SSH client PuTTY contained serious key exchange flaw

Popular SSH client PuTTY was found to have a critical bug that could allow MITM attacks. The flaw, designated as vuln-dss-verify, primarily affects DSA signature checking and can provide the attacker an opportunity to bypass signature checks. Apparently, vuln-dss-verify was evident only on PuTTY’s development builds created in 2019. The vulnerability was discovered by researcher Filipe Casal as part of a bug bounty program under EU-FOSSA project. Vulnerable versions of PuTTY had a fixed signature that allowed attackers to easily bypass signature checks. All the release versions of PuTTY (including 0.70) other than development builds were unaffected by the bug. Only development snapshot builds from us dated 2019, before 2019-02-11, are affected. In addition, PuTTY with no DSA host keys cached on the OS also remained unaffected. Simon Tatham, the creator of the free SSH client, shed light on how the bug could be disastrous. Tatham’s post also mentions that the flaw is fixed in the latest version 0.71 of PuTTY. On the other hand, this version also fixes other issues such as buffer overflow errors observable on Windows and Unix operating systems.

Gnosticplayers is now selling another 26 million user records on the Dark Web

Gnosticplayers, the infamous hacker who exposed and sold millions of user records in early 2019, has yet again come out with a new batch of user records for sale. This fresh wave of user data dump contains over 26 million records which belong to customers of six companies across the world. According to ZDNet, the six companies impacted are GameSalad, Estante Virtual, Coubic, LifeBear, Bukalapak, and YouthManual. The largest number of user records (13.2 million) leaked was from Bukalapak, an Indonesian e-commerce company, while the smallest portion (1.12 million) of the dump was from YouthManual, a website aimed to help Indonesian students in their career. GameSalad, Estante Virtual, Coubic, and LifeBear each leaked 1.5, 5.45, 1.5 and 3.86 million records respectively.Gnosticplayers cites poor security implementations by these companies as the reason for their breaches. This is the fourth in a series of user record dumps put up for sale by the same individual. The first batch contained 620 million user records, while the second and third batches contained 127 million and 93 million records respectively. Though the data released by the hacker mostly contains records from previous breaches, the combined sale of such a large amount of data means other cybercriminals could leverage it for future credential stuffing attacks, leading to further damage. 

A new Monero mining campaign found targeting organizations across the globe

A new Monero mining campaign has been spotted in the wild. The operation and propagation techniques are similar to the ransomware attacks. Check Point researchers found that the mining operations have been active since January 2019. The campaign uses two specific trojans - Trojan.Win32.Fsysna and a variant of Monero mining malware - to further the attack process. Although it is unclear as to how the initial infection of an unprotected PC in a network occurs, researchers claim that the malware utilizes Mimikatz to spread through unpatched network systems. Once installed, the trojan uses Windows’ default Taskkill application to kill older versions of itself that are running on the machine. This enables the malware to gain persistence over the infected system. “It additionally uses the WMI application to stop other processes that running from Windows Temp folder and have names as its payload,” Check Point researchers added. The new variant of Monero miner leverages legitimate IT admin tools, Windows system tools and previously disclosed Windows vulnerabilities to spread across the network of an organization. Researchers point out that the use of Windows legitimate tools such as CMD, WMI and networking tools in order to inflict damage and establish persistence would make it harder for organizations to detect such attacks.

New Mirai variant leverages 11 new exploits and targets smart signage TVs and wireless presentation systems

In January 2019, Unit 42 discovered a new variant of the Mirai botnet that targets devices like routers, network storage devices, NVRs, and IP cameras using numerous exploits. In addition to that, this new variant now uses 11 new exploits and targets LG Supersign TVs and WePresent WiPG-1000 wireless presentation systems. With the 11 new exploits, this Mirai variant uses a total of 27 exploits to target devices. This new variant also includes new credentials to use in brute force attacks against devices. This new Mirai variant can use the same encryption scheme as is characteristic of Mirai with a table key of 0xbeafdead. It uses unusual default credentials for brute force such as admin:huigu309, root:huigu309, CRAFTSPERSON:ALC#FGU, and root:videoflow. Apart from scanning for other vulnerable devices, this new variant can also be commanded to send out HTTP Flood DDoS attack.

“These new features afford the botnet a large attack surface. In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks,” researchers said. Researchers recommend organizations to be aware of the IoT devices on their networks and ensure that all devices are updated to the latest patched versions.

Encrypted traffic from Netflix can reveal user choices as per new study

A new research study has shown how interactive movies such as Netflix’s Bandersnatch could expose sensitive data from encrypted traffic. Academics from the Indian Institute of Technology, Madras (IITM) studies the possibility of sensitive information being leaked from streaming movies that needed user interaction. Their research involved exploring various interactive segments from the recently released Black Mirror Bandersnatch movie for traffic analysis. Each interactive segment is initiated by the user to progress with a storyline based on choices presented to them. The user’s browser or app sends JSON files to the Netflix server whenever it encounters subsequent segments. From the study, it was shown that packets containing these encrypted JSON files could be distinguished by their SSL record lengths visible in the encrypted traffic. This flaw was observed to occur in many cases regardless of browsers, operating systems or the network connection. The research also captured the behavioral state of viewers who participated in the study. In the paper, the academics highlight that the ‘SSL record lengths of client packets’ acted as the side channel to infer user choices when watching Bandersnatch. This is done to gain any insights on the users from the encrypted traffic. The IITM researchers suggested that, “An easy fix for the problem would be to either split the JSON file or to compress it so that it becomes indistinguishable." "However, there could be timing side-channels that may still exist even after this fix,” the researchers added.

Severe Java bugs found in IBM Watson and its components

Watson, IBM’s trademark artificial intelligence (AI) system, was found to be riddled with critical security vulnerabilities in its platform. The bugs were identified in the IBM Runtime Environment Java Technology Edition, which is used by Watson Explorer and Content Analytics. IBM has addressed the five vulnerabilities by providing a fix to all the affected components. The Java components with vulnerabilities were JRockit Libraries, JRockit LDAP, JRockit JNDI, and I18n. These flaws could enable attackers to steal sensitive information, conduct denial of service attacks and have control over the infected systems. They are designated as CVE-2018-2579, CVE-2018-2588, CVE-2018-2602, CVE-2018-2603, and CVE-2018-2633. CVE-2018-2633 was the most severe among the identified vulnerabilities, which would allow cybercriminals to completely take over Watson. “An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JNDI component could allow an unauthenticated attacker to take control of the system.” described the bulletin. Altogether, 18 IBM Watson products were discovered to be affected. Following the disclosure of the security flaws, IBM released updates for the affected components. Users are advised to upgrade to the required version of IBM Java Runtime to remediate the five vulnerabilities.


Visit for more information on how QA can help solve the Cyber Security skills gap and subscribe to Cyber Pulse.


Useful links

Cyber Pulse: Edition 57

Cyber Pulse: Edition 56

Cyber Pulse: Edition 55

Cyber Pulse: Edition 54

Cyber Pulse: Edition 53

Cyber Pulse: Edition 52

Cyber Pulse: Edition 51

Cyber Pulse: Edition 50

Cyber Pulse: Edition 49

Cyber Pulse: Edition 48