Here are some of the headlines for the end of the week on 11/29.
Digitally Signed Malware which goes by the name Bandook, which literally means , Shotgun in Arabic and Hindi, a retooled version of a decade old Backdoor Trojan, unleashes a new wave of attacks against multitudes of Industries. These include Governments, financial, energy , healthcare, IT and Legal institutions located primarily in Chile, Cyprus, Germany, Indonesia, Italy, Singapore, Switzerland, Turkey & the US. The attackers behind this malware are linked to Lebanese and Kazakh Governments. For a detailed report, check out Checkpoint’s research website and search for Bandook for more details.
WordPress, that started its Journey in 2003 from the death of its predecessor version of blogging software called b2/cafelog, has come a long way from few hundreds of installations in 2004 to nearly 35% of the internet powered by it. Which obviously interests the bad actors. Attackers probe the internet for vulnerable plugins on these wordpress sites, the pieces of codes that makes the wordpress so useful and popular and using techniques such as SQL injection, broken access control, Cross-site request forgery and 10s of more types of exploitation of various application security risks, these attackers are then able to compromise these websites for their benefit. So if you are interested in keeping upto date on these vulnerabilities, check out WebARX’s WordPress Vulnerability NEWS, which seems to be kept upto date frequently.
Now for some Fake News and by the way it is real. It has always been there while its affects were minimal with Print media and televisions and more over the NEWS people took it upon themselves to verify the news before they blurted it out. While most NEWS outlets continue to follow this strict regime of verifications, the millions of online news outlets, which include mom and pop type blogs, to Facebook groups and some even affiliated to major print and television news outlets, have started promoting or pushing fabricated NEWS. With COVID-19, this problem has grown to cost more money and most importantly affecting lives of people.
In UK, a member of parliament, Mr Khalid Mahmood, during a Westminster Forum Conference on tackling fake news and online misinformation, said, that I quote ” is totally negated from platforms where someone can put whatever they want and move forward” and trying to trace that back and address that is becoming increasingly difficult as platforms take time to deal with it.” he said. It will be interesting to see other countries take more steps to deal with Fake news. I believe it is not just the responsibility of the service providers such as google, facebook, twitter, etc but policies and guidelines from various governments and law enforcement working together with Healthcare organizations to publish and provide accurate and correct information so users can verify and make the right choice whether it is deciding to take precautions or to make the right choice when dealing with COVID-19 and its challenges.
If you are interested in learning more about Misinformation and how to deal with it, check out New York Times guide on how to deal with misinformation.
Before we head into CVEs or latest from US CERT’s latest notifications, we are going to cover one more headline, which is more of a good NEWS and definitely worth the mention especially due to nature of the cybercrimes and the challenges there is in nabbing the suspects.
Business Email Compromise, something that we have been dealing since email became the primary medium for businesses to communicate. So I first found out about this from Graham Cluley’s article on tripwire.com. Three were arrested after an year long investigation , which was code named Falcon, into Phishing emails, mass mailing campaigns which these attackers used to carryout extensive Business Email compromise scams. These attackers, who are Nigerian Nationals, were involved in various criminal activities. Criag Jones, INTERPOLs cybercrime director, said, I quote ” This group was running a well-established criminal business model. From infiltration to cashing in, they used a multitude of tools and techniques to generate maximum profits. We look forward to seeing additional results from this operation”. Check out Interpols NEws and Events page for more details such as the tools, malware and other malicious activities that this group was involved.
Now lets get a little more useful shall we, in this segment, I will go over some of the new security alerts and information that you can digest and actually use for your security needs.
We have the following to cover,
Fortinet FortiOS System File Leak
This is CVE 2018-13379, Base Score is 9.8 Critical, that was issued by Fortinet Inc in May of 2019, after two DEVCORE Security researchers, Meh Chang and Orange Tsai, discovered and reported this vulnerability. A path traversal vulnerability in the FortiOS SSL VPN Web portal may allow an Unauthenticated Attacker to download FortiOS System Files through specially crafted HTTP resource requests.
Fortinet has issued some mitigation steps for the affected FortiOS versions. So if you are on the FortiOS 6.0 (6.0.0-6.0.4) or 5,6 (5.6.3 – 5.6.7) and FortiOS 5.4 – (5.4.6-5.4.12) then you have an option to upgrade to the latest in each of the main versions, namely 6.0, 5.6 and 5.4.
The temporary workaround, which will affect the functionality of your VPN service, is to totally disable SSL-VPN Service.
Drupal Releases Security Updates for Tar and other vulnerabilities
CVE-2020-28949 & CVE-2020-28948, released by Drupal, by the way the analysis for these CVE’s are still being processed, however from Drupal’s Security Advisory, they have deemed it Critical. Multiple vulnerabilities are possible if Drupal is configured to allow
.tlz file uploads and processes them.
To mitigate this vulnerability, Drupal advises its users to upgrade to the latest versions. If you are using Drupal 8 or prior then you will most likely continue to be vulnerable as this version and prior are end of life. For more details, check out Drupal’s security advisory page:
VMware Releases Workarounds for
CVE-2020-4006, which is still being analyzed by NIST. VMWare’s Security Advisory, VMSA, has issued it to be a critical vulnerability. A command injection vulnerability was privately reported to VMware.
A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system.
Workarounds are available to address this vulnerability in affected VMware products. And the impacted products include VMWare Workspace one Access and Access Connector, VMWare Identity Manager and Connector, VMware Cloud Foundation and vRealize Suite Lifecycle Manager.
VMware is currently working on patches which are forthcoming. For details on this Vulnerability and patches check out the security advisory page of VMware.
Ok. That was all the important headlines and its details but now let me take you to the first recorded DoS Attack of 1988 by Robert Morris. Robert Morris, a student of Cornell University. He released the worm from MIT rather than his alma mater.
The worm exploited several vulnerabilities to gain entry to targeted systems,. According to Morris, the purpose of the worm was to gauge the size of the precursor “Internet” of the time – ARPANET – although it unintentionally caused denial-of-service (DoS) for around 10% of the 60,000 machines connected to ARPANET in 1988.
So what did the worm exploit?
- A bug in debug mode of the Unix sendmail program
- A buffer overflow bug in the fingerd network services
- Remote Shell or Remote Shell execution in Unix by guessing weak passwords or no passwords.
In 1989, Morris was indicted for violating United States Code Title 18 (18 U.S.C.§ 1030), the Computer Fraud and Abuse Act (CFAA). He was the first person to be indicted under this act. In December 1990, he was sentenced to three years of probation, 400 hours of community service, and a fine of $10,050 plus the costs of his supervision. While Morris did not write the worm to cause damage but it replicated excessively, causing damages estimated upwards of $100,000.
That’s all I have time for this First Episode. Next week, I will get you some interesting security bits and continue to evolve. Please provide me your feedback by reaching out on my twitter. All the links to anything I have described is in episode is in the description below.
Make sure you subscribe to simplified security episodes available as podcast and on youtube. Go to icsbits.com/simplified for more details. I am your host Durgesh Kalya. Catch me on my next episode on your favorite podcast app or youtube, until then be safe and think before you click.