hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates with comments from our experts
News for discussion
Microsoft Windows wormable flaw exploit
Exploit code for a wormable Microsoft Windows security flaw was published. Dubbed SMBGhost (CVE-2020-0796), it can spread from system to system without user interaction. The flaw is present in unpatched Windows 10 versions 1903 and 1909 and in Windows Server versions 1903 and 1909. Although there are no stable exploits yet, the vulnerability poses a serious threat. Microsoft's security team advises applying the patches. Disabling SMB compression and blocking port 445 could help mitigate the risk and make an IT security audit easier.
Yes, this is yet another Microsoft vulnerability, and it allows attackers to execute arbitrary code. But the reality is that it's quite hard to build a stable remote exploit for this vulnerability, and it's very easy to fix it. Most likely, it will be used to elevate local user privileges on the computers that were not updated by system administrators. We recommend that system administrators patch this vulnerability (CVE-2020-0796) and finally block port 445.
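The two workarounds mentioned above (disabling SMBv3 compression and blocking port 445) are both documented by Microsoft, and they can be applied from an elevated PowerShell session. The script below is an added example, not hexway's code or Microsoft's: it checks that the host is actually one of the affected builds before changing anything, applies both workarounds, and reads the settings back so the result can be verified. The build numbers (18362 for 1903, 18363 for 1909) and the firewall rule name are our own assumptions.

```powershell
# Added example (not hexway's code): apply the documented SMBGhost (CVE-2020-0796)
# workarounds on one Windows 10 host. Run from an elevated PowerShell session.
# Assumed: build 18362 = version 1903, build 18363 = version 1909; the rule name is ours.

$affectedBuilds = @(18362, 18363)
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

if ($affectedBuilds -notcontains $build) {
    Write-Output "Build $build is not 1903/1909; the SMBGhost workaround does not apply here."
    return
}

# 1. Disable SMBv3 compression (the workaround from Microsoft advisory ADV200005).
#    No reboot is required; the setting takes effect immediately.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $params -Name DisableCompression -Type DWORD -Value 1 -Force

# 2. Block inbound TCP 445 on the host firewall (idempotent: skip if the rule exists).
$ruleName = 'Block inbound SMB 445 (SMBGhost mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block | Out-Null
}

# 3. Read both settings back so the change can be verified (and logged by an audit).
$compression = (Get-ItemProperty -Path $params).DisableCompression
$rule = Get-NetFirewallRule -DisplayName $ruleName
Write-Output "DisableCompression = $compression (expected 1)"
Write-Output "Firewall rule '$ruleName' enabled: $($rule.Enabled), action: $($rule.Action)"
```

The compression setting only removes the vulnerable code path on the SMB server side; a client connecting to a malicious SMB server is still exposed until the patch is installed, so this is a stopgap, not a replacement for the update. Blocking port 445 on a host also breaks inbound file and printer sharing on that host, which is why the advice is usually to block it at the network perimeter and only on endpoints that do not need to serve SMB. Once the patch is applied, the compression setting can be reverted with the same `Set-ItemProperty` call and `-Value 0`.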
Attacks and vulnerabilities
Zoom security flaws in chat and GIFs
Cybersecurity researchers have found two critical path traversal vulnerabilities in Zoom. Both allow uploading arbitrary files in order to execute malicious code on the affected systems: in one case through GIFs embedded from third-party servers, in the other through unsafe snippets shared in chats. The latest version of Zoom is 4.6.12 for Linux, Windows, and macOS. Many companies refuse to use Zoom products following their internal cybersecurity risk assessment guidelines.
Conduent data breach
Conduent, an IT services provider, was hit by a ransomware attack on May 29. The company managed to restore all its systems in eight hours. The official statement says that internal systems identified the ransomware attack and security protocols were engaged to address the intrusion. However, some of the company’s customers’ data was leaked to the Dark Web.
Hackers target gaming industry
Gamers’ credentials could be of big interest to cybercriminals. Besides fraud and data theft, gamers are vulnerable to bot activity and DDoS attacks. While the industry continues to grow rapidly, it’s important that developers incorporate different types of security solutions to protect the users. Pentests will help find security flaws and prevent potential attacks.
German personal protective gear company under attack
A phishing campaign against one of the German companies supplying personal protective equipment was detected by security specialists. Phishing messages were sent to its employees in an attempt to trick them into sharing login credentials. The investigation is still ongoing, and there is no public information about the attack or the company itself.
Endeavor Business Media websites compromised
Security updates and patches
New Firefox versions include fixes for several memory management problems, including CVE-2020-12410 and CVE-2020-12411. These memory corruption bugs allowed arbitrary code execution. The up-to-date products, Firefox 76.0 and Firefox 68.9.0 ESR, have enhanced web security capabilities.
More than twenty different vulnerabilities were fixed by Cisco. The flaws affected Cisco IOS, IOS XE, IOS XR, and NX-OS. They include a command injection vulnerability (CVE-2020-3205), arbitrary code execution flaws (CVE-2020-3198 and CVE-2020-3258), and a privilege escalation vulnerability (CVE-2020-3227). Security analysis shows that none of the discovered flaws were actively exploited, but it is highly recommended to apply the patches as soon as possible.
A new ransomware type was first observed in the wild in December 2019. This ransomware, dubbed Tycoon, tends to use uncommon programming languages; the observed samples are written in Java. Threat actors deploy the malware in the form of a trojanized Java Runtime Environment build. Tycoon seems to be highly targeted, and the attackers connect to systems using an RDP server on the network.
Maze ransomware operators successfully breached the systems of the VT San Antonio Aerospace company in April. They were able to encrypt some data and steal 1.5 TB worth of unencrypted files, including financial information. The company's representatives state that the threat has been contained. However, the company is taking steps to strengthen its overall security and is using third-party cybersecurity services and forensic advisors to get information about the attack.
Meanwhile, Maze operators have partnered with the Ragnar Locker group.