A Month In Breaches: June

Cyber criminals and attackers continued to lurk throughout the month of June. Subscribe to CTRL for the latest attack news and cyber trends.

This is an initiative by our Security Operations Centre team, who have their eyes on the prize 24/7 and proactively observe breaches and critical security trends. In June we continued to see the same attack vectors being abused for malicious activity.

Part of protecting our clients is promoting good security practices and raising awareness of current security trends. We hope this gives an extra boost to your understanding of the security breaches happening on the expansive and scary internet.

Atlassian Bugs Could Lead to 1-Click Takeover   

Atlassian, whose platform is used by 180,000 customers to engineer software and manage projects, could have been hijacked with a single click because of a chain of security flaws. Researchers published a report showing how an attacker could have exploited the bugs to access Atlassian's Jira. Seven subdomains under atlassian.com were found to be vulnerable to account takeover.

The issues on the vulnerable domains included a poorly configured Content Security Policy (CSP), request parameters vulnerable to cross-site scripting (XSS), bypasses of the SameSite and HttpOnly cookie protections, and a weakness that allowed cookie fixation. Chained together, all the attacker needed was for the victim to click a malicious link: a payload would then be sent on the victim's behalf and their session stolen.

The vulnerabilities outlined impact a limited set of Atlassian-owned web applications as well as a third-party training platform. Atlassian has shipped patches to address these issues, and none of them affected Atlassian Cloud (e.g. Jira or Confluence Cloud) or on-premise products (e.g. Jira Server or Confluence Server), so there is nothing customers need to patch for this particular report. CTRL Group still urges customers to keep their Atlassian deployments up to date and to check their own web applications for the same class of weakness, since a permissive CSP and loosely scoped session cookies are what turned a single XSS into a one-click account takeover here.
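The weaknesses the researchers chained (a permissive CSP, cookies without HttpOnly/SameSite, and a cookie that a sibling subdomain can plant) can all be spotted from response headers. The following is an added example written for this page, not Atlassian's or the researchers' code; the host name and header values are constructed, and the `__Host-` cookie prefix check is our own recommendation rather than something the report describes.

```python
"""Audit HTTP response headers for the weaknesses described above: a
permissive Content-Security-Policy, session cookies without HttpOnly,
Secure or SameSite, and cookies that a sibling subdomain could plant or
overwrite (cookie fixation).

Added example, not Atlassian's or the researchers' code. Host names and
header values are constructed for illustration.
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Script-source tokens that make CSP useless against reflected XSS:
# inline scripts, eval, wildcard hosts or scheme-only sources.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "https:", "http:"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split "name src src; name src" into {name: [src, ...]}."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(policy: str) -> List[str]:
    findings: List[str] = []
    directives = parse_csp(policy)
    # script-src falls back to default-src when it is absent
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        findings.append("CSP: neither script-src nor default-src set; scripts unrestricted")
        return findings
    for src in script_src:
        if src in WEAK_SCRIPT_SOURCES:
            findings.append(f"CSP: script-src allows {src}")
    return findings


def audit_cookie(set_cookie: str, host: str) -> List[str]:
    """host is the server that issued the cookie, e.g. 'training.example.com'."""
    findings: List[str] = []
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    if "httponly" not in attrs:
        findings.append(f"cookie {name}: no HttpOnly, readable by injected script")
    if "secure" not in attrs:
        findings.append(f"cookie {name}: no Secure flag")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"cookie {name}: SameSite={samesite or 'unset'}, sent on cross-site requests")

    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != host.lower():
        findings.append(
            f"cookie {name}: Domain={domain} is shared with every {domain} subdomain; "
            "an XSS on any of them can overwrite it (cookie fixation)")
    elif not name.startswith("__Host-"):
        # A host-only cookie can still be shadowed by a same-name cookie that a
        # sibling subdomain sets with Domain=<parent>; the __Host- prefix makes
        # the browser reject cookies that carry a Domain attribute.
        findings.append(f"cookie {name}: no __Host- prefix, a parent-domain cookie of the same name can shadow it")
    return findings


def audit_response(host: str, headers: List[Header]) -> List[str]:
    findings: List[str] = []
    saw_csp = False
    for hname, value in headers:
        lname = hname.lower()
        if lname == "content-security-policy":
            saw_csp = True
            findings += audit_csp(value)
        elif lname == "set-cookie":
            findings += audit_cookie(value, host)
    if not saw_csp:
        findings.append("CSP: header missing")
    return findings


# Constructed responses from a hypothetical training.example.com application.
WEAK_RESPONSE = ("training.example.com", [
    ("Content-Security-Policy", "default-src 'self' *; script-src 'self' 'unsafe-inline' https:"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Domain=example.com"),
])
HARDENED_RESPONSE = ("training.example.com", [
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'none'"),
    ("Set-Cookie", "__Host-JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
])

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(*resp) or "no findings")
```

The weak response yields six findings, the hardened one none. The Domain check is the important one for the chain described above: a session cookie scoped to the parent domain is writable from any sibling subdomain, so one XSS anywhere under the apex becomes a cookie fixation primitive against the main application.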

 

Cisco Vulnerability (CVE-2020-3580) is Actively Exploited  

Tenable has received a report that a Cisco ASA vulnerability, tracked as CVE-2020-3580, is actively exploited in the wild. Many appliances remain unpatched even though Cisco released a fix in October 2020. The Cisco ASA is a perimeter-defence appliance that combines firewall, antivirus, intrusion prevention and virtual private network (VPN) capabilities, all meant to stop threats from breaching corporate networks. A compromise of the device is akin to unlocking the front door of the castle for storming cyber adversaries.

Cross-site scripting (XSS) attacks occur when malicious scripts are injected into otherwise benign and trusted websites; visitors to the affected pages then run the attacker's script in their own browser. Successful exploitation in this case means an unauthenticated, remote attacker can execute arbitrary script code in the context of the ASA web interface and access sensitive, browser-based information such as the victim's session. Riding that authenticated session, they could go on to change the device's configuration. The catch for the adversary is that the victim must already be logged into the ASA web interface and be persuaded to click a crafted link.

The flaw was patched in October 2020 as part of a group of XSS issues in Cisco's ASA software and in Firepower Threat Defense (FTD), the unified firewall image that includes ASA management. Updating the affected devices to the latest software versions is of course recommended.

However, more can be done to reduce exposure. Organisations should ask their internal teams whether they need the web management interface at all and, if so, confirm whether it is reachable from the whole internet or only from inside the organisation. If it is not needed, it should be disabled; if it is, it should be restricted to a management network. One caveat: the vulnerable web services interface also serves the AnyConnect and WebVPN portals, which by design face the internet, so restricting the management interface reduces the attack surface but does not replace the patch. CTRL Group suggests that all customers using Cisco ASA ensure these mitigations are in place for a better security posture.
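A quick way to answer "is the web management interface exposed, and to whom?" across a fleet is to audit the exported running-config rather than log into each box. The following is an added example written for this page, not Cisco tooling; the two configurations are constructed, and the interface names `outside` and `management` are assumptions about the device's nameifs.

```python
"""Check an ASA running-config for exposure of the HTTP (ASDM) management
interface: is the HTTP server enabled, and from which networks on which
interfaces may it be reached?

Added example, not Cisco tooling. The configurations are constructed;
'outside' and 'management' are assumed interface nameifs. Note that this
covers only the ASDM listener, not the WebVPN/AnyConnect portal, which the
same vulnerable web services interface also serves.
"""
import re
from typing import List, Tuple

# Interface nameifs considered untrusted; adjust to your own naming scheme.
UNTRUSTED_INTERFACES = {"outside"}

# Constructed: ASDM reachable from anywhere on the internet-facing interface.
EXPOSED_CONFIG = """\
hostname edge-fw
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.255.255.0 management
"""

# Constructed: ASDM only from the admin subnet on the management interface.
HARDENED_CONFIG = """\
hostname edge-fw
http server enable
http 10.0.0.0 255.255.255.0 management
"""

# Matches "http <network> <mask> <interface>" access rules.
HTTP_RULE = re.compile(r"^\s*http\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def audit_http_exposure(config: str) -> List[str]:
    """Return a list of findings about who can reach the ASDM/web interface."""
    findings: List[str] = []
    server_enabled = False
    rules: List[Tuple[str, str, str]] = []
    for line in config.splitlines():
        if line.strip().startswith("http server enable"):
            server_enabled = True
            continue
        match = HTTP_RULE.match(line)
        if match:
            rules.append(match.groups())

    if not server_enabled:
        return findings  # listener is off, nothing to reach
    if not rules:
        findings.append("http server enabled with no 'http <net> <mask> <if>' rule")
    for net, mask, iface in rules:
        if iface in UNTRUSTED_INTERFACES:
            findings.append(
                f"ASDM/web interface reachable on untrusted interface {iface} from {net}/{mask}")
        elif mask == "0.0.0.0":
            findings.append(f"ASDM/web interface open to any source on {iface}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_http_exposure(cfg) or "no findings")
```

Run it over `show running-config` output collected from each firewall; any finding on an untrusted interface is a candidate for `no http 0.0.0.0 0.0.0.0 outside`, and a device that needs no ASDM at all should simply not have `http server enable`.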

 

NVIDIA Patches High-Severity GeForce Spoof-Attack Bug  

NVIDIA's GeForce Experience, the companion software bundled with the chipmaker's popular GTX GPUs, contains a flaw that a remote attacker can exploit to steal or manipulate data on a vulnerable Windows computer.

The bug is tracked as CVE-2021-1073, with a CVSS severity rating of 8.3 (high). The company warned: "NVIDIA GeForce Experience software contains a vulnerability where, if a user clicks on a maliciously formatted link that opens the GeForce Experience login page in a new browser tab instead of the GeForce Experience application and enters their login information, the malicious site can get access to the token of the user login session. Such attacks may lead to these targeted users' data being accessed, altered, or lost."

The prerequisites for the attack, classed as a spoofing attack, include an adversary with network or remote access to the vulnerable PC. Because the victim must be coaxed into clicking a malicious link, NVIDIA rates the attack as complex, which reduces the likelihood of successful exploitation.

Those affected are advised to download and install the update from the GeForce Experience download page, or simply to open the client, which will update itself automatically. NVIDIA notified customers of the bug and released a patch for the flaw, which is present in GeForce Experience for Windows versions 3.21 and prior; version 3.23 resolves it. CTRL Group also recommends strong patch management: keeping client software current means that, once a vendor ships a fix for a bug like this one, the window in which it can be exploited against you is as short as possible.

 

– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYSTS,  Jae, Manharsh & Vic.