CVE Emotet

CloudSEK Daily Threat Bulletin – 12th February 2020

Just 3 weeks before the legislative election, it has been found that Israel’s ruling party has inadvertently exposed all 6.5 million eligible voters’ personal information. And despite the growing sophistication of cyber-attacks, simple but severe Business Email Compromise attacks, are the leading cause for cybercrime losses. Phishing efforts continue to get more convincing, with a recent spate of emails masquerading as Amex and Chase fraud protection emails.

Google has announced that in a few months 2 factor authentication will be necessary to access Google Nest devices. Surprisingly, a new study shows that in 2019, an average of 11 threats were registered per Mac, which is double that of Windows. With macOS beings more vulnerable to adware and PUPs.

In its biggest Patch Tuesday, Microsoft has fixed 99 vulnerabilities. And Adobe has patched 42 flaws across 5 of its products.  SoundCloud patches address its API flaws that could’ve been exploited to cause account takeovers and DDoS attacks.  Mozilla released Firefox 73 with important security fixes, and new features such as default zoom and NextDNS as a new DoH Provider.

Round Up of Major Cyber Security Breaches and Scams

6.5 million voters’ information leaked by app used by Israel’s Ruling Party

With only 3 weeks to Israel’s legislative election, it has been found that a campaign website, operated by the ruling political party Likud, has exposed the voter information, including full names father’s name, mother’s name, and other personal details, of all 6.5 million eligible voters. Before the elections, all political parties receive complete details of the voters, which they are supposed to protect and erase after the election. However, Likud allegedly shared this data with a software company Feed-b, that uploaded it to the voting management app Elector’s website.

Business Email Compromise accounts for half of the reported cyber-crime losses

FBI’s 2019 Internet Crime Report estimates that half of the reported losses, due to cybercrimes, were attributed to Business Email Compromise (BEC) attacks. The average loss per BEC complaint was found to be ~$75,000. In 2019, the FBI received 467,361 internet crime complaints which amount to > $3.5 billion in losses, out of which a whopping $1.77 billion was due to BEC attacks. This trend has been ascribed to the simplicity of a BEC scam, which only requires a spoof email account to send fake invoices or business contracts.

Phishing mails masquerade as Amex and Chase Fraud Protection Emails

Scammers are using fake Chase and Amex fraud protection mails, wherein victims are asked to confirm if a fake transaction on their card is valid. Assuming that their card has been stolen, the victim will click on NO to dispute the charge. The victim is then directed to a fake Chase or Amex login page where they have to perform a complicated verification process that collects their login name, password, address, birth date, social security number, bank info, and card info.

Estée Lauder’s unprotected server exposes 440 million records

The cosmetic company Estée Lauder inadvertently exposed 440 million records, through an unprotected database. The records included email addresses in plaint text. In addition to that, production, audit, error, CMS, and middleware logs were also left accessible in the unsecured database. It is believed that references to internal documents and specifics such as IP addresses, ports, pathways, and storage details were also exposed.

2FA to become mandatory for Google Nest devices

In a few months, Google users will have to use 2 factor authentication (2FA) to access their Google Nest devices. The extra step will verify the user’s identity via email. For every login attempt, a six-digit verification code will be sent to the registered email ids. This announcement comes in the wake of additional protections that Google has recently released, including checking a user’s password has been exposed in a previous credential breach.

Hacking group ‘Outlaw’ resurfaces with enterprise server attacks

The hacking group ‘Outlaw’ has resurfaced, after a break, with attacks on Linux- and Unix-based operating systems, Internet of Things (IoT) devices, and vulnerable servers. They aim to steal, data and enterprise resources, to find and eradicate existing cryptocurrency miners. It is believed that the attacks have moved from China, to US and Europe, with focus on the auto and finance sectors. The group mainly exploits old vulnerabilities, and attack servers, with no security patches and weak SSH and Telnet credentials.

macOS more vulnerable to adware and PUPs than Windows

According to a new report, in 2019, an average of 11 threats were registered per Mac. This is double the number of average threats registered per Windows system. The increasing market share of Mac has made it more attractive for threat actors and criminals. macOS is more susceptible to adware and PUPs because its in-built security systems have not cracked down on them. Of the threats NewTab, which causes new tabs to open without any user interaction, and PCVARK, which trigger scare messages, are the most prevalent.

Round Up of Major Malware and Ransomware Incidents

Emotet module can jump WiFi gap to infect nearby networks

Keeping with the trend of increasing sophistication, one of Emotet’s modules – “WiFi spreader” module- was found to jump the WiFi gap to nearby networks, under certain circumstances. The module opens a new attack vector within infected companies to increase their spread. However, because the module exploits weak passwords to spread to other networks, it does not guarantee a 100% infection rate. This is still a dangerous trend because it is not only a threat to the affected network, but also to other close by networks.

“Living” virus KBOT infects executables and performs web injections

KBOT is a “living” virus that spreads by injecting malicious code into Windows executable files. The malware writes itself to Startup and the Task Scheduler, infecting .exe files on logical drives and shared network folders, of the affected system. In addition to infecting executable files, it also performs web injections to steal a victim’s personal details and credentials. Apart from slowing the affected system, it spreads quickly to reduce the chances of recovery.

Round Up of Major Vulnerabilities and Patches

99 vulnerabilities patched in Microsoft’s biggest ever Patch Tuesday

In its biggest Patch Tuesday, Microsoft has released fixes for 99 vulnerabilities. One of the key fixes was for CVE-2020-0674, a zero-day vulnerability in Internet Explorer. The patches also fixed 11 ‘critical’ bugs, most of which concerned remote code execution and memory corruption bugs in the IE scripting engine, the Remote Desktop Protocol service, LNK files, and the Media Foundation component.

42 vulnerabilities addressed in Adobe February updates

As part of the February updates, Adobe has patched 42 CVEs out of which 35 were ‘critical’ flaws. This included patches for critical bugs in FrameMaker and Flash Player products, which could have been exploited for arbitrary code execution. While 12 critical bugs were patched, in Acrobat and Reader, to address heap overflow and privilege escalation flaws, among others.

Mozilla releases Firefox 73 with security fixes and NextDNS as DoH Provider

Firefox 73 has been released to stable desktop channel for Windows, macOS, and Linux with patches and new features. The new release has addressed security vulnerabilities such as memory safety bugs, incorrect parsing of template tags, and missing bounds check on shared memory, among others. New features include default zoom setting, high contrast theme improvements, and NextDNS as a new DoH provider.

SoundCloud patches API flaws that could cause account takeovers and DDoS attacks

Audio platform SoundCloud has patched its API security flaws including: broken authentication and user enumeration, lack of resource request limiting, security misconfigurations, and improper input validation. These vulnerabilities could’ve been exploited to launch: account takeovers, Distributed Denial of Service (DDoS) attacks, and service exploitation.

Jenkins servers vulnerable to DDoS attacks

A bug in open source server Jenkins, tracked as CVE-2020-2100, can be exploited to distributed denial of service (DDoS) attacks. This vulnerability, in the server’s codebase, was fixed as part of the January 2020 release of Jenkins v2.219. Other that DDoS attacks, a secondary effect was that the bug could be exploited such that Jenkins servers send continuous packets to each other, perpetuating an infinite loop, and eventually crash. It is advised that users immediately update their internet exposed servers to v2.219 or block inbound traffic to port 33848.

Leave a Reply

Your email address will not be published. Required fields are marked *