Month in Breaches: July 2020

Cybersecurity News / Month in Breaches

This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends. In this issue, breaches and trojans continue to plague the global threat landscape. Part of protecting our clients is also promoting good security practices and raising awareness of current security trends, boosting your overall understanding of current breaches.

F5 Big IP Vulnerability CVE-2020-5902

The Traffic Management User Interface (TMUI) of F5 Big IP has a Remote Code Execution (RCE) vulnerability in undisclosed pages. This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the Configuration utility to conduct malicious activities and even system breaches. Through the BIG-IP management port and/or self IPs, disguised hackers may execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. It can also result in a full system compromise. The BIG-IP system in Appliance mode is also vulnerable. While this issue is not exposed on the data plane, only the control plane is affected.  Please check the source below to find vulnerable versions.

Researchers said that as of July 15, there were at least 8,041 vulnerable TMUI instances still exposed to the public internet. To ensure that your version of F5 Big IP is secure, CTRL Group highly recommend installing the patched version immediately. This will eliminate the vulnerability. If installing a patch is not possible, block all access to the Configuration utility of your BIG-IP system using self IPs. In addition, you should permit management access to F5 products only over a secure network. Further alternates can be found in the link provided in the source below.

Microsoft OAuth Attacks Against Cloud App Users 

OAuth is an open standard for access delegation. It is generally used as a way for people to sign in to services without entering a password. The most evident instance might be the “Sign in with Google” or “Sign in with Facebook” that many websites use. These “Sign in” or “Log in” prompts are called consent prompts. According to Microsoft, a type of application-based attack is on the rise that takes advantage of OAuth authentication. These attacks are categorised as Consent Phishing. Instead of stealing passwords, this attack focuses on seeking permission for an attacker-controlled application to access sensitive information. It begins by registering a malicious app with an OAuth2 provider. This application looks and feels trustworthy but in reality, it’s not. The link of this application is then distributed using conventional phishing methods such as emails. If a user clicks accept, they will grant the bad app permissions to access their credentials and potentially other sensitive data.

It might feel like an extra step but ensuring the legitimacy of the application you are signing into, could protect you from these spiking attacks. Attackers spoof app names and make them look genuine, so always make sure you recognize the app name and URL before you commit consenting to it. These times are especially critical because of the global pandemic we are facing. People working from home are making more use of cloud-based apps and authenticating to them via OAuth. If the organisations and their employees are trained well to be more diligent in their actions, it can prove to be highly valuable for the security of sensitive data.

Emotet Malware

Emotet malware threat has resurfaced after a five-month hiatus, with more than 250,000 malspam messages being sent to email recipients worldwide. Emotet is a Trojan that is primarily spread through spam emails. The infection may arrive either via a malicious script, document files, or a malicious link. Emotet emails may contain familiar branding designed to look legitimate. For instance, there is an email containing a word document called “Invoice – 24 Jul, 2020.doc”. The document contains a script that asks recipients to enable it.

Once the script launched, it will generate PowerShell scripts to download Emotet malware from remote malicious websites. It can steal data, such as user credentials stored on the browser, by eavesdropping on network traffic. Once Emotet has infected a network machine, it will propagate by enumerating network resources and write to share drives as well as brute force user accounts.

To protect from Emotet, patch any unsecured machines, and ensure everything has the latest endpoint protection, then you can dramatically reduce the risk of infection. Also, it is safe to double-check the email sender and be cautious in opening up the links and attached files. There is a recommendation if you suspect that one of the machines in the network is infected by Emotet. First, disconnect the infected machines from the network immediately. Second, run a virus scan and patch for Eternal Blue as Emotet drops Trcikbot which uses Eternal Blue to propagate. Last, disable administrative shares and change account credentials. More information can be found at the following link.

Related Articles

Cyber Compliance / Cyber Advisory, Cyber Compliance
Cyber Regulations and Australian Compliance Overview 2022
Read more
Cyber Breach and Cyber Incident response and cyber insurance are fundamental to an organisation's cybersecurity.
Cyber Insurance / Incident Response
Are you Cyber Ready for Cyber Insurance?
Read more
data breaches, cyber incident response
Data Breach / Incident Response
How to Minimise Financial Damages from a Cyber Incident?
Read more