Advisory on Global Phishing Campaigns Targeting COVID-19 Vaccine Cold Chain Companies

The Cybersecurity and Infrastructure Security Agency (CISA) has published a warning about a worldwide spear phishing campaign directed at companies that supply cold storage and are engaged in COVID-19 vaccine distribution.

The first two vaccines developed should be stored and transported at low temperatures before administering. The Pfizer/BioNTech vaccine should be stored at -94°F (-70°C) while the Moderna vaccine should be stored at -4°F (-20°C). Therefore cold chain suppliers are an important component of the supply chain.

At the beginning of the pandemic, IBM X-Force set up a cyber threat task force to monitor threats directed at companies engaged in the fight against COVID-19. The task force recently shared a report on an ongoing spear-phishing campaign, which began in September 2020, that is focused on companies involved in the Cold Chain Equipment Optimization Platform program. The United Nations Children’s Fund and partner agencies introduced the program in 2015 to deliver vaccines around the world.

Phishing emails were sent to managers in sales, purchasing, finance, and information technology who are likely engaged in work supporting the vaccine cold chain. The targeted companies are thought to be suppliers of the material resources needed to meet the transport requirements of the COVID-19 cold chain.

The phishing emails appear to come from a Haier Biomedical account manager; Haier Biomedical is a Chinese qualified supplier for the Cold Chain Equipment Optimization Platform program. Haier Biomedical is the only company in the world that offers complete cold chain services, which is why it is being impersonated in the phishing campaign.

The IBM X-Force researchers intercepted emails with malicious HTML attachments that, when opened, prompt the recipient to enter their credentials in order to view the file. The harvested credentials are then used to spy on internal communications about the processes, methods, and plans for delivering COVID-19 vaccines. Once the attackers have the credentials, they could move laterally through connected systems, conduct cyber espionage, and steal further data for use in other attacks.

IBM stated that the phishing campaigns are running in six countries and, to date, ten international organizations have been targeted, including the European Commission’s Directorate-General for Taxation and Customs Union. The targeted organizations belong to a range of industry sectors, including manufacturing, energy, information technology and software. The researchers could not confirm how successful the campaigns have been.

Given the precise targeting of executives at particular global companies engaged in vaccine storage and transportation, and the absence of a clear path to cashing out, the campaign is probably being carried out by a nation-state threat actor. IBM X-Force reasons that cybercriminal groups would be unlikely to invest the time, funds, and resources into campaigns targeting so many global companies.

IBM X-Force advises companies engaged in the cold storage and transportation chain to take measures to mitigate phishing threats, such as developing and testing incident response plans, sharing and consuming threat intelligence, assessing their third-party ecosystems, adopting a zero-trust approach to security, using multi-factor authentication throughout the company, deploying endpoint protection and response solutions, and conducting frequent email security awareness training.

Besides phishing threats, companies in the cold storage chain should also protect themselves against ransomware attacks, since they are a likely target. In November, the U.S.-based cold storage firm Americold Realty Trust suffered a cyberattack believed to have involved ransomware. The firm was reported to have asked Chicago Rockford International Airport for assistance with COVID-19 vaccine distribution.

Majority of Microsoft 365 Administrators Have Not Activated Multi-Factor Authentication

CoreView has released a new report showing that most Microsoft 365 administrators have not enabled multi-factor authentication (MFA) to protect their accounts from unauthorized remote access and are not implementing other standard security measures. According to the study, 78% of Microsoft 365 administrators have not activated MFA, and 97% of Microsoft 365 users do not use MFA.

This is a major security risk, especially now that most of the workforce is remote. IT teams should recognize the issue and address it in order to prevent cyberattacks and strengthen their organization’s security posture.

The SANS Institute states that 99% of data breaches could be prevented by using MFA, and Microsoft noted in an August 2020 blog post that MFA is one of the most important measures to put in place to prevent unauthorized account access, stating that 99.9% of account compromises can be prevented by using MFA.

The CoreView study also found that 1% of Microsoft 365 administrators do not use strong passwords, even though hackers are adept at guessing passwords using automated brute force attacks. Even with strong passwords, there is no guarantee that a breach will be avoided: a strong password offers no protection when a user falls for a phishing scam. In the case of stolen passwords, MFA provides protection and should prevent those passwords from being used to gain account access.

The CoreView M365 Application Security, Data Governance and Shadow IT Report showed that Microsoft 365 administrators are granted excessive control and have access to high-value sensitive information. 57% of Microsoft 365 administrators were found to have excessive permissions to access, change, and share business-critical data. In addition, 36% of Microsoft 365 administrators are global administrators, giving them complete control over their organization’s entire Microsoft 365 environment, and 17% of Microsoft 365 administrators are also Exchange administrators with access to every email account in the organization, including C-suite accounts. If a Microsoft 365 administrator account is compromised, attackers could access the whole Microsoft 365 environment and the large volumes of sensitive information it holds. The Microsoft 365 environment not only contains a large amount of readily monetized data; the accounts are also linked to other networks and can be used to mount a much wider attack on the company.

The study also revealed that organizations have invested heavily in productivity and operations applications that allow employees to communicate, collaborate, and work more effectively; however, there has been an increase in shadow IT, particularly SaaS applications. SaaS apps are often used by employees without the IT department’s knowledge, and many of those apps lack proper security controls and allow preventable cyberattacks to occur.

At a basic level, malicious applications can siphon off critical information. Users may also be exposing sensitive organizational data through these applications to compromised parties, putting organizations at substantial risk of a data breach. It is critical that companies properly monitor these applications for potential security gaps.

Companies that move to Microsoft 365 frequently underestimate their security and governance responsibilities, wrongly believing that Microsoft 365 is secure by default and includes the protections needed to prevent data breaches. Although Microsoft 365 can be secure, companies need to be proactive and make sure that security is addressed, shadow IT is adequately monitored, and data governance is in place.

Active Threat Warning Given Regarding SharePoint RCE Vulnerability

The UK National Cyber Security Centre (NCSC) has recently issued a security alert urging companies to patch a critical remote code execution vulnerability identified in Microsoft SharePoint. The DHS Cybersecurity and Infrastructure Security Agency (CISA) is likewise advising companies to apply the patch immediately to avoid exploitation.

The vulnerability, tracked as CVE-2020-16952, is caused by SharePoint failing to check an application package’s source markup. When exploited, an attacker could potentially execute arbitrary code with administrator privileges in the context of the SharePoint server farm account and the SharePoint application pool.

An attacker could exploit the vulnerability by persuading a user to upload a specially crafted SharePoint application package to a vulnerable version of SharePoint, for example through a phishing campaign using social engineering techniques.

The vulnerability has been assigned a CVSS v3 base score of 8.6 out of 10. It affects the following SharePoint products:

  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Foundation 2013 Service Pack 1

SharePoint Online is not affected.

Hackers target SharePoint vulnerabilities because SharePoint is widely used by enterprises. Past SharePoint vulnerabilities have been widely exploited, including two that appeared on CISA’s top 10 list of the most exploited vulnerabilities from 2016 to 2019.

This week, Microsoft released an out-of-band patch to fix the vulnerability. The patch should be applied because no mitigations can stop exploitation of the vulnerability. The patch changes the way SharePoint checks the source markup of downloaded application packages.

Security researcher Steven Seeley, who discovered the vulnerability and reported it to Microsoft, has released a proof of concept exploit that is publicly available on GitHub. The PoC could quickly be weaponized, so there is a high probability that working exploits will be developed and used in attacks on companies. At the time the patch was released, Microsoft was not aware of any exploitation of the vulnerability in the wild.

NCSC stated that use of this PoC could be detected by looking for HTTP headers that contain the string runat=’server’ and by reviewing SharePoint page creations.

According to Rapid7 researchers, the vulnerability is highly valuable to hackers because of how easy it is to exploit in order to gain privileged access. An authenticated user with page creation privileges, a standard SharePoint permission, can exploit the bug to leak an arbitrary file, notably the application’s web.config file, which could then be used to achieve remote code execution (RCE) via .NET deserialization. The patch must be applied immediately to avoid exploitation.

Treasury Department Gives Warning of Sanctions Risks if Facilitating or Paying a Ransomware Payment

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has cautioned that organizations that pay ransoms to cyber actors on behalf of attack victims may face sanctions risks for violating OFAC regulations. Ransomware victims that pay ransom demands could also face heavy fines from the federal government if it turns out that the hackers responsible for the attacks are subject to economic sanctions.

OFAC explained that ransomware payment demands have increased during the COVID-19 pandemic as cybercriminals target the online systems that U.S. persons rely on to continue doing business. Organizations that facilitate ransomware payments to cybercriminals on behalf of victims, such as financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware demands but may also risk violating OFAC rules.

OFAC has sanctioned many individuals involved in ransomware attacks in recent years:

  • two Iranians thought to be behind the SamSam ransomware attacks that began in late 2015
  • the Lazarus Group of North Korea behind the May 2017 WannaCry 2.0 ransomware attacks
  • Evil Corp and its head, Maksim Yakubets, who are responsible for the Dridex malware
  • Evgeniy Mikhailovich Bogachev, who was identified as the creator of Cryptolocker ransomware, first launched in December 2016

Making ransom payments to sanctioned individuals or jurisdictions endangers U.S. national security interests. Facilitating a ransomware payment demanded as a result of malicious cyber activity may enable hackers and adversaries with a sanctions nexus to profit and advance their illicit aims.

U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes.

Civil monetary penalties may be imposed for sanctions violations even if the person violating sanctions did not know they were transacting with an individual prohibited under the sanctions laws and regulations administered by OFAC. Anyone facilitating or paying ransom demands to sanctioned persons, groups, or regimes could face a financial penalty of up to $20 million.

Many entities never disclose ransomware attacks or report them to the authorities, in order to avoid bad publicity and legal problems; however, by not filing a report they hinder investigation of the attacks by the authorities. OFAC stated in its advisory that the financial intelligence and enforcement agency will consider a company’s prompt and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later found to have a sanctions nexus.

The advisory also contains contact information for ransomware victims to find out whether sanctions have been imposed on the cyber attackers and whether a ransom payment may involve a sanctions nexus.

OFAC has warned against paying ransoms. Not only could doing so violate OFAC regulations, but there is also no guarantee that payment will result in valid keys being provided. The attackers may not delete the stolen data, and they could demand further payments. Paying a ransom may also embolden attackers to carry out further attacks.

OFAC has only issued guidance and warned of sanctions risks when payments are made to certain threat actors. Short of an enforced ban on paying ransoms, the attacks are likely to continue because they are lucrative; only when the attacks stop being profitable are cybercriminals likely to stop carrying them out.

CISA Advisory on the LokiBot Malware Activity Spike

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has published an alert after observing a rising trend in LokiBot malware activity over the last two months.

LokiBot, also known as Loki-bot, Lokibot, and Loki PWS, first appeared in 2015. It is used to steal data such as credentials and other sensitive information. The malware targets Android and Windows operating systems and uses a keylogger to record login details. It also monitors browser and desktop activity on victim devices. LokiBot can steal credentials from a range of applications and data sources, including the Firefox, Chrome and Safari web browsers, and it harvests credentials used by sFTP and FTP clients and email accounts.

The malware is also used to steal other sensitive information and cryptocurrency wallets, and it sets up backdoors on devices to maintain persistent access, allowing the attackers to deliver further malicious payloads.

The malware communicates with its command and control server and exfiltrates data via HTTP. It uses process hollowing to inject itself into Windows processes such as vbc.exe to avoid detection, and it can also copy itself to a hidden file and directory.

LokiBot is a fairly basic malware, yet many threat actors favor it and it has been used in many data compromise incidents. Since July, CISA’s EINSTEIN Intrusion Detection System has detected a substantial increase in LokiBot activity.

LokiBot is commonly delivered as a malicious file attachment in email messages; however, since July, cybercriminals have been distributing the malware in a variety of ways, such as links to web pages hosting the malware and messages sent via SMS or text messaging applications.

Data stealers have become popular during the COVID-19 outbreak, LokiBot in particular. F-Secure reported that in the first six months of 2020, LokiBot was the most commonly detected data stealer.

CISA has made recommendations to help protect against LokiBot and other data stealers:

  • Use antivirus software and keep virus definitions up to date
  • Disable file and printer sharing services; if they cannot be avoided, use strong passwords or identity-based authentication
  • Patch vulnerabilities promptly
  • Secure accounts with multi-factor authentication
  • Use only strong passwords
  • Control users’ permissions to install software
  • Train employees appropriately and encourage them to be careful when opening email attachments
  • Use a spam filter
  • Enable a personal firewall on workstations and configure it to deny unsolicited connection requests
  • Monitor web activity and use a web filter so that employees cannot visit undesirable sites
  • Scan all software downloaded from the internet before allowing it to run

CISA Gives Warning On the Public Exploit for Windows Netlogon Remote Protocol Vulnerability

CISA has issued an advisory on a critical vulnerability in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC) because a public exploit for the vulnerability has now been released. An attacker could exploit the vulnerability to gain domain controller access with administrator privileges.

MS-NRPC is a core component of Active Directory that authenticates users and computer accounts. Microsoft explains that MS-NRPC is an RPC interface used exclusively by domain-joined devices. It includes an authentication method and a method for establishing a Netlogon secure channel.

The vulnerability, tracked as CVE-2020-1472, is an elevation of privilege vulnerability that an attacker could exploit by establishing a vulnerable Netlogon secure channel connection to a domain controller. MS-NRPC reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode. This allows an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and obtain domain administrator privileges.
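As an added illustration (not part of the CISA or Microsoft material) of why a fixed zero IV in AES-CFB8 matters: with an all-zero IV and an all-zero 8-byte input, the ciphertext is all zeros for roughly 1 key in 256, because a zero ciphertext byte shifted into the register leaves the register unchanged, so every subsequent step repeats the first. The Go code below implements CFB8 over the standard library’s AES block cipher and measures that frequency against a randomly chosen IV; it is a sketch of the cipher property only, not of the Netlogon protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// cfb8Encrypt implements AES in CFB8 mode on top of the standard-library
// block cipher: for each plaintext byte, the 16-byte shift register is
// encrypted, the first keystream byte is XORed with the plaintext byte,
// and the register is shifted left by one byte with the ciphertext byte
// appended. The register starts as the IV.
func cfb8Encrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, fmt.Errorf("iv must be %d bytes, got %d", block.BlockSize(), len(iv))
	}
	reg := append([]byte(nil), iv...)
	keystream := make([]byte, len(reg))
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(keystream, reg)
		out[i] = p ^ keystream[0]
		copy(reg, reg[1:]) // shift the register left by one byte
		reg[len(reg)-1] = out[i]
	}
	return out, nil
}

func allZero(b []byte) bool {
	for _, x := range b {
		if x != 0 {
			return false
		}
	}
	return true
}

// countAllZeroOutputs encrypts an all-zero 8-byte input under `trials`
// random keys and counts how often the ciphertext is entirely zero.
//
// With the fixed all-zero IV the advisory describes, this happens for
// about 1 key in 256: if the first keystream byte is 0x00 the ciphertext
// byte is 0x00, the shift register stays all zeros, and every following
// step encrypts the same block and yields the same zero byte. With a
// fresh random IV per message the chance is about 2^-64, so the count
// should be zero.
func countAllZeroOutputs(trials int, randomIV bool) (int, error) {
	iv := make([]byte, 16) // stays all zero unless randomIV is set
	pt := make([]byte, 8)  // all-zero 8-byte input
	key := make([]byte, 16)
	hits := 0
	for i := 0; i < trials; i++ {
		if _, err := rand.Read(key); err != nil {
			return 0, err
		}
		if randomIV {
			if _, err := rand.Read(iv); err != nil {
				return 0, err
			}
		}
		ct, err := cfb8Encrypt(key, iv, pt)
		if err != nil {
			return 0, err
		}
		if !randomIV && ct[0] == 0 && !allZero(ct) {
			// Cannot happen with a zero IV; guards the reasoning above.
			return 0, fmt.Errorf("zero first byte did not cascade: %x", ct)
		}
		if allZero(ct) {
			hits++
		}
	}
	return hits, nil
}

func main() {
	const trials = 25600
	weak, err := countAllZeroOutputs(trials, false)
	if err != nil {
		panic(err)
	}
	strong, err := countAllZeroOutputs(trials, true)
	if err != nil {
		panic(err)
	}
	fmt.Printf("zero IV: %d/%d keys gave all-zero ciphertext (expect ~%d)\n", weak, trials, trials/256)
	fmt.Printf("random IV: %d/%d\n", strong, trials)
}
```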

Microsoft is addressing the vulnerability in two phases. The first patch was released on the August 2020 Patch Tuesday. It changes Netlogon client behavior to use secure RPC with Netlogon secure channel between member computers and Active Directory (AD) domain controllers (DCs). The second phase is scheduled for Q1 2021, on February 9, 2021, and will be applied automatically.

Microsoft stated that the changes to the Netlogon protocol were made to keep Windows devices secure by default, log events so that non-compliant devices can be discovered, and add the ability to enable protection for all domain-joined devices, with explicit exceptions.

The patch enforces secure RPC for machine accounts on Windows-based devices, for trust accounts, and for Windows and non-Windows DCs. A new group policy is included to allow non-compliant devices.

Mitigation involves updating all DCs and RODCs, monitoring for new events, and addressing non-compliant devices that use vulnerable Netlogon secure channel connections. Machine accounts on non-compliant devices may be allowed to use vulnerable Netlogon secure channel connections; however, they should be updated to support secure RPC for Netlogon, and the account enforced, as soon as possible to close the attack window.

After applying the patch, monitoring is necessary to identify warning events and decide what action is needed for each of them. All warning events should be resolved before the February 2021 enforcement phase begins.

Read the deployment guidelines for the patch released in August 2020 via this link.

The February update will move into the enforcement phase and will place DCs into enforcement mode regardless of the enforcement mode registry key, so all Windows and non-Windows devices must use secure RPC with Netlogon secure channel or be explicitly allowed by adding an exception for the non-compliant device. The update will also remove the logging, since all vulnerable connections will be denied.

Systems that have not received the August 2020 patch are vulnerable to attack. CISA cautions that the vulnerability is an attractive target for threat actors and quick patching is strongly advised. If the vulnerability is exploited and the Active Directory infrastructure is compromised, there could be considerable damage, and mitigating the attack would be very costly.

Philips Patient Monitoring Devices Found to Have 8 Vulnerabilities

Eight vulnerabilities of low to moderate severity have been found in Philips patient monitoring equipment. Attackers could exploit the vulnerabilities to cause data disclosure, denial of service, and disrupted monitoring, or to escape from a restricted environment with limited privileges.

The following Philips patient monitoring devices were affected by the vulnerabilities:

  • PerformanceBridge Focal Point Version A.01
  • IntelliVue X3 and X2, Versions N and earlier
  • Patient Information Center iX (PICiX) Versions B.02, C.02, C.03
  • IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90, Versions N and earlier

The 8 Vulnerabilities Identified

CVE-2020-16212 with a CVSS base score of 6.8/10; rated as Moderate Severity. An unauthorized person could access a resource that is exposed to the wrong control sphere and escape the restricted environment with limited privileges. The attacker needs physical access to an unsecured device to exploit the vulnerability.

CVE-2020-16214 with a CVSS base score of 4.2/10; rated as Moderate Severity. User-provided data is stored in a CSV file; however, because special elements are not properly neutralized, they may be interpreted as a command when the CSV file is opened with spreadsheet software.
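The CSV weakness described here is the familiar formula injection pattern. As an added example that is not Philips’ code, the Go snippet below shows the unsafe export beside a hardened one that neutralizes cells beginning with formula trigger characters while leaving ordinary negative numbers intact; the trigger list and the leading single quote convention are assumptions drawn from common spreadsheet behaviour, not from the advisory.

```go
package main

import (
	"bytes"
	"encoding/csv"
	"fmt"
	"strconv"
	"strings"
)

// Leading characters that spreadsheet applications may treat as the start
// of a formula when a CSV cell is opened: = + - @ plus tab and CR.
// (Assumed list; check it against the spreadsheet products you support.)
const formulaTriggers = "=+-@\t\r"

// neutralizeCell returns a version of the cell value that a spreadsheet
// will show as text instead of evaluating. Values that parse as plain
// numbers (for example "-3.5") are left alone so negative readings
// survive the export; anything else that starts with a trigger character
// is prefixed with a single quote, which spreadsheet applications take as
// a "treat as text" marker (some display the quote).
func neutralizeCell(v string) string {
	if v == "" || strings.IndexByte(formulaTriggers, v[0]) < 0 {
		return v
	}
	if _, err := strconv.ParseFloat(v, 64); err == nil {
		return v
	}
	return "'" + v
}

// writeCSV renders records as CSV with every cell neutralized. encoding/csv
// already quotes fields containing commas, quotes or line breaks, so the
// only extra step needed for the issue described above is neutralizeCell.
func writeCSV(records [][]string) (string, error) {
	var buf bytes.Buffer
	w := csv.NewWriter(&buf)
	for _, rec := range records {
		safe := make([]string, len(rec))
		for i, cell := range rec {
			safe[i] = neutralizeCell(cell)
		}
		if err := w.Write(safe); err != nil {
			return "", err
		}
	}
	w.Flush()
	return buf.String(), w.Error()
}

// writeCSVUnsafe is the vulnerable pattern: user-supplied text goes into
// the file untouched, so a value such as "=SUM(1,1)" is later evaluated
// by the spreadsheet rather than shown as text.
func writeCSVUnsafe(records [][]string) (string, error) {
	var buf bytes.Buffer
	w := csv.NewWriter(&buf)
	if err := w.WriteAll(records); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample: a free-text note field carrying a formula-like value.
	records := [][]string{
		{"patient_id", "reading", "note"},
		{"1001", "-3.5", "=SUM(1,1)"},
	}
	raw, _ := writeCSVUnsafe(records)
	safe, _ := writeCSV(records)
	fmt.Print("unsafe:\n", raw, "safe:\n", safe)
}
```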

CVE-2020-16216 with a CVSS base score of 6.5/10; rated as Moderate Severity. The device does not validate, or incorrectly validates, input to ensure it has the properties required for safe processing. Exploitation could cause a denial of service via a system restart.

CVE-2020-16218 with a CVSS base score of 3.5/10; rated as Low Severity. The product improperly neutralizes user-controllable input before placing it in output that is served as a web page to other users. An attacker could exploit this flaw to gain read-only access to patient data.

CVE-2020-16220 with a CVSS base score of 3.5/10; rated as Low Severity. The product does not validate, or incorrectly validates, input to ensure it conforms to the expected syntax. An attacker could exploit this vulnerability to crash the system.

CVE-2020-16222 with a CVSS base score of 5.0/10; rated as Moderate Severity. When an actor claims to have a given identity, the software does not sufficiently verify that claim, potentially allowing unauthorized access to data.

CVE-2020-16224 with a CVSS base score of 6.5/10; rated as Moderate Severity. When the software parses a formatted message or structure, it does not handle, or incorrectly handles, a length field that is inconsistent with the actual length of the associated data. This could cause the surveillance station to restart, interrupting monitoring.

CVE-2020-16228 with a CVSS base score of 6.0/10; rated as Moderate Severity. The software does not properly check a certificate’s revocation status, potentially allowing a compromised certificate to be used.

Security researchers at ERNW Enno Rey Netzwerke GmbH and ERNW Research GmbH discovered the vulnerabilities and reported them to Philips. Philips reported the vulnerabilities to CISA and other federal agencies in line with the company’s coordinated vulnerability disclosure policy.

Philips has received no reports of the vulnerabilities being exploited in the wild and will issue updates beginning in 2020; in the meantime, Philips advises users to apply the following mitigations to make exploitation harder:

  • Physically or logically isolate the vulnerable devices from the hospital’s local area network (LAN).
  • Use access control lists that restrict access to the patient monitoring network to only the required ports and IP addresses.
  • Reduce exposure by not running the SCEP service unless it is actively being used to enroll new devices.
  • Enter a unique password of 8 to 12 random digits when enrolling new devices using SCEP.
  • Physically secure the devices to block login attempts by unauthorized persons, and keep servers in secured data centers.
  • Restrict access to patient monitors located at nurses’ stations.
  • Disable remote access to PIC iX servers when it is not needed; when it is required, enable it only for as long as needed.
  • Follow the principle of least privilege and allow only trusted users to access bedside monitors.
  • Contact the local or regional Philips service support team for more information on upgrading vulnerable patient monitoring devices and implementing mitigation measures.

CISA Publishes Technical Guidance on Discovering and Responding to Malicious Network Activity

The Cybersecurity and Infrastructure Security Agency (CISA) has recently released guidance for network defenders and incident response teams on identifying malicious activity and remediating cyberattacks. The guidance offers recommendations for detecting malicious activity and detailed information on investigating potential security incidents and securing compromised systems.

The guidance was created to improve incident response among partners and network administrators and to serve as a playbook for investigating incidents. It can help incident response teams gather the data needed to investigate suspicious activity across the network and in host-based artifacts, perform host and network analysis, and take the appropriate steps to contain a cyberattack.

The guidance was produced jointly with cybersecurity specialists from the United States, United Kingdom, Canada, Australia and New Zealand and provides technical support for security staff to help them identify in-progress malicious attacks and mitigate them while minimizing the potential negative consequences.

When incident response teams identify malicious activity, the focus is often on cutting off the hackers’ access to the network. Although it is crucial to stop a threat actor from accessing a device or network, it is very important that the correct process is followed so as not to alert the attacker that their presence has been discovered.

Though they are well-intentioned attempts to limit the damage of the compromise, some of those steps can have a negative effect: they can alter volatile data that would have shown what was done, and they can tip off the threat actor that the target organization is aware of the compromise, prompting the actor either to cover their tracks or to take more damaging actions (such as deploying ransomware).

When responding to a suspected attack, the first requirement is to collect and preserve the relevant artifacts, logs, and data that will allow a thorough analysis of the incident. If these are not acquired before any mitigations are applied, the data can easily be lost, which will hinder any attempt to investigate the breach. Systems should also be secured, since a threat actor may realize the attack has been discovered and change their tactics. Once systems are safeguarded and artifacts collected, mitigation measures can be taken with care so as not to alert the threat actor that their presence in the system has been identified.

Whenever suspicious activity is discovered, CISA suggests seeking assistance from a third-party cybersecurity firm. Such firms have the expertise needed to remove an attacker from a system and to ensure that the security weaknesses that could be used in further breaches of the company are addressed before the incident is remediated and closed.

Investigating a security breach requires a number of technical methods to reveal malicious activity. CISA suggests searching for known indicators of compromise (IoCs), using verified IoCs from a wide range of sources. Frequency analysis is useful for spotting anomalous activity: network defenders should establish normal traffic patterns in network and host systems, which can then be used to recognize inconsistent activity. Algorithms can be used to determine whether activity deviates from normal patterns by looking at variances in timing, source location, destination location, port usage, protocol adherence, file location, integrity via hashes, file size, naming convention, and other characteristics.

Pattern analysis is useful for finding automated activity by malware and malicious scripts, as well as regular, repeating activity by human threat actors. An analyst review should also be conducted, drawing on the security team’s knowledge of system administration, to identify errors in the collected artifacts and to uncover anomalous activity that may indicate attacker presence.
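As an added example (not part of the CISA guidance) of the frequency and pattern analysis described in the two paragraphs above: the Go program below learns, per source host, the ports, destinations and hours of day seen in a baseline window of connection records, then flags records in a later window that fall outside that baseline. The key=value log format and every address in it are constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Constructed sample records (not from a real network): a baseline window
// followed by a later window under review, in the same key=value form.
const baselineLog = `2020-09-01T09:14:02Z src=10.0.0.5 dst=10.0.1.10 dport=443
2020-09-01T10:02:45Z src=10.0.0.5 dst=10.0.1.12 dport=445
2020-09-02T09:05:09Z src=10.0.0.5 dst=10.0.1.10 dport=443
2020-09-02T11:30:00Z src=10.0.0.7 dst=10.0.1.20 dport=22
2020-09-03T14:12:33Z src=10.0.0.7 dst=10.0.1.20 dport=22`

const reviewLog = `2020-09-08T09:16:40Z src=10.0.0.5 dst=10.0.1.10 dport=443
2020-09-08T03:41:05Z src=10.0.0.5 dst=10.0.1.12 dport=445
2020-09-08T10:05:00Z src=10.0.0.5 dst=203.0.113.9 dport=4444
2020-09-08T12:00:00Z src=10.0.0.7 dst=10.0.1.20 dport=22`

type event struct {
	raw, src, dst string
	hour, dport   int // UTC hour of day, destination port
}

// profile is what "normal" looked like for one source host.
type profile struct {
	ports            map[int]int     // dport -> count
	dsts             map[string]bool // destinations contacted
	hourMin, hourMax int             // range of UTC hours seen
}

func parseAll(log string) ([]event, error) {
	var evs []event
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 || !strings.HasPrefix(f[1], "src=") ||
			!strings.HasPrefix(f[2], "dst=") || !strings.HasPrefix(f[3], "dport=") {
			return nil, fmt.Errorf("malformed record: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		port, err := strconv.Atoi(f[3][6:])
		if err != nil {
			return nil, err
		}
		evs = append(evs, event{raw: line, src: f[1][4:], dst: f[2][4:],
			hour: at.UTC().Hour(), dport: port})
	}
	return evs, nil
}

// learnBaseline builds one profile per source host from the baseline window.
func learnBaseline(evs []event) map[string]*profile {
	base := map[string]*profile{}
	for _, ev := range evs {
		p := base[ev.src]
		if p == nil {
			p = &profile{ports: map[int]int{}, dsts: map[string]bool{}, hourMin: 24}
			base[ev.src] = p
		}
		p.ports[ev.dport]++
		p.dsts[ev.dst] = true
		if ev.hour < p.hourMin {
			p.hourMin = ev.hour
		}
		if ev.hour > p.hourMax {
			p.hourMax = ev.hour
		}
	}
	return base
}

// reasons lists the ways one event departs from its source's profile.
func reasons(base map[string]*profile, ev event) []string {
	p, known := base[ev.src]
	if !known {
		return []string{"source " + ev.src + " never seen in baseline"}
	}
	var r []string
	if p.ports[ev.dport] == 0 {
		r = append(r, fmt.Sprintf("port %d never used by %s", ev.dport, ev.src))
	}
	if !p.dsts[ev.dst] {
		r = append(r, fmt.Sprintf("destination %s new for %s", ev.dst, ev.src))
	}
	if ev.hour < p.hourMin || ev.hour > p.hourMax {
		r = append(r, fmt.Sprintf("hour %02d outside %02d-%02d", ev.hour, p.hourMin, p.hourMax))
	}
	return r
}

// review returns, keyed by raw record, why each deviating record was flagged.
func review(base map[string]*profile, evs []event) map[string][]string {
	out := map[string][]string{}
	for _, ev := range evs {
		if r := reasons(base, ev); len(r) > 0 {
			out[ev.raw] = r
		}
	}
	return out
}
```

Run over the constructed windows, the 03:41 record is flagged for timing only, the 203.0.113.9:4444 record for a new port and a new destination, and the two records that fit the baseline are not reported.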

The guidance describes several common mistakes made when handling incidents and provides technical measures and guidelines for the investigation and remediation processes.

CISA also makes general recommendations on defensive strategies and programs that can make it harder for an attacker to gain access to systems and remain undetected. While these steps may not prevent an attacker from compromising a network, they will help to slow an attack, giving incident response teams the time they need to identify and respond to it.

The CISA guidance, Technical Approaches to Uncovering and Remediating Malicious Activity (AA20-245A), is available via this link.

Zero Day Vulnerabilities Found in IOS XR Software Utilized by Cisco Carrier-Grade Routers

Hackers are actively exploiting two zero-day vulnerabilities in the IOS XR software used in Cisco Network Convergence System carrier-grade routers. Cisco discovered the first attempts to exploit the vulnerabilities on August 25, 2020.

While Cisco has not yet released patches for the vulnerabilities, there are ways to reduce the chance of exploitation.

The vulnerabilities, CVE-2020-3566 and CVE-2020-3569, lie in the Distance Vector Multicast Routing Protocol (DVMRP) feature. They affect all Cisco devices running the IOS XR version of the Internetworking Operating System with multicast routing configured. Multicast routing is used to save bandwidth by delivering data to several recipients over a single stream.

An unauthenticated attacker can exploit the vulnerabilities by remotely sending specially crafted Internet Group Management Protocol (IGMP) packets to the device, exhausting its process memory. If exploitation succeeds, the device suffers memory exhaustion and a resulting denial of service, which could make other processes, such as the interior and exterior routing protocols, unstable.

The vulnerabilities have been assigned a CVSS v3 base score of 8.6 out of 10, which indicates a high risk of exploitation. Patches must therefore be applied immediately upon release. In the meantime, the mitigations should be implemented until patches are available. Cisco has suggested mitigations, not complete workarounds, which can reduce the risk of exploitation.

Users of vulnerable Cisco products should rate-limit IGMP traffic. Administrators first need to determine the normal IGMP traffic rate in order to set a limit below the average rate. This will not prevent exploitation, but it reduces the rate of incoming traffic and delays exploitation, giving administrators more time to carry out recovery steps.

To help block attacks, users can also add an access control entry (ACE) to an existing interface access control list (ACL), or create a new ACL for a particular interface, that denies inbound DVMRP traffic on that interface.

Cisco has issued a security advisory to help users determine whether their devices have multicast routing enabled and to implement the mitigations. The company is currently working on patches to correct the vulnerabilities.

Millions of Devices Impacted by Vulnerability Found in Thales Wireless IoT Modules

A vulnerability has been identified in a component used in countless IoT devices. Hackers could exploit it to steal sensitive data and manipulate vulnerable devices in order to attack internal networks. Over 30,000 companies use Thales components across a wide range of industries, including energy, telecom, and healthcare.

The vulnerability exists in the Cinterion EHS8 M2M module and in several other products in the same family (BGS5, EHS5/6/8, ELS81, PDS5/6/8, ELS61, PLS62). These embedded modules provide processing power and enable devices to send and receive data over wireless mobile connections. They also serve as a secure repository for sensitive data such as credentials, passwords, and operational code. The vulnerability could allow an attacker to access the files in that repository.

Researchers at X-Force Red found a way to circumvent the security that protects the code and data in the EHS8 module. The information stored in the module includes Java code, which usually contains confidential data such as encryption keys, passwords, and certificates.

Attackers exploiting this vulnerability could potentially compromise hundreds of thousands of devices and, by leveraging the provider's backend network, gain access to the networks or VPNs that support those devices. The attacker could thereby obtain credentials, passwords, intellectual property, and encryption keys. Malicious actors could also use information stolen from the modules to manipulate a device or gain access to the central control system to carry out further attacks, possibly remotely over 3G in some cases.

In medical devices, exploiting the vulnerability could allow readings on patient monitoring devices to be altered, either to create false alerts or to conceal critical changes in a patient's vital signs. If changes are made to a drug pump, an overdose could be delivered or a dose of critical medication withheld.

The researchers also state that the vulnerability in smart meters used by energy firms can be exploited to misreport energy consumption. This would result in higher or lower bills, but if an attacker controlled enough devices, it could lead to grid damage and cause blackouts.

The researchers discovered the vulnerability, tracked as CVE-2020-15858, in September 2019 and notified Thales immediately. Thales worked with the IBM X-Force Red team to create, test, and supply a patch, which was made available in February 2020. Thales is making sure its customers know about the patch so that they can apply it promptly.

Device manufacturers are taking a while to apply the patch. Patching is noticeably slower for devices used in highly regulated industries. Medical devices, for example, require recertification after patching, which is a time-consuming process.

Addressing the vulnerability is largely down to device manufacturers, who need to prioritize patching. IBM X-Force Red states that the patching effort has been under way for 6 months, yet many devices remain vulnerable. Patches can be applied through a USB device connected directly to the vulnerable unit, through the management system, or through a remote update. The latter is preferable, but it depends on whether the unit has internet access.

Patches Available to Resolve Critical Vulnerabilities in Citrix Endpoint Management / XenMobile Server

Two critical vulnerabilities, tracked as CVE-2020-8208 and CVE-2020-8209, have been identified in Citrix Endpoint Management (CEM) / XenMobile Server. An unauthenticated attacker could exploit the vulnerabilities to obtain domain account credentials, take complete control of a vulnerable XenMobile Server, and gain access to email, VPN, and web applications, exposing sensitive company and patient records.

Many businesses use CEM / XenMobile Server to manage employees' mobile devices, install updates, control security configurations, and support various in-house applications. The nature of the vulnerabilities makes it possible for hackers to develop exploits quickly, so prompt patching is necessary.

Details have only been released for the critical vulnerability CVE-2020-8209. It is a path traversal vulnerability caused by insufficient input validation. An unauthenticated attacker who exploits it could read arbitrary files accessible to the application running on the server. Those files include configuration files, from which the attacker could obtain encryption keys that allow sensitive information to be decrypted. The vulnerability can be exploited by persuading a user to visit a specially crafted web page.

Andrey Medov of Positive Technologies, who discovered the vulnerability, said that it enables hackers to obtain data that can be used to breach the perimeter, since the configuration file usually stores the credentials of the domain account used for LDAP access. With domain account access, a remote attacker can obtain the data used to authenticate to other external organizational resources, such as company email, VPN, and web applications. Moreover, an attacker who has viewed the configuration file could obtain other sensitive information, including a database password.

Three further vulnerabilities, rated medium and low severity, have also been identified. Citrix has not released details of these vulnerabilities, which are tracked as CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212.

The critical vulnerabilities affect the following versions:

XenMobile Server 10.12 prior to RP2
XenMobile Server 10.11 prior to RP4
XenMobile Server prior to 10.9 RP5
XenMobile Server 10.10 prior to RP6

The medium and low severity vulnerabilities affect the following versions:

XenMobile Server 10.12 prior to RP3
XenMobile Server prior to 10.9 RP5
XenMobile Server 10.11 prior to RP6
XenMobile Server 10.10 prior to RP6

Citrix believes that hackers will not take long to develop exploits and begin exploiting the vulnerabilities, and therefore strongly recommends prompt patching.

Citrix has released patches for XenMobile Server versions 10.9, 10.10, 10.11, and 10.12. Customers running XenMobile Server 10.9.x should upgrade to a supported version before applying the patch; Citrix recommends upgrading to 10.12 RP3. The XenMobile cloud versions are updated automatically, so no action is required.

FBI Prompts Companies to Upgrade Windows 7 Devices to a Supported OS

The FBI Cyber Division has released a Private Industry Notification urging businesses that still use Windows 7 to move to a supported operating system, because security vulnerabilities identified in Windows 7 are liable to be exploited.

The FBI has observed a rise in cyberattacks on unsupported operating systems once they reach end-of-life. Any company that continues to use Windows 7 is at greater risk of cybercriminals exploiting it to gain remote access to the network, because security updates are no longer provided while new vulnerabilities continue to be discovered.

Windows 7 reached end-of-life on January 14, 2020. Since then, Microsoft has stopped releasing free patches for identified vulnerabilities. Microsoft now provides security updates only for the Enterprise, Professional, and Ultimate editions of Windows 7, and only for customers enrolled in the Extended Security Update (ESU) program, which is available only until January 2023. The cost of support increases the longer a customer remains in the ESU program. Although security updates are still released for ESU customers, the FBI and Microsoft strongly recommend upgrading from Windows 7 to Windows 10 or another supported operating system.

Upgrading an operating system is not easy, and it may be necessary to buy new devices. New software has a price tag, but the cost is minimal compared with the cost of losing intellectual property and the risk of continuing to use an unsupported operating system.

Many companies around the world still run Windows 7 on some of their Windows devices. Data from Statcounter shows that about 20% of all Windows devices still run Windows 7, even though free security updates are no longer issued. An open-source report released in May 2019 found that 71% of Windows devices used in healthcare ran Windows 7 or other operating systems that have likewise been unsupported since January 2020. The FBI warned that successful cyberattacks on healthcare organizations increase as soon as operating systems reach end-of-life.

The FBI stated that cybercriminals are looking for ways into legacy Windows operating systems in order to take advantage of Remote Desktop Protocol (RDP) exploits. In May 2019, shortly after the BlueKeep vulnerability was discovered, Microsoft released patches for all supported operating systems, along with patches for Windows XP and other unsupported operating systems, to prevent a WannaCry-style attack. Since the vulnerability was identified, working exploits have been developed, and unpatched Windows devices are still being attacked today.

New vulnerabilities will continue to be identified and exploited on unpatched operating systems. When Microsoft released the MS17-010 patch for a number of SMBv1 vulnerabilities in March 2017, many companies failed to apply it despite the high risk of exploitation. The WannaCry ransomware attacks began in May 2017, and 98% of the infected systems were running Windows 7.

When companies use a supported OS, patches are made available immediately to resolve newly discovered security vulnerabilities. Using a supported OS is the single most important step for improving security.

Protecting against cybercriminals requires a multilayered strategy, including validation of the software in use on the computer system and review of access controls and network settings.

Besides upgrading the operating system and applying patches promptly, companies need to install antivirus software, use spam filters, and deploy firewalls, all properly configured and kept up to date.

Network settings must be reviewed and systems that are not up to date must be identified. The FBI also recommends reviewing the network systems that use RDP and disabling unused RDP ports. Implement two-factor authentication wherever possible and log all RDP login attempts.

If a Windows 7 device cannot be updated or isolated, block its access to the internet. The company should also enroll in Microsoft's ESU program.

Allergy and Asthma Clinic of Fort Worth Hacking Incident Impacts 69,777 Patients

Allergy and Asthma Clinic of Fort Worth has discovered that an unauthorized person gained access to its computer systems and may have obtained patients' billing details. The clinic discovered the incident on June 4, 2020 and immediately took steps to prevent further unauthorized access. The breach investigation determined that the hacker gained access to the network on May 20, 2020.

A review of the compromised systems showed that the attacker may have accessed records containing patients' names, phone numbers, addresses, birth dates, Social Security numbers, insurance data, and details of the reasons for appointments.

Cybersecurity experts were engaged to review the security measures of the Allergy and Asthma Clinic of Fort Worth. Additional protections will be implemented as necessary to strengthen network security and prevent further data breaches.

The breach report filed with the Department of Health and Human Services' Office for Civil Rights shows that 69,777 people were affected.

Chinese Hackers Targeted Biotech Company Studying COVID-19 Vaccine

Hackers targeted the Massachusetts-based biotech company Moderna in search of COVID-19 research data. Moderna was researching a COVID-19 vaccine and announced its vaccine candidate in January. Reuters reported that the company detected "information reconnaissance activities" in January and has contacted the FBI about the alleged attack.

The company is believed to have been targeted by the Chinese attackers whom the Department of Justice indicted in July for an 11-year campaign of cyber espionage against companies and government institutions in the U.S.

The reconnaissance is thought to have been an attempt to steal information related to Moderna's mRNA COVID-19 vaccine, which recently entered a phase III clinical trial.

Moderna remains highly vigilant about potential cybersecurity threats, maintaining an internal team, external support services, and good working relationships with outside authorities to continually assess threats and protect its valuable data.

FBI Alert About Malware Backdoors Created by Chinese Tax Software

The FBI has released a private industry notification about the risk of malware infection from using Chinese tax software, after two backdoors were discovered in the tax software required by the Chinese government. The backdoor malware was found in software created by two Chinese firms to process the value-added tax (VAT) paid to the Chinese government. The two technology companies approved by the Chinese government to provide the VAT software are Aisino and Baiwang, and any firm doing business in the PRC must use this software.

The FBI alert follows two Trustwave reports on backdoor malware variants known as GoldenSpy and GoldenHelper. This malware provides a backdoor into corporate networks, escalates privileges to administrator, allows the operators to steal intellectual property, executes code remotely, and installs additional malware payloads.

Two U.S. firms have already been infected by the backdoors after receiving tax software updates, which were introduced in 2018 following changes to the Chinese VAT regulations. The first, a U.S. pharmaceutical company, found the GoldenHelper backdoor on its network in April 2019. An employee had downloaded the Baiwang Tax Control Invoicing software in July 2018, but the backdoor appears to have been introduced only in March 2019 when the software was updated. Besides the updates to the main tax program, the installation of a driver created the backdoor.

The second firm downloaded the Intelligent Tax software from Aisino Corporation. According to a private cybersecurity company, the GoldenSpy backdoor was most likely introduced by that software, suggesting that GoldenSpy is a newer version of GoldenHelper.

The FBI identified the businesses most at risk as those in the finance, healthcare, and chemical industries, since state-sponsored hackers have targeted those sectors in the past. The FBI did not accuse China of adding malware to the software. However, the FBI noted that a private, state-owned business known as NISEC (National Information Security Engineering Center), which has ties to China's People's Liberation Army, oversees the two Chinese firms.

The warning came after a number of companies that read the two Trustwave reports came forward to say they had also been infected with the malware.

Emotet Botnet Reactivated and Sending Huge Volumes of Malicious Emails

After a 5-month period of dormancy, the reactivated Emotet botnet is being used to send large volumes of spam email to companies in the United Kingdom and the United States.

The Emotet botnet is a network of compromised computers infected with the Emotet malware. Emotet is an information stealer and malware downloader that has been used to distribute various banking Trojans, such as the TrickBot Trojan.

Emotet hijacks email accounts and uses them to send spam emails containing malicious hyperlinks and attachments, normally Word and Excel files with malicious macros. When the macros run, a PowerShell script is launched that silently downloads the Emotet malware. Emotet can also spread to other devices on the network, and every infected device becomes part of the botnet.

The emails used in this campaign are much like those of earlier campaigns. They use simple but effective lures aimed at businesses, usually bogus invoices, purchase orders, shipping notifications, and receipts. The messages often contain just a single line of text asking the recipient to click a hyperlink or open the attachment. The emails are usually personalized, include the name of the targeted business, and typically carry a subject line beginning "RE:" to suggest that the message is a reply to an email previously sent by the target, for example "RE: Invoice 422132". Some of the emails in this campaign have an attachment named "electronic.form."
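A mail-triage heuristic for the lure traits described above (a "RE:" subject that is not a genuine reply, a one-line request to click or open, and a macro-capable Office attachment). This is an added example, not code from the article or any vendor; the two sample messages are constructed and the scoring rules are assumptions drawn from the description.

```python
"""Score inbound mail against the Emotet lure characteristics described above.

Added example with constructed sample messages; the scoring thresholds and the
macro-capable extension list are assumptions, not figures from the article.
"""
import email
from email import policy
from email.message import EmailMessage

# Office formats that can carry VBA macros (assumed list for this heuristic).
MACRO_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm")


def score_message(raw: str):
    """Return (score, reasons) for one RFC 5322 message; higher means more lure-like."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    # Trait 1: "RE:" subject without the headers a genuine reply would carry.
    subject = (msg["Subject"] or "").strip()
    if subject.upper().startswith("RE:") and not (msg["In-Reply-To"] or msg["References"]):
        reasons.append("fake-reply subject")

    # Trait 2: a single-line body that only asks the reader to click or open something.
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part else ""
    lines = [ln for ln in body_text.splitlines() if ln.strip()]
    lowered = body_text.lower()
    if len(lines) <= 1 and ("http" in lowered or "attach" in lowered):
        reasons.append("single-line click/open request")

    # Trait 3: macro-capable Office attachment, or the campaign's "electronic.form" name.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS) or name.startswith("electronic.form"):
            reasons.append(f"suspicious attachment {name}")

    return len(reasons), reasons


def build_sample(subject, body, attachment_name=None, in_reply_to=None):
    """Build a constructed test message as a raw string (not a real captured email)."""
    m = EmailMessage()
    m["From"] = "accounts@example.invalid"
    m["To"] = "ap@target.example"
    m["Subject"] = subject
    if in_reply_to:
        m["In-Reply-To"] = in_reply_to
    m.set_content(body)
    if attachment_name:
        # Placeholder bytes; a real lure would carry an Office document here.
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()


# Constructed lure resembling the campaign, and a constructed genuine reply for contrast.
LURE_SAMPLE = build_sample("RE: Invoice 422132", "Please see attached.", "Invoice_422132.doc")
LEGIT_SAMPLE = build_sample("RE: Invoice 422132",
                            "Hi,\nThe invoice was paid on Monday.\nThanks",
                            in_reply_to="<20200715.1@target.example>")


def triage_samples():
    """Score both constructed samples; returns {label: score}."""
    return {"lure": score_message(LURE_SAMPLE)[0],
            "legit": score_message(LEGIT_SAMPLE)[0]}


if __name__ == "__main__":
    for label, raw in (("lure", LURE_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, score_message(raw))
```

A score of 2 or more on a message with an Office attachment is a reasonable trigger for quarantining and sandboxing the attachment rather than delivering it.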

Several security companies detected the latest campaign. The first test emails were sent on July 13, and the spam campaign proper started on July 17. Proofpoint observed 30,000 messages on July 17, but about 250,000 emails are now being sent each day.

Malwarebytes rated Emotet the greatest malware threat of 2018 and 2019, despite regular gaps in botnet activity. Activity usually ceases around holidays for several days or weeks, but the latest hiatus is the longest break in activity since the malware first appeared.

Emotet itself is a dangerous malware family, but it is the additional payloads that Emotet downloads that cause the greatest damage. The TrickBot Trojan is modular malware with a range of malicious capabilities, such as stealing login credentials, sensitive documents, emails, and Bitcoin wallets. TrickBot frequently downloads Ryuk ransomware once its operators have achieved their own goals.

When Emotet is detected, a rapid response is needed to isolate the infected device and remove the malware. If Emotet is found on one device, it is likely that other devices have also been compromised.

To reduce the risk of infection, companies should send an advisory to their staff warning them of the threat and advising them to take extra care, especially with emails containing Word and Excel files, even when those emails appear to come from trusted contacts.

Critical Vulnerabilities Identified in the OpenClinic GA Integrated Hospital Information Management System

OpenClinic GA has acknowledged 12 vulnerabilities in its open-source integrated hospital information management system.

Many hospitals and clinics use OpenClinic GA to manage financial, administrative, clinical, pharmacy, and laboratory workflows. The system is also used for outpatient and inpatient management, medical billing, ward management, bed management, and other hospital operations.

The vulnerabilities were discovered by Brian D. Hysell. Three were rated critical and 6 were rated high severity. An attacker exploiting the vulnerabilities could bypass authentication, gain access to confidential data, view or alter database contents, and execute malicious code remotely.

An attacker with a low level of skill could exploit the vulnerabilities. Several can be exploited remotely, and public exploits exist for some of them. The CVSS v3 base scores of the vulnerabilities range from 5.4 to 9.8.

The following vulnerabilities were found in OpenClinic GA versions 5.09.02 and 5.89.05b:

CVE-2020-14495 – Critical, CVSS v3 base score 9.8. The use of third-party components that have reached end of life and contain known vulnerabilities could allow remote arbitrary code execution.

CVE-2020-14487 – Critical, CVSS v3 base score 9.4. An attacker could use a hidden default user account to log in to the application and execute arbitrary commands, unless an administrator has explicitly disabled the account.

CVE-2020-14485 – Critical, CVSS v3 base score 9.4. Client-side access controls can be bypassed to start a session with limited functionality that nevertheless provides administrative capability to execute SQL commands.

CVE-2020-14493 – High severity, CVSS v3 base score 8.8. Low-privileged users could use SQL syntax to write arbitrary files to the server and execute arbitrary commands.

CVE-2020-14488 – High severity, CVSS v3 base score 8.8. Due to insufficient validation of uploaded files, a low-privileged user could upload and execute arbitrary files on the system.

Learn more about the CISA medical advisory here.

OpenClinic GA is aware of the vulnerabilities and has taken steps to address them; however, there is no confirmation yet that the vulnerabilities have been fixed.

All healthcare organizations using OpenClinic GA should upgrade to the current version to minimize the likelihood of exploitation.

CISA recommends applying the principle of least privilege, minimizing network exposure of control system devices and systems, and ensuring they are not accessible from the internet. All systems should be protected by a firewall, and remote access should require a VPN. VPNs should be kept on the most recent version and patched promptly.

Vulnerability Discovered in Capsule Technologies SmartLinx Neuron 2 Medical Data Collection Devices

A high-severity vulnerability has been found in Capsule Technologies SmartLinx Neuron 2 medical data collection devices running software version 6.9.1. SmartLinx Neuron 2 is a portable bedside clinical computer that automatically records vital signs data and connects to the hospital's medical device data systems.

The vulnerability, CVE-2019-5024, is a restricted environment escape caused by a failure of the protection mechanism in kiosk mode. All versions of Capsule Technologies SmartLinx Neuron 2 before version 9.0 are affected.

Kiosk mode is a restricted environment that prevents users from leaving the running applications and accessing the base operating system. An attacker exploiting the vulnerability can escape kiosk mode and use the base operating system with full administrative privileges. That could give the attacker complete control of a trusted device on the hospital's internal network.

An attacker must have physical access to the device in order to exploit the vulnerability, which can be exploited by connecting a keyboard or other HID device to a USB port. The vulnerability is triggered by a particular sequence of keyboard inputs or, alternatively, by a script that emulates human keyboard input using a USB Rubber Ducky.

Patrick DeSantis of Cisco Talos discovered the vulnerability and reported it to Capsule Technologies. Since public exploits for the vulnerability are available, an attacker with a low level of skill can exploit it. The vulnerability has a CVSS v3 base score of 7.6 out of 10.

The vulnerability was found in an unsupported software version, but that version is still in use in many hospitals. Capsule Technologies has fixed the vulnerability in software version 9.0 and later, up to the current 10.1 release.

All device users have been instructed to update to a supported software version, meaning version 9.0 or later. Physical access to the devices must be restricted as far as possible, and the devices must not be placed beyond the organization's security perimeter. It is also important to ensure that internal systems do not fully trust the devices. Where possible, USB ports should be disabled or blocked, and logs should be reviewed to identify any unauthorized peripherals attached to the vulnerable devices.

FBI and CISA Release Joint Advisory Concerning Threat of Malicious Cyber Activity Via Tor

The FBI and the DHS Cybersecurity and Infrastructure Security Agency (CISA) recently released a joint advisory about cybercriminals using The Onion Router (Tor) in their cyberattacks.

The U.S. Navy created Tor as a free, open-source software program in the 1990s. Today Tor is used to browse the internet anonymously: the web activity of a person using the Tor network cannot easily be traced back to their IP address. Whenever a Tor user visits a web page, the IP address of the exit node they passed through is logged instead of their own IP address.

Given the anonymity Tor provides, it is no surprise that many threat actors use it to conceal their location and IP address and to conduct cyberattacks and other malicious activity without leaving a trace. Cybercriminals use Tor to conduct reconnaissance on targets, carry out cyberattacks, access and exfiltrate data, deploy malware and ransomware, and launch Denial of Service (DoS) attacks. According to the advisory, cybercriminals also use Tor to relay commands to ransomware and malware through their command and control (C2) servers.

Because malicious activity can be carried out anonymously, it is difficult for defenders to respond to attacks and recover systems. CISA and the FBI recommend that organizations conduct a risk assessment to determine their likelihood of compromise via Tor. The risk associated with Tor will be different for each organization, so the assessment should establish the likelihood of an attack via Tor and the likelihood of its success given the mitigations and security controls in place. Before deciding whether to block Tor traffic, it is important to consider why legitimate users might choose to access the network through Tor. Blocking Tor traffic will improve security, but it will also prevent legitimate Tor users from reaching the network.

CISA and the FBI stated that a wide variety of threat actors have used Tor in the past, from nation-state sponsored Advanced Persistent Threat (APT) actors to low-skilled attackers. Organizations that neither block inbound and outbound Tor traffic nor closely monitor traffic from Tor nodes are at greater risk of attack.

In Tor-based attacks, reconnaissance is performed, targets are selected, and active and passive scans are run to find vulnerabilities in public-facing applications that can then be exploited anonymously. Basic security tools are not enough to detect and block these attacks; a range of security solutions should be deployed and logging should be enabled so that potentially malicious activity can be reviewed using both indicator-based and behavior-based analysis.

The advisory explains that, using an indicator-based approach, network defenders can use security information and event management (SIEM) tools and other log analysis platforms to flag suspicious activity involving the IP addresses of Tor exit nodes. The Tor Project's Exit List Service maintains a downloadable list of all Tor exit node IP addresses. Security teams can use the list to identify any significant transactions associated with those IP addresses by examining their packet captures (PCAP), web server logs, and NetFlow data.

Using a behavior-based approach, network defenders can uncover suspicious Tor activity by looking for the operational behavior of Tor client software and protocols, including the User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) ports they use.
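The two approaches described in the previous two paragraphs, written out as an added example that is not part of the advisory or the article: an indicator-based match of web server log entries against an exit-node list, and a behavior-based check for internal hosts contacting several peers on ports that Tor relays commonly listen on. The exit-node list, log lines, and flow records are constructed; the relay ports (9001 and 9030, the default Tor ORPort and DirPort) are an assumption, since relays can also listen on 443 or 80.

```python
"""Indicator-based and behavior-based detection of Tor activity, as an added example.

The exit list, log lines and flow records below are constructed stand-ins; in
practice the exit list is downloaded from the Tor Project's Exit List Service.
"""
import ipaddress
import re

# Constructed stand-in for the Exit List Service output: one IP per line, '#' comments.
EXIT_LIST_TEXT = """# constructed sample, not real exit nodes
198.51.100.23
203.0.113.7
"""

# Constructed Apache/nginx combined-format access log lines.
SAMPLE_LOG = """198.51.100.23 - - [10/Jul/2020:09:12:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jul/2020:09:12:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2020:09:12:09 +0000] "POST /admin/login HTTP/1.1" 401 231 "-" "curl/7.68.0"
198.51.100.23 - - [10/Jul/2020:09:12:13 +0000] "GET /.env HTTP/1.1" 404 169 "-" "Mozilla/5.0"
"""

# Constructed NetFlow-style records: (src, dst, dst_port, proto).
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 9001, "tcp"),
    ("10.0.0.5", "192.0.2.11", 9001, "tcp"),
    ("10.0.0.5", "192.0.2.12", 9030, "tcp"),
    ("10.0.0.8", "192.0.2.20", 443, "tcp"),
]

# Assumed: default Tor ORPort (9001) and DirPort (9030). Relays may also use 443/80,
# so this heuristic catches only the default configuration.
TOR_RELAY_PORTS = {9001, 9030}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def load_exit_nodes(text):
    """Parse an exit-node list into a set of ip_address objects, skipping comments."""
    nodes = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nodes.add(ipaddress.ip_address(line))
    return nodes


def match_exit_nodes(log_text, exit_nodes):
    """Indicator-based: return the log records whose client IP is a known Tor exit node."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production parser would count these
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        if ip in exit_nodes:
            hits.append({"ip": str(ip), "ts": m["ts"],
                         "request": m["req"], "status": int(m["status"])})
    return hits


def flag_tor_client_behavior(flows, min_peers=2):
    """Behavior-based: internal hosts contacting several distinct peers on Tor relay ports.

    A single connection to 9001 could be anything; a fan-out to multiple relays is the
    pattern a Tor client produces when building circuits. Returns {src: [peers]}.
    """
    peers = {}
    for src, dst, port, proto in flows:
        if proto == "tcp" and port in TOR_RELAY_PORTS:
            peers.setdefault(src, set()).add(dst)
    return {src: sorted(p) for src, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    for hit in match_exit_nodes(SAMPLE_LOG, load_exit_nodes(EXIT_LIST_TEXT)):
        print("exit-node hit:", hit)
    print("tor-like clients:", flag_tor_client_behavior(SAMPLE_FLOWS))
```

Exit-node hits are only a lead: legitimate users also browse through Tor, so the hits should be triaged by what was requested (login pages, secrets files, repeated 401s) rather than blocked outright.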

The FBI and CISA recommend that organizations investigate and enable the Tor detection and mitigation capabilities already present in their existing endpoint and network security products, as these often contain effective detection logic. Products such as web application firewalls, router firewalls, and network and host intrusion detection systems may already provide some degree of Tor detection.

Although risk can be reduced by blocking all Tor traffic, this highly restrictive approach will not eliminate risk entirely, because not all Tor network entry points are publicly listed. It will also block legitimate Tor traffic. Tailored monitoring, analysis, and blocking of web traffic to and from known Tor entry and exit nodes may be a more effective solution, though this approach is likely to be resource-intensive.

Details of how to block, monitor, and analyze Tor traffic are provided in the advisory, a PDF copy of which can be downloaded from this page.

Apache Guacamole Remote Access Software Has Serious Vulnerabilities

Several vulnerabilities have been discovered in the Apache Guacamole remote access system. Many companies use Apache Guacamole to give administrators and employees remote access to Windows and Linux devices. The system became popular during the COVID-19 pandemic for enabling people to work from home while staying connected to the corporate network. Apache Guacamole is embedded in many network access and security products such as Quali, Fortress, and Fortigate, and is a well-established tool with over 10 million Docker downloads.

Apache Guacamole is clientless, meaning remote employees do not need any software installed on their devices; they can reach their company machine through a web browser. Only system administrators install software, on a server. Depending on the configuration, the connection is established over SSH or RDP, with Guacamole acting as a relay between the web browser and the user's machine.

Check Point Research examined Apache Guacamole and identified several reverse RDP vulnerabilities in version 1.1.0 and earlier, as well as a related vulnerability in FreeRDP, the free RDP implementation that Guacamole uses. Remote attackers can exploit the vulnerabilities to gain code execution, allowing them to take over servers and intercept sensitive information by eavesdropping on remote sessions. The researchers note that when everyone is working remotely, exploiting these vulnerabilities would amount to gaining full control of the entire corporate network.

Check Point Research stated that there are two ways to exploit the vulnerabilities. An attacker who has already compromised a desktop computer and has access to the network can exploit the vulnerabilities in the Guacamole gateway as soon as a remote worker tries to sign in and access the device, giving the attacker control of the gateway and its remote networks. A malicious insider can also exploit the vulnerabilities to access the computers of other employees on the network.

The vulnerabilities can permit Heartbleed-style data disclosure and read and write access to the vulnerable server. The researchers chained the vulnerabilities, escalated privileges to admin, and obtained remote code execution. Check Point Research reported the chained vulnerabilities, CVE-2020-9497 and CVE-2020-9498, to the Apache Software Foundation, which released patches on June 28, 2020.

The researchers also discovered that the vulnerability CVE-2018-8786 in FreeRDP can be exploited to take control of the gateway. All versions released before January 2020 (FreeRDP version 2.0.0-rc4) use vulnerable FreeRDP versions affected by the CVE-2020-9498 vulnerability.

All companies that use Apache Guacamole must make sure they have the most recent version installed on their servers.

CISA Warning About an Ongoing Ransomware Campaign Exploiting RDP and VPN Vulnerabilities

The DHS Cybersecurity & Infrastructure Security Agency (CISA) has issued a warning about an ongoing Nefilim ransomware campaign, following a security bulletin issued by the New Zealand Computer Emergency Response Team (CERT NZ).

Nefilim ransomware is the successor to Nemty ransomware, which was first discovered in February 2020. Unlike Nemty, Nefilim is not distributed under the ransomware-as-a-service model: the ransomware developers conduct their own attacks and deploy the ransomware manually after gaining access to enterprise systems.

As with other manually operated ransomware gangs, the victim's data is stolen before the ransomware is installed, and the gang then threatens to publish or sell the stolen data if the ransom is not paid. The gang gains access to enterprise systems through vulnerabilities in virtual private networks (VPNs) and the remote desktop protocol (RDP), using brute-force attacks to take advantage of weak authentication, the absence of multi-factor authentication, and unpatched flaws in VPN software.

Once the attackers gain a foothold in the network, they use tools such as mimikatz, Cobalt Strike, and PsExec for lateral movement, privilege escalation, and exfiltration of sensitive information.

The Nefilim ransomware gang is highly skilled and carries out advanced, well-crafted attacks. The extent of network infiltration means that recovery from an attack is not possible merely by restoring data from backups. A thorough forensic investigation is needed to fully understand the attack, identify and remove any backdoors, and evict the attackers from the network for good.

All companies that use unsecured remote access systems are susceptible to attack. To prevent one, it is important to address RDP vulnerabilities and to fully patch and update remote access software. Strong authentication must be enforced and multi-factor authentication enabled.

Network segmentation and application whitelisting can help limit the severity of an attack. It is crucial to monitor networks and remote access systems for signs of unauthorized access. Backups must be performed routinely, with at least one copy stored securely on an air-gapped device or media that has no network access.
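One concrete form of the monitoring recommended above, as an added example that is not part of the CISA bulletin: it watches Windows Security log records for the RDP brute-force pattern the Nefilim operators rely on, and escalates when a burst of failures from one source is followed by a successful logon from that same source, the case that means a credential has been guessed. The event rows are a constructed sample; event ID 4625 is a failed logon, 4624 a successful logon, and logon type 10 is RemoteInteractive (RDP).

```python
"""Detect RDP password guessing that ends in a successful logon (added
example, not from the CISA bulletin). Input rows are a constructed sample of
Windows Security events: 4625 = failed logon, 4624 = logon, type 10 = RDP."""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample rows: timestamp,event_id,logon_type,account,source_ip
SAMPLE_EVENTS = """\
2020-11-02T01:00:01,4625,10,administrator,203.0.113.5
2020-11-02T01:00:03,4625,10,administrator,203.0.113.5
2020-11-02T01:00:04,4625,10,admin,203.0.113.5
2020-11-02T01:00:06,4625,10,backup,203.0.113.5
2020-11-02T01:00:08,4625,10,jsmith,203.0.113.5
2020-11-02T01:00:15,4624,10,jsmith,203.0.113.5
2020-11-02T01:05:00,4625,10,jsmith,192.0.2.44
2020-11-02T09:00:00,4624,10,jsmith,192.0.2.44
"""

FAILED, SUCCESS, RDP = "4625", "4624", "10"

def parse_events(text):
    """Yield (timestamp, event_id, logon_type, account, source_ip) tuples."""
    for ts, event_id, logon_type, account, src in csv.reader(StringIO(text)):
        yield datetime.fromisoformat(ts), event_id, logon_type, account, src

def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Return [(source_ip, failures_when_flagged, account_that_later_succeeded)].

    A source is flagged once it reaches `threshold` RDP failures inside
    `window`; a later RDP success from the same source marks that account as
    probably compromised, which calls for incident response, not just blocking.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    flagged = {}                  # source_ip -> [failure_count, success_account]
    for ts, event_id, logon_type, account, src in parse_events(text):
        if logon_type != RDP:
            continue
        if event_id == FAILED:
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = [len(q), None]
        elif event_id == SUCCESS and src in flagged:
            flagged[src][1] = account
    return [(src, n, acct) for src, (n, acct) in flagged.items()]
```

A single failure followed hours later by a normal logon (the 192.0.2.44 rows) is not flagged, which keeps ordinary mistyped passwords out of the alert queue.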