CYBERSECURITY NEWS V. 27.11 – 50k Fortinet VPN Services Vulnerable, New Zoom features, Facebook Messenger bug

hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates with comments from our experts

News for discussion

Hacker posts Exploits for about 50,000 Vulnerable Fortinet VPN Services

A hacker has published a list of one-line exploits aimed at stealing VPN credentials from nearly 50,000 Fortinet VPN devices. Most of the domains are owned by banks and government agencies around the world. The reported vulnerability is CVE-2018-13379, a workaround that affects many unpatched Fortinet FortiOS SSL VPN devices. By exploiting this vulnerability, hackers could acquire access to system files through specially processed HTTP requests. It's worth noting that hackers have recently exploited the same vulnerability to disrupt the US election. Therefore, network administrators and security professionals are advised to address this issue immediately to prevent potential attacks. The published exploits target Fortinet VPN's sslvpn_websession files to steal connection credentials. Although the vulnerability was disclosed in 2018, researchers have identified nearly 50,000 targets that are still vulnerable to attacks.

hexway commentary:

So, the classics. The catchy headline should be rewritten as "List of 50,000 IP Addresses for Companies with World's Slowest Patching Process."

What we have:

1. Common software – Fortinet FortiOS SSL VPN;
2. A critical and straightforward vulnerability, CVE-2018-13379, disclosed two years ago;
3. A public and understandable exploit for it.

As a result, we get a list of 50,000 IPs that don't care about security so much that even a bunch of press releases and official notices didn't force them to update. This news won't help either.

News FYI

New Zoom features improve user safety

Earlier this week, Zoom announced security improvements. Since April, Zoom has been protecting all conferences with a mandatory six-digit numeric password, a measure that was introduced due to Zoom-Bombing. Trolls are still a big problem for Zoom users. Now, the developers present the new At-Risk Meeting Notifier feature. It runs on the Zoom backend and monitors publicly accessible social media posts. Suppose the URL for a Zoom meeting is found among the messages. In that case, At-Risk Meeting Notifier will automatically send an email to the organizers and alert them that outsiders might gain access to the meeting and disrupt it. Recently, Zoom-Bombing cases have been mostly due to conference participants sharing links online (along with the password) on social networks. Sometimes this happens out of ignorance, but sometimes people post the links intentionally and ask others to disrupt the conference. The new feature is enabled by default, and users do not need to take any action to activate it.

Now, Zoom users can also remove offending participants. "Suspend Participant Activities" allows you to stop video, audio, and chat during a meeting, stop screen sharing and recording, and report a person. After a complaint is made, the user is removed from the meeting. This feature is enabled by default for all Zoom users. The second feature, Report by Participants, allows meeting attendees to report trolls by clicking the "Security" icon in the upper left corner. "Report by Participants" can be enabled by administrators and account owners in the web settings.

Vulnerability in Facebook Messenger for Android allowed spying on users

Facebook has patched a critical vulnerability in the Facebook Messenger Android app that could be used to eavesdrop on the callee's surroundings. The vulnerability is caused by an incorrect implementation of the Session Description Protocol (SDP). This protocol is an essential part of the WebRTC (Web Real-Time Communication) technology that enables conferences. When a WebRTC connection is established between mobile devices, a brief exchange of messages occurs. The callee presses the button to answer a call, thereby confirming their consent to connect and broadcast audio. Attackers could exploit this issue by sending an SdpUpdate message. This SDP message is not used when establishing a WebRTC connection, but throwing it in will allow the attacker to hear everything that happens near the callee. The attacker must have permission to call the victim: for example, the attacker must be on their Facebook friends list. The problem was discovered in the Android version of Facebook Messenger 284.0.0.16.119 last month, and Facebook has fixed it with a server update.

Turkish hacker ruined Joe Biden's campaign website

The vote.joebiden.com subdomain, used by Joe Biden's official campaign website, was corrupted last week. On November 18th, a message in Turkish appeared on the subdomain. The hacker claims to be "RootAyy1ld1z", aka Turkish And Muslim Defacer. The hacker claims that he works alone and is not part of a group or organization. The message had threats to Turkey's opponents as well as US-backed Turkish political parties. It is unknown which security flaw caused the attack, which is not the first time a presidential campaign website has been exploited.

Website defacement is usually done using SQL injections and logging in with an administrator account. Government or political party websites often become targets of such attacks carried out by hacktivists most of the time.