Netizen Cybersecurity Bulletin 06 February 2019

In This Issue:

In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

  • Microsoft Exchange Vulnerability
  • 2019 Already Marred by a Slew of Data Breaches
  • Linux Backdoor Trojan Set For Major Attack
  • Linux APT Flaw
  • Phish Tale of the Week
  • How Can Netizen help?

Microsoft Exchange Vulnerability

Versions of Microsoft Exchange 2013 and newer are vulnerable to an attack that can give someone administrator rights at potentially 90% of organizations that run Active Directory and Exchange. This attack is made possible by the fact that Exchange has extensive default privileges that can’t be patched. If a malicious actor has a foothold in a Windows network, they can exploit the vulnerability and get domain administrator rights, which are the effectively the keys to the kingdom.

CERT has released an advisory that identifies the problem as Exchange not authenticating NTLM traffic properly, which is what allows an attacker to give themselves privileges. Exchange 2010 is unaffected due to not using NTLM traffic, which is generally opposite of how things work.

Recommendations:

  • Remove the unnecessary high privileges that Exchange has on the Domain object
  • Block Exchange servers from making connections to workstations on arbitrary ports.
  • Enable Extended Protection for Authentication on the Exchange endpoints in IIS
  • Remove the registry key which makes relaying back to the Exchange server possible, as discussed in Microsoft’s mitigation for CVE20188518.
  • Enforce SMB signing on Exchange servers to prevent cross-protocol relay attacks to SMB.

2019 Already Marred by a Slew of Data Breaches

We are one month into the new year, and so far 2019 has shown no sign of decline in data incidents. Just alone last week companies including Airbus, Discover Financial, IT management giant Rubrik, the City of St. John in New Brunswick, Canada and the State Bank of India all reported exposures.

Discover Financial has reported a possible merchant data breach that could have compromised user accounts to the State of California Attorney General’s office, in compliance with that state’s data breach rules. “We can confirm this incident did not involve any Discover systems, and we are forwarding this to the appropriate parties for review,” the company said in a media statement issued on Twitter. “We’re aware of a possible merchant data breach & are monitoring accounts. Our members can rest assured they’re never responsible for unauthorized purchases on their Discover card accounts.”

The incident appears to have taken place on August 13, 2018, but Discover has stated how much personal information was compromised or how many individuals were affected. Those that were affected by the data breach will be getting new cards to replace the compromised cards.

The next set of data breaches occurred due to misconfigured servers coming from Rubrik, the IT security and cloud data management giant. This breach exposed tens of gigabytes of customer information which was caused by improperly storing the data on an Amazon Elasticsearch database. The server wasn’t properly protected and had no passwords to secure it, leaving it accessible to the whole world. The compromised data dates back to October 2018 and contained the following information:

  • Customer Names
  • Contact Information
  • Contents of customer service emails
  • Customer IT/Cloud setup and configuration information
  • Email signatures with names
  • Job titles
  • Phone numbers

No comments were every stated by the company.

The other similar data breach occurred at the State Bank of India, which India’s largest financial institution. This breach exposed millions of customer data containing text messages, account balances, recent transactions, partial bank account numbers, and customers’ phone numbers. This breach was caused by an unsecured server (aka missing a password).

The final breach occurred in the Canadian city of St. John where the credit card information of 6000 people were being sold on the dark web. This breach was caused by a skimmer being install on the third-party parking system that the city uses. This breach collected data fro roughly 18 months until being discovered.

Recommendations:

  • For credit/debit cards, always check your bank statements to verify that all purchases made were authorized by you. Should you find a transaction not authorized by you, contact your card company immediately to have the transaction canceled and reissue different cards to replace the old ones.
  • For the server breaches, make sure your systems are configured with a strong password consisting of a minimum of 10 characters with a mix of alphanumeric and special characters; if a particular system does not support ten character passwords, then the maximum number of characters allowed by that system shall be used
  • For the card skimmer, sometimes the skimming devices are placed over the original and doesn’t sit flush with the frame of the device. Give the card slot a hard tug. If the card slot comes off, then you found a skimmer. From there alert the owner of the device and contact local authorities. Also, the same recommendation for the credit/debit cards applies as well.

