Flaw in Popular PDF Creation Library Enabled Remote Code Execution

Polict, a cybersecurity researcher, found a new exploit in PHP that relies on deserialization to 'unpack' malicious code that can be remotely executed.  The original flaw was fixed in September of 2018, but Polict found another method using XSS to inject code and initiate the deserialization process.  He disclosed the flaw privately to the TCPDF developers in September 2018, and that flaw was fixed within a month.  Users of TCPDF are safe as long as they are using version 6.2.22 and above.

Relevant URL(s): https://nakedsecurity.sophos.com/2019/03/21/flaw-in-popular-pdf-creation-library-enabled-remote-code-execution/

PDF Signature Spoofing

PDF signatures are a way to check the authenticity and edits of a PDF document to ensure it is not a fraud attempt.  Recently, PDF-Insecurity.org found a way to edit a PDF after it had been signed and would not reflect that anything had been changed.  To determine how severe the issue was, they tested it against native desktop applications, as well as online validation software and found that 21 out of 22 desktop applications failed to report the changes along with 5 out of the 7 online validation clients.  PDF-Insecurity reached out to the companies that did not recognize the change and have been working with them to get the issue fixed.  It is always advised to check the signature of a PDF, and if something seems off, ask the sender for validation of the information. 


Relevant URL(s): https://www.pdf-insecurity.org/index.html

New WordPress Flaw Lets Unauthenticated Remote Attackers Hack Sites

A content management software (CMS) flaw exists that can lead to remote code execution attacks in WordPress versions that have not been updated to 5.1.1.  The exploit allows the attacker to take complete control over a compromised WordPress website remotely by injecting a payload via XSS that modifies the template to include a PHP backdoor.  Everything happens in one swift step and without alerting an administrator.  WordPress 5.1.1 fixes the issue, so any users that have not updated are highly encouraged to do so immediately.

Relevant URL(s): https://thehackernews.com/2019/03/hack-wordpress-websites.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29&_m=3n.009a.1946.nk0ao093p4.17bh

Word Bug Allows Attackers to Sneak Exploits Past Anti-Malware Defenses

Anti-malware controls and enterprise sandboxes are being circumvented due to a flaw discovered in the way Microsoft Word processes integer overflow errors for Object Linking and Embedding (OLE) file formats.  By leveraging this flaw, attackers can cloak any payload and trick Microsoft Word into not functioning correctly and delivering regardless of controls.  Microsoft has been alerted about the exploit and acknowledges the abnormal behavior, but has no immediate plan to fix the issue because there is no memory corruption or code execution directly linked to the flaw.

Relevant URL(s): https://www.darkreading.com/attacks-breaches/word-bug-allows-attackers-to-sneak-exploits-past-anti-malware-defenses/d/d-id/1334070

Google Discloses Unpatched 'High-Severity' Flaw in Apple macOS Kernel

Project Zero, a cybersecurity research division at Google, recently disclosed a 'High Severity' flaw in macOS due to the way the XNU kernel allows filesystem image manipulations without informing the operating system.  Copy-On-Write (COW) is a resource management and optimization strategy that allows two processes to access data from the same source without making a copy.  If a change is made, COW makes a copy of the data in the memory so that both processes have the original data accessible.  Project Zero gave a 90 day period to fix the flaw after Apple silently acknowledged the issue.  Apple missed the deadline, causing the exploit to be publicly disclosed.

Relevant URL(s): https://thehackernews.com/2019/03/cybersecurity-macos-hacking.html

WARNING - New Phishing Attack That Even Most Vigilant Users Could Fall For

Antoine Vincent Jebara recently discovered a new phishing campaign to which even the most vigilant users could fall victim.  An increasing amount of websites are offering the ability to log in using Facebook which is a generally safe way to access a website.  An attacker has taken the time to produce a site that looks identical to a Facebook prompt with green HTTPS, shadows, status and navigation bars, and even a link to Facebook.  It is actually a phishing scam that steals the victim's credentials when entered.  The only way to tell it is a phishing scam is to drag the prompt to the edge of the screen to make it disappear.  If the prompt disappears, it is a fake.

Relevant URL(s): https://thehackernews.com/2019/02/advance-phishing-login-page.html


Snapd Flaw Lets Attackers Gain Root Access On Linux Systems

Security researcher Chris Moberly discovered a flaw called "Dirty_Sock" (CVE-2019-7304) that exploits a sever privilege escalation vulnerability and allows an attacker to gain root access on Linux systems.  The REST API for Snapd service is where the vulnerability resides with versions 2.28 through 2.37 being susceptible because of an incorrectly validated and parsed remote socket.  The vulnerability has been addressed in version 2.37.1, and it is highly recommended that Ubuntu users update immediately.

