VERT's Cybersecurity News for the Week of May 2, 2022

2022-05-14 20:33:14 By : Ms. Susy Lv


All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of May 2, 2022. I’ve also included some comments on these stories.

Microsoft on Thursday disclosed that it addressed a pair of issues with the Azure Database for PostgreSQL Flexible Server. If untended, these issues could result in unauthorized cross-account database access in a region, reports The Hacker News.

Microsoft disclosed vulnerabilities in their Azure Database for PostgreSQL Flexible Server this week that were found in January. They mitigated the vulnerabilities rapidly after they were reported but waited until now to disclose them publicly, which gave them more time to analyze and protect against the vulnerability before publicizing it. The pair of vulnerabilities allowed databases to be replicated by anyone holding a forged certificate, giving attackers access to the stored data.

In 2020 cybercriminals launched a spear phishing attack against Twitter that successfully scammed victims out of $180,000 worth of Bitcoin, reports Bleeping Computer. The attacker used a phone-based social engineering scam against Twitter employees in order to gain access to privileged accounts.

Sometimes the path of least resistance actually works. Almost every company has an IT helpdesk, and cybercriminals are targeting them as a potential ingress into a company’s network. When phishing and reconnaissance are done well, they let cybercriminals build data profiles and gather information that will help them achieve their eventual goal, whether that is a data breach, ransomware, malware or data destruction; take your pick.

Once enough personal information has been obtained, the next step in the social engineering attack is to pose as a legitimate user and request a password reset. If successful, the criminal will then be “handed” a password to the user’s account, which could potentially be a privileged account, and from there cause real damage.

Having a Red Team Exercise performed periodically will help leaders and cybersecurity professionals determine how strong or weak that specific line of defense actually is. What is a Red Team Exercise, you ask? For starters, it’s not a pen-test. The goal of a pen-test is to identify and exploit as many security gaps as possible. A Red Team Exercise (which is sanctioned by the company) simulates a security incident: the team only needs to find one way in, exploit it as much as possible, and potentially move laterally across different networks to obtain sensitive information and achieve a specific goal. The underlying purpose of the Red Team Exercise is to test the organization’s detection and response capabilities.

Let me be clear in saying that this is not an “attack” against IT Helpdesks everywhere, as I have worked on Helpdesks previously and they helped me build strong technical skills. The idea here is to highlight that helpdesks are only one of many avenues cybercriminals may try to exploit in order to achieve their goals.

The pictures show neatly trimmed fiber optic cables dug up from underground behind what appears to be a well-hidden grate, notes CyberScoop. The apparent simplicity of the sabotage is all the more harrowing in light of how extensively it disrupted Internet service in France, experts said.

Here is an example of a brazen attack on critical infrastructure, which disrupted internet service throughout much of France late last week.

The article highlights that the targeted fiber optic cables were cut on both sides, complicating the repairs. Fiber optic cables are notoriously difficult to repair, if they can be repaired at all. Remember, fiber optic cables are made up of thin strands of glass fibers. According to what I could find, there are two methods of repair: 1) Fusion Splicing, which requires an expensive tool and proper training, or 2) Mechanical Splicing, which involves aligning the fiber cores, which is difficult to do and results in higher-loss splices.

Quoted in the article is Bob Kolasky, who recently served as Director of CISA’s National Risk Management Center and who highlighted a couple of key points:

Other countries in Europe have taken notice of what happened in France, and one can only assume they are taking increased necessary measures to protect their CI and fiber optic networks. While it would be next to impossible to secure every single cable from physical attack, I think what matters here is a couple of things:

Switches used by organizations around the world are affected by critical vulnerabilities, according to enterprise device security company Armis. If unchecked, these vulns could allow malicious actors to gain remote access to enterprise networks and steal valuable data, notes Security Weekly.

This is a prime example of why Vulnerability Management is an important part of your overall cybersecurity strategy.

Network switches made by Avaya and Aruba, which are used by organizations of all sizes and across all verticals, are affected by two types of critical vulnerabilities that lead to RCE (Remote Code Execution).

The root cause of this issue is related to a flaw previously discovered by Armis Security in APC Smart-UPS devices, which misused NanoSSL, a popular TLS library. In Avaya and Aruba’s cases, researchers found that their network switches suffered from a similar flaw, as those products also appear to misuse the same TLS library. The flaw is dubbed TLStorm 2.0, and if properly exploited it allows an attacker to take full control of the switch, which can lead to:

Aruba devices affected by TLStorm 2.0:

Avaya devices affected by TLStorm 2.0:

Patches from Avaya and Aruba are available from their support portals. From what the article reports, Armis Security worked with the vendors proactively to disclose the issues so they could be patched.

For those businesses using the Avaya and Aruba network products mentioned above, take immediate action and follow your company’s patching guidelines (notifying users, scheduling downtime, taking backups of configs, establishing a rollback plan etc.). Remember that these devices may require downtime to patch and reboot, so I doubt the patch would be applied during regular business hours. For general best practices, consider the following:

The U.S. Department of Justice (DoJ) has announced the conviction of Sercan Oyuntur, 40, a resident of California, for multiple counts relating to a phishing operation that caused $23.5 million in damages to the U.S., reports Bleeping Computer.

The headline itself is almost unbelievable to read: U.S. DoD tricked into paying $23.5M to a phishing actor. But, as the saying goes, “it’s not a matter of if, it’s just a matter of when” as it relates to a business experiencing some sort of cyberattack, be it phishing, ransomware, data exfiltration/cyber espionage, data destruction (and the list goes on).

I think the consensus would be that the DoD would have the best tools and people to thwart cyberattacks against their systems, and while that may be true, the reality is that phishing scams have always and will continue to rely on humans, who are fallible.

The phishing operation as explained in the article appears to be quite simple in some respects and sophisticated in others. The attacker was able to carry out the following:

A pre-authenticated remote code execution vulnerability has been disclosed in dotCMS, an open-source content management system written in Java and “used by over 10,000 clients in over 70 countries around the globe, from Fortune 500 brands and mid-sized businesses,” describes The Hacker News. 

dotCMS is subject to a code execution vulnerability that chains a directory traversal with a file upload flaw. An attacker could upload a malicious file that gives them a shell on an affected system; exploiting the issue involves overwriting files in order to place the web shell. The vendor has released versions 22.03, 5.3.8.10, and 21.06.7 to fix this issue.

An unpatched Domain Name System (DNS) bug in a popular standard C library can allow attackers to mount DNS poisoning attacks, researchers have found. Threat Post notes that this bug could affect millions of IoT devices and routers, potentially letting attackers take control of them.

The growing number of Internet of Things devices in our daily lives comes with increased vulnerability. An example of this is the unpatched DNS bug that affects routers and IoT devices that use the C standard libraries uClibc and uClibc-ng. A flaw in the libraries makes DNS transaction IDs predictable, and an attacker who can predict the transaction ID and win the race against the legitimate response can carry out a DNS poisoning attack. There is currently no fix for this bug.
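To make the transaction-ID weakness concrete, here is an added example (not from the article, Threat Post or the uClibc project) that extracts the 16-bit TXID from DNS query headers and flags a resolver whose IDs step by a small constant, the kind of check a defender can run over queries captured leaving a device. The packets are constructed inline to imitate both a sequential and a randomised resolver.

```python
import struct
from collections import Counter

# Constructed sample traffic (not real captures): 12-byte DNS query headers.
# The first set imitates a resolver that hands out sequential transaction IDs,
# the second a resolver that randomises them. Flags = 0x0100 (standard query,
# recursion desired), QDCOUNT = 1, other counts 0.
def _header(txid: int) -> bytes:
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)

SEQUENTIAL_QUERIES = [_header(t) for t in range(0x1234, 0x1234 + 8)]
RANDOM_QUERIES = [_header(t) for t in
                  (0x9A3F, 0x02C1, 0xE77D, 0x5B08, 0xC4A2, 0x1F96, 0x7E53, 0xA0D4)]


def txid(packet: bytes) -> int:
    """Return the transaction ID: the first 16-bit big-endian field of a DNS header."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", packet[:2])[0]


def is_predictable(packets, max_step: int = 4, min_ratio: float = 0.8) -> bool:
    """Heuristic: True when most consecutive TXIDs differ by the same small step.

    A resolver whose IDs step by a constant (0 = repeated, 1 = incrementing)
    lets a spoofer guess the next ID instead of searching all 65536 values,
    which is what turns the race described above into a practical attack.
    """
    ids = [txid(p) for p in packets]
    if len(ids) < 3:
        return False  # too few samples to judge
    steps = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]  # wrap at 16 bits
    step, count = Counter(steps).most_common(1)[0]
    return step <= max_step and count >= min_ratio * len(steps)


if __name__ == "__main__":
    for name, pkts in (("sequential", SEQUENTIAL_QUERIES), ("random", RANDOM_QUERIES)):
        print(f"{name}: TXIDs={[hex(txid(p)) for p in pkts]} "
              f"predictable={is_predictable(pkts)}")
```

In practice, feed it the UDP payloads of outbound port-53 queries captured from the device under test; a resolver that passes this check may still be weak if its source port is fixed, which the heuristic does not examine.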

Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.
