hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates with comments from our experts
News for discussion
Apple future updates
At a recent Apple developers conference, privacy was one of the key topics. The upcoming iOS 14.0, iPadOS 14, and tvOS 14 will include an option to decline the apps’ ad tracking. Thus, applications will need users’ permission to track them or access a device’s advertising identifier. Another security improvement concerns the Safari web browser: it will check if the stored passwords have been compromised in a data breach.
Apple continues to focus on user privacy in its latest releases and presentations. Is it a good thing? It seems to be. The users are happy and feel safe; the marketers can’t wait to launch another advertising campaign under the slogan “What Happens on Your iPhone, Stays on Your iPhone”.
However, if we dig a little deeper, we can see that new tools violating the said privacy are emerging. At hexway, we’ve already shown that BLE allows identifying users. And do you remember about Apple’s COVID-19 tracking initiative? It’s working now, and who knows how long it will be active. We’ll keep an eye on it.
Attacks and breaches
New DDoS record
In their blog, Akamai states that they observed the largest packet-per-second DDoS attack ever. The security team mitigated the attack on an unnamed European bank; the DDoS mitigation systems faced a load peaking at 809 million packets per second, and 96.2% of the source IPs had never been observed before.
US news sites hit by ransomware
New ransomware hit almost a dozen US news sites owned by the same company. Behind the attack is the Evil Corp gang, which has been massively deploying WastedLocker ransomware payloads in recent months. Usually, Evil Corp focuses on industries like manufacturing, information technology, and telecommunications. To perform the attack, they usually steal the credentials of an employee and escalate their privileges to move freely in the network. They also disable Windows Defender. It is necessary to provide cybersecurity training to all security personnel to avoid such attacks.
Glupteba malware family
Researchers from Sophos Labs made a write-up on the Glupteba malware. It targets Windows systems and forms a botnet with infected devices. Enhanced with stealth capabilities, it is distributed through different sources, like installers and pirated software, and drops malicious files in specific directories. To evade detection by Windows Security System, it shuts down any ongoing processes related to it. Researchers believe that Glupteba’s purpose is cryptocurrency mining, although it is open to various ways of exploiting the infected machines.
Lucifer: Cryptojacking and DDoS
Researchers revealed a new type of malware exploiting CVE-2019-9081. It is capable of DDoS attacks, crypto-jacking, and command and control operations. Dubbed Lucifer, it uses a set of weaponized known vulnerabilities, so it is strongly recommended to apply the latest patches for software like Rejetto HTTP File Server, Jenkins, Oracle Weblogic, Drupal, Apache Struts, Laravel framework, and Microsoft Windows. Lucifer is also capable of brute-forcing, so strict password security guidelines and checklists are a must.
One more malware family has recently been discovered by Trustwave SpiderLabs. Dubbed GoldenSpy, it is embedded in tax software used by companies operating in China. It installs a hidden backdoor on a system and allows operators to execute commands or even upload binary files. GoldenSpy installs two copies of itself (so that one can reinstall the other if it is removed) and operates with system-level privileges. After the research was published, the actors behind GoldenSpy delivered an uninstaller that deletes the registry entries and GoldenSpy data and removes itself from the system. The scope and purposes of the campaign remain unknown, and cybersecurity specialists recommend having audits performed by third-party cybersecurity providers to ensure that no harm was done to the systems.
Patches and updates
Palo Alto Networks PAN-OS patch
Palo Alto Networks fixed a major flaw in PAN-OS, the software that runs its firewalls. The vulnerability, CVE-2020-2021, is extremely severe because it is easy to exploit remotely. The issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions. Both CISA and US Cyber Command issued alerts warning administrators to apply the patches.
VMware released fixes that address 10 vulnerabilities in its products, including ESXi, Workstation, Fusion, and Cloud Foundation. The most severe vulnerability was assigned CVE-2020-3962. It is a use-after-free vulnerability in the SVGA device that allows an attacker to execute code on the hypervisor if 3D graphics are enabled. Other vulnerabilities patched by VMware include a heap overflow affecting the USB 2.0 controller and a vulnerability in the USB 3.0 controller that allows attackers with admin privileges to cause a denial of service or execute arbitrary code on the hypervisor.
Microsoft Exchange servers insecurity
Microsoft security specialists warn their customers about sophisticated attacks on Exchange servers. These attacks have been going on for months, ever since the patch for the CVE-2020-0688 vulnerability was issued in February. The flaw allowed attackers to gain access to target emails. The attackers also attempted to disable default protection systems in order to compromise emails successfully. It is necessary to apply all the latest software updates. But that is not always enough, so it is vital to perform cybersecurity assessments to identify weak spots in critical infrastructure.