Microsoft Patches Critical ‘NSACrypt’ flaw reported by NSA

Software giant Microsoft has released security patches for 49 vulnerabilities as part of the January 2020 Patch Tuesday. Of these, 7 have been rated as ‘Critical’ on CVSS score. By far one of the most notable vulnerabilities is a flaw that was first reported by the National Security Agency (NSA). The flaw, dubbed ‘NSACrypt’ or ‘Windows CryptoAPI Spoofing’, is believed to affect millions of Windows 10 computers. According to the security advisory published by Microsoft, the flaw resides in the Crypt32.dll module, which contains various ‘Certificate and Cryptographic Messaging functions’ used by the Windows Crypto API for data encryption. An attacker can exploit the flaw to spoof legitimate software, potentially making it easier to run malicious software on a vulnerable computer.

 

Sneaky Phishing Technique is tricking Employees into installing Malware

Security researchers are warning users about the increase in a particular phishing technique that tricks unsuspecting employees into performing malicious activities. These can include installing malware, transferring money or handing over their login credentials. According to new research from Barracuda Networks, analysis of 500,000 emails shows that conversation-hijacking attacks rose by over 400% between July and November last year. Conversation-hijacking attacks are more sophisticated than regular phishing attacks. Hence they are impossible to spot. Therefore, users should pay attention to the email addresses in the thread to understand whether a message is suspicious or not. Users should also be wary of sudden demands for payments or transfers, and if there is any doubt about the origin of a request, they should contact the person requesting it.

 

Cybercriminals Leverage Microsoft Sway in a Phishing Attack

A new report has revealed that attackers are exploiting Microsoft Sway to send phishing emails to unsuspecting users. Microsoft Sway is an app that is available on the Web and Windows 10. The app lets the user create presentations, newsletters, and documents complete with photos, videos, and other media. The phishing attack also affects organisations that do not use the software. By creating and posting a Sway page on sway[.]office[.]com, criminals can devise landing pages that look legitimate but actually carry malicious content. Since the pages are hosted on Microsoft’s own Sway domain, it becomes quite easy for the phishing pages and their links to be automatically trusted by URL filters. In this way, users are fooled into thinking that the phishing pages and URLs are valid. This is not the first time Sway has been identified as a tool for conducting phishing attacks. In 2018, Forcepoint Security Labs reported a similar phishing attack leveraging Microsoft Sway. The attackers were using the novel method to distribute malicious links hosted through the legitimate ‘sway.office.com’.
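The filter behaviour described above can be shown in a short sketch. This is an added example, not code from the report or from any URL-filtering product: the suffix allowlist, the user-content host set, the function names and the sample URLs are all assumptions constructed for illustration. It contrasts a filter that trusts every host under a vendor's domain with one that still sends user-publishable hosts such as sway.office.com to content inspection.

```python
from urllib.parse import urlsplit

# Assumed policy data for illustration; not taken from any real product.
TRUSTED_SUFFIXES = ("office.com", "microsoft.com")
# Hosts under trusted domains where any account holder can publish a page.
USER_CONTENT_HOSTS = {"sway.office.com"}


def _host(url):
    """Lower-cased hostname without a trailing dot, or '' if absent."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def _under(host, suffix):
    """True only for the suffix itself or a real subdomain of it."""
    return host == suffix or host.endswith("." + suffix)


def naive_verdict(url):
    """Trust-by-domain filter: anything under a trusted suffix is allowed."""
    host = _host(url)
    return "allow" if any(_under(host, s) for s in TRUSTED_SUFFIXES) else "inspect"


def hardened_verdict(url):
    """Same allowlist, but user-content hosts are never trusted on domain alone."""
    host = _host(url)
    if host in USER_CONTENT_HOSTS:
        return "inspect"
    return "allow" if any(_under(host, s) for s in TRUSTED_SUFFIXES) else "inspect"


# Constructed sample URLs (paths are made up).
SAMPLE_URLS = [
    "https://sway.office.com/ExamplePageId",
    "https://www.office.com/",
    "https://office.com.example.net/login",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u:45} naive={naive_verdict(u):8} hardened={hardened_verdict(u)}")
```
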

 

Researchers find 8 critical risks in Android’s VoIP components

A group of Chinese researchers recently revealed the findings of its pathbreaking investigation into Android’s voice-over-internet-protocol (VoIP) components, which had eight critical risks affecting everyone on the planet. Cybercriminals could exploit the vulnerabilities to transfer calls without the recipient’s knowledge, spoof caller IDs, crash VoIP devices and run malicious code on a victim’s device. Many businesses and organisations are transitioning to a VoIP phone system, hence it is important to know the threats. Of the eight cybersecurity risks the team found, six were remotely exploitable issues. The good news is that Google has fixed many of the above vulnerabilities. The above-listed vulnerabilities could have enormous security consequences, first for telecoms and then for users.


Google researchers publish technical details of critical iMessage vulnerability

Google Project Zero security researchers have published technical details on the critical iMessage vulnerability that was addressed last year. Tracked as CVE-2019-8641, the vulnerability is considered ‘critical’ and has a CVSS score of 9.8. The vulnerability only affects devices that are running iOS 12 or later versions. It could be exploited by a remote attacker to cause unexpected application termination or arbitrary code execution. Giving further details on the exploitation process, one of the security researchers says that the flaw can allow an attacker who knows the user’s Apple ID (mobile phone number or email address) to gain control over an iOS device within a few minutes. This would further allow the attacker to exfiltrate files, passwords, authentication codes, emails, SMS messages, and other data. Moreover, they could spy on the user using the device’s microphone and camera, all without user interaction or any visual indicator. Apple has addressed the vulnerability with the release of iOS 12.4.2 for iPhone 5S, iPhone 6, iPhone 6 Plus, iPad Air, iPad Mini 2, iPad Mini 3, and iPod Touch 6th generation. The vulnerability has also been patched in macOS Mojave 10.14.6, watchOS 5.3.2, and tvOS 12.4.

 

Edited and compiled by cyber security specialist James Aguilan.