by Richard Beck

Here is our cyber security news round-up of the week:

Newcastle University attacked

UK research university Newcastle University says it will take several weeks to get IT services back online after DoppelPaymer ransomware operators breached its network and took systems offline on the morning of 30 August. The attack is being investigated by the police and the National Crime Agency in cooperation with the Newcastle University IT Service (NUIT). The university said:

"On Sunday 30 August 2020, we became aware that the University had suffered a serious cyber incident which is causing operational disruption across our networks and IT systems. All University systems - with the exceptions of those listed in the communications (Office365 – including email and Teams, Canvas and Zoom) are either unavailable or available but with limitations."

Currently, many of its IT services are still offline and will remain down "for the duration", while those that are operating could be taken down without notice during the recovery efforts. The university advised students and staff to copy essential files from the university shared drive to their OneDrive accounts. The university hasn't yet decided if account passwords will also be reset but it says that it may do so based on recommendations from internal support teams and third-party consultants.

The investigation into the incident is still at an early stage. A spokesperson for Newcastle University explained:

"The nature of the problem means this will be an on-going situation for some time and it will take several weeks to address. IT colleagues continue to work hard on the systems recovery plan and to support the Police and the National Crime Agency with their enquiries. However, we will not be able to share further detail on the incident until this initial investigation has concluded. The ICO and Office for Students were notified within 72 hours of the cyber incident being detected."

While Newcastle University has only said that it suffered a cyber attack, the DoppelPaymer ransomware operators are claiming responsibility. They have also published 750KB of stolen data as proof on their data leak site, Dopple Leaks, a tactic borrowed from the Maze ransomware group that DoppelPaymer has used since February 2020.

Cisco Jabber security flaw

An attacker can execute remote code with no user interaction, thanks to CVE-2020-3495. Researchers are warning of a critical remote code-execution (RCE) flaw in the Windows version of Cisco Jabber, the networking company’s video-conferencing and instant-messaging application.

Attackers can exploit the flaw merely by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages to vulnerable end-user systems running Cisco Jabber for Windows. No user interaction is required on the part of the targeted victim, and the vulnerability can be exploited even when Cisco Jabber is running in the background.

The flaw (CVE-2020-3495) has a CVSS score of 9.9 out of 10, making it critical in severity, Cisco said in a Wednesday advisory. Researchers who discovered the flaw said that with remote workforces surging during the coronavirus pandemic, the implications of the vulnerability are especially serious. They state:

“Given their newfound prevalence in organizations of all sizes, these applications are becoming an increasingly attractive target for attackers. A lot of sensitive information is shared through video calls or instant messages, and the applications are used by the majority of employees, including those with privileged access to other IT systems.”

The issue stems from Cisco Jabber improperly validating message contents; the application does not properly sanitise incoming HTML messages. It instead passes the messages through a flawed cross-site scripting (XSS) filter. Systems using Cisco Jabber in phone-only mode (without XMPP messaging services enabled) are not vulnerable to exploitation, Cisco’s advisory said. In addition, the vulnerability is not exploitable when Cisco Jabber is configured to use messaging services other than XMPP messaging.
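The difference between a fixed-pattern "XSS filter" and treating untrusted input as text is easier to see in code. The snippet below is an added example written for this round-up; it is not Cisco's filter and does not reproduce the Jabber bypass, which the advisory does not detail. It pits a generic blocklist (strip script tags and whitespace-prefixed on*= attributes) against output encoding, runs constructed payloads through both, and reports which payloads each approach lets through.

```python
import html
import re

# Added example (not Cisco's code): a fixed-pattern filter of the kind that
# strips what it recognises and passes everything else through, next to output
# encoding, which never tries to recognise hostile markup at all.

# Blocklist: remove <script ...> / </script> tags and whitespace-prefixed
# on*= event-handler attributes. Every other construct is trusted.
_BLOCKLIST = (
    re.compile(r"<\s*/?\s*script\b[^>]*>", re.I),
    re.compile(r"\son[a-z]+\s*=", re.I),
)

# Crude oracle for the demo: does the rendered string still hold a tag with an
# event handler or a javascript: URL, or a <script opener?
_ACTIVE = re.compile(r"<[^>]*(?:[\s/]on[a-z]+\s*=|javascript:)|<script", re.I)


def blocklist_filter(message: str) -> str:
    """Remove the patterns we thought of. Anything we did not anticipate survives."""
    for pattern in _BLOCKLIST:
        message = pattern.sub("", message)
    return message


def escape_for_html(message: str) -> str:
    """Treat the message as text: <, >, &, " and ' are encoded, so nothing becomes markup."""
    return html.escape(message, quote=True)


def still_active(rendered: str) -> bool:
    return _ACTIVE.search(rendered) is not None


# Constructed payloads for the demo (not taken from the Jabber advisory).
PAYLOADS = {
    "plain_script": "<script>alert(1)</script>",
    "spaced_handler": "<img src=x onerror=alert(1)>",
    # '/' separates attributes too, so there is no whitespace for \s to match
    "slash_separator": "<img/src=x/onerror=alert(1)>",
    # no on*= and no <script>: nothing on the list applies
    "javascript_url": '<a href="javascript:alert(1)">click</a>',
    # removing the inner tag reassembles a <script> opener in a single pass
    "nested_tag": "<scr<script>ipt>alert(1)</script>",
}


def blocklist_survivors() -> set[str]:
    """Names of payloads still active after the blocklist filter."""
    return {name for name, p in PAYLOADS.items() if still_active(blocklist_filter(p))}


def escaping_survivors() -> set[str]:
    """Names of payloads still active after output encoding."""
    return {name for name, p in PAYLOADS.items() if still_active(escape_for_html(p))}


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:16} blocklist -> {blocklist_filter(payload)!r}")
        print(f"{'':16} escaped   -> {escape_for_html(payload)!r}")
    print("beat the blocklist:", sorted(blocklist_survivors()))
    print("beat escaping:     ", sorted(escaping_survivors()))
```

The three survivors are the usual blocklist failure modes: an attribute separator the regex did not expect, a vector (javascript: URLs) that was never on the list, and a nested tag that the filter reassembles into a live one. Escaping has no list to fall behind. Where a client genuinely needs rich text, the replacement is an allowlist-based HTML sanitiser that parses the markup, not a longer blocklist; in a desktop client that renders messages in an embedded browser, any script that survives runs with whatever the embedding exposes, which is the path by which an XSS in such a client can become code execution.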

The vulnerability affects all currently supported versions of the Cisco Jabber for Windows client (12.1 to 12.9). Cisco has released fixed software for each affected release.

Outlook credential-stealing campaign

Researchers discovered a phishing campaign that uses overlay screens and ‘quarantine policy' emails to steal Microsoft Outlook credentials from their targets. The overlay screens are displayed on top of legitimate webpages to trick victims into providing their credentials.

“Message quarantine phish are back, this time with a new tactic utilising the targeted company’s homepage as part of the attack. Researchers have identified this campaign which attempts to steal employee credentials by posing as a message quarantine email,” reads the analysis.

Further analysis determined that the page shown is actually the company's website home page with a fake login panel covering it. Displaying a familiar page gives the employee a greater level of comfort, and the page behind the overlay can still be interacted with by moving outside the panel, showing that it is the real site they have seen and used before, the analysis states. The overlay itself prompts the user to sign in to access the company account.

The credentials entered by employees are sent to the attackers. Each malicious link in this campaign carries parameters that determine which page to pull and overlay the fake login on top of. Depending on which company the threat actor is targeting, the link also populates the address of the original recipient of the email, the report concludes.
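One way to catch such links at the mail gateway is to look for the two template parameters the report describes: the page to pull under the overlay and the recipient address to pre-fill. The Python below is an added example for this round-up, not code from the researchers. The URLs, recipient and company domain are constructed, the parameter names are arbitrary, and values are checked both raw and base64-decoded because kits commonly encode them.

```python
import base64
from urllib.parse import parse_qsl, urlsplit

# Added example, not from the original analysis. Scores a link from a
# "quarantine" e-mail for the traits of an overlay-phish template: it is not
# hosted on the company's domain, one parameter names the company page to pull
# under the overlay, and one parameter carries the recipient's address.


def _decodings(value: str):
    """Yield the raw value and, if it is valid (url-safe or standard) base64, its decoded text."""
    yield value
    try:
        std = value.replace("-", "+").replace("_", "/")
        padded = std + "=" * (-len(std) % 4)
        yield base64.b64decode(padded, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return


def _is_company_host(host: str, company_domain: str) -> bool:
    return host == company_domain or host.endswith("." + company_domain)


def link_indicators(url: str, recipient: str, company_domain: str) -> list[str]:
    """Return human-readable reasons this link looks like an overlay-phish template."""
    reasons = []
    parts = urlsplit(url)
    link_host = (parts.hostname or "").lower()
    if link_host and not _is_company_host(link_host, company_domain):
        reasons.append(f"link is hosted on {link_host}, not {company_domain}")

    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        for value in _decodings(raw):
            lowered = value.lower()
            if recipient and recipient.lower() in lowered:
                reasons.append(f"parameter {key!r} carries the recipient address")
            if lowered.startswith(("http://", "https://")):
                target = (urlsplit(value).hostname or "").lower()
                if _is_company_host(target, company_domain):
                    reasons.append(f"parameter {key!r} names the company's own page ({target}) to pull under the overlay")
                elif target and target != link_host:
                    reasons.append(f"parameter {key!r} embeds a URL to a third host ({target})")
    return reasons


# Constructed sample data for the demo.
RECIPIENT = "jane.doe@example-corp.com"
COMPANY_DOMAIN = "example-corp.com"


def _b64(text: str) -> str:
    return base64.urlsafe_b64encode(text.encode()).decode()


SAMPLE_LINKS = {
    # template with plain, percent-encoded parameters
    "quarantine_plain": (
        "https://msg-quarantine.example.net/review"
        "?page=https%3A%2F%2Fwww.example-corp.com%2F&user=jane.doe%40example-corp.com"
    ),
    # same template with base64-encoded parameters
    "quarantine_b64": (
        "https://msg-quarantine.example.net/review"
        f"?p={_b64('https://www.example-corp.com/')}&u={_b64('jane.doe@example-corp.com')}"
    ),
    # a real quarantine portal on the company's own domain
    "legit_portal": "https://mail.example-corp.com/quarantine?id=48213",
}


def scan_links() -> dict[str, list[str]]:
    return {name: link_indicators(url, RECIPIENT, COMPANY_DOMAIN) for name, url in SAMPLE_LINKS.items()}


if __name__ == "__main__":
    for name, reasons in scan_links().items():
        print(name, "->", reasons or "no indicators")
```

Any one indicator alone is weak (marketing links carry e-mail addresses too), but a recipient address and a company URL together in the query string of a link on a third-party host is exactly the template the report describes, and is a reasonable trigger for quarantine or rewriting.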

WhatsApp addressed six previously undisclosed flaws

WhatsApp has addressed six previously undisclosed flaws in its app and disclosed them on a new dedicated security advisory website. The company has committed to more transparency about vulnerabilities affecting its app and will disclose them publicly to users. Some of the vulnerabilities were reported through the Facebook bug bounty programme, while the others were found during internal code reviews. Several of them could have been exploited by remote attackers.

One of the flaws, tracked as CVE-2020-1894, is a stack write overflow that could have allowed arbitrary code execution when playing a specially crafted push-to-talk message. The vulnerability affects WhatsApp for Android prior to v2.20.35, WhatsApp Business for Android prior to v2.20.20, WhatsApp for iPhone prior to v2.20.30, and WhatsApp Business for iPhone prior to v2.20.30.

Another flaw, tracked as CVE-2020-1891, is an out-of-bounds write on 32-bit devices. The bug affects WhatsApp for Android prior to v2.20.17, WhatsApp Business for Android prior to v2.20.7, WhatsApp for iPhone prior to v2.20.20, and WhatsApp Business for iPhone prior to v2.20.20.

The third flaw, tracked as CVE-2020-1890, is a URL-validation issue that could have caused the recipient of a sticker message containing deliberately malformed data to load an image from a sender-controlled URL without user interaction. The vulnerability affects the Android versions of WhatsApp and WhatsApp Business.

The remaining bugs are:

  • A security feature bypass issue, tracked as CVE-2020-1889, that affects Desktop versions prior to v0.3.4932.
  • A buffer overflow, tracked as CVE-2020-1886, that resides in WhatsApp for Android prior to v2.20.11 and WhatsApp Business for Android prior to v2.20.2.
  • An input validation issue, tracked as CVE-2019-11928, that resides in Desktop versions prior to v0.3.4932.

The company said that five of the six flaws were patched immediately after their discovery; the sixth was addressed within a few days of being reported.

Remote Access Trojan (RAT) targeting fintech sector

An adversary known for targeting the fintech sector since at least 2018 has switched up its tactics to include a new Python-based remote access Trojan (RAT) that can steal passwords, documents, browser cookies, email credentials, and other sensitive information.

In an analysis published yesterday, researchers report that the Evilnum group has not only tweaked its infection chain but has also deployed a Python RAT called "PyVil RAT", which can gather information, take screenshots, capture keystrokes, open an SSH shell and deploy new tools. The cyber-security firm says:

"Since the first reports in 2018 through today, the group's TTPs have evolved with different tools while the group has continued to focus on fintech targets. These variations include a change in the chain of infection and persistence, new infrastructure that is expanding over time, and the use of a new Python-scripted Remote Access Trojan (RAT) to spy on its infected targets."

Over the last two years, Evilnum has been linked to several malware campaigns against companies across the UK and EU involving backdoors written in JavaScript and C# as well as through tools bought from the Malware-as-a-Service provider Golden Chickens. Back in July, the APT group was found targeting companies with spear-phishing emails that contain a link to a ZIP file hosted on Google Drive to steal software licenses, customer credit card information, and investments and trading documents.

While the method of gaining an initial foothold remains the same, the infection procedure has undergone a major shift. The group still uses spear-phishing emails with fake know your customer (KYC) documents to trick finance-industry employees into triggering the malware, but it has moved away from JavaScript Trojans with backdoor capabilities to a bare-bones JavaScript dropper that delivers payloads hidden in modified versions of legitimate executables, in an attempt to escape detection.

"This JavaScript is the first stage in this new infection chain, culminating with the delivery of the payload, a Python-written RAT compiled with py2exe that Nocturnus researchers dubbed PyVil RAT," the researchers said.

WordPress security: Zero-day flaw in File Manager plugin actively exploited

Some 700,000 WordPress sites are thought to be impacted by a remote code execution bug. Users of File Manager, a popular WordPress plugin, have been urged to update to the latest version amid the active exploitation of a critical zero-day vulnerability. The remote code execution (RCE) flaw, which was assigned the highest possible CVSS score of 10, allows unauthenticated attackers to execute arbitrary code and upload malicious files on vulnerable websites.

The flaw was unearthed by Ville Korhonen, systems team lead at Finnish WordPress hosting company Seravo, who documented the discovery in a blog post. “An attacker could potentially do whatever they choose to – steal private data, destroy the site or use the website to mount further attacks on other sites or the infrastructure,” said Korhonen.

Wordfence's web application firewall has blocked over 450,000 exploit attempts targeting the vulnerability in recent days, according to a blog post published by the WordPress security outfit on 1 September. Attackers appear to be probing for the flaw by attempting to upload empty files, the company said. The vulnerability lies in elFinder, the open-source file manager library used by the plugin.
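For a site owner, the practical question is whether anyone hit the connector before the update landed. The script below is an added example for this round-up, not Wordfence's or Seravo's tooling. It scans access-log lines in Apache combined format for direct requests to the plugin's PHP connector and for readme.txt version probes, and tallies them per source address. The plugin directory and connector file name are assumptions for the demo, and the log lines are constructed.

```python
import re
from collections import Counter
from typing import Optional

# Added example, not from Wordfence or Seravo. Flags direct requests to a
# WordPress plugin's PHP connector in combined-format access logs. The plugin
# directory and connector file name are assumptions for the demo.

PLUGIN_DIR = "/wp-content/plugins/wp-file-manager/"   # assumed install path of the plugin
CONNECTOR = re.compile(r"^connector\S*\.php$", re.I)  # assumed elFinder connector name pattern

_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for anything that does not match."""
    m = _LOG_LINE.match(line)
    if not m:
        return None
    path = m["target"].split("?", 1)[0]      # drop the query string
    return {"ip": m["ip"], "method": m["method"], "path": path, "status": int(m["status"])}


def classify(req: dict) -> Optional[str]:
    """recon: readme.txt version probe; probe: GET on the connector; attempt: POST on the connector."""
    path = req["path"]
    if not path.startswith(PLUGIN_DIR):
        return None
    if path.endswith("/readme.txt"):
        return "recon"                       # scanners read readme.txt to learn the installed version
    basename = path.rsplit("/", 1)[-1]
    if CONNECTOR.match(basename):
        return "attempt" if req["method"] == "POST" else "probe"
    return None                              # js/css assets under the plugin dir are normal traffic


def flag_requests(log_text: str) -> list[dict]:
    hits = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        severity = classify(req)
        if severity:
            hits.append({**req, "severity": severity})
    return hits


def hits_per_ip(hits: list[dict]) -> dict[str, int]:
    return dict(Counter(h["ip"] for h in hits))


# Constructed log lines (documentation IP ranges); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2020:10:15:32 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 200 3511 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Sep/2020:10:15:33 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 145 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Sep/2020:10:16:01 +0000] "GET /wp-content/plugins/wp-file-manager/lib/js/elfinder.min.js HTTP/1.1" 200 90122 "https://blog.example/wp-admin/" "Mozilla/5.0"
192.0.2.44 - - [01/Sep/2020:10:16:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "https://blog.example/wp-admin/" "Mozilla/5.0"
198.51.100.23 - - [01/Sep/2020:10:17:45 +0000] "GET /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=open HTTP/1.1" 404 0 "-" "python-requests/2.24.0"
this line is not in combined log format and is skipped
"""

if __name__ == "__main__":
    hits = flag_requests(SAMPLE_LOG)
    for h in hits:
        print(f"{h['severity']:8} {h['ip']:15} {h['method']:4} {h['status']} {h['path']}")
    print("per source:", hits_per_ip(hits))
```

Request bodies are not in the access log, so the empty-file uploads Wordfence observed appear only as POSTs to the connector; the payload itself has to come from the web application firewall or PHP logs. Any "attempt" that returned 200 before the plugin was updated warrants a look at files recently created or modified under the plugin directory, and a check that the connector is no longer reachable without authentication.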

The vulnerability is present in File Manager versions 6.0 to 6.8 and was patched in version 6.9, which the plugin's developer, Canada-based Webdesi9, released a few hours after being alerted to the flaw by Seravo. Wordfence also warned that, beyond the zero-day, a plugin of this kind lets an attacker who already has dashboard access manipulate or upload files "directly from the WordPress dashboard, potentially allowing them to escalate privileges once in the site's admin area."

“For example, an attacker could gain access to the admin area of the site using a compromised password, then access this plugin and upload a webshell to do further enumeration of the server and potentially escalate their attack using another exploit.”

Wordfence therefore recommends that users uninstall utility plugins “when they are not in use, so that they do not create an easy intrusion vector for attackers to escalate their privileges”.

New White House principles to protect cyber assets in space

A new set of cybersecurity principles was recently issued by the White House to protect its commercial and critical infrastructure investments in space. The short document states:

“The United States considers unfettered freedom to operate in space vital to advancing the security, economic prosperity, and scientific knowledge of the Nation.”

The move reflects the country's growing reliance on digital services and technologies delivered by satellite, and a White House focus that now extends beyond military operations in space. The concern is the effect of cyber attacks on the range of services delivered by satellite, for example the Global Positioning System (GPS), which is critical to military activities as well as to everyday civilian use.

Space Policy Directive 5 sets out a list of recommended best practices for keeping the information systems, networks and "radio-frequency-dependent wireless communication channels" that together power US space systems secure. Among the recommended principles is the use of "risk-based, cyber-security-informed engineering" to develop and operate space systems, with continuous monitoring for malicious activity and of system configurations.

Other elements intended to establish a good baseline of cybersecurity were also listed:

  1. Protection against unauthorised access to space vehicle functions
  2. Physical protection of command, control and telemetry receiver systems
  3. Measures to counter communications jamming and spoofing
  4. Management of supply chain risks and improved collaboration between space system owners

Edited and compiled by QA's Director of Cyber, Richard Beck.
