Popular services, programs, and organizations have always been a target of cyber attacks to exploit the vulnerabilities in the service, steal users’ information, steal sensitive corporate information, or compromise the infrastructure.
We have gathered the major cyber news over the past week including Cerberus RAT, WordPress plugins vulnerabilities, Cisco Webex phishing emails, Cisco update, and Microsoft Teams phishing campaign.
Cerberus RAT is upgraded with new malicious features
Earlier this year we reported that Cerberus had gained the ability to steal and exploit Google Authenticator one-time passcodes (OTP). Check Point researchers have now discovered an upgraded variant of Cerberus capable of stealing a whole raft of user information, such as call logs, SMS messages, credentials, and the list of installed applications, as well as gaining full remote control of the device by abusing the TeamViewer remote access application. Cerberus, now a full-fledged spyware, is targeting a multinational conglomerate and is being distributed through the company’s own Mobile Device Manager (MDM) server. The malware has already infected over 75% of the company’s devices. Once installed, this new Cerberus variant can collect large amounts of sensitive data, including user credentials, and send it to a remote command and control (C&C) server.
The Cerberus Android banking Trojan, primarily distributed as a Malware-as-a-Service product, was launched in June 2019. Earlier samples of the Trojan already contained advanced obfuscation, anti-analysis, and anti-deletion features.
2 WordPress plugin vulnerabilities put 1M websites at risk
Elementor Pro is a paid page builder plugin with over 1 million active installations. The vulnerability in this plugin, rated critical, is a remote code execution flaw that allows attackers with registered user access to upload arbitrary files to a compromised website and execute remote code, then install backdoors or webshells and gain full admin access. Attackers can also exploit a vulnerability in Ultimate Addons for Elementor, which has over 110,000 installations, to register as a subscriber-level user even when user registration is disabled on the targeted site.
There are now updates available for both plugins.
Hackers are using SSL cert warning phishing emails to steal Cisco Webex users’ credentials
Hackers are carrying out yet another phishing attack using Cisco Webex: convincing phishing emails impersonate Cisco Webex notifications and use fake SSL certificate error warnings to steal users’ account credentials. According to email security company Abnormal Security, these phishing emails have been delivered to up to 5,000 targeted Cisco Webex users.
With the COVID-19 pandemic ongoing, video conferencing applications such as Cisco Webex and Zoom have become immensely popular among remote workers; this gives hackers an attractive platform on which to conduct malicious activities and harvest intellectual property.
The phishing emails, disguised as coming from the Cisco Webex Team, tell users that they have been blocked by the administrator because of Webex Meetings SSL certificate errors and that they must verify their accounts by clicking the link in the email to lift the restriction. The landing page convincingly mimics the real Cisco Webex sign-in page; once users enter their login credentials, the credentials are sent to the hacker’s server and the accounts are hijacked.
This is not the first time hackers have used Cisco Webex to steal credentials; back in April, hackers stole user credentials by sending fake security warning emails to Cisco Webex users urging them to update their desktop app.
12 high-severity Cisco ASA and FTD software vulnerabilities are now fixed
Cisco has patched 12 high-severity vulnerabilities in its Adaptive Security Appliance software and Firepower Threat Defense software.
“Successful exploitation of the vulnerabilities could allow an attacker to cause a memory leak, disclose information, view and delete sensitive information, bypass authentication, or create a denial of service (DoS) condition on an affected device,” reads Cisco’s advisory.
The vulnerabilities, all rated high severity, in the Cisco Adaptive Security Appliance software and Firepower Threat Defense software are:
A vulnerability (CVE-2020-3191) in DNS over IPv6 packet processing could allow an unauthenticated, remote attacker to cause the device to unexpectedly reload, resulting in a denial of service (DoS) condition.
A vulnerability (CVE-2020-3298) in the Open Shortest Path First (OSPF) implementation could allow an unauthenticated, remote attacker to cause the reload of an affected device, resulting in a denial of service (DoS) condition.
Multiple vulnerabilities (CVE-2020-3254) in the Media Gateway Control Protocol (MGCP) inspection feature of the two software programs, caused by inefficient memory management, could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device by sending crafted MGCP packets through an affected device.
A vulnerability (CVE-2020-3195) in the Open Shortest Path First (OSPF) implementation, caused by incorrect processing of certain OSPF packets, could allow an unauthenticated, remote attacker to cause a memory leak on an affected device by sending a series of crafted OSPF packets to be processed by an affected device.
A vulnerability (CVE-2020-3196) in the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) handler could allow an unauthenticated, remote attacker to exhaust memory resources on the affected device by establishing multiple SSL/TLS connections with specific conditions to the affected device, leading to a denial of service (DoS) condition.
A vulnerability (CVE-2020-3259) in the web services interface could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information.
Another vulnerability (CVE-2020-3187) in the web services interface, caused by the lack of proper input validation of the HTTP URL, could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted system.
A vulnerability (CVE-2020-3125) in the Kerberos authentication feature of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to impersonate the Kerberos key distribution center (KDC) and bypass authentication on an affected device that is configured to perform Kerberos authentication for VPN or local device access. The vulnerability is due to insufficient identity verification of the KDC when a successful authentication response is received.
A vulnerability (CVE-2020-3283) in the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) handler when running on the Cisco Firepower 1000 Series platform could allow an unauthenticated, remote attacker to trigger a denial of service (DoS) condition on an affected device. The vulnerability is caused by a communication error between internal functions.
A vulnerability (CVE-2020-3179) in the generic routing encapsulation (GRE) tunnel decapsulation feature, caused by a memory handling error when GRE over IPv6 traffic is processed, could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
A vulnerability (CVE-2020-3255) in the packet processing functionality, caused by inefficient memory management, could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
The last vulnerability (CVE-2020-3189) exists only in Cisco Firepower Threat Defense (FTD) Software, in the VPN System Logging functionality. The vulnerability is caused by system memory not being properly freed for a VPN System Logging event generated when a VPN session is created or deleted. It could allow an unauthenticated, remote attacker to cause a memory leak that can deplete system memory over time, which can cause unexpected system behaviors or device crashes.
Microsoft Teams users are the target of phishing emails
In our previous Week in Cyber News report, we covered a vulnerability in Microsoft Teams that could allow attackers to completely take over user accounts simply by using an innocent-looking GIF. Fortunately, this flaw has been patched.
This time, attackers are impersonating Microsoft Teams emails to steal Office 365 employee credentials. According to Abnormal Security, 50,000 Teams users were targeted in two separate attacks.
“Attackers utilize numerous URL redirects in order to conceal the real URL used that hosts the attacks,” Abnormal Security says. “This tactic is employed in an attempt to bypass malicious link detection used by email protection services.”
For instance, in one of the attacks the actual sender email originates from a recently registered domain, “sharepointonline-irs.com,” which Abnormal Security pointed out is not associated with either Microsoft or the IRS.
In the second attack, the initial link is hosted on YouTube and redirects twice before reaching the final landing page, which hosts another Microsoft login phishing site.
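The redirect-chain trick described above is exactly what a link-inspection step in an email gateway has to undo. The following is an added defender-side example (not code from the article or from Abnormal Security): it follows Location headers hop by hop, resolves relative redirects, refuses loops and over-long chains, and flags a link whose final host is not on an allow-list of genuine Microsoft sign-in hosts. The redirect table and the hostnames in it are constructed stand-ins for live HTTP responses, and the allow-list is an assumption the defender would maintain.

```python
from urllib.parse import urlparse, urljoin

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 10  # cap on chain length; a real gateway would tune this

# Constructed stand-in for live HTTP responses: url -> (status, Location header).
# Mirrors the campaign's shape (YouTube hop, two more hops, lookalike login page);
# the hosts are illustrative .invalid names, not the campaign's real infrastructure.
CONSTRUCTED_RESPONSES = {
    "https://www.youtube.com/redirect?q=https://hop1.invalid/a": (302, "https://hop1.invalid/a"),
    "https://hop1.invalid/a": (302, "/b"),  # relative Location must be resolved against the hop
    "https://hop1.invalid/b": (302, "https://login-lookalike.invalid/office365"),
    "https://login-lookalike.invalid/office365": (200, None),
}

# Assumption: hosts where a genuine Microsoft sign-in may legitimately land.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}


def resolve_chain(start_url, responses=CONSTRUCTED_RESPONSES, max_hops=MAX_HOPS):
    """Return every URL visited, from start_url to the final non-redirect URL.

    Raises ValueError on a redirect loop or when max_hops is exceeded, both of
    which a gateway should treat as a reason to hold the message for review."""
    chain = [start_url]
    seen = {start_url}
    current = start_url
    while True:
        status, location = responses.get(current, (200, None))
        if status not in REDIRECT_STATUSES or location is None:
            return chain
        nxt = urljoin(current, location)  # absolute Location passes through unchanged
        if nxt in seen:
            raise ValueError(f"redirect loop at {nxt}")
        if len(chain) >= max_hops:
            raise ValueError("too many redirects")
        seen.add(nxt)
        chain.append(nxt)
        current = nxt


def assess_login_link(start_url, responses=CONSTRUCTED_RESPONSES):
    """Return (final_host, hop_count, suspicious) for a link that claims to be a
    Microsoft sign-in; it is suspicious when the chain ends off the allow-list."""
    chain = resolve_chain(start_url, responses)
    final_host = urlparse(chain[-1]).hostname
    suspicious = final_host not in LEGIT_LOGIN_HOSTS
    return final_host, len(chain) - 1, suspicious
```

The hop count is returned alongside the verdict so a detection rule can also alert on unusually long chains, since the concealment itself is the tell.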