Cyber Weekly Flash Briefing for 20 March 2020 – Working from home brings security challenges, COVID-19 scams and malware, VPNs and MFA, broadband strain, critical patches
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Working from Home: COVID-19’s Constellation of Security Challenges
Organisations are sending employees and students home to work and learn — but implementing the plan opens the door to more attacks, IT headaches and brand-new security challenges.
As the threat of coronavirus continues to spread, businesses are sending employees home to work remotely, and students are moving to online classes. But with the social distancing comes a new threat – a cyber-related one.
As organisations rush to shift their businesses and classes online, cybercriminals are ramping up their tactics to take advantage of those who may have inadequate or naive security postures as a result. Given the challenges in securing work- and learn-from-home environments, the attack surface represents an attractive opportunity for threat actors
Read more here: https://threatpost.com/working-from-home-covid-19s-constellation-of-security-challenges/153720/
Thousands of COVID-19 scam and malware sites are being created on a daily basis
Malware authors and fraudsters aren't letting a tragedy go to waste.
In the midst of a global coronavirus (COVID-19) pandemic, hackers are not letting a disaster go to waste and have now automated their coronavirus-related scams to industrial levels.
According to multiple reports, cybercriminals are now creating and putting out thousands of coronavirus-related websites on a daily basis.
Most of these sites are being used to host phishing attacks, distribute malware-laced files, or for financial fraud, for tricking users into paying for fake COVID-19 cures, supplements, or vaccines.
EU warns of broadband strain as millions work from home
The EU has called on streaming services such as Netflix and YouTube to limit their services in order to prevent the continent’s broadband networks from crashing as tens of millions of people start working from home.
Until now, telecoms companies have been bullish that internet infrastructure can withstand the drastic change in online behaviour brought about by the coronavirus outbreak.
But on Wednesday evening, Thierry Breton, one of the European commissioners in charge of digital policy, said streaming platforms and telecoms companies had a “joint responsibility to take steps to ensure the smooth functioning of the internet” during the crisis.
Read more on the FT here: https://www.ft.com/content/b4ab03db-de1f-4f98-bcc2-b09007427e1b
COVID-19: With everyone working from home, VPN security has now become paramount
With most employees working from home amid today's COVID-19 (coronavirus) outbreak, enterprise VPN servers have now become paramount to a company's backbone, and their security and availability must be the focus going forward for IT teams.
It is critical that the VPN service is patched and up to date because there will be more scanning against these services.
It is also critical that multi factor authentication (MFA or 2FA) is used to protect connections over VPN.
What do you not want right now? A bunch of Cisco SD-WAN, Webex vulnerabilities? Here are a bunch of them
Cisco has issued a series of security updates for its SD-WAN and Webex software, just when they're most needed.
SD-WAN is host to five vulnerabilities ranging from privilege escalation to remote code injection.
Meanwhile, the Webex video-conferencing software also needs some sorting out right when everyone's working from home amid the coronavirus pandemic.
The patch bundle includes a fix for Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows. A hacker can send a suitably crafted file in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF), and if the recipient clicks on it on a vulnerable computer, they get pwned. iOS users also need to patch an information-disclosure bug.
The other fixes mention SQL injection and cross-site scripting flaws.
More on The Register here: https://www.theregister.co.uk/2020/03/19/cisco_sdwan_bugs/
Windows 10 or Mac user? Patch Adobe Reader and Acrobat now to fix 9 critical security flaws
Adobe has released an important security update for its popular PDF products, Adobe Acrobat and Reader after missing its usual release aligned with Microsoft Patch Tuesday.
The company has released an update for the PDF software for Windows and macOS machines. The update addresses nine critical flaws and four vulnerabilities rated as important.
The critical flaws include an out-of-bounds write, a stack-based overflow flaw, a use-after-free, buffer overflow, and memory corruption bug.
All the critical flaws allow for arbitrary code execution, meaning attackers could use them to rig a PDF to install malware on a computer running a vulnerable version of the software.
