Tag Archives: cyber security news

Cisco Patches Critical Flaw In ASR 9000 Routers

The flaw could enable an unauthenticated, remote attacker to access the devices, Cisco said.

Cisco has rushed out patches for a critical vulnerability in its ASR 9000 routers that could give remote, unauthenticated attackers access to the devices – as well as the power to launch denial-of-service (DoS) attacks against them.

The flaw is specifically in Cisco Aggregation Services Routers (ASR) 9000 Series, Cisco’s popular carrier Ethernet router intended for service applications. The vulnerability could allow an unauthenticated, remote attacker to access internal applications on the sysadmin virtual machine for the router, according to a Wednesday advisory.

“An attacker could exploit this vulnerability by connecting to one of the listening internal applications,” the advisory stated. “A successful exploit could result in unstable conditions, including both a denial of service and remote unauthenticated access to the device.”

The vulnerability (CVE-2019-1710) has a CVSS score of 9.8, making it critical in severity.

Specifically, Cisco ASR 9000 routers have an issue where the internal sysadmin applications are incorrectly isolated in the secondary management interface. ASR 9000 routers that are running Cisco IOS XR 64-bit software and that have the secondary management interface are impacted.

That means an attacker could exploit this vulnerability by connecting to one of the listening internal applications. A successful exploit could result in unstable conditions, including both DoS and remote unauthenticated access to the device.

Cisco said that the vulnerability was discovered during internal security testing, and that it is not aware of any exploits.

Cisco has urged users to upgrade to the Cisco IOS XR 64-bit software as soon as possible: “This vulnerability has been fixed in Cisco IOS XR 64-bit Software Release 6.5.3 and 7.0.1, which will edit the calvados_bootstrap.cfg file and reload the device,” it said.

Cisco on Wednesday also revealed that exploit code for a previously-disclosed critical remote code execution vulnerability was now available. The critical flaw (CVE-2017-3881) was previously disclosed in March 2017 and exists in the Cisco Cluster Management Protocol used in Cisco IOS and IOS XE software.

“A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges,” according to Cisco.

Cisco has released patches for the flaw – but the exploit code was made available by a security researcher on April 10, according to Cisco.

“The Cisco Product Security Incident Response Team (PSIRT) is aware of exploitation of the vulnerability that is described in this advisory,” according to Cisco.

Earlier in April, Cisco re-patched flaws for two high-severity bugs affecting its RV320 and RV325 routers after a botched first attempt at fixing them. The company also reported two new medium-severity router bugs impacting the same router models – and with no reported fixes or workarounds.

After FBI agents, hackers now release personal information of AAF members

  • In the last week, the hacker group who goes by the name of ‘PokemonGo Team’ had uploaded the personal information of several Federal agents.
  • The hackers could have exploited a flaw in the third-party software used by the websites associated with the FBINAA in order to steal the data.

The hacker group, which previously exposed the personal information of FBI agents, is back with a fresh batch of data. This time, the group has leaked information on tens of thousands of American Advertising Federation (AAF) members.

Background – In the last week, the hacker group who goes by the name of ‘PokemonGo Team’ had uploaded the personal information of several Federal agents and law enforcement officers on the internet. They breached three sites associated with the FBI National Academy Association to gain access to the data.

As detailed by FBINAA’s press release, the hackers could have exploited a flaw in the third-party software used by the websites in order to steal the data.

The stolen document contained 4000 unique records that included member names, job titles, email addresses, phone numbers, and postal addresses.

TechCrunch reported that the hackers have hacked more than 1,000 sites and that they are in the process of structuring and selling the data.

What’s the new update – According to a report from Bleeping Computer, the ‘PokemonGo Team’ has published the personal information of 22,013 AAF members. The exposed records represent a list of people being watched by the FBI.

The new data leak contained full names, companies, work area information and email addresses of AAF members.

After releasing the data, the hacking group had its Twitter account suspended. Meanwhile, the leaked ‘FBI watchlist’ of AAF members is still available on the group’s website.

Attackers compromised Microsoft support agent’s credentials to access users’ email accounts

  • Attackers compromised a Microsoft support agent’s credentials and gained access to view a ‘limited’ number of users’ email account information.
  • Upon learning about the incident, Microsoft immediately disabled the compromised support agent’s credentials.

What is the issue – Microsoft notified its users via email that a certain ‘limited’ number of users who use web email services managed by Microsoft might have had their accounts compromised.

What happened?

Attackers compromised a Microsoft support agent’s credentials and gained access to view a ‘limited’ number of users’ email account information, such as email addresses, folder names, subject lines, and the names of other email addresses users had communicated with between January 1, 2019, and March 28, 2019.

However, attackers did not view any content of emails or attachments.

What was the immediate action taken?

  • Upon learning about the incident, Microsoft immediately disabled the compromised support agent’s credentials.
  • Microsoft notified the potentially affected users about the incident and provided additional guidance and support.
  • The company has requested its users ‘out of caution’ to reset their email account passwords.
  • It has further enhanced its detection and monitoring services in order to protect affected accounts.

“As a result, you may receive phishing emails or other spam mails. You should be careful when receiving any e-mails from any misleading domain name, any e-mail that requests personal information or payment, or any unsolicited request from an untrusted source,” Microsoft said in the email notification, TechCrunch reported.

“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” a spokesperson for Microsoft told TechCrunch in an email.

Newly discovered RobinHood ransomware variant drops four ransom notes at once after encryption

  • RobinHood renames the encrypted files something similar to Encrypted_b0a6c73e3e434b63.enc_robinhood.
  • The ransomware drops four ransom notes with different names at the same time.

A new ransomware named RobinHood has been found targeting computers within an entire network. The operators of the ransomware are so particular about victims’ privacy that they delete the encryption keys and IP addresses after the payment is received.

How does the ransomware operate – The propagation method of the ransomware is unknown. However, once it is installed, RobinHood renames the encrypted files something similar to Encrypted_b0a6c73e3e434b63.enc_robinhood.

After this, the ransomware drops four ransom notes with different names at the same time. The names of these notes are _Decryption_ReadMe.html, _Decrypt_Files.html, _Help_Help_Help.html, and _Help_Important.html.

What do these ransom notes say – The ransom notes include information regarding what happened to the victim’s files, the ransom amount and links to the TOR sites.

The TOR links are the ones where the victim is required to leave a message for the attackers or where they can decrypt 3 files of up to 10MB in size for free.

The ransom varies depending on the number of computers that are encrypted.

“For example, in a ransom note seen by BleepingComputer, the ransom was 3 bitcoins per computer or 7 bitcoins for the network,” Bleeping Computer noted.

If the victim fails to pay on time, the ransom increases by $10,000 per day starting from the fourth day.

Once the ransom is received, the attackers delete the encryption key and IP address to protect the privacy of the victim.

Hackers crack university defenses in just two hours

More than 50 universities in the United Kingdom had their cyber-defenses tested by ethical hackers, and the ‘grades’ aren’t pretty.

A team of ethical hackers recently conducted tests on the cybersecurity defenses of more than 50 universities in the United Kingdom. In each case, it took them less than two hours to gain access to “high-value data”.

This is according to The Higher Education Policy Institute (HEPI) and the non-profit Jisc, which provides digital services to academia in the UK.

Key to the 100-percent success rate of the simulated attacks was spear-phishing, a targeted form of phishing that involves sending a bespoke email to a well-researched prospective victim. These emails, in which the sender pretends to be a trusted entity in a bid to convince the victim to open malicious attachments or visit fake websites, worked to breach the network of each participating university.

“Alarmingly, when using spear-phishing as part of its penetration testing service, Jisc has a 100-percent track record of gaining access to a higher education institution’s high-value data within two hours,” reads the report.

In some cases it took the white hats less than an hour to “reach student and staff personal information, override financial systems and access research databases”, said the BBC.

It is no wonder that security experts are concerned. “We are not confident that all UK higher education providers are equipped with the adequate cybersecurity-related knowledge, skills and investment,” said John Chapman, head of Jisc’s Security Operations Centre.

According to the UK’s National Cyber Security Centre (NCSC), most actual attacks that target universities in the country are related to phishing and attempts to gain entry for ransomware and other malware, including with the aim of stealing sensitive research data and intellectual property.

Needless to say, besides the personal information of employees and students, universities hold staggering amounts of highly-valuable and commercially-sensitive research data.

More Than Half of Organizations with Cybersecurity Incident Response Plans Fail to Test Them


A vast majority of organizations are still unprepared to properly respond to cybersecurity incidents, with 77 percent of survey respondents indicating they do not have a cybersecurity incident response plan applied consistently across the enterprise.

The 2019 Cyber Resilient Organization study from IBM Resilient also found that of the organizations that do have a plan in place, more than half (54 percent) do not test their plans regularly, leaving them less prepared to effectively manage the complex processes and coordination that must take place in the wake of an attack.

The continued difficulty cybersecurity teams are facing in implementing a cybersecurity incident response plan has also impacted businesses’ compliance with the General Data Protection Regulation (GDPR). Nearly half of respondents (46 percent) say their organization has yet to realize full compliance with GDPR, even as the one-year anniversary of the legislation quickly approaches.

“Failing to plan is a plan to fail when it comes to responding to a cybersecurity incident. These plans need to be stress tested regularly and need full support from the board to invest in the necessary people, processes and technologies to sustain such a program,” said Ted Julian, VP of Product Management and Co-Founder, IBM Resilient. “When proper planning is paired with investments in automation, we see companies able to save millions of dollars during a breach.”

Other takeaways from the study include:

  • Automation in Response Still Emerging – less than one quarter of the respondents said their organization significantly uses automation technologies, such as identity management and authentication, incident response platforms and security information and event management (SIEM) tools, in their response process.
  • Skills Still not Paying the Bills – only 30 percent of respondents reported that staffing for cybersecurity is sufficient to achieve a high level of cyber resilience.
  • Privacy and Cybersecurity Tied at Hip – 62 percent of respondents indicated that aligning privacy and cybersecurity roles is essential or very important to achieving cyber resilience within their organizations.

Automation Still Emerging

For the first time, this year’s study measured the impact of automation on cyber resilience. In the context of this research, automation refers to enabling security technologies that augment or replace human intervention in the identification and containment of cyber exploits or breaches. These technologies depend upon artificial intelligence, machine learning, analytics and orchestration.

When asked if their organization leveraged automation, only 23 percent said they were significant users, whereas 77 percent reported their organizations only use automation moderately, insignificantly or not at all. Organizations with the extensive use of automation rate their ability to prevent (69 percent vs. 53 percent), detect (76 percent vs. 53 percent), respond (68 percent vs. 53 percent) and contain (74 percent vs. 49 percent) a cyberattack as higher than the overall sample of respondents.

Skills Gap Still Impacting Cyber Resilience

The cybersecurity skills gap is further undermining cyber resilience, as organizations are understaffed and unable to properly manage resources and needs. Survey participants stated they lack the headcount to properly maintain and test their incident response plans and are facing 10-20 open seats on cybersecurity teams. Only 30 percent of respondents reported that staffing for cybersecurity is sufficient to achieve a high level of cyber resilience. Furthermore, 75 percent of respondents rate their difficulty in hiring and retaining skilled cybersecurity personnel as moderately high to high.

Adding to the skills gap, nearly half of respondents (48 percent) admitted their organization deploys too many separate security tools, ultimately increasing operational complexity and reducing visibility into overall security posture.

Privacy Growing as a Priority

Organizations are finally acknowledging that collaboration between privacy and cybersecurity improves cyber resilience, with 62 percent indicating that aligning teams is essential to achieving resilience. Most respondents believe the privacy role is becoming increasingly important, especially with the emergence of new regulations like GDPR and the California Consumer Privacy Act, and are prioritizing data protection when making IT buying decisions.

When asked what the top factor was in justifying cybersecurity spend, 56 percent of respondents said information loss or theft. According to a recent survey by IBM, 78 percent of respondents say a company’s ability to keep their data private is extremely important, and only 20 percent completely trust organizations they interact with to maintain the privacy of their data.

In addition, most respondents also reported having a privacy leader employed, with 73 percent stating they have a Chief Privacy Officer.

Threat actors leverage old email conversation threads to spread Emotet

  • Threat actors revive old email conversation threads to inject a link to an Emotet-infected file.
  • The tactic has been previously used by a North Korean hacker group to target various individuals.

The operators of the Emotet trojan have evolved their tactics for spreading the malware. Lately, they have been observed reviving old email conversation threads to inject a link to an Emotet-infected file.

How does it work – Users involved in the previous email exchanges would receive an email that pretends to be from the previous correspondents. However, the email actually comes from Emotet servers.

The email conversation thread is left intact, but the Emotet gang inserts a URL at the top of the email that links to an Emotet-infected file or a malicious document.

How old is the tactic – The tactic has been previously used by a North Korean-based hacking group to target various individuals across the world. In 2017, Palo Alto Networks Unit 42 researchers had noted that the threat actors had leveraged the tactic to compromise multiple email accounts tied to a legitimate domain in North East Asia.

How long has the Emotet gang been using the tactic – The Emotet gang adopted this new approach in October last year. This enabled the group to launch a mass-harvesting campaign.

According to a report from Cofense, the gang has been actively using the tactic since April 9, 2019, and Cofense called it a ‘Major evolution in the way Emotet works’.

This new Emotet email thread spam isn’t limited to English emails. The operators are leveraging both English and German email threads to launch attacks.

“The injected reply is usually prefaced with ‘Attached is your confidential docs.’ These templates are pretty limited in run and not very numerous compared to the ‘normal’ [Emotet] malspam,” said Cryptolaemus Group researcher Joseph Roosen, ZDNet reported.

Which other malware has used the tactic – The creators of the Ursnif trojan used a similar tactic in March and October 2018. They created the email threads from scratch, instead of reviving existing threads, to spread the malware.

FBI now investigating “RobinHood” ransomware attack on Greenville computers

GREENVILLE, NC (WITN) – Most city-owned computers remain offline for the second day as the FBI has joined in the investigation into the ransomware attack.

The city shut down most computers early Wednesday after a police department employee noticed the virus.

A city spokesman said they are victims of the “RobbinHood” ransomware, but they will not say how much the ransomware is asking to free up infected computers.

Brock Letchworth says they are exploring all options to fix their systems, but right now they have no plans to pay the ransom.

He said in addition to the FBI, they have brought in outside experts to help.

It’s not known how long the city’s computers will be shut down. For the time being, all payments must be made in person with cash.

Those wishing to pay a parking or red light ticket can still do so online via third-party vendors.


Previous Story

Greenville has confirmed that ransomware attacked the city’s computers.

The attack was noticed overnight and a spokesman said the city shut down most of its computers to keep the virus from spreading.

Brock Letchworth said even with the shutdown, all public safety systems were functioning, and they have no reason to believe any personal information has been compromised.

“There is no public safety concern, but it’s certainly a major headache,” Letchworth said.

Ransomware is a computer virus that denies owners access to systems or data until a ransom is paid. It is often spread through emails containing links that are clicked on by the unsuspecting recipient.

The city says for now all payments must be made with cash, and they do not have an estimate on when the computers will be back online. Operations at city hall have been slowed down because they are now having to use paper records.

Some people hoping to pay parking tickets Wednesday said it was frustrating not to be able to get it all taken care of right away.

“It’s just wasting time, you know I just want to check on it,” James Evrett said after not being able to check on a parking fine.

Greenville says it will gradually be bringing servers back online to evaluate the virus, while the city is looking at all options for restoring their systems.

Greenville Utilities is not impacted by this shutdown, according to the city.

Last fall, the Onslow Water And Sewer Authority had a similar attack and had to shut down its computers for several days. ONWASA did not pay the ransom to restore their system.

Magento fixes critical SQL vulnerability with latest security updates

  • The e-commerce platform released patches for both Magento Commerce and Magento Open Source variants.
  • The SQL flaw found in versions 2.3.1 and earlier could allow attackers to steal sensitive information from databases connected to Magento-based sites.

Content management software provider Magento has released a string of updates to fix multiple security holes in its platform. These updates come after the platform was targeted in a number of attacks since February.

One critical flaw that was addressed with the updates is a SQL-injection bug that could allow attackers to execute malicious code and obtain sensitive information from databases used by Magento-based sites.

The big picture

  • The new versions 2.3.1, 2.2.8 and 2.1.17 fix the security vulnerabilities discovered in both Magento Commerce as well as Magento Open Source.
  • In the advisory published by Magento, online sites using versions below Magento 2 are advised to move to Magento Commerce & Open Source.
  • The SQL-injection bug, designated as ‘PRODSECBUG-2198’ by Magento, could allow an unauthenticated user to run malicious arbitrary code and subsequently steal sensitive data. As of now, no technical details are available for this bug.
  • Other bugs that were patched include remote code execution, cross-site scripting, privilege escalation, cross-site request forgery, and information disclosure flaws.

Databases at risk

Since SQL injections corrupt databases, Magento users are advised to update to the latest versions as soon as possible.

“Unauthenticated attacks, like the one seen in this particular SQL Injection vulnerability, are very serious because they can be automated — making it easy for hackers to mount successful, widespread attacks against vulnerable websites,” Sucuri stated in its blog.

Man in the Middle (MitM) attack – What is it and how to stay protected?

  • The first and foremost step in the Man-in-the-Middle (MitM) attack is to intercept internet traffic before it reaches its destination.
  • Once the interception is achieved, the SSL traffic has to be decrypted without the user’s knowledge and without interrupting the application.

Man-in-the-Middle (MitM) is an attack where the attacker eavesdrops on the communication between two parties, commonly between a user and an application, in order to alter or intercept the communication.

The information obtained from the communication is then used to steal personal information, credentials, and financial information.

How does this work?

Attackers perform MitM attacks in two phases – Interception and Decryption.

Interception

The first and foremost step in the Man-in-the-Middle (MitM) attack is to intercept internet traffic before it reaches its destination. Interception is executed by using the following techniques.

  • IP Spoofing
  • ARP Spoofing
  • DNS Spoofing

Decryption

Once the interception is achieved, the SSL traffic has to be decrypted without the user’s knowledge and without interrupting the application. This can be done with the following methods.

  • HTTPS Spoofing
  • SSL Hijacking
  • SSL Stripping
  • SSL Beast

Example of MitM vulnerabilities – UC Browser vulnerable to MitM attacks

Researchers uncovered a feature in UC Browser that downloads extra app modules and runs executable code on users’ devices, thereby violating Google Play Store policies and potentially exposing its users to Man in the Middle (MitM) attacks.

  • UC Browser sends a request to the C&C server to download new plug-ins.
  • In response to the request, the UC browser receives a link to a file.
  • Attackers can get hold of the requests from the UC browser since its communication to the C&C server is carried over an unsecured channel.
  • Attackers can then replace the commands with ones containing different addresses.
  • This makes the UC browser download new modules from the malicious server instead of its C&C server.

How to stay protected?

  • It is best to implement the HSTS (HTTP Strict Transport Security) solution that forces browsers and sites to connect through secure HTTPS connections.
  • In order to stay protected, it is best to avoid using public WiFi that is not password protected.
  • It is recommended to ensure that your home and office WiFi is always secure.
  • Experts recommend using a secure Virtual Private Network (VPN).
  • Security researchers recommend using public-key-based authentication, such as RSA, in order to secure your communication.
  • It is recommended to always ensure that the webpages or websites you visit are running on HTTPS and not the HTTP protocol.
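One way to check the HSTS and HTTPS-only recommendations above against a site’s responses, as an added example that is not part of the original article; the response dictionaries are constructed samples, and the one-year threshold is the minimum commonly expected for an HSTS policy to be meaningful.

```python
"""Audit a site's plain-HTTP and HTTPS responses for the HSTS / HTTPS-only
posture recommended against SSL stripping.  Constructed example; the
response dicts below are samples, not captured traffic."""
from typing import Dict, List, Optional, Tuple

ONE_YEAR_SECONDS = 365 * 24 * 60 * 60  # assumed minimum sensible max-age


def parse_hsts(value: str) -> Tuple[Optional[int], bool, bool]:
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, includeSubDomains, preload). max_age is None when the
    directive is missing or malformed, in which case browsers ignore the header.
    """
    max_age: Optional[int] = None
    include_sub = False
    preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            try:
                max_age = int(arg)
            except ValueError:
                max_age = None
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload


def audit_site(http_response: Dict[str, str], https_response: Dict[str, str]) -> List[str]:
    """Return findings for one site; an empty list means the posture is sound.

    Each response dict holds the status line under 'status' and headers as
    lower-cased keys (constructed format for this example).
    """
    findings: List[str] = []
    # 1. A first visit over plain HTTP must be permanently redirected to HTTPS;
    #    otherwise an on-path attacker can keep the victim on HTTP (SSL stripping).
    status = http_response.get("status", "")
    location = http_response.get("location", "")
    if not status.startswith(("301", "308")) or not location.lower().startswith("https://"):
        findings.append("HTTP request is not permanently redirected to HTTPS")
    # 2. HSTS must be sent on the HTTPS response; browsers ignore it over HTTP.
    hsts = https_response.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on HTTPS response")
        return findings
    max_age, include_sub, preload = parse_hsts(hsts)
    if max_age is None:
        findings.append("HSTS max-age missing or malformed; header will be ignored")
    elif max_age == 0:
        findings.append("HSTS max-age=0 clears the policy instead of enforcing it")
    elif max_age < ONE_YEAR_SECONDS:
        findings.append(f"HSTS max-age {max_age}s is shorter than one year")
    if not include_sub:
        findings.append("HSTS lacks includeSubDomains; subdomains stay strippable")
    if preload and (not include_sub or (max_age or 0) < ONE_YEAR_SECONDS):
        findings.append("preload requested but preload requirements not met")
    return findings


# Constructed sample responses: a weak deployment beside a hardened one.
WEAK_HTTP = {"status": "200 OK", "content-type": "text/html"}
WEAK_HTTPS = {"status": "200 OK", "strict-transport-security": "max-age=300"}
GOOD_HTTP = {"status": "301 Moved Permanently", "location": "https://shop.example/"}
GOOD_HTTPS = {"status": "200 OK",
              "strict-transport-security": "max-age=63072000; includeSubDomains; preload"}

if __name__ == "__main__":
    for label, http, https in (("weak", WEAK_HTTP, WEAK_HTTPS), ("hardened", GOOD_HTTP, GOOD_HTTPS)):
        print(label, audit_site(http, https) or ["OK"])
```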