Relevant URL(s): https://thehackernews.com/2019/02/snapd-linux-privilege-escalation.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+TheHackersNews+(The+Hackers+News+-+Cyber+Security+Blog)&_m=3n.009a.1928.nk0ao093p4.16u0

Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions

Credit Unions along with other financial organizations became the target of a phishing campaign in February that has sparked a fear that a regulatory agency may have been compromised.  Bank Secrecy Act (BSA) contacts received emails that appeared to be from other BSA officers and claimed a member of their credit union had received a suspicious money transfer and the account was being locked.  The email included a PDF that was not malicious according to a scan by virustotal.com but contained a malicious link.  Only BSA officers were targeted which introduced the question of what agencies hold that data and might have been compromised.  The NCUA and CUNA have released statements that they were not breached and left the situation as a lingering mystery.  It is essential never to click embedded links or open files that are sent from an unknown / untrusted source.

Relevant URL(s): https://krebsonsecurity.com/2019/02/phishers-target-anti-money-laundering-officers-at-u-s-credit-unions/

Cybercriminal Exploit Gmail Feature to Scale Up Attacks

Security vendor Agari announced in February that attackers are taking advantage of a long-standing Gmail feature to create multiple accounts rapidly.  Google believes that "dots don't matter" and therefore treats certain variations of an email as the same.  For example, Johndoe@gmail.com is treated the same as john.doe@gmail.com and jo.hn.do.e@gmail.com, but johndoe@gmail.com will receive the correspondence sent to the variations.  Attackers have used this trick to submit 48 credit card applications and conduct $65,000 in fraudulent credit charges.  It has also been used to file tax returns; submit a change-of-address; apply for unemployment; and submit for FEMA disaster assistance.  Organizations are urged to watch for the rapid creation of accounts that contain dots(.) in the username to help mitigate this threat.

Relevant URL(s): https://www.darkreading.com/attacks-breaches/cybercriminals-exploit-gmail-feature-to-scale-up-attacks-/d/d-id/1333800

SpeakUp Linux Backdoor Sets Up for Major Attack

A backdoor trojan dubbed "SpeakUp" is a new threat that has been targeting Linux servers.  CVE-2018-20062 was the initial infection vector that targeted a remote code execution vulnerability.  It has infected over 70,000 servers worldwide and is currently being used for crypto mining campaigns.  The trojan is capable of infecting on-premises and cloud-based servers.  While it is presently affecting Linux machines, it also has the capabilities to infect MacOS.  Given its broad spectrum of capabilities, researchers are wondering what it will ultimately be used for, fearing that it may have other threat factors.  One of the fears is that once the trojan has infected a host, the attacker will sell the capabilities to the highest bidder.  It is recommended to consistently scan for trojans and apply patches when they are released.

Relevant URL(s): https://threatpost.com/speakup-linux-backdoor/141431/

Microsoft Exchange Vuln Enables Attackers to Gain Admin Privileges

A vulnerability exists within Microsoft Exchange that enables a general user to escalate their permissions to Domain Administrator. The problem is due to a default privilege that is enabled with Microsoft Exchange 2013 and later. All an attacker needs to achieve Domain Admin is access to an Exchange account without an altered registry, and they can escalate to full control of the domain. It is highly recommended that the fix published by Microsoft be applied to all users of Microsoft Exchange. The below links describe the vulnerability in greater detail and offer the steps for implementation of the fix.

Relevant URL(s):

https://www.darkreading.com/microsoft-exchange-vuln-enables-attackers-to-gain-domain-admin-privileges/d/d-id/1333758

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8581

New Exploit Threatens Over 9,000 Hackable RV320/RV325 Routers Worldwide

Cisco recently released a patch for the RV320 and RV325 routers that fixes two separate high-severity vulnerabilities. The vulnerabilities are remotely executable and contained within the web-based management interface. One of the vulnerabilities is a command injection flaw, while the other is information disclosure. If an attacker utilized both exploits, they can achieve full control of the device. Firmware release 1.4.2.20 can be applied to both the RV320 and RV325 to fix the vulnerabilities. Organizations with either of the two routers are urged to update immediately.

Relevant URL(s): https://thehackernews.com/2019/01/hacking-cisco-routers.html

Cyberattackers Bait Financial Firms with Google Cloud Platform

Attackers are leveraging Google Cloud Platform to trick victims and deliver payloads of malware. At least 42 organizations, mostly in the financial sector, have been targeted with this attack due to Google App Engine being whitelisted by most organizations for business functions. Attackers create a decoy PDF and attach it to a convincing email that tries to get the reader to click the file. Upon opening the PDF and clicking the link, the user is redirected to a failed website where a malicious word document is downloaded. If the user opens the word document and enables editing, the document executes a macro, and the malware is downloaded. It is recommended to continually instill best practices with phishing email recognition and ensure only required individuals have access to enable macros.

