
CVE-2020-1938 – Apache Tomcat AJP Request Injection and potential Remote Code Execution

Published by Apache: 2020-02-24
MITRE CVE-2020-1938

“When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising.”

There are not enough details available yet, but the vulnerability has a CVSS Base score of at least 8.1 (High); the final score depends on how hard it is to exploit, among other factors.

A proof of concept has been published, but as of writing there is no known public exploitation of this vulnerability.

Basefarm customers will be upgraded as part of normal patching routines.
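As an added, defender-side check that is not from the Basefarm post or from Apache: a small script that parses a Tomcat server.xml and flags AJP connectors that are reachable from non-loopback addresses or have no shared secret configured, which is the "trusting incoming connections" condition the advisory describes. The server.xml below is constructed; the attribute names (address, secret, secretRequired, requiredSecret) are those documented for Tomcat's AJP connector.

```python
# Added example: audit a Tomcat server.xml for AJP connectors exposed beyond
# localhost. Not code from the Basefarm post; attribute names are the ones
# documented for Tomcat's AJP connector (address, secret, secretRequired,
# and the older requiredSecret).
import xml.etree.ElementTree as ET
from typing import Dict, List

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> List[Dict]:
    """Return one finding per AJP connector with a list of issue codes."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Connectors default to HTTP/1.1; AJP ones say "AJP/1.3" or name an Ajp*Protocol class.
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        address = conn.get("address")
        issues = []
        # With no address attribute Tomcat binds the connector to all interfaces.
        if address is None or address.strip() not in LOOPBACK:
            issues.append("ajp_bound_to_non_loopback")
        # Patched releases require a shared secret unless secretRequired="false".
        if conn.get("secretRequired", "true").lower() == "false":
            issues.append("secret_not_required")
        elif not (conn.get("secret") or conn.get("requiredSecret")):
            issues.append("no_secret_configured")
        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


# Constructed sample: port 8009 is the default-style exposed connector,
# port 8010 is bound to loopback with a (placeholder) secret.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER-SECRET"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not f["issues"] else "REVIEW"
        print(f"AJP port {f['port']} address={f['address']}: {status} {f['issues']}")
```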


Insider threats

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

This week we have seen multiple cases of one of the harder issues in security: the insider threat.
Two former employees of Twitter have been charged with spying on Twitter users for Saudi Arabia, together with a third man with ties to the Saudi royal family. According to court documents they were working together, using Twitter's internal systems to unmask critics of the Kingdom and other users of Twitter.
Trend Micro also suffered an insider attack, where an employee accessed and sold customer data to a malevolent third party. Trend Micro started getting suspicious after customers began receiving calls from scammers claiming to be from Trend Micro support. The employee was fired after a three-month investigation by Trend Micro, and is now under investigation by law enforcement. You can read more about both cases here.

The Cybersecurity Insiders 2020 Insider Threat Report came out and found that more than half of the participating organizations believe insider threats are harder to follow up in cloud environments, meaning that the trend of offloading to the cloud could increase risk to an unexpected degree.

Insider threats are one of the more complex issues in security, with different challenges depending on many factors. Organizations need to focus on what the challenges are for their specific organization and find preventive measures that work in their environment.

Top 5 Security News

BlueKeep Attacks Have Arrived, Are Initially Underwhelming
Cybersecurity Skills Shortage Tops Four Million
Bug Hunters Hack Samsung Galaxy S10, Xiaomi Mi9 at Pwn2Own
Wizard Spider Upgrades Ryuk Ransomware to Reach Deep into LANs
Facebook reveals another privacy breach, this time involving developers


CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability

Published: 02/11/2020 | Last Updated: 02/11/2020
MITRE CVE-2020-0688

“A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time.

Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.

The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.”

Zero Day Initiative recently published a write-up about this vulnerability, and some key points to know are: “Instead of having randomly-generated keys on a per-installation basis, all installations of Microsoft Exchange Server have the same validationKey and decryptionKey values in web.config. These keys are used to provide security for ViewState.” and “Due to the use of static keys, an authenticated attacker can trick the server into deserializing maliciously crafted ViewState data. With the help of YSoSerial.net, an attacker can execute arbitrary .NET code on the server in the context of the Exchange Control Panel web application, which runs as SYSTEM.”

So this is bad. On the bright side it requires an authenticated user, but considering the amount of leaked credentials these days it could be better.

We agree with Zero Day Initiative when they say “if you’re an Exchange Server administrator, you should treat this as a Critical-rated patch and deploy it as soon as your testing is complete. Microsoft lists this with an Exploit Index of 1, which means they expect to see exploits within 30 days of the patch release. As demonstrated, that certainly seems likely.”

Update 2020-03-04: An exploit for this vulnerability is now part of the Metasploit Framework, and exploitation is very easy; it only requires the credentials of any domain user.

Internally Basefarm is tracking this as BF-VLN-1994667.

Visa Warns of New JavaScript Skimmer ‘Pipka’

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

A new JavaScript skimmer targets data entered into the payment forms of ecommerce merchant websites, Visa Payment Fraud Disruption (PFD) warns.

Visa notes in a security alert (PDF):

“In September 2019, Visa Payment Fraud Disruption’s (PFD) eCommerce Threat Disruption (eTD) program identified a new JavaScript skimmer that targets payment data entered into payment forms of eCommerce merchant websites. PFD is naming the skimmer Pipka, due to the skimmer’s configured exfiltration point at the time of analysis (as shown below in the Pipka C2s).” reads the advisory published by VISA. “Pipka was identified on a North American merchant website that was previously infected with the JavaScript skimmer Inter, and PFD has since identified at least sixteen additional merchant websites compromised with Pipka.”



Top 5 Security News

Website, Know Thyself: What Code Are You Serving?

GitHub gathers friends for a security code cleanse to scrub that software up to spec

New Group of Hackers Targeting Businesses with Financially Motivated Cyber Attacks

AI wordsmith too dangerous to be released… has been released

Flaws in Qualcomm chips allow stealing private data from devices

Reality Check: The Story of Cybersecurity

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

“Often, hackers are portrayed as “technical sorcerers” while defenders are “hapless techies focused on zero-day vulnerabilities and only the most advanced threat vectors,” but in reality, that’s not true.
Cybercriminals are not always sophisticated, and in fact, more script kiddies exist than technically savvy hackers.
The difference is that cybercriminals are more organized and create tools and exploit kits that allow less sophisticated actors to become well equipped in launching attacks.”

This was said by Rohit Ghai, president of RSA, in his keynote at the RSA Conference in San Francisco this week.

“The security landscape needs to change the narrative of its story. So we need to reclaim our narrative, reorganize our defense, and rethink our culture.”
This was his appeal to the cyber security community.

See more talks from the RSA Conference 2020, or download the RSAC 2020 Trend Report.


Top 5 Security News

RSAC 2020: Lack of Machine Learning Laws Open Doors To Attacks

New Wi-Fi Encryption Vulnerability Affects Over A Billion Devices

New LTE Network Flaw Could Let Attackers Impersonate 4G Mobile Users

FBI recommends using passphrases instead of complex passwords

Gmail Is Catching More Malicious Attachments With Deep Learning



Data leaks and breaches

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Today I want to take a look at data leaks and breaches, as the last week has had quite a few of those. Unicef Norway had a database exposed to the internet (Paywall) without any form of authentication. Most of the data was public data about people, but certain sensitive information, such as addresses and phone numbers of people living in hiding, prominent public figures and young children, could be found. The Singapore Accountancy Commission (SAC) had a folder containing the data of 6,541 accountants sent to multiple parties in a security mishap, which was not discovered until months later.
T-Mobile in the United States also suffered a data breach affecting some of its prepaid customers. According to T-Mobile no sensitive data was stolen, but they still urged affected customers to change their PIN and account passwords.


Top 5 Security News

Thousands of hacked Disney+ accounts are already for sale on hacking forums

Google Discloses Android Camera Hijack Hack

Twitter will finally let users disable SMS as default 2FA method

French hospital contracts 6,000 PC-locking ransomware infection

AccorHotels subsidiary Gekko Group exposes hotels and travelers data in massive data leak


Nation state actors play the long game

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

“Qihoo 360, one of the most prominent cybersecurity firms, today published a new report accusing the U.S. Central Intelligence Agency (CIA) of being behind an 11-year-long hacking campaign against several Chinese industries and government agencies.”

“According to Qihoo 360, the hacking tools developed by the CIA, such as Fluxwire and Grasshopper, were used by the APT-C-39 group against Chinese targets years before the Vault 7 leak.”


Top 5 Security News

Hackers Scanning for Vulnerable Microsoft Exchange Servers, Patch Now!
Let’s Encrypt is Revoking Three Million Certificates on March 4
670+ Subdomains of Microsoft are Vulnerable to Takeover
Emoji to Zero-Day: Latin Homoglyphs in Domains and Subdomains
CPR evasion encyclopedia: The Check Point evasion repository


Threat Hunting or Efficiency: Pick Your EDR Path?

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Cybersecurity teams face a lot of conflicting objectives—both within their teams and from upper management. But a May 2019 commissioned study conducted by Forrester Consulting on behalf of McAfee really puts a fine point on it: When decision makers were asked which endpoint security goals and initiatives they’re prioritizing for the coming year, the top two responses were “improve security detection capabilities” (87%) and “increase efficiency in the SOC” (76%).



Top 5 Security News

5 scams to watch out for this shopping season

Dexphot Malware Hijacked 80K+ Devices to Mine Cryptocurrency

It’s Way Too Easy to Get a .gov Domain Name

A Cause You Care About Needs Your Cybersecurity Help

Google caught a state hacker crew uploading badness to the Play Store


Security Software & Tools Tips – December 2019

In this monthly post, we try to make you aware of five different security-related products.
This is a repost from my personal website Ulyaoth

This month we have chosen the following:
* Azure Arc
* CloudGuard Dome9
* Flan Scan
* Lynis
* Wapiti

Azure Arc

Information from the Azure Arc website:

Azure Arc extends management & security to any infrastructure.

Website:

https://azure.microsoft.com/en-us/services/azure-arc/

CloudGuard Dome9

Information from the CloudGuard Dome9 website:

The Dome9 Arc agentless SaaS platform delivers full visibility and control of security and compliance in AWS, Azure and Google Cloud environments. Minimize your attack surface and protect against vulnerabilities, identity theft and data loss.

Website:

https://dome9.com/

Flan Scan

Information from the Flan Scan website:

Flan Scan is a lightweight network vulnerability scanner. With Flan Scan you can easily find open ports on your network, identify services and their version, and get a list of relevant CVEs affecting your network.

Website:

https://github.com/cloudflare/flan

Lynis

Information from the Lynis website:

Lynis is a battle-tested security tool for systems running Linux, macOS, or Unix-based operating systems. It performs an extensive health scan of your systems to support system hardening and compliance testing.

Website:

https://cisofy.com/lynis/

Wapiti

Information from the Wapiti website:

Wapiti is a vulnerability scanner for web applications. It currently searches for vulnerabilities such as XSS, SQL and XPath injections, file inclusions, command execution, XXE injections, CRLF injections, Server Side Request Forgery, Open Redirects…

Website:

https://sourceforge.net/projects/wapiti/

Image by MasterTux from Pixabay


Basefarm security news

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Florida has become the target of two serious ransomware attacks. The city of Pensacola reported a cyber incident that reportedly started Saturday morning. The city disconnected much of its network, which affected some payment and other services. The operators behind the Maze Ransomware have claimed responsibility for this attack. Prison Rehabilitative Industries and Diversified Enterprises Inc (PRIDE) in Florida was also targeted with ransomware on the same day. PRIDE is a non-profit that helps inmates transition to life outside of prison. There are no indications that the two attacks are linked to each other.

Top 5 Security News

Vietnamese Hackers Compromised BMW and Hyundai

Another Ransomware Will Now Publish Victims’ Data If Not Paid

AirDoS: Hackers Can Block iPhones, iPads Via AirDrop Attack

Attackers now use process hollowing to hide cryptocurrency miners on your PC

Microsoft Security Essentials Will Not Protect Windows 7 PCs After January 14, 2020