WordPress and Apache Struts account for 55% of all weaponized vulnerabilities
Comprehensive study looks at the most attacked web technologies of the last decade.
A study that analysed all the vulnerability disclosures between 2010 and 2019 found that around 55% of all the security bugs that have been weaponized and exploited in the wild were for two major application frameworks, namely WordPress and Apache Struts.
The Drupal content management system ranked third, followed by Ruby on Rails and Laravel, according to a report published this week.
In terms of programming languages, vulnerabilities in PHP and Java apps were the most weaponized bugs of the last decade.
Read the full article here: https://www.zdnet.com/article/wordpress-and-apache-struts-account-for-55-of-all-weaponized-vulnerabilities/
Trickbot malware adds new feature to target telecoms, universities and finance companies
Researchers uncover a Trickbot campaign with new abilities that looks like it's being used in an effort to steal intellectual property, financial data - and potentially for espionage.
The new form of the infamous Trickbot malware is using never-before-seen behaviour in attacks targeting telecommunications providers, universities and financial services in a campaign that looks to be going after intellectual property and financial data.
Trickbot has been in operation since 2016 and, while it started life as a banking trojan, the modular nature of the malware means it can be easily re-purposed for other means, which has led to it becoming one of the most advanced and capable forms of malware attack delivery in the world today.
And now it has been updated with yet another new capability, with a module that uses brute force attacks against targets mostly in telecoms, education, and financial services in the US and Hong Kong. These targets are pre-selected based on IP addresses, indicating that the attackers are going after them specifically.
Most organizations have yet to fix CVE-2020-0688 Microsoft Exchange flaw
Organisations are delaying in patching Microsoft Exchange Server flaw (CVE-2020-0688) that Microsoft fixed with February 2020 Patch Day updates.
The CVE-2020-0688 flaw resides in the Exchange Control Panel (ECP) component, the root cause of the problem is that Exchange servers fail to properly create unique keys at install time.
A remote, authenticated attacker could exploit the CVE-2020-0688 vulnerability to execute arbitrary code with SYSTEM privileges on a server and take full control.
More here: https://securityaffairs.co/wordpress/99752/hacking/companies-cve-2020-0688-fixed.html
Two Trend Micro zero-days exploited in the wild by hackers
Hackers tried to exploit two zero-days in Trend Micro antivirus products, the company said in a security alert this week.
The Japanese antivirus maker has released patches on Monday to address the two zero-days, along with three other similarly critical issues (although, not exploited in the wild).
According to the alert, the two zero-days impact the company's Apex One and OfficeScan XG enterprise security products.
Trend Micro did not release any details about the attacks.
These two zero-days mark the second and third Trend Micro antivirus bugs exploited in the wild in the last year.
Read more here: https://www.zdnet.com/article/two-trend-micro-zero-days-exploited-in-the-wild-by-hackers/
Most ransomware attacks take place during the night or over the weekend
27% of all ransomware attacks take place during the weekend, 49% after working hours during weekdays
The vast majority of ransomware attacks targeting the enterprise sector occur outside normal working hours, during the night or over the weekend.
According to a report published this week, 76% of all ransomware infections in the enterprise sector occur outside working hours, with 49% taking place during night-time over the weekdays, and 27% taking place over the weekend.
The numbers were compiled from dozens of ransomware incident response investigations from 2017 to 2019.
The reason why attackers are choosing to trigger the ransomware encryption process during the night or weekend is because most companies don't have IT staff working those shifts, and if they do, they are most likely short-handed.
If a ransomware attack does trigger a security alert within the company, then there would be nobody to react right away and shut down a network, or the short-handed staff would have a hard time figuring what's actually happening before the ransomware encryption process ends and the company's network is down & ransomed.
Read more here: https://www.zdnet.com/article/most-ransomware-attacks-take-place-during-the-night-or-the-weekend/