February 2020
Breach Report
Welcome to our weekly breach report. This newsletter will report on recent cybersecurity breaches where user data was stolen, compromised or extorted. This newsletter is designed to keep you informed so that you can protect yourself when navigating cybersecurity threats in our digital world.
Our Services Help You Stay
Secure & Compliant
While Reducing Your Costs AND Level of Effort
February 2020
Cyber Security Breach Reports
WhatsApp JavaScript Vulnerability
Google Removes 500 Malicious Chrome Extensions
Summary
Security researchers have identified a JavaScript vulnerability in the WhatsApp desktop platform that could allow cybercriminals to spread malware, phishing or ransomware campaigns through notification messages that appear completely normal to unsuspecting users. And, further investigation shows this could be parlayed into remote code-execution.
Root Cause
PerimenterX cybersecurity researcher and JavaScript expert Gal Weizman first discovered vulnerabilities leading to this latest bug in WhatsApp in 2017. Through the WhatsApp desktop platform, Weizman was able to find the code where messages are formed, tamper with it and then let the app continue in its natural message-sending flow. This bypassed filters and sent the modified message through the app, as usual, appearing relatively normal in the user interface. “This works thanks to the role ‘@; plays in the spec of URL,” Weizman wrote. “The purpose of ‘@’ in URLs is to pass username and password to visited domains in the following way: https://USERNAME:[email protected]. One can abuse this, as I just did, and replace the username and password with anything else: https://[email protected] and it’ll still work.
Security Impacts
The flaws leave users vulnerable to attacks by allowing both the text content and links in website previews to be tampered with to display false content and modified links that point to malicious destinations. “This works thanks to the role ‘@; plays in the spec of URL,” Weizman wrote. “The purpose of ‘@’ in URLs is to pass username and password to visited domains in the following way: https://USERNAME:[email protected]. One can abuse this, as I just did, and replace the username and password with anything else: https://[email protected] and it’ll still work.
Solution
Weizman stressed the importance of an app’s CSP rules, which could have prevented the vulnerability from being exploited in the first place. “If the CSP rules were well configured, the power gained by this XSS would have been much smaller,” he wrote. “Being able to bypass the CSP configuration allows an attacker to steal valuable information from the victim, load external payloads easily, and much more!”
Summary
Researchers say that 500 Google Chrome browser extensions were discovered secretly uploading private browsing data to attacker-controlled servers and redirecting victims to malware-laced websites. The browser extensions, all of which have now been removed, were downloaded millions of times from Google’s Chrome Web Store.
Root Cause
Researchers believe that the actor behind this campaign was active since January 2019, with activity escalating between March and June. After researchers first identified 71 malicious extensions and reported their findings to Google, the tech giant then identified 430 additional extensions that were also linked to the malvertising campaign, they said. The extensions had almost no ratings on Google’s Chrome Web Store, and the source code of the extensions are all nearly identical.
Security Impacts
Malvertising often is used as a vehicle for fraudulent activity, including data exfiltration, phishing or ad fraud. In this particular instance, bad actors were redirecting victims from legitimate online ad streams to malware-laced pages. Extensions have full access to all of the data on a page including your email, banking information, and credit card numbers. While many extensions provide value-added services, there’s little to stop them from collecting and abusing user data. Google implemented new user data privacy policy guidelines, requiring all extensions that handle user data to have a privacy policy, gain consent from the user, and only use the minimum required amount of permissions. Google has also implemented a program that will pay out bounties to researchers who find extensions that are violating this policy.
Solution
Avoid using a large amount of browser extensions – use a few trusted few if necessary. Organizations are encouraged to prevent unauthorized use of extensions by enforcing a user policy that prohibits the use of unnecessary browser tools and extensions.
Lenovo, HP, Dell Peripherals Face Unpatched Firmware Bugs
CDP Flaw allows attackers to traverse segmented networks
Summary
Fresh firmware vulnerabilities in Wi-Fi adapters, USB hubs, trackpads and cameras are putting millions of peripheral devices in danger of a range of cyberattacks, according to research from Eclypsium. TouchPad and TrackPoint firmware in Lenovo Laptops, HP Wide Vision FHD camera firmware in HP laptops and the Wi-Fi adapter on Dell XPS laptops were all found to lack secure firmware update mechanisms with proper code-signing.
