Hackers are exploiting a Sophos firewall zero-day

Cyber-security firm Sophos has published an emergency security update on Saturday to patch a zero-day vulnerability in its XG enterprise firewall product that was being abused in the wild by hackers.

Sophos said it first learned of the zero-day late on Wednesday, April 22, after receiving a report from one of its customers, who had noticed “a suspicious field value visible in the management interface.”

After investigating the report, Sophos determined this was an active attack and not an error in its product.

HACKERS ABUSED AN SQL INJECTION BUG TO STEAL PASSWORDS

“The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices,” Sophos said today.

Hackers targeted Sophos XG Firewall devices that had their administration (HTTPS service) or the User Portal control panel exposed on the internet.

Sophos said the hackers used the SQL injection vulnerability to download a payload onto the device. This payload then stole files from the XG Firewall.

Stolen data could include usernames and hashed passwords for the firewall device admin, for the firewall portal admins, and user accounts used for remote access to the device.
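The page does not describe the injected query, so the following is an added illustration (not Sophos code, and not the XG Firewall’s schema or hashing) of the general pattern: a login handler that assembles SQL from the username field lets an unauthenticated caller turn that field into a query that returns every username and password hash in the table, which is the class of data reported stolen above. The hardened version binds the same values as parameters. Table name, columns, and the unsalted SHA-256 are assumptions for the demo.

```python
"""Pre-auth SQL injection against a portal login, beside the parameterised
fix. Illustrative schema and hashing only; this is not Sophos XG code."""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a portal user table (constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    rows = [("admin", hashlib.sha256(b"hunter2").hexdigest(), "device_admin"),
            ("portal", hashlib.sha256(b"p0rtal!").hexdigest(), "portal_admin"),
            ("vpnuser", hashlib.sha256(b"remote-1").hexdigest(), "remote_access")]
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, password: str) -> list:
    """Query assembled by string formatting: the caller's input becomes SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (f"SELECT name, pw_hash, role FROM users "
           f"WHERE name = '{name}' AND pw_hash = '{pw_hash}'")
    return con.execute(sql).fetchall()


def login_fixed(con: sqlite3.Connection, name: str, password: str) -> list:
    """Same query with bound parameters: input stays data, never SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return con.execute(
        "SELECT name, pw_hash, role FROM users WHERE name = ? AND pw_hash = ?",
        (name, pw_hash)).fetchall()


# Injected "username": closes the string literal, short-circuits the password
# check with OR 1=1, and comments out the rest. Every row (name + hash) returns.
DUMP_ALL = "x' OR 1=1 --"
# UNION variant: appends the whole table to whatever the original query matched.
DUMP_UNION = "x' UNION SELECT name, pw_hash, role FROM users --"


def demo() -> dict:
    """Run both handlers against the injected input and against a real login."""
    con = make_db()
    return {
        "vulnerable_or": login_vulnerable(con, DUMP_ALL, "anything"),
        "vulnerable_union": login_vulnerable(con, DUMP_UNION, "anything"),
        "fixed_injected": login_fixed(con, DUMP_ALL, "anything"),
        "fixed_real": login_fixed(con, "admin", "hunter2"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the vulnerable handler both injected usernames return all three rows, hashes included, without a valid password; the parameterised handler returns nothing for the injected input and exactly one row for a genuine login. This is also why Sophos advised resetting credentials wherever an XG password might have been reused: an offline crack of a leaked hash is the attacker’s next step.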

Sophos said that passwords for customers’ other external authentication systems, such as AD or LDAP, were unaffected.

The company said that during its investigation, it did not find any evidence that hackers used the stolen passwords to access XG Firewall devices, or anything beyond the firewall, on its customers’ internal networks.

PATCH ALREADY PUSHED TO CUSTOMER DEVICES

The UK company, famed for its antivirus product, said it prepared and already pushed an automatic update to patch all XG Firewalls that have the auto-update feature enabled.

“This hotfix eliminated the SQL injection vulnerability which prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack,” it said.

The security update will also add a special box in the XG Firewall control panel to let device owners know if their device has been compromised.

[Image: sophos-xg-alert.png, the compromise alert box shown in the XG Firewall control panel]

For companies that had devices hacked, Sophos is recommending a series of steps, which include password resets and device reboots:

  1. Reset portal administrator and device administrator accounts
  2. Reboot the XG device(s)
  3. Reset passwords for all local user accounts
  4. Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused

Sophos also recommends that companies disable the firewall’s administration interfaces on internet-facing ports if they do not need them exposed.

Apple Patches two zero-day Vulnerabilities

Researchers revealed two zero-day security vulnerabilities affecting Apple’s stock Mail app on iOS devices.

The two flaws affect the Mail app on iPhones and iPads running iOS 6 through iOS 13.4.1. Apple patched both in the iOS 13.4.5 beta released last week; a final release of iOS 13.4.5 is expected soon.

Both vulnerabilities are believed to have been actively exploited by an “advanced threat operator” since 2018.

Both bugs are remotely exploitable: the attacker only has to send an email that is processed by the default iOS Mail application on the victim’s iPhone or iPad.

“The attack’s scope consists of sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13,” wrote researchers.

“Exploitation of these flaws would allow an attacker to leak, modify or delete emails within the Mail application. However, the researchers note that combining these flaws with an unpatched kernel vulnerability would provide an attacker with full device access, though that information has not been identified as of yet,” wrote Satnam Narang, principal research engineer with Tenable in a statement.

The first vulnerability is an out-of-bounds (OOB) write. Researchers said the affected library is “/System/Library/PrivateFrameworks/MIME.framework/MIME” and the vulnerable function is “[MFMutableData appendBytes:length:]”.

“The implementation of MFMutableData in the MIME library lacks error checking for system call ftruncate() which leads to the Out-Of-Bounds write. We also found a way to trigger the OOB-Write without waiting for the failure of the system call ftruncate,” researchers said.

The second flaw, a heap-overflow, can also be triggered remotely.

“Both the OOB Write bug, and the Heap-Overflow bug, occurred due to the same problem: not handling the return value of the system calls correctly,” researchers wrote. “The remote bug can be triggered while processing the downloaded email, in such scenario, the email won’t get fully downloaded to the device as a result.”

Researchers said both bugs have been exploited in the wild, however researchers believe “the first vulnerability (OOB Write) was triggered accidentally, and the main goal was to trigger the second vulnerability (Remote Heap Overflow).”

In simpler terms, the attack works by sending a specially crafted email that, when processed by the iOS Mail app, consumes enough memory to create the conditions for a heap overflow.

“The vulnerability does not necessarily require a large email – a regular email which is able to consume enough RAM would be sufficient. There are many ways to achieve such resource exhaustion including RTF, multi-part, and other methods,” researchers wrote.

The vulnerability can be triggered before the entire email is downloaded, hence the email content won’t necessarily remain on the device, researchers said.

“While Apple has issued fixes for these flaws in the beta version of iOS 13.4.5, devices are still vulnerable until the final version of iOS 13.4.5 is readily available to all iOS device owners. In the interim, the only mitigation for these flaws is to disable any email accounts that are connected to the iOS Mail application, and use an alternative application, such as Microsoft Outlook or Google’s GMail,” Narang wrote. 

Researchers said they first identified suspicious behavior associated with the vulnerabilities on Feb. 19, 2020. After working closely with an impacted customer, they identified the first out-of-bounds (OOB) write vulnerability on March 23 and the second bug, a remote heap overflow, on March 31, sharing the research with Apple the same day. On April 15 and 16, Apple made a patch available in its publicly available beta software. On April 22, the researchers publicly disclosed their findings.

Courtesy: threatpost.com

65% of COVID-19 Phishing Campaigns Spread Spyware: Research

Singapore-based cybersecurity company Group-IB’s Computer Emergency Response Team analysed hundreds of Coronavirus-related phishing emails between February 13 and April 1, 2020. Researchers found that spyware was the most common malware class (65%) hiding in fraudulent COVID-19 emails, with AgentTesla topping the list of phishers’ favorite strains.

Spyware: The Most likely COVID-19 Phishing Campaign Payload

CERT-GIB’s report is based on its Threat Detection System (TDS) Polygon, which analyzes Coronavirus-related phishing traffic to detect both known and unknown threats in isolated environments. Most COVID-19-related phishing emails carried spyware strains as attachments; AgentTesla (45%), NetWire (30%), and LokiBot (8%) were the most frequently used families. With minor differences, all of these samples are designed to collect personal and financial data: they harvest credentials from browsers, mail clients, and file transfer protocol (FTP) clients, capture screenshots, and covertly track user behavior, sending the results to the operators’ command and control (C&C) server(s).


Other Findings

  • Most of the emails detected were written in the English language. Those behind such COVID-related campaigns target government organizations and private companies.
  • The emails were masked as advisories, purchase orders, face mask offers, and alerts or safety recommendations from world bodies such as the World Health Organization (WHO) and UNICEF, and from international companies such as Maersk, Pekos Valves, and CISCO.

Important: Please take note that these world bodies and international organizations are in no way involved in these fraudulent activities and/or scams.


Fig. 1. Example of a malicious email disguised as “UNICEF COVID-19 TIPS APP” with spyware in the attachment.


Fig. 2. Example of a phishing email disguised as an offer of free masks.

  • The following file extensions were used to deliver malware samples: .gz, .ace, .arj, and .rar, which are mainly archive file formats.

To evade antivirus software on the victim’s system, threat actors now password-protect the archive and put the password in the email subject line, in the archive name, or in a follow-up email to the victim. A scanner that cannot open the archive cannot inspect its contents, so unless behavioral analytics is employed, such malware is likely to go undetected.
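The out-of-band password trick is detectable at the mail gateway even when the archive itself cannot be opened, because the encryption is advertised in the archive’s own headers and the password hint is plain text in the message. The following is an added example, not part of the Group-IB report or its TDS product: it parses an EML, finds archive attachments, reads the RAR 4.x block headers for the “file encrypted” (0x0004) and “encrypted headers” (0x0080) flags, and looks for a password hint in the subject, body, or file name. The RAR sample is built in the script with CRC fields left at zero (a constructed test fixture, not a real archive), the password-hint regex is a heuristic, and only the RAR 4 layout is parsed; .ace, .arj and .gz would need their own header checks.

```python
"""Flag e-mails that deliver a password-protected archive and hand the
recipient the password out of band (subject line, archive name, body)."""
import email
import re
import struct
from email import policy
from email.message import EmailMessage

ARCHIVE_EXT = (".rar", ".ace", ".arj", ".gz", ".zip", ".7z")
# Heuristic for hints such as "password: covid2020" or "PW = 1234" (assumption).
PW_HINT = re.compile(r"\b(?:password|passwd|pass|pw)\b\s*[:=\-]?\s*(\S{3,})", re.I)
RAR4_MAGIC = b"Rar!\x1a\x07\x00"   # 7-byte RAR 4.x marker block


def rar4_is_encrypted(data: bytes) -> bool:
    """Walk RAR 4.x blocks (HEAD_CRC, HEAD_TYPE, HEAD_FLAGS, HEAD_SIZE, little-endian).
    True if the archive header (0x73) has encrypted headers (flag 0x0080) or any
    file header (0x74) carries the password flag (0x0004). Non-RAR4 data -> False."""
    if not data.startswith(RAR4_MAGIC):
        return False
    pos = len(RAR4_MAGIC)
    while pos + 7 <= len(data):
        _crc, btype, flags, size = struct.unpack_from("<HBHH", data, pos)
        if size < 7:
            return False                      # malformed header: stop, don't loop
        if btype == 0x73 and flags & 0x0080:
            return True
        if btype == 0x74 and flags & 0x0004:
            return True
        add = 0
        if flags & 0x8000:                    # long block: ADD_SIZE bytes of data follow
            if pos + 11 > len(data):
                return False
            add = struct.unpack_from("<I", data, pos + 7)[0]
        pos += size + add
    return False


def analyze_eml(raw: bytes) -> dict:
    """Pair archive attachments with any password hint found in the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    hints = PW_HINT.findall(subject) + PW_HINT.findall(text)
    attachments = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(ARCHIVE_EXT):
            continue
        payload = part.get_payload(decode=True) or b""
        attachments.append({
            "attachment": fname,
            "encrypted": rar4_is_encrypted(payload),
            "password_hints": hints + PW_HINT.findall(fname),
        })
    suspicious = any(a["encrypted"] and a["password_hints"] for a in attachments)
    return {"suspicious": suspicious, "attachments": attachments}


# --- constructed fixtures below: a minimal RAR 4 container and a lure e-mail ---

def _rar4_block(btype: int, flags: int, body: bytes, payload: bytes = b"") -> bytes:
    return struct.pack("<HBHH", 0, btype, flags, 7 + len(body)) + body + payload


def make_rar4(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Marker + archive header + one file header (+ its data) + end block."""
    file_flags = 0x8000 | (0x0004 if encrypted else 0)
    file_hdr = struct.pack("<IIBIIBBHI", len(payload), len(payload), 0, 0, 0,
                           29, 0x30, len(name), 0x20) + name
    return (RAR4_MAGIC
            + _rar4_block(0x73, 0, b"\x00" * 6)
            + _rar4_block(0x74, file_flags, file_hdr, payload)
            + _rar4_block(0x7B, 0x4000, b""))


def build_sample(encrypted: bool) -> bytes:
    """Purchase-order lure with the archive password in the subject line."""
    msg = EmailMessage()
    msg["From"] = "procurement@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Purchase Order 4471 - password: covid2020"
    msg.set_content("Please review the attached PO. Extract it with the password in the subject line.")
    msg.add_attachment(make_rar4(b"PO_4471.exe", b"MZ" + b"\x00" * 30, encrypted),
                       maintype="application", subtype="vnd.rar", filename="PO_4471.rar")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyze_eml(build_sample(encrypted=True)))
```

Flagging only the combination of an encrypted archive and a password hint keeps false positives low: a legitimately password-protected archive whose password arrives over another channel produces no hint, and an unencrypted archive is something the scanner can open and inspect normally.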

Aleksandr Kalinin, Head of CERT-GIB, says, “People should remain particularly vigilant now that most people are working from home due to the pandemic. We predict an increase in the number of cyberattacks on unprotected home networks used by employees who have switched to remote work. Corporate security teams should reassess their approach to securing corporate digital space by strengthening their perimeter, which now includes employees’ home devices. A single employee who opens a malicious file from an undetected phishing email could jeopardize the whole company’s operations.”

What Needs to be Done?

  • All remote employees’ email accounts and VPNs used to access corporate networks should be protected with two-factor / multi-factor authentication.
  • Implement network protection solutions to analyze incoming and outgoing e-mails traffic.
  • Employ network segmentation and role-based access control (RBAC) so that every employee holds only the rights their role requires.
  • Remote user activity should also be covered under the organization’s security perimeter and hence endpoint security tools need to be implemented.

Courtesy: cisomag.com

Work From Home – What’s Next

Phase 1 was all about employee access, network communications confidentiality/integrity, and basic endpoint security. The next phases will move quickly from risk assessment to mitigation.

As most CISOs know all-too-well, large-scale work from home (WFH) initiatives due to COVID-19, where the priority was getting users up and running as quickly as possible, forced security leaders into an unanticipated follow-on sprint to deliver elementary security safeguards for remote employees (i.e., VPNs, endpoint security controls, network security controls, etc.).

This is the new reality, and it’s an ongoing scramble, but what comes next? 

Let’s call the current situation phase 1, which is about employee access, network communications confidentiality/integrity, and basic endpoint security. 

Some organisations are implementing split tunneling so key employees can access VPNs and the internet simultaneously.  Some are paying to upgrade employee bandwidth — especially for executives spending their days on videoconference meetings while their children use the same networks for home schooling.  Back at corporate, there’s also lots of load balancing and SD-WAN activity.

From a security perspective, forward-thinking CISOs are now on to phase 2 focused on situational awareness and risk assessment.  This is directly related to the fact that a lot of LAN traffic has been rerouted to WANs and internet connections.  The goal?  Scope out the new realities of usage patterns and the attack surface.

In about 4 weeks, organizations will have visibility and enough historical data to proceed to phase 3, a full risk assessment and a board-level report.  These reports will examine the WFH infrastructure, new traffic patterns, perceived vulnerabilities, rising threats, etc.  They will also dig into a more thorough look at emerging WFH issues like insider threats, expansive privileges, data security exposures, insecure cloud application configurations, and others.  The goal?  Quantify risk and then work with executives to prioritize actions.

This leads to phase 4, which is all about risk mitigation.  Based upon my conversations, the goal is to address this by mid-May at the latest.  During the risk mitigation phase, organizations will likely employ controls for data privacy/security, least privilege to networks and applications, and segment home network traffic to protect WFH assets from gaming systems, smart refrigerators, security cameras and the like.  We’ll see more deployment of technologies like multi-factor authentication (MFA), zero trust networking tools, privileged account management, and DLP/eRM at that point.  Process automation will also be added during this period. 

At the end of phase 4, WFH should be set up for threat prevention, detection and response — at scale.

A few final things I’ve heard:

  1. While the four phases are a general project plan, CISOs are also busy patching tactical holes like blocking Zoom bombing by requiring meeting IDs and passwords. Issues like this come up daily.
  2. Another thing I’m hearing about is securing “shotgun” applications, developed and deployed quickly to support remote workers, business partners and customers.
  3. Security will continue to play catch-up with IT, which is prioritizing network performance and service availability. User support and productivity are paramount while security remains behind the scenes.
  4. The need for speed is causing CISOs to have a “SaaS first” mentality.
  5. CISOs are taking a long-term approach since no one can tell how long the lockdown will last. Many also feel like this is a game-changer for the future of IT and security. 

Courtesy: CISOOnline.com

IT services firm Cognizant hit with Maze ransomware

Cognizant, a multibillion-dollar IT services company with clients in the banking and oil and gas industries, said Saturday its computer systems had been disrupted by Maze ransomware, a strain of malicious code that has been used in cyberattacks in the U.S. and Europe in recent months.

“Our internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident,” the New Jersey-based company said in a statement. “Cognizant has also engaged with the appropriate law enforcement authorities.”

A Fortune 500 company with over a quarter of a million employees worldwide, Cognizant possesses a wealth of data that would make it a target of hackers. Cognizant’s software and consulting services are used by major pharmaceutical firms and restaurant chains, according to its website.

Earlier this week, the company had notified clients of the incident and shared “indicators of compromise” — forensic data such as IP addresses and malicious files — so that they could defend against the malicious activity. The attack caused “service disruptions for some of our clients,” the company said.

“The integrity and availability of our systems are of paramount importance to Cognizant and we are working diligently to minimize any disruptions,” a company spokesperson said earlier on Saturday.

One of the malware samples that Cognizant shared with clients is detected by multiple anti-virus products as Maze ransomware. Hackers affiliated with Maze reportedly denied involvement in the attack to Bleeping Computer, but the forensic data suggests that Maze infrastructure was used in the attack. Nearly all of the malicious IP addresses reported by Cognizant have been previously used by hackers to deploy the Maze ransomware, according to advisories from the Department of Homeland Security and the FBI.

The hackers behind Maze gained notoriety last year by stealing sensitive data from victims, encrypting it, and threatening to publish the information if they aren’t paid a ransom, leading the FBI to privately warn U.S. companies about the threat in December. A spate of attacks has continued since then.

The cyberattack on Cognizant is the latest sign that ransomware gangs are not holding off on targeting companies amid the novel coronavirus pandemic.

Reference: CyberScoop

COVID-Themed Phishing Messages Fill Phishing Filters on Gmail

In the past week, Google says it identified more than 18 million daily phishing messages featuring coronavirus themes.

When you block 100 million phishing email messages every day, you get plenty of data to see trends. Google has seen a big one in recent weeks: Nearly one-fifth of all phishing email messages identified on the Gmail platform now feature coronavirus or COVID-19 as part of their content.

According to Google, last week saw roughly 18 million email messages rejected per day because they were identified as phishing messages preying on fears around the coronavirus pandemic. Typical messages used fear or financial incentives to create a sense of urgency in the recipient and claimed to be from authoritative government agencies or credible NGOs.

Phishing messages frequently ask the recipient to download a file containing a form to be filled out (along with, all too frequently, a malware payload) or to visit a malicious website to fill out a form before a government subsidy or other payment can be delivered.

The 18 million COVID-19-related phishing messages were, according to Google, in addition to more than 240 million coronavirus-themed spam messages sent to Gmail accounts every day.

10 Ways to Avoid Phishing Scams

1. Keep Informed About Phishing Techniques – New phishing scams are being developed all the time. Without staying on top of these new phishing techniques, you could inadvertently fall prey to one. Keep your eyes peeled for news about new phishing scams. By finding out about them as early as possible, you will be at a much lower risk of getting snared by one. For IT administrators, ongoing security awareness training and simulated phishing for all users is highly recommended in keeping security top of mind throughout the organization.

2. Think Before You Click! – It’s fine to click on links when you’re on trusted sites. Clicking on links that appear in random emails and instant messages, however, isn’t such a smart move. Hover over links that you are unsure of before clicking on them. Do they lead where they are supposed to lead? A phishing email may claim to be from a legitimate company and when you click the link to the website, it may look exactly like the real website. The email may ask you to fill in the information but the email may not contain your name. When in doubt, go directly to the source rather than clicking a potentially dangerous link.

3. Install an Anti-Phishing Toolbar – Most popular Internet browsers can be customized with anti-phishing toolbars. Such toolbars run quick checks on the sites that you are visiting and compare them to lists of known phishing sites. If you stumble upon a malicious site, the toolbar will alert you about it. This is just one more layer of protection against phishing scams, and it is completely free.

4. Verify a Site’s Security – It’s natural to be a little wary about supplying sensitive financial information online. Before submitting any information, make sure the site’s URL begins with “https” and that a closed lock icon is shown near the address bar, and check the site’s certificate as well. Bear in mind that HTTPS only means the connection is encrypted; a phishing site can obtain a valid certificate too, so the lock is a necessary check, not proof that the site is genuine. If your browser warns that a website may contain malicious files, do not open it. Never download files from suspicious emails or websites. Even search engines may show links that lead to phishing pages offering low-cost products; card details entered on such a site go straight to the criminals.

5. Check Your Online Accounts Regularly – If you don’t visit an online account for a while, someone could be having a field day with it. Even if you don’t technically need to, check in with each of your online accounts on a regular basis. Get into the habit of changing your passwords regularly too. To prevent bank phishing and credit card phishing scams, you should personally check your statements regularly. Get monthly statements for your financial accounts and check each and every entry carefully to ensure no fraudulent transactions have been made without your knowledge.

6. Keep Your Browser Up to Date – Security patches are released for popular browsers all the time. They are released in response to the security loopholes that phishers and other hackers inevitably discover and exploit. If you typically ignore messages about updating your browsers, stop. The minute an update is available, download and install it.

7. Use Firewalls – High-quality firewalls act as buffers between you, your computer and outside intruders. You should use two different kinds: a desktop firewall and a network firewall. The first option is a type of software, and the second option is a type of hardware. When used together, they drastically reduce the odds of hackers and phishers infiltrating your computer or your network.

8. Be Wary of Pop-Ups – Pop-up windows often masquerade as legitimate components of a website. All too often, though, they are phishing attempts. Many popular browsers allow you to block pop-ups; you can allow them on a case-by-case basis. If one manages to slip through the cracks, don’t click on the “cancel” button; such buttons often lead to phishing sites. Instead, click the small “x” in the upper corner of the window.

9. Never Give Out Personal Information – As a general rule, you should never share personal or financially sensitive information over the Internet. This rule spans all the way back to the days of America Online, when users had to be warned constantly due to the success of early phishing scams. When in doubt, visit the main website of the company in question, get their number and give them a call. Most phishing emails will direct you to pages that ask for financial or personal information; never make such entries through links provided in emails, and never send an email containing sensitive information to anyone. Make it a habit to check the address of the website: a legitimate login page uses “https”, but “https” alone does not prove the site is the one it claims to be.

10. Use Antivirus Software – There are plenty of reasons to use antivirus software. Its signatures detect known malicious files and the known tricks used to deliver them. Just be sure to keep your software up to date: new definitions are added all the time because new scams are also being dreamed up all the time. Anti-spyware and firewall settings should be used alongside it and updated regularly. Firewall protection blocks connections to and from malicious hosts, while antivirus software scans files that arrive from the Internet before they can damage your system.
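Tip 2 above (hover over a link and ask whether it leads where it claims to) can be automated for HTML mail. The following is an added example, not code from the page’s source articles: it extracts every link with its visible text, compares the host the text shows with the host the href actually resolves to, flags bare-IP targets and userinfo tricks such as “bank.example@203.0.113.7”, and optionally checks whether a trusted brand name is being used as a decoy subdomain. The sample message, the brand list and the host names are constructed for the demo.

```python
"""Find links in an HTML e-mail whose visible text and real target disagree,
which is what 'hover before you click' catches by eye."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL without a leading 'www.'; '' if none.
    urlsplit() discards userinfo, so 'https://a@b' yields 'b', the real target."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url.strip()).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str, brands: tuple = ()) -> list:
    """Return links whose target contradicts the text, uses a bare IP, or
    embeds a brand host somewhere other than as the registrable suffix."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        shown = host_of(text) if URL_LIKE.match(text) else ""
        reasons = []
        if IP_HOST.match(target):
            reasons.append("target host is a bare IP address")
        # A subdomain of the shown host is fine (bank.example -> secure.bank.example);
        # any other host means the visible text lies about the destination.
        if shown and target != shown and not target.endswith("." + shown):
            reasons.append(f"text shows {shown} but link goes to {target}")
        for brand in brands:
            if brand in target and target != brand and not target.endswith("." + brand):
                reasons.append(f"host {target} contains {brand} but is not under it")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample of a relief-payment lure (not a real message).
SAMPLE_HTML = """
<p>Your COVID-19 relief payment is ready. Confirm your details below.</p>
<a href="https://www.bank.example@203.0.113.7/login">https://www.bank.example/login</a><br>
<a href="https://secure.bank.example/help">bank.example</a><br>
<a href="http://bank.example.evil.test/verify">Verify your account</a>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_HTML, brands=("bank.example",)):
        print(finding)
```

On the sample the first and third links are reported and the second is not: a legitimate subdomain of the displayed host passes, while a host that merely starts with the brand name, or one hidden behind an “@”, is exactly the mismatch a hover reveals.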