Month in Breaches: April 2020


This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends. Part of protecting our clients is also promoting good security practices and raising awareness of current security trends, boosting your overall understanding of current breaches.

Cisco Phishing Attack Steals Webex Credentials

A mass ‘spray and pray’ phishing campaign has been sending emails that pose as a Cisco ‘critical security advisory’ in order to steal credentials for the Webex web conferencing platform. Recipients are urged to update the platform to protect themselves from a critical vulnerability, a lure aimed squarely at remote workers who rely heavily on tools such as Webex, Zoom and Teams in the midst of the Covid-19 pandemic. Researchers said the phishing emails carry eye-catching subject lines such as “Critical Update” or “Alert!” and come from the spoofed email address “[email protected]”. The body of the email reuses content from a real December 2016 Cisco Security Advisory, together with Cisco Webex branding. That advisory covers CVE-2016-9223, a legitimate vulnerability in CloudCenter Orchestrator Docker Engine, Cisco’s management tool for applications across multiple data centre, private-cloud and public-cloud environments. The attackers also obtained a valid SSL certificate for the campaign.

The last few months have seen a drastic spike in phishing emails leveraging the unfortunate Covid-19 situation. It is highly recommended to educate employees about such scenarios and familiarise them with the ill effects of clicking a malicious link and entering their credentials or other sensitive information. It is also recommended to employ an email filter that can stop malicious email before it even reaches users. Strengthening basic security tools such as the firewall and anti-virus can also mitigate such risks if the mail filter fails.
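As an added example (not part of the original article), the mail-filter rule below scores a message against the traits of this campaign: a From header claiming cisco.com without a matching SPF/DKIM pass, a lure subject, and a body that recycles the 2016 advisory with Webex branding. The two messages and the sender address are constructed samples, not captured mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators taken from the campaign described above
CLAIMED_DOMAIN = "cisco.com"
SUBJECT_LURES = ("critical update", "alert!")
BODY_HINTS = ("cve-2016-9223", "webex")

def auth_domains(msg):
    """Domains that actually passed SPF or DKIM, per Authentication-Results."""
    found = set()
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"(spf|dkim)=pass\s+(?:smtp\.mailfrom|header\.d)=([\w.-]+)", hdr):
            found.add(m.group(2).lower())
    return found

def score_message(raw):
    """Return a quarantine verdict plus the reasons behind it."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    subject = msg.get("Subject", "").lower()
    body = (msg.get_payload() if not msg.is_multipart() else "").lower()
    reasons = []
    # Brand spoof: the visible sender claims Cisco but nothing authenticates as Cisco
    if from_domain.endswith(CLAIMED_DOMAIN) and CLAIMED_DOMAIN not in auth_domains(msg):
        reasons.append("From claims %s but no SPF/DKIM pass for it" % CLAIMED_DOMAIN)
    if any(lure in subject for lure in SUBJECT_LURES):
        reasons.append("lure subject: %r" % msg.get("Subject"))
    if all(hint in body for hint in BODY_HINTS):
        reasons.append("body reuses the 2016 advisory text with Webex branding")
    return {"quarantine": len(reasons) >= 2, "reasons": reasons}

# Constructed sample: the lure, failing SPF for the claimed domain
LURE = """\
From: Cisco Webex <security-advisory@cisco.com>
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=lookalike.test; dkim=none
Subject: Critical Update

Cisco Security Advisory CVE-2016-9223: update your Webex client now.
"""

# Constructed sample: a benign notification that authenticates as cisco.com
LEGIT = """\
From: Cisco Webex <security-advisory@cisco.com>
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=cisco.com; dkim=pass header.d=cisco.com
Subject: Your meeting starts in 10 minutes

Join your Webex meeting.
"""
```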

CVE-2020-3952 – Sensitive Information Disclosure Vulnerability In The VMware Directory Service

VMware has patched a critical vulnerability that can be exploited to compromise vCenter Server or other services that rely on the Directory Service for authentication. The flaw, tracked as CVE-2020-3952 with a CVSS score of 10, was disclosed by VMware. A malicious actor with network access to port 389 on an affected vmdir deployment may be able to extract highly sensitive information, such as administrative account credentials, which could be used to compromise vCenter Server or other services that depend on vmdir for authentication. Variant attack vectors, such as creating new attacker-controlled administrative accounts, are also possible.

The weakness impacts vCenter Server 6.7 on Windows and virtual appliances, and it has been patched with the 6.7u3f update. However, the company noted that vCenter Server is affected only if the installation was upgraded from a previous version; the product is not impacted if the user directly installed version 6.7. CTRL Group strongly recommends adhering to a patch management process. Doing so greatly reduces the risk from unpatched vulnerabilities, which are the main point of entry for attackers.

ESET Takes Down VictoryGate Botnet

ESET has announced that it took down a botnet responsible for infecting more than 35000 computers. The VictoryGate botnet, active for more than a year, mostly attacked devices in South America. The botnet’s primary purpose is to infect victims with malware that mines cryptocurrency. Per ESET, the Command & Control server was hidden behind the NO-IP dynamic DNS service. ESET took down this malicious server and replaced it with a server known as a sinkhole. All infected systems then started connecting to the sinkhole, from which the size of the infection was estimated at 35000.

According to ESET, the source of infection is believed to be a tainted batch of USB devices, which allowed the attack to propagate via removable media. Once a malicious USB device is connected to a victim’s computer, the malware is installed on that computer. VictoryGate also contains a component that copies the USB infector to new USB devices connected to an infected computer, helping it spread further. To curb such spread it is always recommended to allow only whitelisted official USB devices on the network. Monitoring servers for file changes is also crucial, because the file servers are infected with crypto-mining code and anyone who accesses them will be infected too.
