Listed below is information regarding this week’s most critical threats and preventative measures to lessen the chances of a breach:
- Drupal Update
- Contagious WebEx
- USB Stick of Death
1. Drupal Update
A critical vulnerability has been discovered in a popular open-source Content Management System (CMS) called Drupal. The platform is now being actively exploited by hackers to install cryptocurrency miners and also to launch Distributed Denial of Service (DDoS) attacks from the systems that they have compromised.
In the wake of the discovered exploit a botnet has been identified as Muhstik. The Muhstik botnet is piggybacking off the Drupal bug, accessing URLs and injecting publicly available exploit code. The method by which the botnet injects code is allowing hackers to execute commands on targeted servers that are running Drupal.
For the second time this month, websites utilizing the Drupal content management system have come under siege. The bug exists within multiple subsystems of Drupal 7.x and 8.x. While Drupal maintainers did not release the details of how the vulnerability can be exploited, they have confirmed that attacks are coordinated remotely.
A new strain of Android malware named HenBox has been masquerading as a variety of legitimate Android apps. HenBox impersonates applications such as VPN and Android system apps and often installs genuine versions of these apps along with HenBox, fooling users into thinking they downloaded the valid app. While some of the legitimate apps HenBox uses as decoys can be found on Google Play, HenBox applications themselves have only been found on third-party (non-Google Play) app stores. Users with company phones with access to company information would be a prime target for these malicious third-party apps.
A hostname is an indicator of compromise commonly used as a target for communicating with malware, hosting malware, or serving as a vector for attacking targets in watering hole attacks. Malicious hostnames may exist within non-malicious domains, and usually indicate that the hostname’s domain has been compromised as part of a previous attack. This particular indicator of compromise is 3w.tcpdo.net.
- Blocking all DNS entries for these domains: https://otx.alienvault.com/indicator/hostname/3w.tcpdo.net
- Business smartphones should NOT use third-party party apps
3. Contagious WebEx
Cisco’s popular web conferencing software, WebEx, can be exploited by an attacker to spread malware directly to other meeting participants, tricking them into executing it on their computers. Cisco’s vulnerability allows a maliciously laced Flash file (.swf) to be uploaded to a WebEx conference meeting attendee because there is by the WebEx client software. This means that within the software there is a lack of proper testing of an input that is supplied by either the user or the application. The point of input validation is to prevent any malformed data from entering a device, system, or process, that would otherwise cause damage.
The vulnerability is deemed critical as many businesses utilize the conference software and a breach could most certainly prove disastrous. A threat actor interested in targeting a particular organization could take advantage of this flaw to introduce malware to their designated victim’s network. Typically, malware intended for a company arrives by way of a phishing email, making WebEx an unexpected entry point. When a file is shared among a trusted colleague over WebEx, the file is expected to be trustworthy as well.
We recommend updating your WebEx client to its most current version. The most recent updates address the vulnerability by simply no longer allowing the shared usage of Flash (.swf) files. This should not be too disruptive as it is not common to share such files in a WebEx meeting.
4. USB Stick of Death
USB sticks outfitted with a maliciously crafted image of a Windows NT file system (NTFS), can be used to crash a Windows machine by simply inserting the USB stick into the appropriate port on the device without any further user interaction. The crashed system will display what is commonly referred to as the Blue Screen of Death (BSOD).
A function known as auto-play is activated by default, leading to the automatic crash of the system once the USB stick is inserted. Regardless of whether autoplay has been disabled, the system will still crash so long as the file is accessed. The file access could from a user clicking on the file, or from passive access: Windows Defender scans, other Microsoft services or tool, etc. All of this can be accomplished even if the machine is locked.
Microsoft seemed hesitant, if not uninterested, when the issue was discovered. While it appears that a patch or update will not be possible, we still recommend the following to protect against malicious USB sticks:
- It is always best practice to lock one’s workstation before leaving. This particular threat can still be activated even when locked, therefore we advise taking a mental note of your desk and device before leaving.
- Do not accept any USB sticks from anyone that you do not know or trust. It is a common social engineering tactic among malicious actors to impersonate legitimate agencies and will stop by with trinkets like that of pens or USB sticks, in hopes that someone in the company will plug one of them into their computers.
- Practice proper physical security of your If there are any visitors, whether they are present for a short or extended amount of time, they should not be left unattended anywhere in the office or building. An unsupervised, unauthorized individual may plug malicious USB sticks into workstations, servers, or even set up their own rouge access point, granting them access to the network.
- Affected versions of Windows includes: Windows 7 Enterprise 6.1.7601 SP1, Build 7601 x64; Windows 10 Pro 10.0.15063, Build 15063 x64; and Windows 10 Enterprise Evaluation Insider Preview 10.0.16215, Build 16215 x64.
How can Netizen help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.