Relevant URL(s): https://www.darkreading.com/attacks-breaches/cyberattackers-bait-financial-firms-with-google-cloud-platform/d/d-id/1333729#

DHS Issues Emergency Directive on DNS Security

On January 22, 2019, the US-CERT released an emergency notice with regards to DNS Security. Details have been published that a .gov user account was fully compromised and that the attack could have been happening since 2017. Any personnel that manages a .gov domain has been mandated to provide DNS audit documents, enable two-factor authentication, change the password of any DNS Admin privileged account, and all within ten days. The applicability of this notice is not only .gov domains, as it stresses the importance and precaution that all domain managers should take when looking at DNS security. 

Relevant URL(s): https://www.darkreading.com/vulnerabilities-and-threats/dhs-issues-emergency-directive-on-dns-security/d/d-id/1333716


Bug in Widespread Wi-Fi Chipset Firmware can Lead to Zero-Click Code Execution

Denis Selianin, a security researcher, discovered a zero-click code execution vulnerability in a popular Wi-Fi chipset that is used in a variety of devices. Marvell Avastar driver code is used to load proprietary ThreadX firmware to Wi-Fi SoC (System on Chip). Selianin discovered that the Wi-Fi system scans for networks every five minutes whether it is connected or not. He then demonstrated how during the scan, "an attacker could chain that exploit with an escalation of privilege vulnerability to execute code on the application processor of SteamLink, a desktop streaming device that sports the vulnerable Marvell Avastar Wi-Fi SoC." Marvell has since released an update and alerted users of the exploit advising them to update. This vulnerability is not known to have been exploited outside of a controlled environment.


Relevant URL(s): https://www.helpnetsecurity.com/2019/01/21/marvell-avastar-wi-fi-vulnerability/

Microsoft Issues Emergency Fix for IE Zero Day

Microsoft recently released an emergency patch to fix an exploit in their Internet Explorer (IE) Web Browser. Microsoft received an alert from Google regarding the exploit (CVE-2018-8653). When an attacker utilizes the exploit, they are able to install programs, create accounts, and manipulate data. The exploit currently affects Internet Explorer 11 on Windows 7 through 10 and on Windows Server 2012, 2016, and 2019; Internet Explorer 9 on Server 2008; and Internet Explorer 10 on Server 2012. All users of the aforementioned systems are urged to update their systems as soon as possible.

Relevant URL(s): https://krebsonsecurity.com/2018/12/microsoft-issues-emergency-fix-for-ie-zero-day/

RCE in Windows DNS Server

Windows Domain Name System (DNS) servers have a remote code execution vulnerability when the server improperly handles a request, allowing arbitrary code to be run in the context of the Local System Account. An attacker may try and exploit this vulnerability by sending a malicious request that will not be handled properly. It is recommended that all users apply the latest update to address the vulnerability.


Relevant URL(s): https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8626

Criminals Use Locally Connected Devices to Attack

Kaspersky lab has named a new string of hacks the "DarkVishnya" campaign. During the campaign, attackers would plant devices within a bank's infrastructure and would then access them remotely to launch their attacks. The devices were configured to "hide" with like systems on the network, making them difficult to find. The attackers used this system to infiltrate at least eight different banks in Eastern Europe and steal more than ten million dollars. It is imperative that organizations be alerted when a new system accesses the network and to investigate every occurrence.

Relevant URL(s): https://www.darkreading.com/attacks-breaches/criminals-use-locally-connected-devices-to-attack-loot-banks/d/d-id/1333439


FSSCC, Financial Trade Associations Unveil New Cybersecurity Profile

The Financial Services Sector Coordinating Council (FSSCC) has unveiled a new Profile that is designed to allow cybersecurity experts more time on "protecting global financial platforms, rather than compliance activity." It will help organizations to understand and assess their "cybersecurity risk management governance, processes, capabilities, and regulatory compliance posture as expected against the various Impact Tier levels to which they correspond." The Profile is still under development and is awaiting approval, but promises to help institutions reduce the time it takes to complete a comprehensive assessment. 

Relevant URL(s): https://www.fsscc.org/Financial-Sector-Cybersecurity-Profile

Microsoft Office Account Hijacking Bug

A bug was recently discovered that allowed a researcher to hijack a Microsoft subdomain. The researcher was able to control the domain "success.office.com" including any data that was processed. He was also able to "trick" Microsoft Office into sending authenticated login tokens through "success.office.com" after a user entered and submitted their credentials. With this bug, a successful phishing attack would have provided a hacker with full access to the Office account. The bug was fixed, but it is still advised that organizations mitigate risk by pushing the importance of recognizing a phishing scam.

Relevant URL(s): https://techcrunch.com/2018/12/11/microsoft-login-bug-hijack-office-accounts/