Root Cause
“Many peripheral devices do not verify that firmware is properly signed with a high-quality public/private key before running the code,” explained researchers at Eclypsium, in vulnerability research released on Tuesday. “This means that these components have no way to validate that the firmware loaded by the device is authentic and should be trusted. An attacker could simply insert a malicious or vulnerable firmware image, which the component would blindly trust and run.”
Security Impacts
Firmware attacks allow the malicious actors to fly under the radar of endpoint protection. Vulnerable drivers can be used to bypass security protections and enable ransomware to attack without interference. Unsigned firmware in peripheral devices remains a highly overlooked aspect of cybersecurity and provides multiple pathways for malicious actors to compromise laptops and servers.
Solution
Keep all software up to date: Software is constantly changing; the industry regularly finds new security issues. It’s basic but crucial to keep current on updates for operating systems, kernels, third-party libraries (both open and closed source), as well as software for virtual machines and containers. Adopt best practices for development and operations: These include using well-maintained and reputable libraries, carefully evaluating open source packages, and designing the architecture to separate secret data and user data. Many of these also help protect against side-channel attacks. Assess risk: Basic analysis can help you understand the potential exposure of sensitive data to firmware-based attacks.
Summary
Cisco is issuing patches for five critical vulnerabilities that have been discovered in Cisco Discovery Protocol (CDP), the info-sharing layer that maps all Cisco equipment on a network.
Root Cause
The attack comes with a caveat: It requires the attacker to already have some sort of foothold inside the network, via a previously compromised Cisco device, Seri told Threatpost. After compromising a vulnerable Cisco device, an attacker could then send a maliciously crafted CDP packet to another Cisco device located inside the network. There are five vulnerabilities in all — four of which are critical remote code-execution (RCE) vulnerabilities, and one is a denial-of Service (DoS) vulnerability.
Security Impacts
Researchers at Armis say that the vulnerabilities, which they disclosed on Wednesday and collectively dubbed CDPwn, can allow attackers with an existing foothold in the network to break through network segmentation efforts and remotely take over millions of devices. Once these flaws have been exploited, a bad actor could launch an array of attacks – including exfiltrating data of corporate network traffic traversing through an organization’s switches and routers; and viewing sensitive information such as phone calls from IP phones and video feeds from IP cameras.
Solution
Armis disclosed the vulnerabilities to Cisco on Aug. 29, and said that it has worked with the networking giant since then to develop and test mitigations and patches. The patches were released Wednesday. Updating Cisco devices is recommended.
See What We're About
As cyber threats grow in number and sophistication, many organizations are turning to managed security service providers to help secure their digital assets and data. Based at our 24/7/365 cutting-edge security operations center in Scottsdale, Arizona, we provide a suite of managed services to ensure your business stays safe from cyber attacks.
At MegaplanIT, our expert QSAs are fully certified and have decades of experience helping businesses like yours stay compliant with industry frameworks all year round. We build long-term relationships with our customers and provide holistic services to meet all your security and compliance needs.
The vast majority of security breaches are made possible by vulnerabilities and configuration errors in an organization’s network or applications. Our fully certified security testing services are designed to help you find and fix weaknesses in your networks and applications, and prepare you digital infrastructure to withstand the latest cyber threats.
Subscribe To Our Newsletter
The MegaplanIT Team
The Management Team oversees each project, working alongside our IT security specialists to ensure your company has a successful engagement.
What Our Customers Say
Make Our Team, Your Team!
Our innovative IT security and compliance solutions are designed to deliver customized, cost-effective service on time—because your priorities are our priorities. With a highly qualified team of PCI-DSS QSAs, Penetration Testers, and Information Security Consultants here at MegaplanIT, we will assess your unique company and business environment and design a path to security that will fit all of your needs.