Researchers released new information about a vulnerability in the Integrated Dell Remote Access Controller. iDRAC is designed to allow IT administrators to remotely deploy, update, monitor and maintain Dell servers without installing new software. The path traversal vulnerability, CVE-2020-5366, has a 7.1 score, which reflects a high degree of danger. Although the vulnerability was fixed earlier in July, remote attackers exploiting the flaw could take control of server operations.
To monitor threats against company servers, it’s crucial to have a managed security program in place. With services like Secure IT – SIEM, you can rely on a team of security experts who perform remediation and root cause analysis and provide security recommendations to help you defend against malicious threats.
A high-severity vulnerability in Cisco’s network security software could compromise sensitive data. The flaw exists in the web services interface of Cisco’s Firepower Threat Defense (FTD) software and its Adaptive Security Appliance (ASA) software. The vulnerability (CVE-2020-3452) allows attackers to conduct directory traversal attacks, an HTTP attack that enables bad actors to access restricted directories and execute commands outside of the web server’s root directory.
The vulnerability affects products if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software, with a vulnerable AnyConnect or WebVPN configuration. To eliminate the vulnerability, Cisco users are urged to update Cisco ASA to the most recent version.
North Korean-backed hackers tracked as the Lazarus Group have developed and are actively using VHD ransomware against enterprise targets. VHD ransomware samples were found between March and May 2020 during two investigations, being deployed over the network with the help of an SMB brute-forcing spreading tool and the MATA malware framework (also known as Dacls). The ransomware tool creeps through the drives connected to a victim’s computer, encrypts files, and deletes all System Volume Information folders.
Organizations must have 24/7 monitoring and remediation solutions in place to defend against VHD ransomware and similar threats. Secure IT – Endpoint Protection and SIEM help prevent these attacks, or at least isolate them and stop them from spreading.
Android mobile device users are being infected with the FakeSpy infostealer. The attack is part of a ‘smishing’ campaign from the Roaming Mantis threat group. The malware is disguised as legitimate global postal-service apps, and ends up stealing SMS messages, financial data, and other sensitive information from the users’ devices. The attacker sends text messages with information about a package delivery, prompting the recipients to click on a malicious link.
Users are advised to ignore text messages from contacts they don’t recognize and to be suspicious of any message about deliveries or other postal services. To avoid being scammed, users should verify any delivery information directly through trusted links to their local delivery carriers.
Employees who browsed the news on one of these websites could have their computers compromised and then used as a stepping stone into their companies’ enterprise networks.
Companies must have proper security measures in place to defend against WastedLocker ransomware and similar threats. Secure IT – Endpoint Protection provides an advanced, comprehensive threat detection and defence solution for an organization’s computer endpoints.
CVE-2020-1425 | CVE-2020-1457
Microsoft has released two emergency security updates to address remote code execution vulnerabilities affecting the Microsoft Windows Codecs Library on several Windows 10 and Windows Server versions. The two vulnerabilities are tracked as CVE-2020-1425 and CVE-2020-1457; the first is rated ‘critical’ while the second received an ‘important’ severity rating. By successfully exploiting these vulnerabilities, attackers could obtain information to further compromise the user’s system and achieve arbitrary code execution on vulnerable systems.
According to Microsoft, the two security patches address the vulnerabilities “by correcting how Microsoft Windows Codecs Library handles objects in memory.” Microsoft has not identified any mitigating measures or workarounds for these two vulnerabilities.
A new variant of malware is attacking Windows systems. Dubbed Lucifer, this malware identified by security experts has cryptojacking and DDoS capabilities and leverages old vulnerabilities to perform its attacks. The vulnerabilities targeted by Lucifer malware include Rejetto HTTP File Server (CVE-2014-6287), Oracle WebLogic (CVE-2017-10271), ThinkPHP RCE (CVE-2018-20062), Apache Struts (CVE-2017-9791), the Laravel framework (CVE-2019-9081), and Microsoft Windows (CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464).
Besides applying patches and strengthening passwords, it is important to manage these updates to ensure protection against potential vulnerabilities. Manage IT and Secure IT – Endpoint combined provide clients with a 24/7/365 IT management service, which includes monitoring, support/troubleshooting, maintenance, reporting and asset management of their IT infrastructure (servers, storage, networking, applications, desktops/laptops).
New ransomware with peculiar features, named Thanos, is being promoted as a Ransomware-as-a-Service. According to a new report by Recorded Future, Thanos is enlisting hackers and other threat actors to distribute the ransomware in exchange for a revenue share of the ransom payments. Thanos ransomware is considered a serious threat because of its advanced features, such as its use of the researcher-disclosed RIPlace technique for evading anti-ransomware protections.
