A Month In Breaches: April

This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends.

Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this will give an extra boost to your overall understanding of the security breaches happening across the expansive and scary internet.

Cisco Phishing Attack Steals Webex Credentials

A mass ‘spray and pray’ phishing campaign sends emails posing as a Cisco ‘critical security advisory’ to steal credentials for the Webex web conferencing platform. Users are urged to update the platform to protect themselves from a critical vulnerability, a lure aimed at the remote workers who, in the midst of the Covid-19 pandemic, rely heavily on tools such as Webex, Zoom and Teams. Researchers said the phishing emails carry eye-catching subject lines such as “Critical Update” or “Alert!” and come from the spoofed email address “[email protected]”. The body of the email reuses content from a real December 2016 Cisco Security Advisory, along with Cisco Webex branding. That advisory is for CVE-2016-9223, a legitimate vulnerability in CloudCenter Orchestrator Docker Engine, Cisco’s management tool for applications across multiple datacenter, private-cloud and public-cloud environments. The attackers had also acquired a valid SSL certificate for the campaign.

The last few months have seen a drastic spike in phishing emails exploiting the unfortunate Covid-19 situation. It is highly recommended to educate employees about such scenarios and familiarise them with the consequences of clicking a malicious link and entering their credentials or other sensitive information. It is also recommended to employ an email filter that identifies and quarantines malicious email before it even reaches users. Finally, strengthening basic security tools such as the firewall and anti-virus can mitigate the risk if the mail filter fails.
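As an added illustration of the email-filter recommendation (example code written for this article, not a CTRL Group tool), the Python triage rule below flags a message matching the lure described above, assuming, as the spoofed sender address suggests, that the mail claims a Cisco or Webex domain: it combines the receiving MTA's DMARC result, the urgency subject lines and the recycled 2016 advisory text. All addresses, headers and sample messages are constructed for the example.

```python
import email
import re
from email import policy

# Indicators taken from the campaign described above. Addresses, headers and
# body text in the samples below are constructed, not material from real emails.
LURE_SUBJECT = re.compile(r"critical update|alert!", re.I)
IMPERSONATED_DOMAINS = ("cisco.com", "webex.com")
RECYCLED_ADVISORY = "CVE-2016-9223"  # 2016 advisory reused as lure text


def triage_message(raw: bytes) -> dict:
    """Return matched indicators and a verdict for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    from_domain = m.group(1).lower() if m else ""
    claims_brand = any(from_domain == d or from_domain.endswith("." + d)
                       for d in IMPERSONATED_DOMAINS)
    # The lure spoofs a real brand domain, so only the receiving MTA's DMARC result gives it away.
    dmarc_pass = "dmarc=pass" in msg.get("Authentication-Results", "").lower()
    spoofed_brand = claims_brand and not dmarc_pass
    if spoofed_brand:
        hits.append("brand-domain sender without DMARC pass")
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        hits.append("urgency subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body and RECYCLED_ADVISORY in body.get_content():
        hits.append("recycled 2016 advisory text")
    verdict = "quarantine" if spoofed_brand or len(hits) >= 2 else "deliver"
    return {"indicators": hits, "verdict": verdict}


# Constructed sample of the lure: spoofed brand sender that fails DMARC,
# urgency subject, recycled advisory text and a credential-harvesting link.
PHISH = b"""From: Cisco Webex <alerts@webex.com>
Subject: Alert! Critical Update
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=webex.com; dmarc=fail header.from=webex.com
Content-Type: text/plain; charset=utf-8

Cisco Security Advisory CVE-2016-9223: update Webex now at https://update.invalid/login
"""

# Constructed legitimate notification from the same brand, passing DMARC.
LEGIT = b"""From: Cisco Webex <alerts@webex.com>
Subject: Your meeting recording is ready
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=webex.com; dmarc=pass header.from=webex.com
Content-Type: text/plain; charset=utf-8

The recording for your meeting is available in your Webex account.
"""
```

Calling `triage_message(PHISH)` returns a quarantine verdict with all three indicators, while `triage_message(LEGIT)` is delivered with none.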

CVE-2020-3952 – Sensitive Information Disclosure Vulnerability In The VMware Directory Service

VMware has patched a critical vulnerability that can be exploited to compromise vCenter Server or other services that rely on the Directory Service (vmdir) for authentication. The flaw, tracked as CVE-2020-3952 with a CVSS score of 10, was disclosed by VMware. A malicious actor with network access to port 389 on an affected vmdir deployment may be able to extract highly sensitive information, such as administrative account credentials, which could be used to compromise vCenter Server or other services that depend on vmdir for authentication. Variant attack vectors, such as creating new attacker-controlled administrative accounts, are also possible.

The weakness affects vCenter Server 6.7 on Windows and the virtual appliance, and it has been patched in the 6.7u3f update. However, the company noted that vCenter Server is affected only if the installation was upgraded from a previous version; the product is not affected if version 6.7 was installed directly. CTRL Group strongly recommends adhering to patch management. Doing so greatly reduces the risk from unpatched vulnerabilities, which are the main point of entry for attackers.

ESET Takes Down VictoryGate Botnet

ESET has announced that it took down a botnet responsible for infecting more than 35,000 computers. The VictoryGate botnet, active for more than a year, mostly infected devices in South America. The primary purpose of this botnet is to infect victims with malware that mines cryptocurrency. Per ESET, the Command & Control server was hidden behind the No-IP dynamic DNS service. ESET took down this malicious server and replaced it with a server of its own, known as a sinkhole. All infected systems then began connecting to the sinkhole server, which is how the size of the infection was estimated at 35,000.

According to ESET, the source of infection is believed to be a tainted batch of USB devices, which allowed the attack to propagate via removable media. Once a malicious USB device is connected to the victim’s computer, the malware is installed on it. VictoryGate also contains a component that copies the USB infector to any new USB device connected to the computer, helping it spread further. To curb this kind of spread it is always recommended to allow only whitelisted, official USB devices on the network. Monitoring web and file servers for unexpected file changes is also crucial, because file servers infected with crypto-mining code will infect anyone who accesses them.

 

– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYSTS, M-Singh & V-MSK