Linux Backdoor Trojan Set For Major Attack

A recent backdoor trojan name “SpeakUp” has been discovered exploiting multiple Linux servers, which run more than 90 percent of the top 1 million domains in the United States. Using a complex set of tools, the trojan is capable of infecting hosts and propagating, which analysts say could indicate that it’s poised for a major cyber offensive on a vast number of infected hosts.

The research was released by Check Point on Monday at the recent CPX360 event in Las Vegas, detailing that the trojan is being used in a cryptomining campaign that is gaining momentum and has targeted more than 70,000 servers worldwide. The Trojan looks to target on-premises servers as well as cloud-based servers as well.

The initial infection vector begins with targeting a recently reported vulnerability in ThinkPHP (CVE-2018-20062) and injecting a PHP shell that allows execution of a Perl backdoor. After control of the server is obtained, the Trojan continues to ask the command server for any new tasks, which can include downloading and executing a file from any remote server, or even kill and uninstall the program.

SpeakUp is capable of propagation as well by brute-forcing administrative panels using pre-defined lists of usernames and passwords, along with scanning of the network environment of the infected server. By scanning for the availability of specific ports on servers that share the same internal and external subnet masks, it can look to infect additional servers on the network.

“SpeakUp’s obfuscated payloads and propagation technique is beyond any doubt the work of a bigger threat in the making,” according to the analysis. “It is hard to imagine anyone would build such a compound array of payloads just to deploy few miners. The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive. It has the ability to scan the surrounding network of an infected server and distribute the malware.”

Linux APT Flaw

Security research has revealed a critical remote code execution flaw in Linux APT. Vulnerability dubbed CVE-2019-3462 is within the APT package manager; an extremely popular utility and tool when it comes to installation, updates, and upgrades, and the removal of software on many flavors of Linux distributions including Debian and Ubuntu. The issue lies with APT’s failure to sanitize particular parameters during HTTP redirects; this failure opens up the potential for a man-in-the-middle (MiTM) attack in which the attacker can inject malicious content and trick the host system into installing tampered packages.

HTTP redirects are utilized in APT, specifically the “apt-get” command, to help Linux machines to automatically request packages from proper mirror servers where others may not be available for distribution. In short, if one source fails to respond, the APT will then redirect or respond with another location of the next available source where the client should request the desired package. Not only would the attacker be able to insert themselves in the middle with a malicious mirror and execute arbitrary code, but they could do so with the highest level of privileges (i.e., root). While it has not been confirmed, it is possible that this vulnerability affects all package downloads, whether it be a new package or updating an old one.

Recommendations:

APT has since released a patch for the flaw in patch number 1.4.9. So it is imperative that systems be updated as soon as feasible, while also considering some other layers of security:

  • Utilize signature-based verification to protect the integrity of packages.
  • Implement HTTPS to prevent active exploitation (HTTP with SSL/TLS Encryption).

Phish Tale of the Week

This week we are featuring a phishing email that was received in our office.  The message asks the reader to download an attachment that appears to be PDF.  As the sender is unknown to the recipient, this was easy to avoid.  However, it is easy to imagine anyone of us busily reviewing our inbox and downloading the file without taking a moment to consider who sent it.  A closer examination of the file revealed it did contain malware.

The advice here is perhaps the oldest rule: Never download an attachment from an unknown person.

Recommendations:

phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

  • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
  • Verify that the sender is actually from the company sending the message.
  • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
  • Do not give out personal or company information.
  • Review both signature and salutation.
  • Do not click on attachments.
  • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
  • Be wary of poor spelling, grammar, and formatting. As can be seen with the with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.


Netizen is an ISO 27001:2013 (Information Security Management) certified company.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s