A Month In Breaches: February

This is an initiative by our Security Operations Centre team, who watch breaches and critical security trends around the clock and report proactively on what they see.

Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this will give an extra boost to your understanding of the security breaches happening across the expansive and, frankly, scary internet.


PayPal Phishing Scam

A recent phishing campaign targets PayPal users and tries to extract a full spectrum of private data, up to social security numbers (SSNs) and uploaded passport photos. It begins with an email purporting to come from the PayPal notification centre, warning the recipient that their account has been logged into from a new browser or device. The recipient is then asked to verify their identity by clicking a button, which leads to an attacker-controlled web page that harvests whatever the victim types in. The landing page mimics the genuine PayPal site: it first collects the victim's credit card and billing details, then asks for their SSN and card PIN, and finally for a photo of a valid government ID.

Phishing attacks are becoming more common by the day. In this instance PayPal has said that its genuine emails always come from PayPal.com, address customers by their first and last name, never contain attachments, and never ask for sensitive details such as bank account numbers or passwords. CTRL Group recommends that users stay alert to their own email behaviour: check the sender's actual address rather than the display name, and inspect where a link really points before clicking it. Clicking links in, or downloading attachments from, suspicious emails is risky, since either can infect the device and compromise the user's accounts and data.
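The indicators PayPal lists above (sender domain, personalised greeting, no attachments, no requests for credentials) can be turned into a mechanical triage check. The script below is an added example written for this post, not code from PayPal or from the original article; the two sample emails are constructed, the `.example` domains are placeholders, and the list of sensitive terms and the generic-greeting pattern are our own assumptions about what a lure typically contains.

```python
"""Triage checks for a suspected PayPal phishing email.

Applies the indicators PayPal gives: genuine mail comes from paypal.com,
greets the customer by first and last name, carries no attachments and
never asks for passwords or bank details. Constructed example; not code
from the original post or from PayPal.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAIN = "paypal.com"  # per PayPal's statement quoted above
# Assumed list of things a lure asks for; extend for your own environment.
SENSITIVE_TERMS = ("password", "ssn", "social security", "bank account", "pin", "passport")

# Constructed lure modelled on the campaign described in the post.
PHISHING_EMAIL = b"""\
From: PayPal Notification Center <service@paypal-notify.example>
To: customer@example.net
Subject: Unusual login from a new device
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Your account was accessed from a new browser. Please verify your identity,
including your password and SSN, to avoid suspension.</p>
<a href="https://paypal.com.verify-account.example/login">Verify now</a>
</body></html>
"""

# Constructed message matching what PayPal says a genuine email looks like.
GENUINE_EMAIL = b"""\
From: PayPal <service@paypal.com>
To: jane.doe@example.net
Subject: You added a new payment method
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Jane Doe,</p>
<p>A new payment method was added to your account. If this was not you,
open the Resolution Center from your account page.</p>
<a href="https://www.paypal.com/myaccount/">Go to my account</a>
</body></html>
"""


class _LinksAndText(HTMLParser):
    """Collect every <a href> and the visible text of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

    def handle_data(self, data):
        self.text.append(data)


def _is_expected_domain(host):
    return host == EXPECTED_DOMAIN or host.endswith("." + EXPECTED_DOMAIN)


def triage(raw):
    """Return a list of findings; an empty list means no indicator fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Real sender address, not the display name the lure relies on.
    _, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    if not _is_expected_domain(sender_domain):
        findings.append(f"sender domain {sender_domain!r} is not {EXPECTED_DOMAIN}")

    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinksAndText()
    parser.feed(body.get_content() if body else "")
    text = " ".join(parser.text)

    # 2. Where each link really points; lookalikes put the brand in a subdomain.
    for link in parser.links:
        host = (urlparse(link).hostname or "").lower()
        if not _is_expected_domain(host):
            findings.append(f"link points to {host!r}, not {EXPECTED_DOMAIN}")

    # 3. Generic greeting instead of the customer's first and last name.
    if re.search(r"\bDear\s+(Customer|User|Member|Client)\b", text, re.I):
        findings.append("generic greeting instead of first and last name")

    # 4. Requests for data PayPal says it never asks for by email.
    asked = [t for t in SENSITIVE_TERMS if re.search(r"\b" + re.escape(t) + r"\b", text, re.I)]
    if asked:
        findings.append("asks for sensitive data: " + ", ".join(asked))

    # 5. Attachments, which PayPal says its emails never carry.
    if any(True for _ in msg.iter_attachments()):
        findings.append("message carries an attachment")
    return findings
```

The link check is the one worth noting: the lure's host `paypal.com.verify-account.example` starts with the brand name but is a subdomain of a completely different registrable domain, which is why the comparison is done on the parsed hostname against `paypal.com` and its subdomains rather than by searching the URL for the string "paypal".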


Cisco Bug – CVE-2020-3158 

A vulnerability in the High Availability (HA) service of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to access a sensitive part of the system with a high-privileged account. The cause is a default, static password on a service account that the system administrator cannot control. An attacker could log in to this account with the default credentials and then connect to the Cisco Smart Software Manager On-Prem Base. As Cisco put it: “A successful exploit could allow the attacker to obtain read-and-write access to system data, including the configuration of an affected device.”

This is a critical-severity issue, rated 9.8 on the CVSS scale. Cisco has released a fix in Cisco Smart Software Manager On-Prem release 7-202001. The vulnerability only affects systems on which the HA feature is enabled, and HA is not enabled by default. Because the affected account's password is not under the administrator's control, simply changing credentials is not an option: CTRL Group recommends updating affected Cisco gear as soon as the fixed release is available and keeping the HA feature disabled unless it is genuinely required.


Cloud Snooper Attack

This attack combines several intricate techniques to let malware gain a foothold on the network and, once installed on a server, talk freely to its command-and-control (C&C) server straight through the firewall. It was first discovered on AWS, where the security groups were configured as they normally are for a web server: inbound HTTP/HTTPS allowed, everything else blocked. Cloud Snooper's maliciously crafted packets passed through that filter anyway, because the rootkit on the infected host picked its commands out of innocent-looking requests arriving on the permitted ports, traffic the firewall had no way of distinguishing from ordinary web requests. This gave the attackers control of the web server.

When it comes to prevention, AWS security groups provide a robust boundary firewall for EC2 instances, but a boundary firewall does not remove the need to keep every externally facing service fully patched: the packets in this attack arrived on exactly the ports the security group was meant to allow. Two further checks are worth making. First, tighten the outbound rules as well, since a new security group allows all outbound traffic by default and an implant that cannot reach its C&C server is far less useful. Second, run a disciplined patch management process that keeps every endpoint current and flags devices falling behind on updates. Any unpatched device on the network is an invitation for the attacker to break in.
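Because the firewall cannot see the difference, detection has to look at what the traffic does rather than which port it uses. Sophos's write-up of Cloud Snooper reported that the rootkit used the TCP source port of incoming packets to distinguish command traffic from ordinary web requests, which gives a SOC two things to hunt for in VPC Flow Logs: inbound connections to the web ports whose source port no real client would use, and connections the server itself initiates to places it has no business talking to. The script below is an added example written for this post, not code from Sophos or from the original article; the flow-log records are constructed, and the server IP, listening ports, allowed egress networks and the 1024 source-port threshold are assumptions for the example.

```python
"""Flow-log heuristics for the Cloud Snooper pattern.

Flags (a) inbound traffic to allowed web ports from a reserved source port,
which ordinary clients never use, and (b) connections the web server itself
initiates to networks outside an allowlist. Constructed example; not code
from the original post or from Sophos.
"""
from ipaddress import ip_address, ip_network

# Assumptions for the example: the web server's private IP, the ports it
# listens on, and the networks it is allowed to initiate connections to.
SERVER_IP = ip_address("10.0.1.5")
LISTENING_PORTS = {80, 443}
ALLOWED_EGRESS = [ip_network("10.0.0.0/16")]
RESERVED_PORT_CEILING = 1024  # assumed: clients do not pick source ports below this

# Constructed VPC Flow Log records (version 2 default field order):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 52344 443 6 9 2310 1582000000 1582000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 1010 80 6 3 180 1582000001 1582000061 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 198.51.100.7 80 1010 6 3 240 1582000001 1582000061 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 198.51.100.7 41000 8080 6 12 4096 1582000002 1582000062 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.20 47211 5432 6 40 9000 1582000003 1582000063 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.9 10.0.1.5 33007 22 6 1 60 1582000004 1582000064 REJECT OK
"""


def parse_flow_log(text):
    """Parse version-2 flow-log lines into dicts; skip anything malformed."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":
            continue
        records.append({
            "src": ip_address(f[3]), "dst": ip_address(f[4]),
            "srcport": int(f[5]), "dstport": int(f[6]),
            "proto": int(f[7]), "action": f[12],
        })
    return records


def detect(records, server_ip=SERVER_IP, listening_ports=LISTENING_PORTS,
           allowed_egress=ALLOWED_EGRESS):
    """Return (rule, peer, srcport, dstport) tuples for suspicious accepted TCP flows."""
    findings = []
    for r in records:
        if r["action"] != "ACCEPT" or r["proto"] != 6:  # accepted TCP only
            continue

        # (a) Inbound to a web port from a reserved source port: the security
        # group allows it, but no genuine browser or proxy sends from there.
        inbound = r["dst"] == server_ip and r["dstport"] in listening_ports
        if inbound and r["srcport"] < RESERVED_PORT_CEILING:
            findings.append(("reserved-source-port", str(r["src"]), r["srcport"], r["dstport"]))

        # (b) Server-initiated flow: the server is the source, and the source
        # port is not one it listens on, so this is not a reply to a client.
        initiated = r["src"] == server_ip and r["srcport"] not in listening_ports
        if initiated and not any(r["dst"] in net for net in allowed_egress):
            findings.append(("unexpected-egress", str(r["dst"]), r["srcport"], r["dstport"]))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_flow_log(SAMPLE_FLOW_LOG)):
        print(*finding)
```

Both rules are leads rather than verdicts: some NAT devices and scanners do emit low source ports, and the egress rule only works if the allowlist reflects what the server legitimately talks to (package mirrors, databases, monitoring). The egress rule is also the one that a tightened outbound security group would enforce rather than merely observe, which is the point of the recommendation above.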



– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYSTS, M-Singh & V-MSK