Category Archives: Cyber Security News

New Bird Miner Mac cryptominer leverages Ableton Live 10 cracked installer for propagation

  • The Ableton Live 10 cracked installer can be downloaded from a pirate website called VST Crack.
  • Ableton Live is a high-end music production software and is used as an instrument for live performance by DJs.

A new Mac cryptocurrency miner, detected as Bird Miner, has been found using a cracked installer for Ableton Live 10 to propagate. Ableton Live is high-end music production software that DJs also use as an instrument for live performance; it is used for composing, recording, mixing and mastering music as well.

How does it propagate?

According to Malwarebytes, the Ableton Live 10 cracked installer can be downloaded from a pirate website called VST Crack. The software is more than 2.6 GB. Once installed, the software downloads Bird Miner’s post-install script among other things. The cracked installer also copies some installed files to new locations with random names.

The files that get dropped on the infected system with random names have a variety of functions. This includes launching three different shell scripts.

Malicious scripts

One of the scripts launched is called Crax and it is installed in the /usr/local/bin/ directory. Crax ensures that the malware gains persistence on the victim’s system without being detected by security solutions.

“The first thing it does is check to see if Activity Monitor is running and, if it is, unload the other processes. If Activity Monitor isn’t running, the malware then goes through a series of CPU usage checks. If the results show that it’s pegging the CPU at more than 85 percent, it again unloads everything,” explained the researchers.

After Crax completes its check process, it loads two more processes named ‘com.Flagellariaceae.plist’ and ‘com.Dail.plist’. While the first one runs a script named Pecora, the second runs a script called Krugerite.

These two scripts once again check for Activity Monitor and then launch an executable named Nigel, which is an old build of the open-source emulator Qemu. Nigel lets the attackers run the miner code hidden inside Qemu images.

Worth noting

Malwarebytes highlights that the malware was first spotted in a pirated Ableton Live 10 installer. Since then, it has been found to be distributed via other software through the same site. The site has been distributing the malware in one form or another for at least four months.

Lightbox adware redirects mobile users to random sites

  • The redirected sites include pages related to viral apps or just random tech articles.
  • If the visitor chooses to install any of these apps, they are taken to the respective official store’s webpage.

An external script has been found redirecting visitors to several random sites. This script is widely used by webmasters to add Lightbox functionality to their websites.

Dissecting the malicious script

According to the researchers from Sucuri, the issue came to light after visitors were redirected to random sites while accessing a site via mobile. During the investigation, it was discovered that the installed script made a call to another script and redirected mobile users to a link (below).

hxxp://click[.]thebestoffer[.]gq/?utm_medium=6a9d4be48f9dd74ece2547f9a7d3ed068107809c&utm_campaign=js_1&1=&2=

What next?

Once users fall prey to the URL redirection, they are bombarded with random pages related to viral apps or random tech articles. If the visitor chooses to install any of these apps, they are taken to the respective official store’s webpage.

After a while, the script switched to a different campaign and redirected visitors to another shady-looking page, https[:]//you.1gowest[.]top/?utm_medium=87e4ad4e587d6a3c668e4dda57a31ea60a0235b2&utm_campaign=1gowest.

So far, there has been no evidence of anything more malicious happening through the script.

Threat actors often use this technique to generate revenue from a downloaded tool, app or script. Webmasters therefore need to be cautious when adding external assets to their websites.
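One concrete check for the external-asset concern above, as an added example that is not code from the Sucuri write-up: pin the third-party script with Subresource Integrity (SRI), so that if the hosting site later swaps in a different body (the campaign change described above), the browser refuses to execute it instead of redirecting visitors. The script bodies and URL are constructed for the demo.

```python
"""Subresource Integrity (SRI) pinning for a third-party script.

Added example, not code from the Sucuri write-up. The browser compares the
fetched script against the hash in the integrity attribute and refuses to
execute it on mismatch, so a script swapped on the hosting site cannot start
redirecting visitors. Script bodies and URL below are constructed for the demo.
"""
import base64
import hashlib
from html import escape

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(body: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity value, e.g. 'sha384-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"SRI permits only {SRI_ALGORITHMS}, not {algorithm!r}")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Build the <script> tag a webmaster would paste, pinned to body's hash.

    crossorigin="anonymous" is required for SRI on cross-origin resources.
    """
    return (f'<script src="{escape(src, quote=True)}" '
            f'integrity="{sri_hash(body)}" crossorigin="anonymous"></script>')


def verify(body: bytes, integrity: str) -> bool:
    """Mimic the browser check: does the fetched body match the pinned value?"""
    algorithm, sep, _ = integrity.partition("-")
    if not sep or algorithm not in SRI_ALGORITHMS:
        return False
    return sri_hash(body, algorithm) == integrity


# Constructed sample: the lightbox script as originally vetted, and the same
# URL later serving a modified body (here just an appended comment).
ORIGINAL_JS = b"(function(){window.openLightbox=function(el){/* show el */};})();\n"
TAMPERED_JS = ORIGINAL_JS + b"/* changed upstream after the review */\n"
SCRIPT_URL = "https://cdn.example.invalid/lightbox.min.js"


def demo() -> dict:
    """Pin the vetted body, then show the tampered body failing the check."""
    pinned = sri_hash(ORIGINAL_JS)
    return {
        "tag": script_tag(SCRIPT_URL, ORIGINAL_JS),
        "original_ok": verify(ORIGINAL_JS, pinned),   # True
        "tampered_ok": verify(TAMPERED_JS, pinned),   # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A pinned script must be re-hashed whenever the upstream legitimately changes, which is exactly the review step that catches a silent swap.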

SACK Panic and three other vulnerabilities discovered in Linux and FreeBSD kernels

 

  • All these vulnerabilities are related to the minimum segment size (MSS) and TCP selective acknowledgment (SACK) capabilities.
  • ‘SACK Panic’ is the most severe vulnerability of all the flaws.

Security researchers have recently disclosed four TCP networking vulnerabilities in the FreeBSD and Linux kernels. All of them relate to the minimum segment size (MSS) and TCP selective acknowledgment (SACK) capabilities.

SACK PANIC, the serious one

In a report, Netflix Information Security’s Jonathan Looney has revealed that ‘SACK Panic’ is the most severe vulnerability of all the flaws. Tracked as CVE-2019-11477, the vulnerability has been marked with a CVSS score of 7.5. It could permit an attacker to remotely induce a kernel panic within recent Linux operating systems.

A kernel panic is a fatal kernel error from which the operating system cannot easily recover. It forces a restart of the targeted host, causing a temporary shutdown of services.

The SACK Panic flaw impacts Linux kernel version 2.6.29 and later. It can be addressed by deploying PATCH_net_1_4.patch. Additionally, the versions of the Linux kernel up to 4.14 require a second patch PATCH_net_1a.patch.

The other way to mitigate the issue is by completely disabling SACK processing on the system.

What are the other flaws?

According to Red Hat, the two other issues that impact the kernel’s TCP processing subsystem are CVE-2019-11478 (dubbed SACK Slowness) and CVE-2019-11479. Both are considered moderate-severity vulnerabilities.

CVE-2019-11478 can be exploited by sending a crafted sequence of SACKs that fragments the TCP retransmission queue, while CVE-2019-11479 allows attackers to trigger a DoS condition.

CVE-2019-5599 is the FreeBSD counterpart of CVE-2019-11478. The flaw impacts FreeBSD 12 installations using the RACK TCP Stack. It can be abused by delivering “a crafted sequence of SACKs which will fragment the RACK send map.”

Linux admins and users can address CVE-2019-11478 by applying PATCH_net_2_4.patch. The second issue, CVE-2019-11479, can be addressed with the PATCH_net_3_4.patch and PATCH_net_4_4.patch security patches. CVE-2019-5599 can be fixed only by applying split_limit.patch and setting the net.inet.tcp.rack.split_limit sysctl to a reasonable value to limit the size of the SACK table.
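A triage helper for the Linux side of the advisory above, as an added example that is not code from the article, Netflix or Red Hat. It encodes the ranges the article states (kernels 2.6.29 and later are affected; kernels up to 4.14 also need PATCH_net_1a.patch) and checks the interim mitigation of disabling SACK processing. The sysctl key net.ipv4.tcp_sack is the standard Linux knob for that and is an assumption of this example, not a value quoted from the article.

```python
"""Triage helper for the SACK Panic advisory (CVE-2019-11477 and related).

Added example, not code from the article. Version ranges come from the
article; the sysctl key net.ipv4.tcp_sack is assumed (standard Linux knob
for SACK processing), not quoted from it.
"""
import os
import platform
import re
from dataclasses import dataclass

SYSCTL_KEY = "net.ipv4.tcp_sack"
PROC_PATH = "/proc/sys/net/ipv4/tcp_sack"


@dataclass
class SackTriage:
    kernel: tuple
    affected: bool            # SACK Panic applies to this kernel version
    needs_second_patch: bool  # PATCH_net_1a.patch also required (<= 4.14)
    sack_disabled: bool       # interim mitigation (SACK off) in place


def parse_kernel_version(release: str) -> tuple:
    """Turn a uname -r string such as '4.15.0-54-generic' into (4, 15, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(kernel: tuple) -> bool:
    """Article: SACK Panic impacts Linux kernel 2.6.29 and later."""
    return kernel >= (2, 6, 29)


def needs_second_patch(kernel: tuple) -> bool:
    """Article: kernels up to 4.14 require PATCH_net_1a.patch as well."""
    return is_affected(kernel) and kernel[:2] <= (4, 14)


def sack_disabled_from_sysctl(sysctl_output: str) -> bool:
    """Parse 'key = value' lines as printed by sysctl; SACK is off iff value is 0.

    A missing key is reported as not disabled, because the kernel default
    leaves SACK enabled.
    """
    for line in sysctl_output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == SYSCTL_KEY:
            return value.strip() == "0"
    return False


def triage(release: str, sysctl_output: str) -> SackTriage:
    """Combine the version and sysctl checks into one verdict."""
    kernel = parse_kernel_version(release)
    return SackTriage(
        kernel=kernel,
        affected=is_affected(kernel),
        needs_second_patch=needs_second_patch(kernel),
        sack_disabled=sack_disabled_from_sysctl(sysctl_output),
    )


if __name__ == "__main__":
    # Stand-alone run on a Linux host: read the live sysctl via /proc.
    current = ""
    if os.path.exists(PROC_PATH):
        with open(PROC_PATH) as fh:
            current = f"{SYSCTL_KEY} = {fh.read().strip()}"
        print(triage(platform.release(), current))
    else:
        print("not a Linux host; nothing to check")
```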

Mermaids transgender charity data breach exposed confidential emails

Mermaids UK has apologized for an “inadvertent” data breach which exposed private messages between the charity and the parents of gender variant and transgender children.

As first reported by the Sunday Times last week, over 1,000 pages of confidential emails were leaked online, including “intimate details of the vulnerable youngsters it [the charity] seeks to help.”

The letters, sent between 2016 and 2017, also contained the names, addresses, and telephone numbers of those reaching out to the charity.

When data breaches occur, it is often the case that cyberattackers infiltrate internal networks and steal information — and this data may be published online or sold in underground forums.

However, in Mermaids UK’s case, the material had simply been uploaded to the web and could be accessed just by typing in “Mermaids” and the UK charity number assigned to the group.

After being warned of the leak on Friday, the charity removed the content from public view.


In a statement, Mermaids UK called the data breach “inadvertent” and insists there is no evidence of the sensitive material being abused.

Mermaids said the leak involved roughly 1,100 emails between executives and trustees, rather than the correspondence of private users, according to the BBC. A spokesperson said the records were not related to “Mermaids service users emailing each other, and their emails and private correspondence being available to an outside audience.”

The charity added that the emails stemmed from a “private user group” and “the information could not be found unless the person searching for the information was already aware that the information could be found.” (Considering the publication was able to find the information through a simple online search, however, this position may not be wholly accurate.)

The UK’s Information Commissioner’s Office (ICO) has been informed, a step now demanded in light of the General Data Protection Regulation (GDPR) legislation, introduced in 2018.


Under the terms of GDPR, organizations now must be prompt when it comes to reporting data breaches and should they be found wanting in terms of data protection and security, heavy fines can be issued. Each security incident is considered on a case-by-case basis.

Mermaids has also contacted the families affected, alongside stakeholders and the Charity Commission.


“Mermaids apologizes for the breach,” the charity added. “Even though we have acted promptly and thoroughly, we are sorry. At the time of 2016 — 2017, Mermaids was a smaller but growing organization. Mermaids now has the internal processes and access to technical support which should mean such breaches cannot now occur.”

Reported losses from NBN scams increase by nearly 300% in 2019: ACCC

Australian consumers reported over AU$110,000 in monthly losses from NBN scams in the January-May 2019 period, according to the Australian Competition and Consumer Commission (ACCC).

Compared to the average monthly losses of AU$38,500 in 2018, this is a near 300% increase.

“People aged over 65 are particularly vulnerable, making the most reports and losing more than AU$330,000 this year. That’s more than 60% of the current losses,” ACCC Acting Chair Delia Rickard said.

Despite being only halfway through the year, the amount of reported losses for NBN scams in 2019 has already exceeded the total of last year’s losses, which was around AU$462,000.

“Scammers are increasingly using trusted brands like ‘NBN’ to trick unsuspecting consumers into parting with their money or personal information,” Rickard added.


The most common types of NBN scams, the ACCC said, include:

  • scammers pretending to be the NBN, attempting to sell NBN services or test the speed of the consumer’s connection and asking for personal details such as name, address, date of birth, and Medicare number, or for payment;
  • scammers pretending to be NBN Co or an internet provider and claiming there is a connection problem that requires remote access to fix, allowing them to install malware or steal valuable personal information; and
  • scammers calling during a blackout and offering consumers the ability to stay connected during the blackout for an extra fee.

“We will never make unsolicited calls or door knock to sell broadband services to the public. People need to contact their preferred phone and internet service provider to make the switch,” NBN Co chief security officer Darren Kane said.

“We will never request remote access to a resident’s computer and we will never make unsolicited requests for payment or financial information.”

This follows the ACCC in April releasing its annual Targeting scams report, which unveiled that the total combined losses from scams in 2018 exceeded AU$489 million — AU$149 million more than the year prior, up 41.7% year on year.

Of that total reported amount, AU$107 million was reported to Scamwatch, the ACCC’s scam reporting website.

“These record losses are likely just the tip of the iceberg. We know that not everyone who suffers a loss to a scammer reports it to a government agency,” Rickard said at the time.


Update: Over 20 million affected in massive AMCA data breach

  • The data was compromised after AMCA’s payment system was breached on August 1, 2018, and remained vulnerable until March 30, 2019.
  • AMCA has started notifying consumers whose credit card number, social security number or lab test order information may have been accessed.

Maryland Attorney General Brian E. Frosh is alerting Marylanders that their medical and other private information may have been compromised in the massive AMCA data breach. The breach has affected over 20 million patients of five diagnostic firms that used the services of the American Medical Collection Agency (AMCA).

Who are the victims?

The companies that were affected in the data breach are:

  • Quest Diagnostics: 11.9 million patients
  • LabCorp: 7.7 million patients
  • BioReference Laboratories: 422,600 patients
  • Carecentrix: 500,000 patients
  • Sunrise Laboratories: unknown number of patients

The data of these companies was compromised after AMCA’s payment system was breached on August 1, 2018 and remained vulnerable until March 30, 2019.

What data was involved?

Although the compromised information varies for each victim company, it includes some or all of the following:

  • Patient Name
  • Date of Birth
  • Address
  • Phone Number
  • Date of Service
  • Provider
  • Balance Information
  • Payment Card Information
  • Bank Account Information
  • Social Security Number
  • Lab Test Performed

How is the situation being addressed?

AMCA has started notifying consumers whose credit card number, social security number or lab test order information may have been accessed.

Meanwhile, General Frosh has also urged consumers to review their financial and medical accounts for suspicious activity.

“Massive data breaches like the one experienced by the AMCA are extremely alarming, especially considering the likelihood that personal, financial, and medical information may now be in the hands of thieves and scammers,” said General Frosh, CBS Baltimore reported.

Distributed Denial of Service attack on Telegram causes service outages

  • The attack caused service outages primarily in South and North America.
  • However, users in the United Kingdom, the Netherlands, Germany, Ukraine, Russia, Australia, and China also faced connection issues and network disruptions.

A Distributed Denial of Service (DDoS) attack on the Telegram messenger caused service outages and connection problems for users in certain parts of the world.

Which countries were impacted?

The attack caused service outages primarily in South and North America. However, users in the United Kingdom, the Netherlands, Germany, Ukraine, Russia, Australia, and China also faced connection issues and network disruptions.

“We’re currently experiencing a powerful DDoS attack, Telegram users in the Americas and some users from other countries may experience connection issues,” Telegram tweeted.

What happened?

A botnet of compromised computers flooded Telegram’s servers with traffic. The servers could not handle the volume of requests, which resulted in unstable connections for users.

What is a DDoS attack?

In a Distributed Denial of Service (DDoS) attack, multiple compromised systems are used to target a server with a huge volume of traffic. A DDoS attack aims to bring services down by bombarding them with more traffic than their services and infrastructure can handle.

On February 28, 2018, GitHub suffered world’s largest DDoS attack that took the service offline from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC.

Source of the attack

Pavel Durov, Founder and CEO of Telegram, noted that the DDoS attack originated from China.

“IP addresses coming mostly from China. Historically, all state actor-sized DDoS (200-400 Gb/s of junk) we experienced coincided in time with protests in Hong Kong (coordinated on @telegram). This case was not an exception,” Durov tweeted.

Connection problem resolved

Telegram assured users that their data was safe. “There’s a bright side: All of these lemmings are there just to overload the servers with extra work – they can’t take away your BigMac and coke. Your data is safe,” Telegram tweeted.

As of now, the connection issues have been resolved and users will be able to use Telegram messenger without any disruptions.

Major airplane parts manufacturer ASCO hit with ransomware attack

  • ASCO factory in Zaventem, Belgium was hit by a ransomware infection causing major downtime as most of the plants IT systems were infected.
  • ASCO shut down production in factories across Germany, Canada, and the United States.

What is the issue?

ASCO, one of the largest airplane parts manufacturers, suffered a ransomware attack that crippled production in factories across four countries.

What happened?

On June 7, 2019, ASCO’s factory in Zaventem, Belgium was hit by a ransomware infection that caused major downtime, as most of the plant’s IT systems were infected.

  • As a result, almost 1,000 of its 1,400 workers were sent home.
  • The manufacturing company also extended leave for the entire week as well as shut down production in factories across Germany, Canada, and the United States.
  • However, the non-production offices located in France and Brazil were operational.

“We have submitted an application for recognition of temporary unemployment due to force majeure,” Vicky Welvaert, HR director at ASCO said.

Worth noting

Some of the airplane parts manufacturer’s primary clients include Airbus, Boeing, Bombardier, and Lockheed Martin.

What actions were taken?

  • The aviation company has notified the appropriate authorities and the police department about the incident.
  • It has also engaged third-party IT experts to remediate the incident as quickly as possible.

“We have informed all competent authorities in this area of this cyber attack and have engaged external experts to solve the problem. We are currently working hard and hard at it,” Welvaert added.

However, the name of the ransomware and the recovery steps the company has taken to remediate the attack remain unknown.

Microsoft fixes 88 flaws, Adobe security updates, Intel’s advisories, and many more: Patch Tuesday – Week 2, June 2019

Adobe

Adobe has released security updates to fix major vulnerabilities in its Adobe Flash, Adobe ColdFusion, and Adobe Campaign software products. The update for Flash patches a critical use-after-free vulnerability (CVE-2019-7845) that can lead to arbitrary code execution (ACE). The ColdFusion updates address three critical ACE vulnerabilities (CVE-2019-7838, CVE-2019-7839, and CVE-2019-7840) in the platform. Seven vulnerabilities in Adobe Campaign, including one rated critical (CVE-2019-7850), were also remediated with new updates.

Intel

This month, Intel has published various advisories that address security vulnerabilities found in multiple firmware and software products. Of the 25 vulnerabilities addressed, nine were rated high severity. The high-impact flaws were found in Intel NUC, Intel RAID Web Console 3 (RWC3), Intel Accelerated Storage Manager and Intel Rapid Storage Technology Enterprise (RSTe). The flaws could lead to escalation of privilege (EoP), denial of service (DoS) or information disclosure (ID).

Other products covered in the advisories include vulnerabilities in Intel® Turbo Boost Max Technology 3.0 driver, Open Cloud Integrity Technology (Open CIT), OpenAttestation, Intel® Omni-Path Fabric Manager GUI, ITE Tech* Consumer Infrared Driver for Windows 10, INF Update Utility, Intel® PROSet/Wireless WiFi Software and Intel® SGX driver for Linux. A microprocessor related-flaw was also addressed.

Intel plans to release software updates for the affected products, except for the Turbo Boost Max Technology 3.0 driver, for which it has instead issued a Discontinuation Notice to users.

Microsoft

Microsoft has rolled out monthly updates which fix 88 security vulnerabilities. Among them, 21 flaws had a rating of ‘Critical’. Vulnerabilities mostly included remote code execution (RCE), ID and cross-site scripting (XSS) flaws that affected various products. The affected products listed in the updates are:

  • Adobe Flash Player
  • Microsoft Windows
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ChakraCore
  • Skype for Business and Microsoft Lync
  • Microsoft Exchange Server
  • Azure

In the updates, the tech giant has also patched four (CVE-2019-1069, CVE-2019-1053, CVE-2019-1064, CVE-2019-0973) out of five zero-day vulnerabilities uncovered last month.

SAP

SAP has published 11 security notes this month along with three follow-up updates to previous notes. The security notes address DoS, XSS, ID, clickjacking and missing authorization check vulnerabilities found in many of its products. Products affected by the flaws are SAP NetWeaver Process Integration, SAP Work Manager, SAP Inventory Manager, SAP R/3 Enterprise Application, SAP HANA Extended Application Services and SAP NetWeaver AS ABAP Platform.

VMware

VMware has fixed two major vulnerabilities affecting its VMware Tools and Workstation products. The update for VMware Tools resolves an out-of-bounds read vulnerability (CVE-2019-5522) in a software driver, while the update for Workstation addresses a use-after-free (UAF) vulnerability (CVE-2019-5525) in the backend. The UAF has a CVSS score of 8.5 and the out-of-bounds read flaw scores 7.1.

Ubuntu

Ubuntu has released software updates for the recently discovered vulnerabilities in the Vim and Neovim applications. Both could be exploited for RCE because of file handling issues. Ubuntu has also announced updates for DBus, GLib, libsndfile, and elfutils, which contained DoS and RCE vulnerabilities.

Vulnerability in SymCrypt could allow an attacker to perform DoS on any Windows server

  • The vulnerability could allow an attacker to perform DoS on any Windows server such as IPsec, Internet Information Services (IIS), and Microsoft Exchange Server.
  • The researcher found out that any program on the system that processes the X.509 digital certificate will trigger the vulnerability causing deadlock.

Tavis Ormandy, a vulnerability researcher at Google, uncovered a vulnerability in SymCrypt, the primary cryptographic library of Microsoft’s operating system. The vulnerability could allow an attacker to perform Denial of Service (DoS) on Windows 8 and later.

More details on the vulnerability

Ormandy tested the vulnerability using a specially crafted X.509 digital certificate that prevents completing the verification process and found out that any program on the system that processes the certificate will trigger the vulnerability causing deadlock.

“The vulnerability could cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric,” the researcher said.

The researcher also found that embedding the certificate in an S/MIME message, an Authenticode signature, or a Schannel connection could allow an attacker to perform DoS on any Windows server, such as IPsec, Internet Information Services (IIS), and Microsoft Exchange Server, requiring the machine to be rebooted.

Patch still not available

Ormandy notified Microsoft about the issue in March 2019 with a 90-day disclosure deadline. Microsoft acknowledged the issue and promised to come up with the patch within 90 days.

However, the Microsoft Security Response Center (MSRC) informed the researcher that a patch would not be ready until next month’s release of security updates. As the 90-day time frame had lapsed, the researcher released the details of the bug to the public.
