
CloudSEK Daily Threat Bulletin – 6th March 2020

Round Up of Major Breaches and Scams

Brazilian security firm exposes 25 GB of data on leaky S3 bucket

A Brazilian home and business security firm has exposed 25 GB of files on a leaky S3 bucket. The files, which include tax documents, payment slips, and social security documents, reveal their clients’ contract details and staff information. The company, which provides property security services such as surveillance, CCTV, and access control, has said the S3 bucket only stored legacy documents from a portal that was disabled in 2017.

Data from Koodo Mobile breach being sold online

Koodo Mobile announced that their systems were hacked on 13 February 2020. An unauthorized user accessed their systems using compromised credentials and copied customer data for August and September 2017. The copied data includes mobile account and telephone numbers. Scammers can use this information to port Koodo mobile numbers to their own devices and intercept two-factor authentication codes, which are required to access the victim’s email and bank accounts. In addition, the company has evidence that the stolen information is being sold online. In response, the company has enabled the ‘Port Protection’ feature for affected accounts to prevent such attacks.

Round Up of Major Malware and Ransomware Incidents

TrickBot malware capitalises on Italy’s severe Coronavirus outbreak

In an effort to capitalize on the Coronavirus (COVID-19) outbreak, a new campaign is spreading TrickBot malware in Italy via email attachments that pretend to provide information on precautions. Once a victim enables the document content, malicious macros extract files to install and launch the TrickBot malware. The malware then steals information from the affected system and tries to spread laterally through the network.

Round Up of Major Vulnerabilities and Patches

Zoho releases patch for remote execution flaw in fleet control product

A vulnerability (CVE-2020-10189) in the endpoint management product Zoho ManageEngine Desktop Central allows attackers to remotely execute arbitrary code with root privileges on affected installations. Security experts have warned that ransomware groups may exploit the flaw in the 2300+ installations of the product. Since the product is used to control fleets of devices, attackers who exploit it can take full control of a company’s entire fleet. The flaw has been patched in Zoho ManageEngine Desktop Central version 10.0.479.

Intel chips released in the last 5 years have hardcoded firmware flaw

Most Intel chips released in the last 5 years have a flaw, in the Converged Security and Management Engine (CSME), that allows attackers to execute malicious code with the highest system privileges. Since it is a firmware flaw that is hardcoded in the mask ROM of microprocessors and chips, it can’t be patched with a firmware update. While Intel has released patches to alleviate the risk of the vulnerability, researchers don’t believe it is enough to protect systems completely.

WordPress plugin RegistrationMagic patches several critical vulnerabilities

The WordPress plugin RegistrationMagic has several critical vulnerabilities that can be exploited by an attacker with subscriber-level permissions to elevate their account to admin privileges. The flaws in the plugin, which is installed on 10,000+ sites, allow attackers to perform unprotected AJAX actions to send arbitrary emails, upload replacement forms, and register a new admin user. The flaws, which affect the plugin’s versions up to, have been patched.

Critical flaw in ppp Daemon allows remote execution of arbitrary code

Point-to-Point Protocol Daemon (pppd) has a critical vulnerability (CVE-2020-8597) that allows attackers to trigger a buffer overflow and remotely execute arbitrary code in the context of the pppd process. The vulnerability, which has a CVE score of 9.3, affects pppd versions 2.4.2 to 2.4.8. The root cause is an error in input size validation: attacker-supplied data is copied into memory without a correct length check, corrupting memory and allowing arbitrary code execution.
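As an added illustration of the bug class described above (constructed for this bulletin, not pppd’s own code), a hypothetical message whose name field runs from a byte offset to the end of the packet is copied into a fixed buffer: the weak validator compares the field offset against the wrong quantity and so accepts oversized names, while the hardened extractor bounds the copy by the bytes actually remaining. `NAME_MAX`, `weak_name_bytes`, `safe_extract_name` and the sample packet are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_MAX 16  /* fixed destination buffer size (constructed value) */

/* Constructed packet layout for this example: a 'len'-byte message whose
 * name field starts at byte offset 'off' and runs to the end of the message. */

/* Weak validator (hypothetical): compares the offset against len + NAME_MAX
 * instead of comparing the remaining bytes (len - off) against the buffer.
 * The test can never hold for a well-formed packet, so every name is accepted.
 * Returns the number of bytes that would be copied into a NAME_MAX buffer. */
size_t weak_name_bytes(size_t len, size_t off)
{
    if (off >= len + NAME_MAX)      /* wrong quantity compared */
        return NAME_MAX - 1;        /* truncation branch, unreachable in practice */
    return len - off;               /* may exceed NAME_MAX - 1: overflow */
}

/* Hardened extractor: rejects offsets past the end, then bounds the copy by
 * the remaining bytes and leaves room for the terminator.
 * Returns bytes copied, or -1 for a malformed packet. */
int safe_extract_name(const uint8_t *pkt, size_t len, size_t off, char out[NAME_MAX])
{
    if (pkt == NULL || off > len)
        return -1;
    size_t remaining = len - off;
    size_t n = remaining < NAME_MAX - 1 ? remaining : NAME_MAX - 1;
    memcpy(out, pkt + off, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample: a 4-byte header followed by a 36-byte name,
 * far larger than the NAME_MAX buffer. */
static const uint8_t SAMPLE_PKT[] =
    "HDR:" "AAAAAAAAA" "AAAAAAAAA" "AAAAAAAAA" "AAAAAAAAA";
#define SAMPLE_LEN (sizeof(SAMPLE_PKT) - 1)  /* 40 bytes */
#define SAMPLE_OFF 4
```

The weak validator reports 36 bytes for the sample, which would overrun a 16-byte buffer; the hardened extractor copies at most 15 and always terminates the string.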

FDA warns patients against Bluetooth protocol flaw in medical devices

The FDA has warned patients that pacemakers and glucose-monitoring systems are affected by vulnerabilities in the wireless protocol Bluetooth Low Energy (BLE). The flaws, which affect a variety of microchipped devices, allow an attacker within radio range to disrupt their communication, thus forcing the device to restart. While there are no reports of exploitation of the flaws, the FDA has asked medical device manufacturers to curtail the risks posed by working with healthcare providers and patients.