A Month In Breaches: June

This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends.

Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this will give some extra boost to your overall understanding of security breaches happening in the expansive and scary internet.

STATE SPONSORED CYBER ATTACK ON AUSTRALIA

On the 19th of June, Australian Prime Minister Scott Morrison announced that Australia was under a cyber-attack believed to be carried out by a state sponsored group. Organisations across all levels of government, healthcare, education and industry were targeted. The attackers were observed using a common script, and a consistent pattern of attack was identified. Vulnerabilities such as CVE-2019-18935, CVE-2019-19781 and CVE-2019-0604 are actively being used for initial access. It is imperative that Australian organisations are alert to this threat and take steps to enhance the resilience of their networks.

As part of mitigation, patching internet-facing software and applications is vital. Vulnerable versions of Microsoft IIS, Microsoft SharePoint, Citrix ADC and Telerik UI should be patched immediately. Employees should also be aware of spear phishing and credential harvesting attacks, to safeguard their email accounts and high privilege accounts from attackers. CTRL Group is actively monitoring to detect intrusions in the form of remote access and backdoor network deployment tools. Implementing MFA across the network is also highly recommended to protect user accounts against credential abuse.

CISCO WEBEX AND ROUTER BUGS ALLOW FOR CODE EXECUTION (CVE-2020-3342)

Cisco has identified three high severity flaws in their web conferencing app (Webex), one of which could allow an unauthenticated attacker to perform RCE (Remote Code Execution). According to Cisco, the flaw stems from improper validation of the cryptographic protections on files that the application downloads as part of a software update. An attacker could exploit this vulnerability by persuading a user to visit a website that returns malicious files to the client, files that resemble those returned by a legitimate Webex website. A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the user.

Remote code execution is the ability of an attacker to access someone else's computing device and make changes to it, no matter where the device is geographically located. Versions of the Webex Meetings Desktop App for Mac earlier than Release 39.5.11 are affected; a fix is available in releases 39.5.11 and later. Windows versions of the app are not affected. CTRL Group recommends applying the fixes available from Cisco's website after validating the cryptographic protections on the update.

PALO ALTO NETWORKS BUG

A critical vulnerability has been identified in a series of Palo Alto Networks devices and enterprise level VPN appliances. It can allow an attacker to take over devices without any authentication. The affected versions are PAN-OS 9.1 earlier than 9.1.3, PAN-OS 9.0 earlier than 9.0.9, PAN-OS 8.1 earlier than 8.1.15, and all versions of PAN-OS 8.0 (EOL). PAN-OS 7.1 is not affected. The authentication bypass is only possible when SAML authentication is enabled on the Palo Alto device and the "Validate Identity Provider Certificate" option is unchecked.
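To make the "Validate Identity Provider Certificate" condition concrete, here is an added example (not code from the original post or from Palo Alto Networks) showing the trust decision a service provider makes when a SAML response arrives: either it pins the identity provider's signing certificate from configuration, or it takes the certificate embedded in the message itself. The XML-Signature arithmetic is assumed to be done by a proper library such as xmlsec and is not repeated here; the certificates, issuer URL and SAML message are constructed placeholders.

```python
"""
Added example: pinned versus embedded signing certificate in SAML validation.
All certificate bytes, the issuer and the response below are constructed
stand-ins, not real material.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

IDP_ISSUER = "https://idp.example.invalid/saml"          # constructed
IDP_CERT_DER = b"constructed-idp-signing-certificate"   # constructed, not DER
ROGUE_CERT_DER = b"constructed-attacker-certificate"    # constructed, not DER


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a certificate; this is what gets pinned in config."""
    return hashlib.sha256(der).hexdigest()


def build_response(cert_der: bytes, issuer: str = IDP_ISSUER) -> str:
    """Constructed SAML Response skeleton carrying a certificate in ds:KeyInfo."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<ds:Signature xmlns:ds="{NS["ds"]}">'
        "<ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>"
        f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}"
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
        '<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>admin</saml:NameID>'
        "</saml:Subject></saml:Assertion></samlp:Response>"
    )


def check_response(xml_text: str, pinned_fingerprint: str, expected_issuer: str,
                   validate_idp_cert: bool = True):
    """Return (accepted, reason). validate_idp_cert mirrors the PAN-OS checkbox."""
    root = ET.fromstring(xml_text)
    issuer_el = root.find("saml:Issuer", NS)
    if issuer_el is None or (issuer_el.text or "").strip() != expected_issuer:
        return False, "issuer mismatch"
    cert_el = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not (cert_el.text or "").strip():
        return False, "no signing certificate in response"
    embedded = base64.b64decode(cert_el.text.strip())
    if not validate_idp_cert:
        # Weak configuration: the key the signature is checked against comes
        # from the message itself, so whoever crafts the message also chooses
        # the key, and a library signature check would pass for them.
        return True, "accepted: embedded certificate trusted without validation"
    if fingerprint(embedded) != pinned_fingerprint:
        return False, "signing certificate does not match pinned IdP certificate"
    return True, "accepted: certificate matches pinned IdP certificate"


if __name__ == "__main__":
    pinned = fingerprint(IDP_CERT_DER)
    for label, resp in (("genuine", build_response(IDP_CERT_DER)),
                        ("rogue", build_response(ROGUE_CERT_DER))):
        for strict in (True, False):
            ok, why = check_response(resp, pinned, IDP_ISSUER, validate_idp_cert=strict)
            print(f"{label:8} validate={strict!s:5} -> {ok} ({why})")
```

The issuer string alone gives no protection: the rogue response above names the real IdP as its issuer and is still only rejected when the certificate is pinned.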

This vulnerability does not require advanced technical skills, and attackers do not need to be inside the device or the network first; the device can be targeted directly over the internet. Remediation requires updating all affected versions. While doing so, administrators should ensure that the signing certificate for their SAML identity provider is configured as the "Identity Provider Certificate". Palo Alto Networks has officially published steps to mitigate this issue. CTRL Group also suggests implementing strong patch management: security upgrades for software rely on patch management to fix known weaknesses before attackers can exploit them.
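Patch management starts with knowing which devices fall inside an advisory's affected ranges. The following added example (not from the original post or from Palo Alto Networks) encodes the PAN-OS ranges quoted above as an inventory check. It combines the version test with the two SAML conditions so that a device is only reported as exposed when all three hold, and it keeps the 8.0 branch (end of life, no fixed release) and the unaffected 7.1 branch distinct. The hotfix suffix format and the device inventory are constructed assumptions.

```python
"""
Added example: flagging PAN-OS devices against the affected versions quoted
in the post. Device records below are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

EXPOSED = "EXPOSED"                       # vulnerable build, SAML on, validation off
VULNERABLE_NOT_EXPOSED = "VULNERABLE_NOT_EXPOSED"  # vulnerable build, patch anyway
PATCHED = "PATCHED"
NOT_AFFECTED = "NOT_AFFECTED"             # PAN-OS 7.1 per the advisory
NOT_IN_ADVISORY = "NOT_IN_ADVISORY"       # branch the quoted advisory does not mention

# First fixed release per affected branch; None means the whole branch is
# affected with no fixed release (8.0 is end of life).
FIXED_RELEASE: Dict[Tuple[int, int], Optional[Tuple[int, int, int]]] = {
    (9, 1): (9, 1, 3),
    (9, 0): (9, 0, 9),
    (8, 1): (8, 1, 15),
    (8, 0): None,
}
UNAFFECTED_BRANCHES = {(7, 1)}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '9.1.2' or '8.1.15-h3' into (major, minor, patch); the hotfix
    suffix format is an assumption and is ignored for the comparison."""
    core = version.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def status(version: str, saml_enabled: bool, validate_idp_cert: bool) -> str:
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in UNAFFECTED_BRANCHES:
        return NOT_AFFECTED
    if branch not in FIXED_RELEASE:
        return NOT_IN_ADVISORY
    fixed = FIXED_RELEASE[branch]
    if fixed is not None and (major, minor, patch) >= fixed:
        return PATCHED
    # Vulnerable code is present; exploitability needs both SAML conditions.
    if saml_enabled and not validate_idp_cert:
        return EXPOSED
    return VULNERABLE_NOT_EXPOSED


def triage(inventory: List[dict]) -> Dict[str, str]:
    """Map device name to status for a list of {name, version, saml, validate} records."""
    return {d["name"]: status(d["version"], d["saml"], d["validate"]) for d in inventory}


if __name__ == "__main__":
    # Constructed inventory, not real devices.
    sample = [
        {"name": "fw-edge-1", "version": "9.1.2", "saml": True, "validate": False},
        {"name": "fw-edge-2", "version": "9.1.3", "saml": True, "validate": False},
        {"name": "fw-legacy", "version": "8.0.20", "saml": True, "validate": False},
        {"name": "fw-lab", "version": "7.1.26", "saml": True, "validate": False},
        {"name": "fw-dc-1", "version": "8.1.14-h2", "saml": False, "validate": True},
    ]
    for name, result in triage(sample).items():
        print(f"{name:10} {result}")
```

The EOL branch is the case most easily mishandled by a naive "is my version below the fixed one" check: with no fixed release, every 8.0 build stays vulnerable until the device is moved to a supported branch.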


– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYSTS, M-Singh & V-MSK