7 June 2019
NSA warns Microsoft Windows users of cyber-attack risk
After Microsoft warned Windows users on two separate occasions to patch a severe security flaw known as BlueKeep, the US National Security Agency has now echoed the OS maker's warning in the hope of avoiding another WannaCry-like incident. The NSA's alert, authored by the agency's Central Security Service division, concerns the security flaw known as BlueKeep (CVE-2019-0708). This vulnerability affects the Remote Desktop Protocol (RDP) service included in older versions of the Windows OS, such as Windows XP, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008. Microsoft released patches for all these operating systems on May 14, during the company's monthly Patch Tuesday event, but the company also warned that the vulnerability is extremely dangerous because it can be weaponized to create a self-spreading exploit. In its first warning on this matter, Microsoft likened BlueKeep to EternalBlue, the exploit at the heart of the self-spreading component used during WannaCry, NotPetya, and Bad Rabbit, the three ransomware outbreaks of 2017. Two weeks after Microsoft released fixes, the company issued a second warning after a security researcher found that system administrators were lagging behind in their patching. The security researcher found almost one million Windows computers that were vulnerable to BlueKeep attacks, a number he described as a lower bound of his estimate, since other computers could not be scanned because they were sitting inside closed networks.
Newly discovered RCE vulnerability in Exim impacts nearly half of the email servers
A critical remote command execution vulnerability has been found that impacts nearly half of all email servers. The vulnerability resides in Exim, a mail transfer agent that email servers use to relay messages from senders to recipients. According to security researchers from Qualys, the vulnerability exists in email servers that run Exim versions 4.87 to 4.91. The vulnerability has been identified as CVE-2019-10149 and can let an attacker run malicious commands on the Exim server as root. Researchers note that the vulnerability can be instantly exploited by a local attacker, even one with only low-privileged access to the email server. "To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes)," said the researchers, ZDNet reported. "However, because of the extreme complexity of Exim's code, we cannot guarantee that this exploitation method is unique; faster methods may exist," the researchers added. Users are advised to deploy Exim 4.92 to address the vulnerability; this version prevents their servers from being taken over by attackers through this flaw. The researchers refer to the vulnerability as the 'Return of the WIZard', as it resembles the old WIZ and DEBUG vulnerabilities that impacted the Sendmail email server back in the 90s.
Leicester City F.C. informs users of data breach on its online store
Bad news for Leicester City FC (LCFC) fans: anyone who shopped at its online store is likely to be affected by a data breach that compromised their credit card details. The English football club has recently emailed some of the customers affected by the breach. The email states that the breach happened on May 6 and indicates that specific credit card information belonging to users who made transactions on the online store was compromised. Credit card details such as the card number, name of the cardholder, expiry date, and CVV were compromised. However, the email says that information related to SecureCode was not affected. LCFC states that technical investigations are still underway, and has asked affected customers to contact their credit card providers to prevent misuse of the cards. The Register reports that one of its readers, named Yazza, believed it to be the work of the Magecart group. "Yazza suspected that LCFC's site is running the Magento ecommerce platform and suggested to The Register that one potential attack vector could have been the Magecart malware," it reported. However, it noted that there was no evidence to support this speculation. The Register also reported that LCFC did not respond to its questions about the incident or provide any explanation.
New Windows zero-day flaw enables attackers to hijack active Remote Desktop sessions
A zero-day vulnerability has been discovered that impacts Windows systems with active Remote Desktop Protocol (RDP) sessions. Tracked as CVE-2019-9510, the vulnerability lies in Windows RDP Network Level Authentication (NLA) and allows attackers to bypass the Windows lock screen and gain unauthorized access to the system. Systems running Windows 10 (version 1803 or later) and Windows Server 2019 are affected by this authentication bypass flaw. An advisory published by the CERT Coordination Center at Carnegie Mellon University indicates that NLA-based RDP sessions behave unexpectedly when it comes to session locking. This leads to an 'unlocked' state every time an RDP connection is re-established, regardless of the state the system was left in. In essence, a remote system whose Windows lock screen was activated could be unlocked without requiring credentials. Because of this flaw, two-factor authentication (2FA) mechanisms such as Duo Security MFA could also be bypassed. As of now, Microsoft has provided no security patch to remediate this zero-day. However, the advisory suggests a few workarounds to mitigate the flaw.
New backdoor family identified in Zebrocy APT group’s campaigns
The Zebrocy group, also known as APT28, has been linked to a new backdoor family. A report by Kaspersky Lab that details the group's development over the years mentions this new backdoor. According to the report, the backdoor is written in a new programming language called Nim and is used by the attackers to steal credentials and gain persistence on infected systems. As in previous campaigns, the Zebrocy group has relied on spearphishing to distribute the Nim-based backdoor. According to Kaspersky's findings, the group targeted 12 countries using this new backdoor: Kazakhstan, Tajikistan, Turkmenistan, Germany, Kyrgyzstan, the United Kingdom, Myanmar, the Syrian Arab Republic, Ukraine, Afghanistan, Tanzania, and Iran. The report also describes the growing activity, malware set and infrastructure of the Zebrocy group, which has been used to target networks belonging to government and related entities. Kaspersky's report indicates that the Zebrocy group has employed a plethora of programming languages and has copy-pasted various pieces of code into its malware set. "The Zebrocy malware set is tossed together from a wide set of languages and technologies, including both legitimate and malicious code shared on online forums and sites like Github and Pastebin. This repeated 'copy/paste' practice is not frequently seen in Russian speaking APT malware sets, although open source and penetration testing/red teaming malware are frequently used by other groups, like Empire, Responder, BeEF, and Mimikatz," said the report. Kaspersky Lab has said it will publish more details on this Nim backdoor variant of Zebrocy in the coming days.
Windows gets unofficial micropatch for recently disclosed zero-day bug
Recently, several zero-day flaws were discovered in Windows. A hacker named SandboxEscaper released x zero-day bugs over a period of x days. While official patches from Microsoft are awaited, the security firm 0patch has released an interim micropatch for one of the flaws. 0patch has released a fix for the Local Privilege Escalation (LPE) bug in Microsoft Task Scheduler that SandboxEscaper disclosed towards the end of May. The flaw allows privileges to be escalated when legacy tasks are imported from other systems into Microsoft Task Scheduler. With escalated privileges, an unauthorized user can modify system files and implant backdoors. Mitja Kolsek, co-founder of 0patch and CEO of Acros Security, described the bug in a statement to Threatpost. "Since these are executed in high-privileged context, the attacker's code can get executed and, for instance, promote the attacker to local administrator or obtain covert persistence on the computer," Kolsek stated. It should be noted that the micropatch released by 0patch works for Windows 10 devices only. Researchers claim that the exploit released by SandboxEscaper has minimal effect on Windows 8 systems, and the vulnerability has not been demonstrated to affect Windows 7 devices. Additionally, 0patch researchers are working on a fix for another recently disclosed Windows bypass vulnerability, which was also released by SandboxEscaper. The hacker has made a name for themselves by publicly releasing a series of proof-of-concept (PoC) exploits on Github for various flaws affecting Microsoft Windows.