Pupuweb

The headline on 11 July 2020

Zoom Zero-day Affects Clients Running on Older Versions of Windows. Zoom is working on a fix for a zero-day vulnerability that was disclosed on Thursday, July 9. The arbitrary code execution flaw affects the Zoom client running on Windows 7, Windows Server 2008 R2, and older versions of the operating system. Zoom clients running on Windows 8 and Windows 10 are not affected.

Read more in:

• Zoom Zero-Day Allows RCE, Patch on the Way
• Zoom working on patching zero-day disclosed in Windows client
• Zero-day flaw found in Zoom for Windows 7

Palo Alto Networks Releases Updates for Another PAN-OS Vulnerability. Palo Alto Networks has released updates to fix a critical command injection vulnerability in its PAN-OS GlobalProtect portal. The flaw affects PAN-OS 9.1 versions prior to 9.1.3; PAN-OS 8.1 versions prior to 8.1.15; PAN-OS 9.0 versions prior to 9.0.9; and all versions of PAN-OS 8.0 and PAN-OS 7.1. Fixes will not be released for PAN-OS 8.0 and 7.1 as those versions are no longer supported.

Read more in:

• Palo Alto Networks fixes another severe flaw in PAN-OS devices
• If you haven’t potentially exposed 1000s of customers once again with networking vulns, step forward… Not so fast, Palo Alto Networks
• CVE-2020-2034 PAN-OS: OS command injection vulnerability in GlobalProtect portal

Citrix Patches 11 Vulnerabilities in Networking Products; Someone is Already Scanning for Vulnerable Installations. Earlier this week, Citrix released fixes for 11 vulnerabilities in Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP appliances. The flaws include information disclosure, local privilege elevation, code injection, cross-site scripting, authorization bypass, denial of service. Rob Joyce, the former head of the NSA’s Tailored Access Operations (TAO) team, has urged users to apply the patches as soon as possible. Active scanning for vulnerable installations has been detected.

Read more in:

• Active Exploit Attempts Targeting Recent Citrix ADC Vulnerabilities CTX276688
• FYI: Someone’s scanning for gateways with those security holes Citrix told you not to worry too much about
• Citrix Patches 11 Vulnerabilities in Several Products
• Citrix Bugs Allow Unauthenticated Code Injection, Data Theft
• Citrix tells everyone not to worry too much about its latest security patches. NSA’s former top hacker disagrees
• Citrix fixes 11 flaws in ADC, Gateway, and SD-WAN WANOP appliances
• Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update

Citrix flaw. Feeling like the boy that cried wolf, but really…. 3rd in a string of “must patch” vulnerabilities. Get the latest patches to ensure protection from several exploitable issues including unauthenticated access and RCE. https://t.co/0XLgPO9aML

— Rob Joyce (@RGB_Lights) July 7, 2020

Critical Flaw in WordPress Plugin. A critical remote code execution flaw in the Adning Advertising plugin for WordPress could be exploited to completely take control of vulnerable sites. The flaw has been exploited in the wild. Users are urged to update to Adning version 1.5.6, which also fixes a high-severity unauthenticated arbitrary file deletion via path traversal vulnerability.

Read more in:

• Advertising Plugin for WordPress Threatens Full Site Takeovers
• Critical Vulnerabilities Patched in Adning Advertising Plugin

Russian Hacking Group Cosmic Lynx is Conducting Sophisticated eMail Scams. A group of Russian hackers dubbed Cosmic Lynx has been launching sophisticated business email compromise schemes since last July. According to researchers at Agari, the group has launched more than 200 attacks against organizations in 46 countries. Cosmic Lynx targets organizations that have not implemented DMARC; the group has focused on scams involving mergers and acquisitions.

Read more in:

• Looks Like Russian Hackers Are on an Email Scam Spree
• BEC scams grow in complexity as Russian actors launch Cosmic Lynx operation
• First-Ever Russian BEC Gang, Cosmic Lynx, Uncovered
• First reported Russian BEC scam gang targets Fortune 500 firms

Criminals are Taking Control of Abandoned Subdomains. Criminals have been taking control of abandoned subdomains associated with well-known organizations and using them for nefarious purposes, including malware, pornographic content, or spreading malware. In late June, Microsoft published an article describing how to prevent subdomain takeovers.

