News, Announcements, Tech Discussions
January 30, 2020 By Pierluigi Paganini Check Point detailed two recently patched vulnerabilities in Microsoft Azure services that could have allowed hackers to take over cloud services. Check Point researchers have published technical details of two recently fixed flaws in Microsoft Azure that could have allowed hackers to take over cloud services. Azure App Service allows users to build and host multi-platform web apps, mobile back ends, and RESTful APIs in the programming language of their choice, without managing infrastructure. It enables automated deployments from GitHub, Azure DevOps, or any Git repo. Full Article.
February 3, 2020 By Pierluigi Paganini Hackers have already compromised more than 2,300 Linear eMerge E3 building access systems exploiting a severe vulnerability that has yet to be fixed. Linear eMerge E3 smart building access systems designed by Nortek Security & Control (NSC) are affected by a severe vulnerability (CVE-2019-7256) that has yet to be fixed and attackers are actively scanning the internet for vulnerable devices. Researchers from SonicWall revealed that hackers are attempting to compromise Linear eMerge E3 smart building access systems to recruit them in a DDoS botnet. Full Article.
February 20, 2020 By Elizabeth Montalbano This week a hacking forum posted data from the breach—which included personal and contact details for celebrities, tech CEOs, government officials and employees at large tech companies. A hacking forum this week published details of more than 10.6 million guests who stayed at MGM Resorts, the result of a breach due to unauthorized access to a cloud server that occurred at the famous Las Vegas hotel and casino last summer. The incident—revealed in a published report on ZDNet Wednesday–once again highlights the importance of securing data stored on the cloud as well as the ripple effect breaches can have for companies and victims even long after they’ve occurred. Full Article.
February 3, 2020 By Tom Spring Popular trojan is sneaking its way onto PCs via malspam campaign that uses three levels of encryption to sneak past cyber defenses. A recent wave of AZORult-laced spam caught the attention of researchers who warn that malicious attachments associated with the campaign are using a novel obfuscation technique, in an attempt to slip past spam gateways and avoid client-side antivirus detection. What makes this campaign unique is the use by threat actors of a triple-encrypted AZORult downloader being pushed by the otherwise nondescript malspam assault. AZORult is a remote access trojan popular on Russian forums and most recently spotted last month in a spam campaign perpetrated by a hacker with an affinity toward singer-songwriter Drake. Full Article.
February 3, 2020 By Pierluigi Paganini Apple researcher discovered an important vulnerability (CVE-2019-18634) in ‘sudo’ utility that allows non-privileged Linux and macOS users to run commands as Root. Security expert Joe Vennix from Apple has discovered an important vulnerability in ‘sudo’ utility, tracked as CVE-2019-18634, that allows non-privileged Linux and macOS users to run commands as Root. The issue could be exploited only under a specific configuration. Sudo is one of the most important, powerful, and commonly used utilities that comes as a core command pre-installed on macOS and almost every UNIX or Linux-based operating system. sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for “superuser do” as the older versions of sudo were designed to run commands only as the superuser. Full Article.
February 21, 2020 By Lawrence Abrams Slickwraps has suffered a data breach after a security researcher was able to access their systems and after receiving no response to emails, publicly disclosed how they gained access to the site and the data that was exposed. Slickwraps is a mobile device case retailer who sells a large assortment of premade cases and custom cases from images uploaded by customers. In a post to Medium, a security researcher named Lynx states that in January 2020 he was able to gain full access to the Slickwraps web site using a path traversal vulnerability in an upload script used for case customizations. Using this access, Lynx stated that they were allegedly able to gain access to the resumes of employees, 9GB of personal customer photos, ZenDesk ticketing system, API credentials, and personal customer information such as hashed passwords, addresses, email addresses, phone numbers, and transactions. Full Article.
