Month in Breaches: June 2020

Cybersecurity News / Month in Breaches

This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends. In this issue, breaches and trojans continue to plague the global threat landscape. Part of protecting our clients is also promoting good security practices and raising awareness of current security trends, boosting your overall understanding of current breaches.


State-Sponsored Cyber Attacker on Australia 

On the 19th of June, Australian Prime Minister Scott Morrison announced that Australia was under a cyber-attack that was believed to be carried out by a state-sponsored group. Different levels of government sector organisations, healthcare, educational institutions, industrial organisations etc were targeted. The attackers were seen to have been using a common script and the pattern of attack was also identified. Vulnerabilities like CVE-2019-18935, CVE-2019-19781 and CVE-2019-0604 are actively being used for initial access. It is also imperative that Australian organisations are alert to this threat and take steps to enhance the resilience of their networks.

As part of mitigation, patching internet-facing software and applications is very vital. Vulnerable versions of Microsoft IIS, Microsoft SharePoint, Citrix ADC, and Tereric UI are advised to be patched immediately. Employees should also be aware of spear phishing and credentials harvesting attacks to safeguard their email accounts and high privilege accounts from attackers. CTRL Group are also actively monitoring to detect any intrusions in the form of remote access and backdoor network deployment tools. Implementation of MFA across the network is also highly recommended to protect user accounts against credential abuses.

CISCO WEBEX and Router Bugs Allow for Code Execution (CVE-2020-3342)

Cisco has identified three high severity flaws in their web conferencing app (Webex) and one of them could allow an unauthenticated attacker to perform RCE (Remote Code Execution). The flaw stems from improper validation of cryptographic protections, on files that are downloaded by the application as part of a software update, according to Cisco. An attacker could exploit this vulnerability by urging a user to access a website that returns malicious files to the client. These are similar to files that are returned from a valid Webex website. A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the user.

Remote code execution is the ability an attacker has, to access someone else’s computing device and make changes, no matter where the device is geographically located. Versions of the Webex Meetings Desktop App for Mac app earlier than Release 39.5.11 are affected; a fix is available in releases 39.5.11 and later. Windows versions of the app are not affected. CTRL Group recommend applying the fixes available from Cisco’s website after validating the cryptographic protections.

Palo Alto Network Bug

A critical vulnerability has been identified in a series of Palo Alto network devices and enterprise-level VPN appliances. This vulnerability can allow the attacker to take over devices without any authentication requests. PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL) are the affected ones. PAN-OS 7.1 is not affected by this vulnerability. This vulnerability allows attackers to bypass authentication only when SAML authentication is enabled on the Palo Alto devices and the “Validate Identity Provider Certificate” is unchecked.

This vulnerability does not require any advanced technical skills and attackers are not required to infiltrate the device or the network, rather target the exploit to gain access to the device via the internet. Remedial actions require updating all the affected versions. While doing so, administrators should ensure that the signing certificate for their SAML identity provider is configured as the “Identity Provider Certificate”. Palo Alto has officially released steps to mitigate this issue. Please click here to go through the steps. CTRL Group also suggest implementing strong patch management. Security upgrades for software rely on patch management to fix any existing security glitches which may be exploited by the attackers.

Related Articles

Cyber Compliance / Cyber Advisory, Cyber Compliance
Cyber Regulations and Australian Compliance Overview 2022
Read more
Cyber Breach and Cyber Incident response and cyber insurance are fundamental to an organisation's cybersecurity.
Cyber Insurance / Incident Response
Are you Cyber Ready for Cyber Insurance?
Read more
data breaches, cyber incident response
Data Breach / Incident Response
How to Minimise Financial Damages from a Cyber Incident?
Read more