This is an initiative by our Security Operations Centre team, who keep their eyes on the prize 24/7 and proactively monitor breaches and critical security trends. In this issue, malware continues to plague the global threat landscape. Part of protecting our clients is promoting good security practices and raising awareness of current security trends, improving your overall understanding of current breaches.
Adrozek
A new strain of malware has spread to thousands of Windows PCs in an attempt to add unwanted advertisements to users’ search results. “Adrozek,” a malware family capable of modifying several browsers, is designed to take over browser activity. Through it, the operators can push illegitimate advertisers in return for affiliate advertising revenue, or steal personal details.
This malware targets the browser and disables its security functions. It then establishes persistence across reboots with the aid of a registry key. The malware scans for locally installed browsers such as Microsoft Edge, Google Chrome and Mozilla Firefox and modifies the browser’s DLL libraries in order to inject unauthorised advertisements into what you believe are ordinary search results. Eventually, Adrozek could also redirect you to unsolicited websites. The advertisements appear harmless, but the ‘advertisers’ are merely a shield for attackers to obtain access to sensitive information.
The most effective way to get rid of any malware on your machine, Adrozek included, is to use an effective, professional antivirus application. It can address an array of issues, such as confirming the authenticity of the source of downloaded programs and applications. It is recommended to:
- Always keep antivirus applications and security software up to date.
- Apply updates promptly: new virus definitions are issued daily, and antivirus makers regularly upgrade their threat-fighting tools.
- Block PUPs in your antivirus software: turn on the option to identify potentially unwanted programs (PUPs).
Adrozek and other malware can infect your machine through suspicious websites that you may unknowingly access: clicking the ‘wrong’ link leads to an application that you never intended to install. If a pop-up banner appears while browsing a website, avoid clicking on it. If the site inundates you with pop-up advertisements, leave it immediately and run your antivirus software to confirm that there is nothing nefarious on the device.
Critical Bugs in Dell Wyse Thin Clients Allow Code Execution, Client Takeovers
Dell Wyse Thin client models are vulnerable to critical issues that could be exploited by a remote attacker to run malicious code and gain access to arbitrary files. The two critical bugs (CVE-2020-29491 and CVE-2020-29492) are rated 10 out of 10 on the vulnerability-severity scale.
By default, ThinOS is maintained remotely using a local File Transfer Protocol (FTP) server from which devices pull new firmware, packages and configurations. CVE-2020-29491 stems from the Wyse Thin Client devices periodically polling the server to pull their latest versions without authentication. The issue is that the configuration for all thin clients is held on a remote server accessible to anyone on the network, so any third party on that network can read those configuration files.
CVE-2020-29492, on the other hand, exists because the server permits read-and-write access to its configuration files, enabling anyone within the network to read and alter them over FTP. According to CyberMDX, the models below running ThinOS 8.6 are vulnerable to this bug.
3020, 3030 LT, 3040, 5010, 5040 AIO, 5060, 5070, 5070 Extended, 5470, 5470 AIO, 7010
Dell has released ThinOS 9 to address the two critical vulnerabilities. However, the following Wyse models can no longer be updated:
3020, 3030 LT, 5010, 5040 AIO, 5060, 7010
It is recommended to disable the use of FTP for updates and to secure the environment by using a secure protocol (HTTPS), and, where the Wyse model cannot be updated, to ensure that the file servers are read-only.
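As an added example (not from this bulletin, Dell or CyberMDX), the check below audits a vsftpd-style FTP configuration for the two conditions described above: anonymous readability of the thin-client configuration, and write access that lets anyone on the network alter it. The vsftpd directive names and both sample configurations are assumptions; the weak sample mirrors the scenario described, the hardened one the read-only fallback recommended when a model cannot be updated.

```python
# Added example: audits a vsftpd-style config for a thin-client file server
# that lets anyone on the network read AND write firmware/configuration.
# Assumes vsftpd directive names; ThinOS itself is not modelled.

WEAK_CONF = """\
# constructed sample: "just make it work" update server
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
"""

HARDENED_CONF = """\
# constructed sample: authenticated, read-only fallback server
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
"""

def parse_conf(text):
    """Return {key: value} for key=value lines, ignoring comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().upper()
    return conf

def audit_ftp_config(text):
    """List findings that would let an untrusted host read or alter client files."""
    c = parse_conf(text)
    findings = []
    if c.get("anonymous_enable") != "NO":
        # Missing directive is flagged too: never rely on the build default.
        findings.append("anonymous_enable not NO: configs readable by anyone on the network")
    if c.get("write_enable", "NO") == "YES":
        findings.append("write_enable=YES: server is not read-only")
        # The anon_* write switches only take effect when write_enable is YES.
        for k in ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable"):
            if c.get(k, "NO") == "YES":
                findings.append(f"{k}=YES: unauthenticated clients can modify files")
    return findings
```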
Kawasaki Discloses Cyber Breach
Recently, Kawasaki Heavy Industries revealed that it had been subjected to a cyber breach, identified as unauthorised access by attackers to Kawasaki’s servers and affecting multiple domestic and international offices. It was determined that the perpetrators had leaked and shared some information with external entities.
Kawasaki then performed an internal audit of its network and identified that a connection from Thailand had been detected entering a server in Japan. Following this, connections from Indonesia, the Philippines and the US were also discovered.
To mitigate the situation, a thorough security check was conducted on 26,000 terminals across its global networks and international offices, during which Kawasaki blocked all communication from branch offices to its headquarters in Japan until the situation was brought under control. The malicious connection was blocked, and access control policies were revisited.
Since then, Kawasaki has established a cybersecurity group overseen by the corporate president. CTRL Group suspects improper privileged access control and loose security policies around domain administrator accounts to be the reason behind the breach. It is imperative to devise cyber policies for branch offices, as attackers regard them as the softer target: a company’s headquarters is most likely to be well protected.