Read more in:

• Hundreds of forgotten corners of mega-corp websites fall into the hands of spammers and malware slingers
• Prevent dangling DNS entries and avoid subdomain takeover

ThiefQuest macOS Malware More Focused on Stealing Information than on Encrypting Data. Researchers now think the ThiefQuest malware that targets macOS is largely focused on exfiltrating data from infected networks. Initial assessment of ThiefQuest categorized the malware as ransomware. While it does have an encryption component, researchers think it may be included as a distraction rather than the main purpose of the malware.

Read more in:

• Mac ThiefQuest malware may not be ransomware after all
• Hidden purpose of Mac ‘ransomware’ EvilQuest is data exfiltration, say researchers

DigiCert Will Revoke 50,000 Certificates This Weekend Because of Botched Audit. DigiCert plans to revoke 50,000 Extended Validation (EV) certificates on Saturday, July 11 after learning that they were not properly audited. While the situation does not pose a security threat, EV guidelines require that the certificates be revoked.

Read more in:

• Digicert will shovel some 50,000 EV HTTPS certificates into the furnace this Saturday after audit bungle
• DigiCert ICA Replacement

Turchin Indictment Unsealed. The US Department of Justice recently unsealed an indictment charging Andrey Turchin with conspiracy to commit computer hacking, two counts of computer fraud and abuse, conspiracy to commit wire fraud, and access device fraud. Turchin allegedly hacked into networks at hundreds of organizations, established backdoors, and then sold access to those systems. Turchin is a citizen of Kazakhstan and is believed to be residing there currently.

Read more in:

• Citizen of Kazakhstan, known as “fxmsp,” charged with computer fraud, wire fraud, and conspiracy for hacking hundreds of corporate networks in more than 40 countries worldwide
• US Charges Kazakhstani Citizen With Hacking Into More Than 300 Orgs
• Fxmsp hacker indicted by feds for selling backdoor access to hundreds of companies
• Notorious Hacker ‘Fxmsp’ Outed After Widespread Access-Dealing
• Andrey Turchin Indictment (PDF)

German Authorities Seize BlueLeaks Server. Authorities in Germany have seized a server hosting BlueLeaks data, 269 GB of US police documents. The department of public prosecution in Zwickau said the server was seized on July 3 at the request of the US government.

Read more in:

• Germany Seizes Server Hosting ‘BlueLeaks’ Data Dump on US Police Practices
• Cops Seize Server that Hosted BlueLeaks, DDoSecrets Says
• BlueLeaks Server Seized By German Police: Report
• German authorities seize ‘BlueLeaks’ server that hosted data on US cops
• German police seize DDoSecrets server distributing ‘BlueLeaks’ files
• Germany seizes server hosting leaked US police files

Microsoft Seizes Domains Used in Phishing Attacks that Targeted Office 365 Users. Recently unsealed documents detail Microsoft’s efforts to thwart phishing attacks that preyed on people’s concerns about COVID-19. The attacks targeted Office 365 users in 62 countries around the world and were crafted to appear to be from employers or other trusted entities. Microsoft’s Digital Crime Unit became aware of the fraudulent activity in December 2019. On July 1, Microsoft obtained a court order allowing it to seize the malicious domains.

Read more in:

• Microsoft takes legal action against COVID-19-related cybercrime
• Microsoft Seizes Domains Used in COVID-19-Themed Attacks
• Microsoft neuters Office 365 account attacks that used clever ruse
• Microsoft seizes six domains used in COVID-19 phishing operations
• Microsoft sues coronavirus phishing spammers to seize their domains amid web app attacks against Office 354.5
• Microsoft Seizes Malicious Domains Used in Mass Office 365 Attacks

CISA Warns of Vulnerabilities in Medical Devices and Hospital Information Management System. The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has published two advisories regarding security issues in ultrasound systems from Philips and in the OpenClinic GA open source hospital information management system. Philips has released updates to address the authentication bypass issue in some of the affected products and expects to have fixes for the rest of the affected products by the end of the calendar year.

Read more in:

• Alerts: Flaws in Ultrasound, Open-Source Hospital Systems
• ICS Medical Advisory (ICSMA-20-177-01) Philips Ultrasound Systems
• Security Advisories: Philips Ultrasound (24-June-2020)
• ICS Medical Advisory (ICSMA-20-184-01) OpenClinic GA