A Month In Breaches: December


This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends.

Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this will give some extra boost to your overall understanding of security breaches happening in the expansive and scary internet.

Adrozek

A new strain of malware has spread to thousands of Windows PCs in an attempt to inject unwanted advertisements into users’ search results. “Adrozek” is a malware family capable of modifying several browsers, including Google Chrome, Microsoft Edge and Mozilla Firefox. Its goal is to take over browser activity and push illegitimate advertisements, so that its operators earn affiliate advertising revenue or harvest personal details by other means. The malware targets the browser, disables its security functions and then establishes persistence across reboots with the aid of a registry key. It scans for locally installed browsers such as Microsoft Edge, Google Chrome and Mozilla Firefox and modifies the browsers’ DLL libraries so that unauthorised advertisements are injected into what look like ordinary search results. Adrozek can also redirect you to websites you never asked for. The advertisements appear harmless, but the ‘advertisers’ are merely a front for attackers seeking access to sensitive information, including financial details.

The most effective way to remove malware such as Adrozek from a machine is to use a reputable, professional antivirus product that can remediate a wide range of infections. Always confirm the authenticity of the source of any program or application you download, and keep antivirus applications and other security software up to date: new virus definitions are issued daily, and antivirus vendors upgrade their detection tools regularly. Enable detection of potentially unwanted programs (PUPs) in your antivirus software. Adrozek and other malware can reach your machine through suspicious websites that you may visit unknowingly, so clicking the ‘wrong’ link can lead to an application you never intended to install. If a pop-up banner appears while you are browsing a site, avoid clicking on it; if the site inundates you with pop-up advertisements, leave it immediately and run an antivirus scan to confirm that nothing malicious is on the device.
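Because Adrozek works by overwriting browser DLLs on disk, one control that surfaces this kind of tampering is a file-integrity baseline: hash the binaries in the browser install directory on a known-clean machine, then re-hash periodically and report anything modified or added. The script below is an added example written for this post, not code from CTRL Group or from any vendor; the directory, file names and file contents it uses are constructed in a temporary folder purely to demonstrate the comparison.

```python
"""Added example (not from the post): baseline-and-compare integrity check for a
browser install directory, the kind of check that exposes the DLL modification
described above. All paths and file contents below are constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path

MONITORED_SUFFIXES = (".dll", ".exe")


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, suffixes=MONITORED_SUFFIXES) -> dict:
    """Map every monitored file under root (relative path) to its SHA-256."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            baseline[str(path.relative_to(root))] = sha256_file(path)
    return baseline


def compare(root: Path, baseline: dict, suffixes=MONITORED_SUFFIXES) -> dict:
    """Re-hash root and report files whose hash changed, new files, and missing files."""
    current = build_baseline(root, suffixes)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: a clean install is baselined, then one DLL is
    overwritten and an extra DLL is dropped, as a browser-modifying infection would do."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "msedge.dll").write_bytes(b"constructed clean build")   # constructed content
        (root / "chrome.dll").write_bytes(b"constructed clean build 2")  # constructed content
        (root / "readme.txt").write_bytes(b"not monitored")              # ignored by suffix filter
        baseline = build_baseline(root)
        # Simulated tampering after the baseline was taken.
        (root / "msedge.dll").write_bytes(b"constructed patched build")
        (root / "injector.dll").write_bytes(b"constructed dropped file")
        return compare(root, baseline)


if __name__ == "__main__":
    report = demo()
    for kind, files in report.items():
        print(f"{kind}: {files}")
```

On a real Windows host the baseline would be taken from the actual browser install directory right after a clean install or update, and stored off the machine so that the malware cannot rewrite it; since it disables browser updates and patches binaries in place, any hash change that does not coincide with a vendor update deserves investigation. Pairing this with Authenticode signature verification of the same DLLs (PowerShell's Get-AuthenticodeSignature) catches the same tampering without needing a baseline at all.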

Critical Bugs in Dell Wyse Thin Clients Allow Code Execution, Client Takeovers

Dell Wyse Thin client models are vulnerable to critical issues that could be exploited by a remote attacker to run malicious code and gain access to arbitrary files. The two critical bugs (CVE-2020-29491 and CVE-2020-29492) rate 10 out of 10 on the vulnerability-severity scale.

By default, ThinOS can be maintained remotely from a local File Transfer Protocol (FTP) server, from which devices pull new firmware, packages and configurations. CVE-2020-29491 stems from the fact that Wyse Thin Client devices periodically poll the server to pull their latest configurations without any authentication. Because the configuration for every thin client is held on a remote server that anyone on the network can read, any third party on the network can access those configuration files. The second bug, CVE-2020-29492, exists because the server holding those configurations permits read-and-write access to its configuration files, enabling anyone within the network to read and alter them over FTP. According to CyberMDX, the models below running ThinOS 8.6 are vulnerable to these bugs.

3020, 3030 LT, 3040, 5010, 5040 AIO, 5060, 5070, 5070 Extended, 5470, 5470 AIO, 7010

Dell has released ThinOS 9 to address the two critical vulnerabilities. However, the following Wyse models can no longer be updated:

3020, 3030 LT, 5010, 5040 AIO, 5060, 7010

Where a Wyse model cannot be updated, it is recommended to disable the use of FTP for updates and to secure the environment by using a secure protocol (HTTPS) and ensuring that the file servers allow read-only access.
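The two bugs above come down to properties of the update server rather than of the thin client: anyone on the network can read the configuration files, and anyone can write them. Where an FTP server has to remain in place for the models that cannot be moved to ThinOS 9 and HTTPS, those properties can be audited from its configuration. The script below is an added example written for this post (not from CTRL Group, Dell or CyberMDX); it uses the directive names of vsftpd, a common Linux FTP server, and the two configuration texts are constructed: one that leaves configs anonymously readable and writable, and one that removes anonymous access, makes the share read-only and enforces TLS.

```python
"""Added example (not from the post): audit an FTP server configuration for the
two weaknesses described above, unauthenticated read access and write access to
the thin-client configuration files. Directive names are vsftpd's; both sample
configurations are constructed for the demonstration."""

WEAK_CONFIG = """\
# constructed: an update server that lets any host read and overwrite configs
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_root=/srv/wyse
"""

HARDENED_CONFIG = """\
# constructed: authenticated users only, read-only share, TLS enforced
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
"""

# (directive, value that is a finding, vsftpd default when absent, explanation)
CHECKS = [
    ("anonymous_enable", "YES", "YES", "anonymous clients can read every file, including configs"),
    ("write_enable", "YES", "NO", "write commands (STOR, DELE, ...) are enabled on the server"),
    ("anon_upload_enable", "YES", "NO", "anonymous clients may upload, i.e. overwrite configs"),
    ("anon_mkdir_write_enable", "YES", "NO", "anonymous clients may create directories"),
    ("ssl_enable", "NO", "NO", "logins and configuration files travel in cleartext (no TLS)"),
]


def parse_vsftpd(text: str) -> dict:
    """Parse key=value lines, skipping comments and blanks; values are upper-cased."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().upper()
    return conf


def audit(text: str) -> list:
    """Return one finding string per weak directive; a directive that is absent
    from the file is evaluated at its vsftpd default, which is what the daemon does."""
    conf = parse_vsftpd(text)
    findings = []
    for key, bad_value, default, message in CHECKS:
        effective = conf.get(key, default)
        if effective == bad_value:
            findings.append(f"{key}={effective}: {message}")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}] {len(audit(text))} finding(s)")
        for finding in audit(text):
            print("  -", finding)
```

Two design points matter here. The audit evaluates absent directives at the daemon's own default (anonymous_enable defaults to YES in vsftpd), because a file that merely omits a line is not safe. And read-only access, which the post recommends, closes only the write bug (CVE-2020-29492); the read exposure (CVE-2020-29491) remains until anonymous access is removed or the clients are moved off FTP altogether, which is why the hardened sample changes both.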

Kawasaki Discloses Cyber Breach

Kawasaki Heavy Industries revealed that it had suffered a cyber breach, identified as unauthorised access by attackers to Kawasaki’s servers. It has been determined that some information was leaked and shared with external parties by the perpetrators. Multiple domestic and international offices fell victim to the attack. During an internal audit of its network, Kawasaki detected a connection from Thailand entering a server in Japan, which was deemed undesirable. Following this, connections from Indonesia, the Philippines and the US were also discovered.

To contain the situation, a thorough security check was conducted on 26,000 terminals on the Japan and Thailand networks, and the same check was carried out on Kawasaki’s foreign offices (US, Indonesia and the Philippines). Kawasaki blocked all communication from its branch offices to its headquarters in Japan until the situation was brought under control. The malicious connection was blocked and access control policies were revisited. Since then, Kawasaki has established a cybersecurity group overseen by the corporate president. CTRL Group suspects that improper privileged access control and loose security policies around domain administrator accounts were behind the breach. It is imperative to extend cyber security policies to branch offices: attackers consider them vulnerable because a company’s headquarters is usually the better-protected target.


– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYSTS, M-Singh, V-MSK, Jae, Yvette and Ann