Cyber Round-up

Cyber Round-up for 12th April

April 11, 2019

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of Security.

In this week’s round-up:

  • Microsoft Patch Tuesday April 19
  • Newham Council Fined by ICO for Gang Data Leak
  • Ethical Hackers Breach University Networks in Two Hours
  • Yuzo WordPress Plugin Exploit Sends Users to Scam Sites
  • DragonBlood Vuln Found in Wi-Fi WPA3

Microsoft Patch Tuesday April 19

It’s that time of the month again, where Microsoft release the news on their vulnerable products and the patches available to fix them. This month there are a total of 74 vulnerabilities disclosed, with 16 rated Critical, 54 Important, 1 Moderate and 3 Low.

These updates cover issues found in software products such as MS Windows Operating Systems, Internet Explorer, MS Edge, Office, MS Exchange Server, the scripting engine, Team Foundation Server and more.

CVE-2019-0803 & CVE-2019-0859 cover two vulnerabilities rated Important, that exist in the Win32K component of the Windows operating system. By failing to handle memory objects properly, these vulns allow an attacker to run code in kernel mode and elevate their privileges, so they can view, change and delete data. New accounts could also be created with full user rights.

Note that both of these vulns are currently being actively exploited in the wild, so it’s very important to address these quickly.

Read more ….

Newham Council Fined by ICO for Gang Data Leak

Last week it was reported that the ICO have fined London-based Newham Council £145,000, after it was responsible for leaking the personal information of alleged gang members.

After the London Riots in 2011, the Met Police created a database that captured intelligence identifying possible gang members, based on their history of violent crime and other information provided by local councils.

An unredacted copy of information from this database was leaked in 2017, after a Newham Council worker sent the list in an email to 44 recipients, which included both internal departments and numerous external organisations.

Through the use of Snapchat, photographic copies of this list found their way into the hands of rival gang members. Although there was an increased level of gang-related violence that year, it is unclear whether this data leak was the cause.

We are unfortunately all too familiar with the constant data breaches we see in the news each week, often resulting in the loss of personal and financial information, but rarely do we see a breach such as this that directly threatens human life.

This drives home the importance, and the simple fact, that organisations of all types and sizes are still not doing enough to secure their data and educate their users on how to handle it, both appropriately and securely.

Read More on BBC …

Ethical Hackers Breach University Networks in Two Hours

UK University networks have been subject to a series of tests in order to understand how good their defences were against cyber-attacks. Unfortunately, the results of these tests have highlighted that in every case valuable data was obtained within two hours.

These penetration tests were jointly organised by JISC (the Joint Information Systems Committee) and HEPI (the Higher Education Policy Institute) and were scheduled to take place against 50 universities in the UK.

Ethical Hackers from the JISC’s in house team were tasked with carrying out the tests, which not only saw a 100% success rate against all tested universities, but they also managed to reach personal information for staff and students, and access research databases, within two hours of starting the test.

It won’t be a surprise to most familiar with cyber security that spear phishing attacks were the most effective method used in these tests.

Spear phishing attacks use crafted emails that are sent to specific targets within an organisation, pretending to be from a trusted source, with the intent to convince the user to click on a bad link or download malicious attachments or software.

Universities hold a wealth of valuable information for both cyber criminals and nation state actors working for foreign governments. Not only do they contain a vast amount of personal information for staff and students, but they also store research data and intellectual property that is of great value to these foreign governments.

These tests highlight how vulnerable our UK universities are to cyber-attack, meaning greater focus on improving cyber defences is urgently required.

Talking to the BBC, a spokeswoman for Universities UK stated that they are now working with the UK’s National Cyber Security Centre (NCSC) to help improve and strengthen security practices, to better protect the sector from cyber threats.

Read more on BBC ….

Yuzo WordPress Plugin Exploit Sends Users to Scam Sites

An exploited vulnerability has been identified in the popular Yuzo Related Posts WordPress plugin, which allows attackers to inject malicious JavaScript into the pages of the target system’s website.

Exploiting this vuln allows an unauthenticated attacker to modify the plugin’s settings to a value that includes malicious JavaScript. Once the JavaScript is injected, it can be used to redirect visitors of the compromised website to attacker-controlled websites or fraudulent scam sites.

The JavaScript used here contains a redirect that sends visitors to the following URL:

httpx://hellofromhony[.]org/counter

Once the user reaches this URL, numerous other redirects occur, which eventually lead them to various scam sites, including a tech support scam page.

Researchers at Wordfence believe that this exploit shares a lot of commonalities with two other vulns, found in the Social Warfare and Easy WP SMTP plugins. The same IP address (176[.]123[.]9[.]53) used for accessing the URL above was also used in these previous exploits, both of which delivered malicious redirects as part of their campaigns.
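As an added defender-side check (not code from Wordfence or the plugin author), the following Python scans a page’s HTML for script tags that reference the indicators quoted above, or that redirect visitors off-site; the sample pages are constructed for illustration and `site_host` is an assumed parameter naming your own domain.

```python
import re
from html.parser import HTMLParser

# Indicators quoted in the round-up, with the defanging brackets removed.
KNOWN_INDICATORS = ("hellofromhony.org", "176.123.9.53")
# Inline-redirect assignments an injected script typically uses.
REDIRECT_RE = re.compile(
    r"(?:window|document|top)\.location(?:\.href)?\s*=\s*['\"](https?://[^'\"]+)['\"]",
    re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True
                self.inline.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data


def find_injected_redirects(html, site_host):
    """Return (reason, detail) findings; an empty list means nothing suspicious."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.srcs:
        if any(ioc in src for ioc in KNOWN_INDICATORS):
            findings.append(("known-indicator", src))
    for body in p.inline:
        if any(ioc in body for ioc in KNOWN_INDICATORS):
            findings.append(("known-indicator", body.strip()[:80]))
            continue
        for url in REDIRECT_RE.findall(body):
            host = re.sub(r"^https?://", "", url).split("/")[0]
            if host != site_host:  # redirects to our own host are expected
                findings.append(("offsite-redirect", url))
    return findings


# Constructed sample pages, not real site content.
CLEAN_PAGE = "<html><head><script src='/wp-includes/js/jquery.js'></script></head><body>ok</body></html>"
INJECTED_PAGE = ("<html><head><script>window.location = 'http://hellofromhony.org/counter';"
                 "</script></head><body>ok</body></html>")
```

Run the function over rendered pages (or over the plugin’s option values exported from the database) and treat any finding as a signal to remove the plugin and review recent option changes.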

This vulnerability is believed to impact over 60,000 sites that currently have this plugin actively installed within WordPress. The plugin developer became aware of this vuln and on March 30th the plugin was removed from the WordPress Plugin directory. This prevented any new users from downloading the plugin, but left existing users still exposed.

The exploitation of this vulnerability has been the unfortunate result of a security researcher’s irresponsible actions: they publicly disclosed the vuln along with a proof of concept, prior to a fix being released by the developer.

Website JavaScript injection has become a common method for attackers in recent times. Formjacking techniques such as those used by the Magecart exploit in the Ticketmaster and British Airways breaches last year, have been used to steal customer credit card information from the website, without having to compromise the server or network infrastructure first.

The developer recommends that any users of their Yuzo Related Posts plugin should remove it from their WordPress site immediately, until they can release a fix for this vulnerability.

To protect yourself from these types of WordPress threats, always ensure that your WordPress site and its plugins are kept up to date with the latest versions of software.

In addition, WordPress users should also strongly consider the use of a WordPress or Web Application Firewall, to provide an extra layer of defence against such web attacks.

Read more on WordFence ….

DragonBlood Vuln Found in Wi-Fi WPA3

As with most new technologies, it’s never plain sailing when it comes to developing secure solutions, and it’s been no different with the new Wi-Fi security standard WPA3.

The WPA3 or Wi-Fi Protected Access 3 protocol is the next generation in Wi-Fi security and is due to replace the aging and less secure WPA2 protocol we use today.

In their April 10th press release the Wi-Fi Alliance issued an update on two identified vulns found in a limited number of early implementations of WPA3-Personal, where devices running attacker software can capture information and expose passwords due to improper implementation of cryptographic functions.

Researchers have released a paper titled DragonBlood that covers the two vulns. The first is a downgrade attack that forces WPA3-supporting devices to connect using an insecure WPA2 handshake. This is then followed by the second flaw, which incorporates two side-channel attacks that lead to the attacker obtaining the Wi-Fi password through an offline dictionary-style attack.

The Wi-Fi Alliance state that multiple CVEs have been raised under the IDs CVE-2019-9494 to CVE-2019-9499 to cover these flaws, but limited information is currently available from Mitre.

A simple software update is already available from the small number of device manufacturers affected by these WPA3 flaws.

More details can be found on The Hackers News website.

Read more on The Hacker News ….

And that’s it for this week’s round-up; please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #36 – 12th April 2019

Author

Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
