Cyber Pulse: Edition 144 | 5 February 2021

Here is our cyber security news round-up of the week:

Microsoft Office 365 attacks sparked from Google Firebase

A phishing campaign bent on stealing Microsoft login credentials is using Google Firebase to bypass email security measures in Microsoft Office 365, researchers said. Researchers at Armorblox uncovered invoice-themed emails sent to at least 20,000 mailboxes that purport to share information about an electronic funds transfer (EFT) payment. The emails carry a fairly vanilla subject line, “TRANSFER OF PAYMENT NOTICE FOR INVOICE”, and contain a link to download an “invoice” from the cloud.

Clicking that link begins a series of redirects that eventually takes targets to a page with Microsoft Office branding that’s hosted on Google Firebase. That page is, of course, a phishing page, bent on harvesting Microsoft log-in information, secondary email addresses and phone numbers. Armorblox researcher Rajat Upadhyaya, explained in a blog on Thursday: “Opening an HTML file loads an iframe with Office 365 branding. The page displays a thumbnail along with a link to view the invoice.”

Clicking the thumbnail or “View File” link leads to the final phishing page, asking victims to log in with their Microsoft credentials, and asks them to provide alternate email addresses or phone numbers – an effort to collect data that could be used to get around two-factor authentication (2FA) or account recovery mechanisms. After the details are loaded, the login portal reloads with an error message, asking the user to enter correct details. The campaign is perhaps most notable for the bevvy of tactics employed to avoid email security defences. Interestingly, by hosting the phishing page HTML on Google Firebase, an inherently trusted domain, the emails were able to nip past built-in Microsoft security filters, including Exchange Online Protection (EOP) and Microsoft Defender for Office 365.

Open-source tool for hardening commonly used HMI/SCADA system

Otorio, a provider of OT security and digital risk management solutions, released an open-source tool designed for hardening the security of GE Digital’s CIMPLICITY, one of the most commonly used HMI/SCADA systems. Over the past several months, Otorio’s researchers worked closely with GE Digital engineers to deliver a first-of-its-kind open-source tool designed to identify GE CIMPLICITY misconfigurations. The GE CIMPLICITY Hardening Tool verifies the security configuration of different CIMPLICITY components and helps operational teams ensure that the highest security standards are maintained. As an example, the tool checks for proper configuration of IPsec, which ensures secure communication between the different CIMPLICITY components.

“The tool is simple to use and requires no cyber expertise,” noted Yuval Ardon, Security Researcher at Otorio.

The company made sure to point out, though, that this new tool does not address all the possible misconfigurations or checks all of the security flaws that may arise in CIMPLICITY environments (like network segmentation of the network, for example). This marks the second open-source tool released by Otorio as part of the company’s ongoing commitment to empower industrial organisations’ security teams worldwide: in December 2020, the company released an open-source hardening tool for Siemens’ PCS 7 control systems.

Google patches an actively exploited Chrome zero-day

Google has released version 88.0.4324.150 of the Chrome browser for Windows, Mac and Linux. This release contains only one bugfix for a zero-day vulnerability that was exploited in the wild. The zero-day, which was assigned the identifier of CVE-2021-21148, was described as a "heap overflow" memory corruption bug in the V8 JavaScript engine. Google said the bug was exploited in attacks in the wild before a security researcher named Mattias Buelens reported the issue to its engineers on 24 January.

In a report on 28 January, Microsoft said that attackers most likely used a Chrome zero-day for their attacks. In a report published today, South Korean security firm said they discovered an Internet Explorer zero-day used for these attacks as well. Google did not say today if the CVE-2021-21148 zero-day was used in these attacks, although many security researchers believe it was so due to the proximity of the two events. But despite how this zero-day was exploited, regular users are advised to use Chrome's built-in update feature to upgrade their browser to the latest version as soon as possible. This can be found via the Chrome menu, Help option, and About Google Chrome section.

Security firm Stormshield discloses data breach, theft of source code

Stormshield, a major provider of security services and network security devices to the French government, said today that a threat actor gained access to one of its customer support portals and stole information on some of its clients. The company is also reporting that attackers managed to steal parts of the source code for the Stormshield Network Security (SNS) firewall, a product certified to be used in sensitive French government networks, as part of the intrusion. The company said it's investigating the incident with French cyber-security agency ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information), which is currently assessing the breach's impact on government systems.

"As of today, the in-depth analysis carried out with the support of the relevant authorities has not identified any evidence of illegitimate modification in the code, nor have any of the Stormshield products in operation been compromised," Stormshield said in a message posted earlier today on its website.

The Stormshield incident is currently being treated as a major security breach inside the French government. In its own press release, ANSSI officials said they've put Stormshield SNS and SNI products "under observation" for the duration of the investigation. But in addition to reviewing the SNS source code, Stormshield said it also took other steps to prevent other forms of attacks, in case the intruders had access to other parts of its infrastructure.

Fortinet SQL injection weakness exposed

The first vulnerability, tracked as CVE-2020-29015, is a blind SQL injection that resides in the FortiWeb user interface. The flaw could be exploited by an unauthorised attacker to remotely execute arbitrary SQL queries by sending a request with an authorisation header containing a malicious SQL command.

“A blind SQL injection in the user interface of FortiWeb may allow an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted authorization header containing a malicious SQL statement,” reads the advisory published by Fortinet.

The flaw received a CVSS score of 6.4/10, and the vendor recommends to update FortiWeb 6.3.x and 6.2.x to versions 6.3.8 and 6.2.4, respectively.  Researchers also found two stack buffer overflow issues tracked CVE-2020-29016 and CVE-2020-29019, and both received a CVS score of 6.4. The CVE-2020-29016 could be exploited by an unauthorised remote attacker to overwrite the content of the stack and execute arbitrary code by sending a request with a specially generated GET parameter certname. The fourth vulnerability, tracked as CVE-2020-29018, is a format string vulnerability that allows remote attackers to read the memory content, get sensitive data, and execute unauthorised code or commands using the redir parameter. The flaw received a CVSS score of 5.3, it has been addressed with the release of FortiWeb version 6.3.6.

Edited and compiled by QA's Director of Cyber, Richard Beck.

Subscribe to our weekly Cyber Pulse newsletter Find out about QA's extensive cyber-security courses