SecurityInsider
The blog of Wavestone's security experts

CERT-W: Cybersecurity watch of events from November 5th


You will find below our weekly report on cybersecurity news. Use this brief compilation to support your coffee break small talk!

Cybercrime watch

Targeted ransomware hits Spanish companies

One of the largest IT consulting companies in Spain, Everis, suffered a targeted ransomware attack on Monday, forcing the company to shut down all its computer systems until the issue is fully resolved. Several other Spanish and European companies have reportedly been hit by similar ransomware during the same period.

Canadian Nunavut government systems crippled by ransomware

Last weekend, all Nunavut government services – with the exception of an energy corporation – that rely on access to electronic information stored by the authority were hit by ransomware. The lockdown that followed encompassed medical, legal and social services. In its statement, the Government of Nunavut reassured citizens that the incident had not compromised any personal information or caused a privacy breach.

Cyber-attack hits Utah wind and solar energy provider

A cyberattack on the U.S. energy grid has just come to light: back in March, it disrupted plant visibility at Utah-based sPower. Exploiting an unpatched firewall, this denial-of-service (DoS) attack disrupted the organization's ability to monitor the current status of its power-generation systems over a period of 12 hours.

Vulnerability watch

Microsoft Office for Mac users exposed to macro-based attacks

Users have been warned that malicious SYLK files are sneaking past endpoint defenses even when the "disable all macros without notification" setting is turned on. This leaves systems vulnerable to remote, unauthenticated attackers who can execute arbitrary code.

Alexa, Siri, Google Smart Speakers hacked via laser beam

Researchers have discovered a new way to hack Alexa and Siri smart speakers merely by using a laser beam. No physical access to the victim's device, and no owner interaction, is needed to launch the attack, which allows attackers to send voice assistants inaudible commands such as unlocking doors. With careful aiming and laser focusing, such an attack could succeed from as far as 110 meters away.

Two unpatched critical RCE flaws disclosed in rConfig

Two bugs in the network configuration utility rConfig have been identified, both allowing remote code execution on affected systems. One is rated critical and allows an unauthenticated attacker to compromise a system remotely. Both vulnerabilities affect all versions of rConfig, including the latest version 3.9.2, with no security patch available at the time of writing.

Weekly top

The top leak - Indian banks to probe alleged data leak of 1.3 million cards

Security researchers at Singapore-based Group-IB found that card details were being sold at a price of $100 per card. The group estimates the value of the leaked database at $130 million, and more than 1.3 million payment card details could have been leaked. The Reserve Bank of India has directed banks to secure their customers' debit and credit card data.

The top exploit - CVE-2019-0708

Cybersecurity researchers have spotted a new cyberattack that is believed to be the very first attempt to weaponize the infamous BlueKeep RDP vulnerability in the wild to mass compromise vulnerable systems for cryptocurrency mining.

The top attack - India confirms cyberattack on nuclear power plant

In September, a cyberattack on the Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu, India, took place. The plant's administrative network was breached, but the attack did not cause any critical damage. However, VirusTotal, a virus scanning website owned by Google's parent company, Alphabet, has indicated that a large amount of data from the KKNPP's administrative network was stolen.

Software version watch

Software
Current version
Adobe Flash Player
Adobe Acrobat Reader DC
Java
Mozilla Firefox
Google Chrome
VirtualBox
CCleaner

Vincent BELOTTI

CERT-W: Cybersecurity watch of events from October 28th


You will find below our weekly report on cybersecurity news. Use this brief compilation to support your coffee break small talk!

Cybercrime watch

Phishing attacks targeting the UN, UNICEF and the Red Cross

Several international organizations, among them the UN, UNICEF, the Red Cross and the World Food Programme, are the targets of a phishing campaign. The campaign targets mobile devices and logs all keystrokes in order to capture users' credentials.

Anti-doping organizations targeted by Fancy Bear attacks

Several anti-doping organizations (at least 16) were targeted by the threat group Fancy Bear (also known as APT28). The attacks were ongoing for more than a month.
Fancy Bear uses several attack methods, among them spear phishing and the use of open-source or custom malware.
In 2016, the threat group targeted the World Anti-Doping Agency and published some of the stolen data.

Vulnerability watch

A new malware gathers data from more than 100,000 devices

A new malware, named Raccoon, first seen in April 2019, has already spread to more than 100,000 devices.
Raccoon gathers personal data from the compromised devices (credit cards, emails, cookies, passwords, etc.).
The malware is sold as a service (Malware as a Service, or MaaS) and costs $200 per month. Raccoon is now among the 10 most widespread malware families in the world.

A new vulnerability discovered in Content Delivery Networks (CDN)

Researchers discovered a vulnerability in CDNs letting them conduct Cache-Poisoned Denial of Service (CPDoS) attacks.
The attack involves sending specially crafted requests, through the CDN, to the origin server that publishes the service, until the origin returns an error page. The CDN then caches that error and serves it to every subsequent client across its network.
As a result, the server is no longer reachable through the CDN, since it is considered offline.
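To make the mechanism described above concrete, here is an added example that is not part of the original post: a toy model of a CDN edge cache in front of an origin server. The vulnerable cache stores the origin's error responses like any other response, so one malformed request poisons the entry every later visitor receives; the hardened cache only stores successful responses the origin explicitly marks as cacheable. The origin rule (rejecting an oversized custom header with a 400), the header name and the limits are all constructed for the demonstration and do not correspond to any real CDN configuration.

```python
# Added example (not from the original post): toy model of the CPDoS failure
# mode. An edge cache sits in front of an origin server; if the edge caches the
# origin's error responses, a single malformed request poisons the cached entry
# served to every later visitor. The hardened variant only stores successful,
# explicitly cacheable responses. All rules and values are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def origin(path: str, request_headers: Dict[str, str]) -> Response:
    """Constructed origin: refuses an oversized custom header with a 400
    (a header the edge forwards but the origin rejects), otherwise serves a
    page it marks as publicly cacheable for 60 seconds."""
    if len(request_headers.get("X-Custom", "")) > 64:
        return Response(400, "Bad Request")
    return Response(200, "content of " + path,
                    {"Cache-Control": "public, max-age=60"})


class EdgeCache:
    """Minimal shared cache keyed on the request path only, like a CDN edge."""

    def __init__(self, cache_errors: bool):
        self.cache_errors = cache_errors  # True = vulnerable, False = hardened
        self.store: Dict[str, Response] = {}

    def _cacheable(self, resp: Response) -> bool:
        if resp.status == 200 and "public" in resp.headers.get("Cache-Control", ""):
            return True
        # Vulnerable configuration: error pages are stored like any other response
        return self.cache_errors and resp.status >= 400

    def fetch(self, path: str, headers: Optional[Dict[str, str]] = None) -> Tuple[Response, bool]:
        """Return (response, served_from_cache)."""
        headers = headers or {}
        if path in self.store:
            return self.store[path], True
        resp = origin(path, headers)
        if self._cacheable(resp):
            self.store[path] = resp
        return resp, False


def simulate(cache_errors: bool) -> List[int]:
    """Replay the scenario: a normal visitor, cache expiry, one malformed
    request, then two normal visitors. Returns the status codes the normal
    visitors observe."""
    edge = EdgeCache(cache_errors)
    seen = [edge.fetch("/home")[0].status]      # 200, stored at the edge
    edge.store.pop("/home", None)               # entry expires
    malformed = {"X-Custom": "A" * 100}         # constructed malformed request
    edge.fetch("/home", malformed)              # origin answers 400
    seen.append(edge.fetch("/home")[0].status)  # what the next visitor gets
    seen.append(edge.fetch("/home")[0].status)
    return seen


def detect_cached_errors(edge: EdgeCache) -> List[str]:
    """Defender check: paths whose stored entry is an error response, i.e.
    entries that would serve a poisoned page to every client."""
    return [p for p, r in edge.store.items() if r.status >= 400]


if __name__ == "__main__":
    print("vulnerable edge:", simulate(True))   # [200, 400, 400]
    print("hardened edge:  ", simulate(False))  # [200, 200, 200]
```

The difference between the two runs is entirely in `_cacheable`: the mitigation the CPDoS research recommends amounts to never caching error responses (or caching them only for a very short time) and honouring the origin's `Cache-Control` directives, which is what the hardened branch models.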

Samsung starts deploying patches for the Samsung S10 and Note 10 fingerprint sensor

A vulnerability in the Samsung S10 and Note 10 fingerprint sensor was discovered that allows anyone to bypass it as long as the sensor is covered with a protective film. A week later, Samsung released a security patch.

Weekly top

The top leak - More than 7M Adobe Creative Cloud users' accounts exposed

The Adobe Creative Cloud users' database (an Elasticsearch database) was exposed without any authentication.
Around 7.5M users' data was exposed, providing material for targeted phishing campaigns.
The exposed data does not appear to have contained banking information.

The top exploit - CVE-2019-5536, CVE-2019-5537 & CVE-2019-5538

Several vulnerabilities were discovered in VMware products:
* CVE-2019-5536: a denial of service vulnerability in the shader functionality,
* CVE-2019-5537 & CVE-2019-5538: a man-in-the-middle attack between vCenter and the backup storage can expose data in transit during backup or restore operations.

The top attack - The Grand Cognac community hit by ransomware

The information system of Grand Cognac was hit by ransomware. Several employees were asked to take days off while their workstations were being rebuilt.
Some data was recovered; however, several files representing years of work were permanently lost.

Software version watch

Software
Current version
Adobe Flash Player
Adobe Acrobat Reader DC
Java
Mozilla Firefox
Google Chrome
VirtualBox
CCleaner

Ilias SIDQUI

CERT-W: Cybersecurity watch of events from October 21st


You will find below our weekly report on cybersecurity news. Use this brief compilation to support your coffee break small talk!

Cybercrime watch

A man has been sentenced to 12 years in prison for compromising the Los Angeles court's information system

The attacker leveraged his foothold inside the information system to launch a massive phishing campaign against 2 million targets. Federal authorities were able to arrest him based on the email address used to extort money.

German company Pilz hit by a ransomware attack

The information system of this major sensor and control systems provider has been hit by the BitPaymer ransomware. There has been no impact on production so far, but all workstations have been disconnected from the company network for more than a week.

Vulnerability watch

Two major vulnerabilities have been patched in Kubernetes

A critical security update in Kubernetes now protects against two high-severity CVEs (CVE-2019-16276 and CVE-2019-11253). Users must update to version 1.14.8, 1.15.5 or 1.16.2.

Amazon products Echo and Kindle vulnerable to Wi-Fi attacks

According to ESET, the KRACK attack (Key Reinstallation Attack) can be used against the Amazon Echo or the 8th generation Kindle. This attack would allow an attacker to decrypt the communications or at least to perform a denial of service attack.

Weekly top

The top leak - Data on US government and military personnel has leaked online

The Autoclerk booking system (used by the Best Western hotel chain) was the source of a 179GB data leak. Information about the whereabouts and travel plans of US military and government VIPs was present in this leak.

The top exploit - According to security researchers, Google Home and Alexa can be used to spy on their owners

SRLabs, a German research lab, has highlighted the existence of applications (Skills for Alexa and Actions for Google Home) that would allow eavesdropping on the commands sent to the voice assistants.

The top attack - A NordVPN server was hacked in 2018

One of the VPN provider's servers, located in Finland, was compromised in 2018, allowing the impersonation of the nordvpn.com domain as well as the decryption of VPN traffic. The attack was made possible by an administration service exposed online.

Software version watch

Software
Current version
Adobe Flash Player
Adobe Acrobat Reader DC
Java
Mozilla Firefox
Google Chrome
VirtualBox
CCleaner

Vincent CHARRETIER

CERT-W: Cybersecurity watch for the week of October 7th, 2019


As every week, you will find below our report on cybersecurity news. Use this brief compilation to support your coffee break small talk!

Cybercrime watch

Kaspersky discovered malware developed by the Uzbek government

Uzbek security services registered a domain under the name of one of their military units and then installed Kaspersky antivirus on their attack infrastructure. This allowed the Russian firm to discover their platform and to reveal 4 so-called zero-day vulnerabilities.

Huawei estimates it receives more than one million cyberattacks per day

More than one million attacks per day are reportedly being carried out against Huawei. These attacks mainly target its trade secrets relating to 5G technology.

APT groups exploit outdated VPNs

International organizations are currently being targeted by well-known groups such as APT5. The exploitation of vulnerabilities in VPN products that have not been updated, such as those from Palo Alto, Pulse Secure or Fortinet, appears to be confirmed.

Vulnerability watch

Medical devices affected by numerous vulnerabilities

According to the US Food and Drug Administration (FDA), many connected healthcare devices are vulnerable to URGENT/11, a set of vulnerabilities affecting real-time operating systems (RTOS) that include a TCP/IP stack. The agency asks manufacturers to work with healthcare professionals to draw up the list of affected equipment and thus define a mitigation plan.

Juniper Networks announces it has fixed 84 vulnerabilities in its products

Two vulnerabilities announced by the company reach the maximum CVSS score (CVE-2019-3828 and CVE-2018-14721).

Weekly top

The top leak - Data of 92 million Brazilians for sale on the dark web

Although the theft has not been officially confirmed, the data in this database appears to be genuine. Once again, this calls into question the protection of data by public authorities.

The top exploit - A new Windows flaw allows ransomware to be installed via iTunes and iCloud

A zero-day flaw was recently discovered by the company Morphisec. It allows an attacker to inject ransomware onto a Windows workstation without being detected by the antivirus.

The top attack - The M6 group targeted by a cyberattack

Ransomware affected the M6 group's landlines and email this weekend. The channel nevertheless managed to keep broadcasting its programming during the attack.

Software version watch

Software
Current version
Adobe Flash Player
Adobe Acrobat Reader DC
Java
Mozilla Firefox
Google Chrome
VirtualBox
CCleaner

Vincent CHARRETIER

CERT-W: Cybersecurity watch for the week of October 2nd, 2019


You will find below our report on cybersecurity news. Use this brief compilation to support your coffee break small talk!

Cybercrime watch

Facebook urged by some governments to abandon end-to-end encryption

The United States, the United Kingdom and Australia recently wrote an open letter to Mark Zuckerberg, asking him not to implement end-to-end encryption in his applications, and in particular in his new unified messaging project.

Trump's presidential campaign reportedly targeted by Iranian hackers

A group called "Phosphorous" reportedly attempted to access the Microsoft accounts of people associated with the Trump campaign.

Vulnerability watch

A new iOS flaw allows a permanent jailbreak of almost all iPhone versions


A new attack, PDFex, allows the exfiltration of data from encrypted PDF files

A German team has devised a new attack, named PDFex, allowing an attacker to view the contents of an encrypted PDF file. 27 PDF viewers, including commonly used software such as Adobe Acrobat and the PDF viewers built into Chrome and Firefox, are affected.

A new malware can compromise its victim's HTTPS traffic

Researchers recently discovered a new piece of malware, dubbed Reductor, that can manipulate its victim's HTTPS traffic by patching the random number generator the browser uses to establish a private connection between the client and the server.

Weekly top

The top exploit - Android devices hit by a 0-day exploit that Google thought it had fixed

Google admitted that some Android smartphones recently became vulnerable to a serious 0-day exploit (CVE-2019-2215) that grants full control over the affected smartphones. The company thought it had fixed this flaw for good almost two years ago.

The top leak - Sephora had the data of 780,073 users stolen in 2017


The top attack - The Geost Android botnet claims 800,000 victims in Russia

A botnet infected more than 800,000 Russian Android devices, giving access to several million euros held in its victims' bank accounts.

Software version watch

Software
Current version
Adobe Flash Player
Adobe Acrobat Reader DC
Java
Mozilla Firefox
Google Chrome
VirtualBox
CCleaner

Jordy MARTIN