Businesses are increasingly becoming the most popular targets for ransomware. Consequently, it is important that companies take measures to improve their security posture. Secure IT offers a wide range of services to protect organizations against evolving security threats.
‘COVID-19 Employee Training’ Phish
Security experts are advising companies of a new phishing attack that exploits the COVID-19 pandemic. The campaign targets employees using Office 365 by sending them alleged training resources regarding return-to-work policies as COVID-19 lockdowns lift. Users are then directed to a malicious URL, where they are asked to provide their credentials.
Users should be cautious of suspicious email links. Services like Secure IT – Mail help scan emails to detect if they are legitimate or not. If they are not legitimate, these tools will block users from even visiting the malicious website.
Customers of one of the largest domain name registrars, GoDaddy, are being warned about an attack that took place last October. An intruder gained access to the login credentials of users’ hosting accounts. The attack was only discovered on April 23. GoDaddy proceeded to reset the passwords for all 28,000 users affected by the attack.
Your organization should enact a credential monitoring program to be alerted when important credentials leak onto the dark web. Services like Secure IT – User Defence continuously scan the dark web for credential leaks and also train end-users on cybersecurity best practices.
Toll Group, an Australian transportation company, said its systems had been targeted by a new form of ransomware called Nefilim. The company, which operates across 50 countries, detected unusual activity on some of its servers, which led to delays for customers. Like other types of ransomware, namely Nemty, Crysis and SamSam, the hackers behind Nefilim gain access through vulnerable Remote Desktop Protocol (RDP) servers.
Attacks via Remote Desktop Protocol servers are widespread these days. In order to prevent them, organizations should enable 24/7 monitoring and remediation solutions. Services like Endpoint Protection and SIEM (Security Information & Event Management) help avoid or at least isolate these attacks from spreading.
Cisco WebEx Phishing
A series of phishing attacks is targeting Cisco WebEx users by using fake certificate error warnings. These phishing emails include graphics and formatting similar to communications sent by Cisco WebEx to users. Users are asked to click on a hyperlink to unlock their accounts and are then redirected to a credential-phishing site.
Users should be cautious whenever clicking links suggesting they need to unlock their accounts. Services like Secure IT – Mail help scan the links within emails to detect if they are legitimate or not. If they are not legitimate, these tools will block users from even visiting the malicious website.
A vulnerability has been identified in Microsoft Teams involving a simple GIF image. For the attack to work, the victim only had to view the malicious GIF, which showed the Donald Duck character sweeping a row of Mickey Mouse toys. The attackers were then able to steal data from specific systems and gain access to the company’s Teams accounts.
Microsoft has already corrected this vulnerability by updating misconfigured DNS records, thus mitigating the problem.
A new spyware campaign has been identified that has been ongoing for 4 years. Named PhantomLance by Kaspersky, this spyware is distributed through dozens of Android apps available on Google Play (as well as other app marketplaces). The attack implements high levels of encryption and is able to download and execute additional malicious payloads suited to the specific environment of the device.
Kaspersky reported its findings to Google, which has since removed the malicious apps from the Play Store.
Critical Adobe Illustrator, Bridge and Magento Flaws
Critical flaws were detected in several Adobe tools, namely Illustrator, Bridge and Magento. These critical flaws include a stack-based buffer overflow flaw (CVE-2020-9555), heap overflow bugs (CVE-2020-9562, CVE-2020-9563), a memory corruption flaw (CVE-2020-9568) and use-after-free vulnerabilities (CVE-2020-9566, CVE-2020-9567). Also included are critical out-of-bounds write flaws (CVE-2020-9554, CVE-2020-9556, CVE-2020-9559, CVE-2020-9560, CVE-2020-9561, CVE-2020-9564, CVE-2020-9565, CVE-2020-9569). All of these could be exploited remotely by an attacker, allowing arbitrary code execution.
The RagnarLocker ransomware targeted Portuguese multinational energy giant EDP. More than 10TB of sensitive files have been stolen. Attackers are now asking for $10.9M to prevent the stolen information from being leaked and are threatening to notify customers, partners and competitors. Among the files that have since been released, the attackers also included a file named edpradmin2.kdb, a KeePass password manager database.
A vulnerability was identified in the way Microsoft Office loads arbitrary type libraries. This vulnerability allows attackers to install programs; view, modify and delete data; and create new accounts with full permissions. For attackers to exploit this vulnerability, the user must open a specially crafted Office document.
Updates of Microsoft Office products now address the vulnerability by correcting how Office handles type libraries.
The Coronavirus crisis is being widely exploited by hackers to deceive users, and the crew responsible for Trickbot is no exception. They sent hundreds of emails related to COVID-19 alerts and tests, containing malicious documents that install the Trickbot malware. Infected computers are then loaded with keyloggers, trojans and ransomware.