Proof-of-concept exploit code has been published for critical flaws impacting the Cisco Data Center Network Manager (DCNM) tool for managing network platforms and switches. The three critical vulnerabilities in question (CVE-2019-15975, CVE-2019-15976, CVE-2019-15977) impact DCNM, a platform for managing Cisco data centers that run Cisco’s NX-OS, the network operating system used by Cisco’s Nexus-series Ethernet switches and MDS-series Fibre Channel storage area network switches. The flaws, patched on Jan. 3, could allow an unauthenticated, remote attacker to bypass endpoint authentication and execute arbitrary actions with administrative privileges on targeted devices. This week, Steven Seeley, the security researcher who initially discovered the flaws, released public PoC exploits for them. “In this post, I share three (3) full exploitation chains and multiple primitives that can be used to compromise different installations and setups of the Cisco DCNM product to achieve unauthenticated remote code execution as SYSTEM/root,” he explained in a blog post. “In the third chain, I (ab)use the java.lang.InheritableThreadLocal class to perform a shallow copy to gain access to a valid session.”

The Flaws

Two of the flaws (CVE-2019-15975 and CVE-2019-15976) are authentication bypass vulnerabilities in the REST API and SOAP API endpoints for Cisco DCNM. Representational State Transfer (REST) is an architecture style for designing networked applications,…

Google has extended its Advanced Protection Program for account security to the iPhone platform, aimed at those who are most targeted by cybercriminals: members of political campaign teams, journalists, activists, executives, employees in regulated industries such as finance or government, and others. It has also made the program simpler for Android users to sign up for. The idea is to add another log-in factor to the sign-in process for Google accounts, one that can’t be intercepted by a phisher. Specifically, the Advanced Protection Program uses security keys, which make use of public-key cryptography to verify a user’s identity and the URL of the login page. These can be either a physical security key or a smartphone’s built-in security key. In the case of iPhone, those running iOS 10.0+ with the Google Smart Lock app installed can enroll in the program. “Unlike other two-factor authentication (2FA) methods that try to verify your sign-in, security keys are built with FIDO standards,” explained Christiaan Brand, product manager at Google Cloud, and Kaiyu Yan, Google software engineer, in a posting on Wednesday. In the FIDO framework, authentication is done by the client device, which must prove that it has in its physical possession a private key to a given service. To prove this, the client’s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by swiping a finger, entering a PIN, speaking into a…

A ransomware with the un-snappy moniker of “5ss5c” has emerged on the scene and appears to be in active development. According to independent researcher Bart Blaze, the malware is the successor to the Satan ransomware, and its authors are still experimenting with focused targeting (China, for now) and features. Blaze said in a blog posted Tuesday that 5ss5c and Satan share many code characteristics. Satan, he noted, disappeared from the ransomware scene a few months ago, right after adding an EternalBlue exploit to its bag of tricks. 5ss5c appears to be picking up where Satan left off. “The group has been working on new ransomware – 5ss5c – since at least November 2019,” Blaze noted. “There are several Satan ransomware artefacts [and shared tactics, techniques and procedures (TTPs)]. One of these is, for example, the use of multiple packers to protect their droppers and payloads.” He said that like Satan before it, 5ss5c is a second-stage malware that is downloaded by a dropper. That same dropper also downloads the EternalBlue exploit (i.e., a spreader package); Mimikatz (the Windows password stealer) plus a second credential stealer; and the ransomware itself. It also creates logs, noting whether SMB shares are available (the target of the EternalBlue exploit); and whether the downloads were successful or not. But 5ss5c advances the previous Satan approach in a few different ways. For one, the dropper provides hardcoded credentials for the command-and-control (C2) server…

Two proof-of-concept (PoC) exploits have been publicly released for the recently patched crypto-spoofing vulnerability found by the National Security Agency and reported to Microsoft. The vulnerability (CVE-2020-0601) could enable an attacker to spoof a code-signing certificate (necessary for validating executable programs in Windows) in order to make it appear as if an application came from a trusted source. The flaw made headlines when it was disclosed earlier this week as part of Microsoft’s January Patch Tuesday security bulletin. It marked the first time the NSA had ever publicly reported a bug to Microsoft. The two PoC exploits were published to GitHub on Thursday. Either could potentially allow an attacker to launch man-in-the-middle (MitM) attacks, allowing an adversary to spoof signatures for files and emails and to fake signed executable code inside programs launched inside Windows. One PoC exploit was released by Kudelski Security and the other by a security researcher under the alias “Ollypwn”. According to Microsoft’s advisory, the spoofing vulnerability exists in the way Windows CryptoAPI (Microsoft’s API that enables developers to secure Windows-based applications using cryptography) validates Elliptic Curve Cryptography (ECC) certificates. Kudelski Security said in a blog post that it launched the PoC using a “curve P384” certificate, which uses ECC (specifically,…

Google has made a concerted effort in recent months to try to eliminate bad apps for its Android mobile platform on the Google Play store, something the company has historically battled. However, fleeceware apps, which trick users into paying excessive amounts of money for simple apps whose functionality is available free elsewhere, are still getting past Google’s radar in significant numbers, according to security researchers. These types of apps have been installed nearly 600 million times on 100 million-plus devices, according to a Sophos report, which said it pulled the numbers from Google’s own Google Play marketplace. While researchers are skeptical that the high installation numbers reported on Google Play are completely legitimate, they do believe that the download numbers of some of the apps, including a popular keyboard app that allegedly transmits the full text of whatever its users type back to China, are likely on the money. “As we saw last fall, there were a wide variety of entertainment or utility apps, including fortune tellers, instant messengers, video editors and beauty apps,” researchers wrote in a blog post published Tuesday. “And just like last time, user reviews reveal serious complaints about overcharging, and that many of these apps are substandard, and don’t work as expected.”