February 4, 2020 By Tom Spring As part of its February bug fixes, Google is patching a critical severity remote code execution vulnerability and an information disclosure bug. Google has released a security update for a critical flaw in its Android operating system that allows hackers to execute remote code on affected handsets, potentially allowing an adversary to gain remote access to the device. Part of Google’s February Android Security Bulletin, released Monday, also warns of a second critical flaw that could allow a remote hacker to gain access to an Android handset and obtain sensitive data. Tracked as CVE-2020-0022, the remote code execution (RCE) bug impacts Android versions Pie (9.0) and Oreo (8.0, 8.1). The same CVE also impacts Google’s most recent Android version, called 10. However, with Android 10, the severity rating is moderate and the impact is not an RCE bug, but rather a denial of service threat. Full Article.
February 5, 2020 By Tara Seals The Gamaredon advanced persistent threat (APT) group has been supercharging its operations lately, improving its toolset and ramping up attacks on Ukrainian national security targets. Vitali Kremez, head of SentinelLabs, said in research released on Wednesday that he has been tracking an uptick in Gamaredon cyberattacks on Ukrainian military and security institutions that started in December. He said that these include digital attacks on physical infrastructure and field hardware, including artillery – along with more expected cyber-espionage activity. One of the latter campaigns was a series of reconnaissance actions against the Hetman Petro Sahaidachnyi National Ground Forces Academy, in the Ukraine; and, spyware implants were spotted in a range of Ukrainian governmental targets. Full Article.
February 5, 2020 By Pierluigi Paganini Researcher published details about a backdoor mechanism he found in HiSilicon chips, but he did not report it to the vendor due to the lack of trust in it. The Russian security expert Vladislav Yarmak has published technical details about a backdoor mechanism he discovered in HiSilicon chips. The backdoor mechanism could allow attackers to gain root shell access and full control of the device. The expert also published proof-of-concept code for the vulnerability. The expert did not disclose the flaw to HiSilicon due to the lack of trust in the vendor to address the issue. HiSilicon is a Chinese fabless semiconductor company based in Shenzhen and owned by Huawei; it is the largest domestic designer of integrated circuits in China. Full Article.
February 5, 2020 By Tom Spring Malware campaign targets global manufacturers that are still dependent on Windows 7 subsystems to run fleets of IoT endpoints. Printers, smart TVs and automated guided vehicles that depend on Windows 7 have become the latest juicy targets for cybercriminals leveraging a “self-spreading” variant of the malware Lemon Duck. In a report released Wednesday by TrapX Security, researchers warn manufacturers dependent on IoT devices are targets in a new global campaign leveraging the malware variant. Criminals behind the wave of attacks are singling out IoT gear in hopes of enlisting them into a “slave army” of crypto-mining devices focused on generating Monero coins via the XMRig mining tool. Researchers warn that the processor-intensive mining efforts are taking their toll on gear and triggering equipment malfunctions along with exposing devices to safety issues, disruption of supply chains and data loss. Full Article.
By Eduard Kovacs on February 24, 2020 Cisco on Monday unveiled SecureX, a new cloud-native security platform designed to improve visibility, deliver analytics, and automate common security workflows. SecureX, expected to become generally available in June, will unify visibility across an organization’s security portfolio, including Cisco and third-party solutions. It can help analyze data across endpoints, network traffic and cloud environments, and it will help organizations quickly identify threats and respond to them, Cisco said. Full Article.
February 6, 2020 By Lawrence Abrams Google is moving forward with its plan to block mixed content downloads from web sites to protect users from man-in-the-middle attacks. In April 2019, we reported that Google was looking into blocking mixed content downloads, which are files delivered over an insecure HTTP connection when they are first initiated from HTTPS websites. In an announcement posted today, Google has outlined their plan of gradually rolling out this feature in Chrome by first displaying console warnings to the eventual blocking of all mixed content downloaded files. Google states that they are blocking these types of downloads as they are a risk to a user's security and privacy as they could be swapped out or viewed in man-in-the-middle (MiTM) attacks. Full Article.
