build a current inventory of their RDP services and make sure every one of them is patched.

Give the highest priority to RDP services that are exposed to external networks.

If for some reason you cannot patch your machines immediately:

  • Implement IP restrictions so that RDP services are reachable only from the addresses that need them, whether on the LAN or the WAN; never leave TCP port 3389 open to the Internet.
  • Enable Network Level Authentication (NLA). NLA requires the client to authenticate before a session is established, which blocks unauthenticated exploitation. Note that an attacker who already holds valid credentials could still trigger the bug, so NLA is a stopgap, not a substitute for the patch.
  • Turn off RDP. Obviously, this is not an option if your business cannot run without it.
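The checklist above, as one script for a Windows 7 / Server 2008 R2 host. This is an added example, not code from Heimdal, CSIS or the NCC Group signature. It audits the host (RDP enabled, listening port, NLA, security layer, patch present) and applies the three interim mitigations. Two assumptions are built in and marked in the comments: the KB numbers (KB4499175 security-only and KB4499164 monthly rollup for Windows 7 SP1 / Server 2008 R2; confirm the update for your build in Microsoft's advisory before relying on the check) and the management subnet 10.10.0.0/16. Run it in an elevated PowerShell session.

```powershell
# Added example, not part of the Heimdal/CSIS advisory. Audit a Windows 7 /
# Server 2008 R2 host for CVE-2019-0708 exposure and apply interim mitigations.
# Written to run on PowerShell 2.0 (the Windows 7 default). Run elevated.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$TcpKey = "$TsKey\WinStations\RDP-Tcp"
# Assumption: May 2019 updates for Windows 7 SP1 / Server 2008 R2
# (security-only / monthly rollup). Verify against Microsoft's advisory.
$BlueKeepKBs = @('KB4499175', 'KB4499164')

function Get-RdpExposure {
    $ts   = Get-ItemProperty -Path $TsKey
    $tcp  = Get-ItemProperty -Path $TcpKey
    $port = $tcp.PortNumber
    # Get-HotFix only lists updates installed through Windows Update/WUSA;
    # a missing entry means "check further", not "definitely unpatched".
    $patched = [bool](Get-HotFix -ErrorAction SilentlyContinue |
                      Where-Object { $BlueKeepKBs -contains $_.HotFixID })
    # netstat is used because Get-NetTCPConnection does not exist on Windows 7.
    $listening = [bool](netstat -an | Select-String -Pattern ":$port\s+.*LISTENING")
    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        RdpEnabled     = ($ts.fDenyTSConnections -eq 0)
        Listening      = $listening
        Port           = $port
        NlaRequired    = ($tcp.UserAuthenticationRequired -eq 1)
        SecurityLayer  = $tcp.SecurityLayer      # 0 = RDP, 1 = negotiate, 2 = TLS
        PatchInstalled = $patched
    }
}

# Mitigation 1: allow the built-in Remote Desktop firewall rules only from
# named source subnets (IPv4 CIDR) instead of from anywhere.
function Restrict-RdpSources {
    param([Parameter(Mandatory=$true)][string[]]$AllowedSubnets)
    $scope = $AllowedSubnets -join ','
    netsh advfirewall firewall set rule group="Remote Desktop" new remoteip=$scope
}

# Mitigation 2: require NLA (client authenticates via CredSSP before the RDP
# session is created) and the TLS security layer.
function Enable-RdpNla {
    Set-ItemProperty -Path $TcpKey -Name UserAuthenticationRequired -Value 1
    Set-ItemProperty -Path $TcpKey -Name SecurityLayer -Value 2
}

# Mitigation 3: turn RDP off where the business can live without it.
function Disable-Rdp {
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=no
}

# Decide per host: patched means done; otherwise restrict and enforce NLA,
# and never leave the listener open to every address.
$state = Get-RdpExposure
$state | Format-List
if ($state.RdpEnabled -and -not $state.PatchInstalled) {
    Restrict-RdpSources -AllowedSubnets @('10.10.0.0/16')   # assumption: your admin subnet
    Enable-RdpNla
    Write-Warning "$($state.ComputerName): RDP enabled and no BlueKeep update found; restricted and NLA enforced, patch ASAP."
}
```

For a fleet, wrap Get-RdpExposure in Invoke-Command against your host list and export the objects to CSV; that gives the inventory of RDP services the checklist asks for. Firewall scope changes made with netsh can be overridden by Group Policy, so confirm the effective rule after a policy refresh, and remember that registry-level NLA settings on Windows XP and Server 2003 differ from the keys used here.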

Be part of the solution, not part of the problem and act quickly. 

Here you can also find the network signatures.

*This article features cyber intelligence provided by CSIS Security Group researchers. 

The post Security Alert: A critical vulnerability in Microsoft RDP could lead to another WannaCry-magnitude attack appeared first on Heimdal Security Blog.

Security Alert: Mass Credit Card Stealing Campaign Detected in Online Shops

Security researchers have uncovered a still-ongoing mass credit card stealing campaign that began collecting data from unsuspecting online shoppers sometime in October 2018.

The campaign targeted more than 100 online shops, all of them otherwise deemed legitimate and trustworthy. Six of the affected sites were even listed in the Alexa Top 1 Million.

In this report we will refer to the campaign as Magento Analytics, after the name of the domain used to inject malicious scripts into the online shops' code.

How Does the Magento Analytics Mass Credit Card Stealing Campaign Operate?

The domain first appeared on the researchers' radar in October 2018, when something about it seemed off. Its traffic was low, it served no apparent purpose, and what traffic it did receive arrived indirectly, through other sites that loaded resources from it.


The name looked innocent enough at first glance. Magento is a major e-commerce platform whose engine powers countless online shops around the world, so something called Magento Analytics running on those sites would not seem out of place. But the domain served nothing if you tried to access it directly.

Another thing that tipped off the researchers was that the domain's registration details and IP addresses kept changing. The domain was registered in Panama, but the IP it operated from moved around: first Arizona, US, then Moscow, Russia, for a while, then Hong Kong. That alone warranted a second look.

Shifting IPs were far from the only thing wrong with the domain. While the domain itself returns only a 430 error page when accessed directly (not recommended), the researchers found various sub-pages on it with nothing meaningful on them either; each of them served JavaScript.

Through continuous traffic monitoring, the researchers realized that Magento Analytics was injecting these malicious scripts into third-party websites. The online shops had no idea that the scripts were harvesting their customers' credit card details.

[Figure: the TrySend function in the Magento Analytics skimmer script]

As soon as the JS code loads, it sets a timer that calls the TrySend function every 500 ms. Each call reads the checkout form's credit card input fields and attempts to send their contents to the attacker's server.
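The skimmer only works because the shop page loads script from a host the shop does not control and lets that script talk to the outside. As an added example (not code from the Heimdal article or the Netlab 360 report), the Node.js block below scans a checkout page's HTML for script sources whose host is not on an allowlist, and builds a Content-Security-Policy header that would block both the injected loader and its exfiltration channels. The sample page, the shop host names and the allowlist are constructed for illustration; only the domain name "magento-analytics" comes from the article, and its .com TLD is assumed.

```javascript
// Added example, not part of the article or the Netlab 360 report.
// Detect non-allowlisted <script src> hosts on a checkout page and build a
// CSP that blocks injected script plus the channels a skimmer exfiltrates over.

// Constructed sample page: two first-party scripts, one skimmer loader.
const SAMPLE_HTML = `
<html><head>
<script src="/static/js/checkout.js"></script>
<script src="https://cdn.shop.example/js/jquery.min.js"></script>
<script type="text/javascript" src='https://magento-analytics.com/js/analytics.js'></script>
</head><body>
<form id="checkout">
  <input name="cc_number"><input name="cc_owner"><input name="cc_exp"><input name="cc_cvv">
</form>
<script>/* inline first-party code */</script>
</body></html>`;

// Return the src attribute of every <script> tag that has one.
function extractScriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const sources = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    sources.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return sources;
}

// Resolve a src value against the page origin and return its host;
// relative URLs therefore resolve to the shop's own host.
function scriptHost(src, pageOrigin) {
  try {
    return new URL(src, pageOrigin).hostname;
  } catch (e) {
    return null; // unparseable src: nothing to load, nothing to flag
  }
}

// Hosts that load script into the page but are not on the allowlist.
function findUnexpectedScripts(html, pageOrigin, allowedHosts) {
  const allowed = new Set([new URL(pageOrigin).hostname, ...allowedHosts]);
  const unexpected = new Set();
  for (const src of extractScriptSources(html)) {
    const host = scriptHost(src, pageOrigin);
    if (host && !allowed.has(host)) unexpected.add(host);
  }
  return [...unexpected];
}

// CSP that permits script only from 'self' and the allowlist, and confines
// XHR/fetch, image beacons and form posts (the usual exfiltration paths)
// to the shop itself, so a skimmer that does get in cannot phone home.
function buildCsp(allowedHosts) {
  const scriptSrc = ["'self'", ...allowedHosts].join(' ');
  return [
    "default-src 'self'",
    `script-src ${scriptSrc}`,
    "connect-src 'self'",
    "img-src 'self'",
    "form-action 'self'",
  ].join('; ');
}

const PAGE_ORIGIN = 'https://shop.example';      // constructed
const ALLOWED = ['cdn.shop.example'];              // constructed allowlist
console.log('unexpected script hosts:', findUnexpectedScripts(SAMPLE_HTML, PAGE_ORIGIN, ALLOWED));
console.log('Content-Security-Policy:', buildCsp(ALLOWED));
```

Run the scanner against a fetched copy of every page that carries a payment form, not just the home page, because injections are often limited to the checkout flow. The CSP shown blocks inline scripts too, so a shop that relies on inline first-party code must add a nonce or hash for each inline block; that is also what stops an attacker from inlining the skimmer instead of loading it from a domain.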

What Were the Losses Incurred by the Magento Analytics Malware Campaign?

Data from the researchers shows that the TrySend function collected the card number, the cardholder's name, the expiry date and the CVV code: everything an attacker needs to spend your money afterwards.

So far, no one has come forward to report money lost to the Magento Analytics campaign. That does not mean there have been no losses. Most likely the amounts were small, the legitimate cardholders managed to reverse the transactions, or victims simply have not yet connected the loss to this campaign.

We will keep you updated on reports about the losses incurred through Magento Analytics as more is revealed.

The scary part of the Magento Analytics campaign is that the injected JS was not even sophisticated; all in all, it is a fairly rudimentary scam. It shows how disastrous it can be for online stores to leave security holes in their systems, since there will always be malicious third parties interested in exploiting them.

Data provided in this analysis was obtained by Netlab 360.

The post Security Alert: Mass Credit Card Stealing Campaign Detected in Online Shops appeared first on Heimdal Security Blog.