“Free Trials” That Come With a Price

Fleeceware appears to be so successful on the Google Play marketplace because it takes advantage of a business model used widely throughout the…

Two WordPress plugins, InfiniteWP Client and WP Time Capsule, suffer from the same critical authorization bypass bug that allows adversaries to access a site’s backend with no password. All an attacker needs is the admin username for the WordPress plugins and they are in, according to researchers from WebArx, who created proof-of-concept attacks to exploit the vulnerabilities. “[Both] contain logical issues in the code that allows you to login into an administrator account without a password,” wrote WebArx in a blog post outlining the discovery on Wednesday. According to the WordPress plugin library, 300,000 websites are running a version of the vulnerable InfiniteWP Client plugin. The WP Time Capsule plugin is active on 20,000 websites, according to library tallies. Both plugins are designed to allow users to authenticate to multiple WordPress installations from one central server. That allows site owners to “perform maintenance such as one-click updates for core, plugins, and themes across all sites, backup and site restores, and activating/deactivating plugins and themes on multiple sites simultaneously,” according to a WordFence description. The vulnerabilities were first reported on Jan. 7, 2020. The next day the developers released new versions of the plugins. On Tuesday, WebArx publicly disclosed the bugs.

The InfiniteWP Client Bug

Specifically impacted are versions of the InfiniteWP Client plugin below 1.9.4.5, WebArx said. The proof of concept is simple, earning…

Employees are demanding that employers enable flexible workstyles. Apps are moving to the cloud. A company’s device and application mix is increasingly heterogeneous. All of these factors are breaking down the enterprise security perimeter, rendering traditional security approaches obsolete, and paving the way for zero-trust approaches. Traditional security methods broadly classify everything (users, devices and applications) inside the corporate network as trustworthy. These models rely on legacy technologies, such as virtual private networks (VPNs) and network access control (NAC), to verify the credentials of users outside the network before granting access. The focus is therefore on strengthening the network perimeter and then granting full access to corporate data once credentials are successfully validated. This is sometimes referred to as the “castle and moat” approach, in which the castle is the enterprise holding valuable data and applications, while the moat is the layers of protection aiming to keep potential threats out. However, in today’s complex IT world, in which users access all types of apps (software-as-a-service, on-prem, native, virtual) from all types of devices (mobile, desktop, internet of things) and from many locations both inside and outside the corporate network, organizations need a security model that is dynamic, flexible and simple. Perhaps the most notable of the emerging security models is zero trust. “Zero trust” is a phrase…

A major Microsoft crypto-spoofing bug impacting Windows 10 made waves this Patch Tuesday, particularly as the flaw was found and reported by the U.S. National Security Agency (NSA). Microsoft’s January Patch Tuesday security bulletin disclosed the “important”-severity vulnerability, which could allow an attacker to spoof a code-signing certificate, vital to validating executable programs in Windows, and make it appear as if an application was from a trusted source. Threatpost talked to Pratik Savla, senior security engineer at Venafi, about the vulnerability, whether the hype around the flaw was warranted, and what the disclosure means for the NSA. Also, check out our podcast microsite, where we go beyond the headlines on the latest…

The operators behind the notorious Emotet malware have taken aim at United Nations personnel in a targeted attack ultimately bent on delivering the TrickBot trojan. According to researchers at Cofense, a concerted phishing campaign has been using emails purporting to be from the Permanent Mission of Norway, which maintains the Scandinavian country’s diplomatic presence in New York. The emails were sent to 600 staffers and officials across the U.N., claiming that there was a problem with a supposed “signed agreement” attached to the mails. The endgame, however, was to steal login credentials. According to a report confirmed by Threatpost with Cofense, if a victim opened the document, a pop-up warning appeared saying, “document only available for desktop or laptop versions of Microsoft Office Word.” Users were then prompted to click a button to “enable content,” which, if clicked, actually enabled malicious Word macros. In turn, these downloaded and installed Emotet, which would then run in the background. Emotet started life as a banking trojan in 2014 and has continually evolved to become a full-service threat-delivery mechanism. It can install a collection of malware on victim machines, including information stealers, email harvesters, self-propagation mechanisms and ransomware. In the case of the U.N. attacks, Emotet was seen attempting to send out spam emails to additional victims and download second-stage malicious payloads, including the TrickBot trojan, which can…

A Georgia court granted final approval for an Equifax settlement in a class-action lawsuit, after the credit-reporting agency was hit by its massive 2017 data breach. Equifax will pay $380.5 million to settle lawsuits regarding the 2017 data breach, the Atlanta federal judge reportedly ruled this week. In addition, Equifax may be required to dole out an additional $125 million “if needed to satisfy claims for certain out-of-pocket losses.” “We are pleased that the Court approved the settlement, which provides significant benefits for consumers whose information was impacted in the 2017 breach,” an Equifax spokesperson told Threatpost. The $380.5 million will be placed into a fund for affected consumers who are part of the class outlined in the lawsuit. The settlement cost will also cover attorneys’ fees, expenses and administration costs. The $380.5 million for affected consumers is slightly more than the $300 million proposed previously by the Federal Trade Commission (FTC) in July 2019. The July 2019 proposal was subject to the federal court’s Monday approval.

Other Costs

As part of the settlement, the company will also need to pay at least $1 billion for improved security, as well as $175 million to 48 U.S. states and $100 million in civil penalties to the Consumer Financial Protection Bureau (CFPB). Equifax will also need to pay $1.4 billion in litigation expenses and $77.5 million as a percentage-based fee, according to Bloomberg. It should also be noted…