February 25, 2020 By Pierluigi Paganini Security experts are warning of a new wave of attacks targeting a zero-day vulnerability in the popular Duplicator WordPress Plugin. Last week the development team behind the popular Duplicator WordPress plugin, Snap Creek, addressed a zero-day vulnerability that affected at least 1 million websites. Now researchers at security firm WordFence are warning of a new wave of attacks attempting to exploit the vulnerability in the popular plugin. The Duplicator plugin allows WordPress users to migrate, copy, move or clone a site from one location to another and also serves as a simple backup utility. Duplicator has more than 15 million downloads and is active on over 1 million sites. The experts claim to have monitored 60,000 attempts to harvest sensitive information from the target websites; 50,000 of them took place before the authors of the plugin addressed the issue. Full Article.
January 20, 2020 By Brian Krebs A Georgia man who co-founded a service designed to protect companies from crippling distributed denial-of-service (DDoS) attacks has pleaded guilty to paying a DDoS-for-hire service to launch attacks against others. Tucker Preston, 22, of Macon, Ga., pleaded guilty last week in a New Jersey court to one count of damaging protected computers by transmission of a program, code or command. DDoS attacks involve flooding a target Web site with so much junk Internet traffic that it can no longer accommodate legitimate visitors. Full Article.
January 22, 2020 By Jérôme Segura In the early days, practically all tech support scammers would get their own leads by doing some amateur SEO poisoning and keyword stuffing on YouTube and other social media sites. They’d then leverage their boiler room to answer incoming calls from victims. Today, these practices continue, but we are seeing more advanced operations with a clear separation between lead generation and actual call fulfillment. Malvertising campaigns and redirections from compromised sites to browser locker pages are owned and operated by experienced purveyors of web traffic. There is one particular browser locker (browlock) campaign that had been eluding us for some time. It stands apart from the others, striking repeatedly on high-profile sites, such as the Microsoft Edge Start page, and yet, eluding capture. In addition, and a first to our knowledge, the browser locker pages were built to be ephemeral with unique, time-sensitive session tokens. In November 2019, we
These truly are the end times for TLS 1.0, 1.1: Firefox hopes to 'eradicate' weak HTTPS standard by blocking it
Mozilla's browser will, from March, require manual override By Tim Anderson 10 Feb 2020 Mozilla Firefox will require user intervention to connect to websites using the TLS 1.0 or 1.1 protocol from March 2020 – and plans to eventually block those weak HTTPS connections entirely. We have been hearing about issues with TLS 1.0 and 1.1 for some time. Web servers should really be using TLS 1.2 or 1.3 for their encrypted and secure HTTPS connections. The PCI Data Security Standard (PCI DSS) for sites handling credit card transactions has required at least TLS 1.1 since 1 July 2018. That said, it is not until March this year that most users will see more than a warning in their web browser, and some browsers do not show any warning. We took a look at a website running TLS 1.0 in a variety of web browsers today. Of these: Full Article.
MSP vendors Datto, Huntress Labs and ConnectWise helped save an MSP's access credentials from being sold on the dark web’s auction block. February 10, 2020 By O’Ryan Johnson A chilling post to an online black-market bulletin board that began “I’m selling access to an MSP…” was spotted by channel security researchers who were then able to catfish the suspect, warn the MSP and work with the FBI, which later arrested him. “We decided amongst the Datto and Huntress teams that we weren’t going to stand for hackers to come after MSPs,” Huntress CEO Kyle Hanslovan told CRN. “What started out as a simple Torum post -- where hackers sell vulnerabilities, they sell access, they sell stolen credit cards, you name it – we decided to take it a step further.” Over the course of a few months the hacker known as “w0zniak” had used his jobs as a systems engineer at an MSP and at a tax preparation service to steal account information for businesses and individuals – from the inside -- and then post