Microsoft Exchange Vuln Enables Attackers to Gain Admin Privileges

A vulnerability exists within Microsoft Exchange that enables an ordinary user to escalate their permissions to Domain Administrator. The problem is due to a default privilege that is enabled in Microsoft Exchange 2013 and later. All an attacker needs to achieve Domain Admin is access to an Exchange account on a server whose registry has not been altered as a mitigation; from there they can escalate to full control of the domain. It is highly recommended that all users of Microsoft Exchange apply the fix published by Microsoft. The links below describe the vulnerability in greater detail and give the steps for implementing the fix.

Relevant URL(s):

https://www.darkreading.com/microsoft-exchange-vuln-enables-attackers-to-gain-domain-admin-privileges/d/d-id/1333758

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8581

New Exploit Threatens Over 9,000 Hackable RV320/RV325 Routers Worldwide

Cisco recently released a patch for the RV320 and RV325 routers that fixes two separate high-severity vulnerabilities. Both are remotely exploitable and reside in the web-based management interface. One is a command injection flaw, the other an information disclosure. By chaining the two, an attacker can gain full control of the device. Firmware release 1.4.2.20 fixes the vulnerabilities on both the RV320 and RV325. Organizations running either router are urged to update immediately.

Relevant URL(s): https://thehackernews.com/2019/01/hacking-cisco-routers.html

Cyberattackers Bait Financial Firms with Google Cloud Platform

Attackers are leveraging Google Cloud Platform to trick victims and deliver malware payloads. At least 42 organizations, mostly in the financial sector, have been targeted, and the attack works because most organizations whitelist Google App Engine for business functions. Attackers create a decoy PDF and attach it to a convincing email that tries to get the reader to open the file. Upon opening the PDF and clicking the link, the user is redirected to a website that appears to be broken while a malicious Word document is downloaded. If the user opens the Word document and enables editing, the document runs a macro that downloads the malware. It is recommended to continually reinforce best practices for recognizing phishing email and to ensure that only individuals who require it are able to enable macros.

Relevant URL(s): https://www.darkreading.com/attacks-breaches/cyberattackers-bait-financial-firms-with-google-cloud-platform/d/d-id/1333729#

DHS Issues Emergency Directive on DNS Security

On January 22, 2019, US-CERT released an emergency notice regarding DNS security. Details have been published that a .gov user account was fully compromised and that the attack could have been ongoing since 2017. All personnel who manage a .gov domain have been mandated, within ten days, to provide DNS audit documents, enable two-factor authentication, and change the password of every account with DNS administrator privileges. The notice does not apply only to .gov domains; it stresses the importance of the precautions every domain manager should take regarding DNS security.

Relevant URL(s): https://www.darkreading.com/vulnerabilities-and-threats/dhs-issues-emergency-directive-on-dns-security/d/d-id/1333716

Bug in Widespread Wi-Fi Chipset Firmware can Lead to Zero-Click Code Execution

Denis Selianin, a security researcher, discovered a zero-click code execution vulnerability in a popular Wi-Fi chipset that is used in a variety of devices. The Marvell Avastar driver code loads proprietary ThreadX firmware onto the Wi-Fi SoC (System on Chip). Selianin discovered that the Wi-Fi system scans for networks every five minutes whether or not it is connected. He then demonstrated how, during the scan, "an attacker could chain that exploit with an escalation of privilege vulnerability to execute code on the application processor of SteamLink, a desktop streaming device that sports the vulnerable Marvell Avastar Wi-Fi SoC." Marvell has since released an update and alerted users, advising them to apply it. This vulnerability is not known to have been exploited outside of a controlled environment.

Relevant URL(s): https://www.helpnetsecurity.com/2019/01/21/marvell-avastar-wi-fi-vulnerability/

Microsoft Issues Emergency Fix for IE Zero Day

Microsoft recently released an emergency patch for an actively exploited vulnerability in its Internet Explorer (IE) web browser. Microsoft was alerted to the exploit (CVE-2018-8653) by Google. An attacker who exploits it is able to install programs, create accounts, and manipulate data. The vulnerability affects Internet Explorer 11 on Windows 7 through 10 and on Windows Server 2012, 2016, and 2019; Internet Explorer 9 on Server 2008; and Internet Explorer 10 on Server 2012. All users of the aforementioned systems are urged to update as soon as possible.

Relevant URL(s): https://krebsonsecurity.com/2018/12/microsoft-issues-emergency-fix-for-ie-zero-day/

RCE in Windows DNS Server

Windows Domain Name System (DNS) servers have a remote code execution vulnerability that is triggered when the server improperly handles a request, allowing arbitrary code to run in the context of the Local System account. An attacker may attempt to exploit this vulnerability by sending a malicious request that the server fails to handle properly. It is recommended that all users apply the latest update to address the vulnerability.

Relevant URL(s): https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8626

Criminals Use Locally Connected Devices to Attack

Kaspersky Lab has named a new series of attacks the "DarkVishnya" campaign. During the campaign, attackers planted devices within a bank's infrastructure and then accessed them remotely to launch their attacks. The devices were configured to "hide" among similar systems on the network, making them difficult to find. The attackers used this approach to infiltrate at least eight different banks in Eastern Europe and steal more than ten million dollars. It is imperative that organizations be alerted when a new system joins the network and that they investigate every occurrence.

Relevant URL(s): https://www.darkreading.com/attacks-breaches/criminals-use-locally-connected-devices-to-attack-loot-banks/d/d-id/1333439

FSSCC, Financial Trade Associations Unveil New Cybersecurity Profile

The Financial Services Sector Coordinating Council (FSSCC) has unveiled a new Profile designed to let cybersecurity experts spend more time on "protecting global financial platforms, rather than compliance activity." It will help organizations understand and assess their "cybersecurity risk management governance, processes, capabilities, and regulatory compliance posture as expected against the various Impact Tier levels to which they correspond." The Profile is still under development and awaiting approval, but it promises to help institutions reduce the time it takes to complete a comprehensive assessment.

Relevant URL(s): https://www.fsscc.org/Financial-Sector-Cybersecurity-Profile

Microsoft Office Account Hijacking Bug

A bug was recently discovered that allowed a researcher to hijack a Microsoft subdomain. The researcher was able to control the domain "success.office.com", including any data that it processed. He was also able to "trick" Microsoft Office into sending authenticated login tokens through "success.office.com" after a user entered and submitted their credentials. With this bug, a successful phishing attack would have given a hacker full access to the victim's Office account. The bug has been fixed, but organizations are still advised to mitigate risk by continuing to stress the importance of recognizing phishing scams.

Relevant URL(s): https://techcrunch.com/2018/12/11/microsoft-login-bug-hijack-office-accounts/

ISACA Refreshes COBIT Framework to Address the Latest Business Technology Trends and Standards

ISACA has released the first update in over five years to the COBIT framework. COBIT 2019 offers guidance to organizations that will help with information technology management and governance. The guidance is being released in four phases that focus on technological trends and priorities, updates aligned with current industry standards, and a guide that will help organizations build a governance system that meets their specific needs.

Relevant URL(s): https://www.helpnetsecurity.com/2018/11/14/isaca-cobit-2019-framework/

Lazarus 'FASTCash' Bank Hackers Wield AIX Trojan

Lazarus, a North Korean hacking group, has been tied to an attack known as 'FASTCash', which it executes by breaching a bank's network and injecting a Trojan. The Trojan intercepts the cash withdrawal requests issued by Lazarus and sends a fake approval, allowing the attackers to withdraw the cash. The attack is known to have been behind fraudulent withdrawals in excess of $10 million. FASTCash has been in use since 2016 and has targeted institutions in Asia and Africa. The attackers were exploiting outdated versions of AIX, an IBM operating system. It is recommended that banks ensure all systems are appropriately updated to minimize the risk of an attack.

Relevant URL(s): https://www.bankinfosecurity.com/lazarus-fastcash-bank-hackers-wield-aix-trojan-a-11694

New Bluetooth Vulnerabilities Exposed in Aruba, Cisco, Meraki Access Points

A vulnerability has been uncovered in Aruba, Cisco, and Meraki access points. The flaw lies in their Bluetooth Low Energy (BLE) chips. An attacker can load data packets containing malicious code onto the chip and then send an execution packet that makes the system execute the previously loaded data. The executed code gives the attacker full access to the device. The Aruba device has over-the-air updating capabilities, which allow the attacker to drop a larger payload. Cisco has already published an update for its devices, and Meraki has released guidance to help users disable this functionality.

Relevant URL(s):

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181101-ap
https://documentation.meraki.com/MR/Bluetooth/Bluetooth_Low_Energy_(BLE)#Enable_Bluetooth_Scanning

Companies Implementing DevSecOps Address Vulnerabilities Faster Than Others

A recent study reports that DevSecOps is providing better security with higher efficiency. It also provides flaw persistence analysis, which "measures the longevity of flaws after first discovery." SOSS has been documenting DevSecOps practices for three years, and the data shows a direct correlation between "security scanning and lower long-term application risk." Active DevSecOps programs fix flaws more quickly than traditional organizations do. The data also supports that DevSecOps programs respond "more than 11.5 times faster."

Relevant URL(s): https://www.helpnetsecurity.com/2018/11/05/implementing-devsecops/
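The flaw persistence metric quoted above is easy to get wrong in practice: if flaws that are still open are simply left out, a program that never closes anything looks excellent. The following is an added example (not code from the study or the article) that computes persistence over a constructed set of scan records, measuring still-open flaws up to the reporting date so they count against the program. The interpretation of "longevity" as median days from first discovery to closure, and the sample dates, are assumptions made here.

```python
from datetime import date
from statistics import median

# Constructed scan records (not data from the study): flaw id, date first
# discovered, date closed (None = still open at reporting time).
RECORDS = {
    "devsecops": [
        ("F-1", date(2018, 9, 3), date(2018, 9, 10)),
        ("F-2", date(2018, 9, 5), date(2018, 9, 6)),
        ("F-3", date(2018, 9, 20), None),
    ],
    "traditional": [
        ("F-4", date(2018, 6, 1), date(2018, 9, 1)),
        ("F-5", date(2018, 7, 15), date(2018, 9, 30)),
        ("F-6", date(2018, 8, 1), None),
    ],
}


def persistence_days(first_found, closed, as_of):
    """Longevity of one flaw after first discovery, in days.

    Open flaws are measured up to the reporting date rather than dropped,
    so an unfixed backlog cannot flatter the numbers.
    """
    end = closed if closed is not None else as_of
    if end < first_found:
        raise ValueError("closure/reporting date precedes discovery date")
    return (end - first_found).days


def summarize(records, as_of):
    """Per program: median persistence, share still open, and flaw count."""
    summary = {}
    for program, flaws in records.items():
        days = [persistence_days(found, closed, as_of) for _, found, closed in flaws]
        still_open = sum(1 for _, _, closed in flaws if closed is None)
        summary[program] = {
            "median_days": median(days),
            "open_ratio": still_open / len(flaws),
            "count": len(flaws),
        }
    return summary


def speedup(summary, fast="devsecops", slow="traditional"):
    """How many times faster the fast program closes flaws, by median persistence."""
    return summary[slow]["median_days"] / summary[fast]["median_days"]


if __name__ == "__main__":
    report_date = date(2018, 10, 1)  # constructed reporting date
    result = summarize(RECORDS, report_date)
    for program, stats in result.items():
        print(f"{program}: median {stats['median_days']} days, "
              f"{stats['open_ratio']:.0%} still open, n={stats['count']}")
    print(f"speedup: {speedup(result):.1f}x")
```

Tracking the open ratio alongside the median is the check a practitioner wants: a low median with a high open ratio means fast triage of easy findings, not a healthy program.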

SMS Phishing + Cardless ATM = Profit

Cardless ATMs are a new feature offered by banks that allows customers to withdraw cash from an ATM using their phone. Attackers are pairing that functionality with SMS phishing attacks that falsely notify users that their accounts have been locked. The provided link takes the user to a mimicked website that prompts for their login credentials. Once the attacker has the user's credentials, they can initiate a withdrawal at an ATM and scan the QR code to collect the funds. It is recommended to remind customers never to respond to text messages or emails about their personal finances.

Relevant URL(s): https://krebsonsecurity.com/2018/11/sms-phishing-cardless-atm-profit/

Patch Now! Multiple Serious Flaws Found in Drupal

Drupal maintainers have distributed patches for five security vulnerabilities, two of which are rated 'critical'. The two critical flaws allow remote code execution in Drupal versions 7.x and 8.x. Three moderate flaws also affect Drupal 7 and 8 and can be used for cache poisoning, open redirects to malicious URLs, and a content moderation access bypass. The recommendation is to upgrade 7.x to 7.60, 8.6.x to 8.6.2, and 8.5.x or earlier to 8.5.8.

Relevant URL(s): https://nakedsecurity.sophos.com/2018/10/23/patch-now-multiple-serious-flaws-found-in-drupal/
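The upgrade guidance above has a branch-specific twist (8.5.x *or earlier* must go to 8.5.8, not to the newest 8.6 release) that is easy to get wrong when checking a fleet by hand. The following is an added example, not code from the article or from the Drupal project, that encodes exactly those fixed releases and reports which hosts in a constructed inventory still need action. The host names and versions are made up for illustration.

```python
# Minimum fixed release per branch, exactly as stated in the summary above:
# 7.x -> 7.60, 8.6.x -> 8.6.2, 8.5.x or earlier -> 8.5.8.
FIXED = {
    "7": (7, 60),
    "8.5": (8, 5, 8),
    "8.6": (8, 6, 2),
}


def parse_version(text):
    """Turn '8.6.1' into (8, 6, 1); tolerate suffixes such as '8.4.3-dev'."""
    core = text.strip().split("-")[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def required_release(version):
    """Return the release this version must be upgraded to, or None if it is
    already at or above the fixed release for its branch."""
    major = version[0]
    if major == 7:
        target = FIXED["7"]
    elif major == 8:
        minor = version[1] if len(version) > 1 else 0
        # 8.6.x goes to 8.6.2; anything 8.5.x or earlier goes to 8.5.8
        target = FIXED["8.6"] if minor >= 6 else FIXED["8.5"]
    else:
        return None  # branches the advisory does not cover
    # Pad short versions ('7' -> (7, 0)) so tuple comparison is element-wise
    padded = version + (0,) * (len(target) - len(version))
    return target if padded < target else None


def audit(inventory):
    """Map host -> required release string, listing only hosts needing action."""
    findings = {}
    for host, version_text in inventory.items():
        target = required_release(parse_version(version_text))
        if target is not None:
            findings[host] = ".".join(str(n) for n in target)
    return findings


# Constructed inventory of hypothetical hosts (not from the article)
SAMPLE_INVENTORY = {
    "www-1": "7.59",
    "www-2": "7.60",
    "intranet": "8.6.1",
    "blog": "8.5.6",
    "archive": "8.4.3-dev",
    "staging": "8.6.2",
}

if __name__ == "__main__":
    for host, target in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: upgrade to {target}")
```

In practice the inventory would be fed from whatever reports the installed Drupal core version on each host; the point of the script is that the branch logic lives in one place and is asserted against the advisory's own numbers rather than against "latest".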

HIDDEN COBRA - FASTCash Campaign

The DHS, FBI, and Treasury have identified 'malware and other indicators of compromise (IOCs)' that the North Korean government used for an ATM cash-out scheme. They have named the activity HIDDEN COBRA and refer to the attack as 'FASTCash'. The attackers remain in the victim's network to enable the exploitation. If users or administrators detect malware activity tied to FASTCash, they should report it immediately to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch).

Relevant URL(s): https://www.us-cert.gov/ncas/alerts/TA18-275A

Windows PCs Vulnerable To RID Hijacking; Grants Full System Access To Attackers

Sebastian Castro, a security researcher, discovered a technique for obtaining admin rights and boot persistence on Windows PCs that is easy to execute and difficult to stop. Account security identifiers (SIDs) have a Relative Identifier (RID) associated with them. RIDs define the access level of the account and are easily manipulated. The manipulation can be carried out on Windows XP through 10 and on Server 2003 through 2016. Microsoft has yet to release a statement or patch for this vulnerability. Fortunately, the technique is not yet widely known, but users of Windows systems are advised to monitor their accounts closely and investigate any that appear suspicious.

Relevant URL(s): https://fossbytes.com/windows-pcs-vulnerable-to-rid-hijacking-grants-full-system-access-to-attackers/

FFIEC Launches New BSA/AML InfoBase on its Website

The Federal Financial Institutions Examination Council (FFIEC) has released a redesigned Bank Secrecy Act/Anti-Money Laundering (BSA/AML) InfoBase website. It shares 'bank examination procedure information with examiners, financial institutions, the public, and other stakeholders.' It was redesigned to improve the user experience with better site navigation, search capabilities, and downloadable manuals, and it is now mobile-friendly.

Relevant URL(s):

https://www.ffiec.gov/whatsnew.htm
https://bsaaml.ffiec.gov/

Who Is Responsible For Cybersecurity? NBT Bank Has Some Ideas

In honor of National Cybersecurity Awareness Month, NBT's VP and Director of Information Security and Fraud Risk wrote an article about responsibility for cybersecurity. She highlights that cyber threats are abundant and growing within the financial sector, that cybersecurity is everyone's responsibility, and that it 'takes a village.' She later defines that village as 'a mix of professionals and everyday citizens'. Cybersecurity is important at work and at home, and safeguarding sensitive information should be practiced at all times. Using secure passwords and learning how to recognize and report suspicious emails are paramount in defending both your work and home life. This helps build a safer environment and instills cybersecurity best practices in those around you.

Relevant URL(s): https://www.nbtbank.com/Personal/About-Us/News/NBT-Celebrates-Cybersecurity-Awareness-Month