The blog of Wavestone's security experts

CERT-W: Cybersecurity watch of January events

You will find below our weekly report on cybersecurity news. Use this brief compilation to support your coffee break small talk!

Cybercrime watch

Jeff Bezos phone hacked: publication of the technical report

For many months, Jeff Bezos' phone had been sending out private, sensitive and/or confidential data. After months of forensic analysis of the data extracts and the iTunes backup provided by Bezos, analysts did not find any malware installed on the phone, only a suspicious video received through WhatsApp.
From the moment the video was received, Bezos' phone started sending out more than 120 MB of data per day.
The spyware was not found in the iTunes backup because iTunes does not back up system files, only user content such as messages and videos. To find the malware, analysts would therefore need to jailbreak Bezos' iPhone in order to obtain a root account on the device and gain access to the system files.

Half a million IoT device passwords published publicly

A hacker has published a list of 515,000 credentials for servers, routers and IoT devices. The list includes each device's IP address and the credentials for its Telnet service. These devices can therefore be remotely controlled over the Internet, for example to build a botnet (remember Mirai).
The list was compiled by scanning the whole Internet for devices exposing their Telnet port, then trying default credentials as well as a list of common credentials.

Ryuk's latest strike: Tampa Bay Times

The Ryuk crypto-locking malware has struck a large number of major US newspapers since December 2018. After the Chicago Tribune and the Los Angeles Times, it is now the turn of the Tampa Bay Times to suffer losses from this ransomware. The attack did not succeed in compromising payment data, and online publication was not interrupted. Thanks to a well-thought-out recovery plan, the newspaper is actively restoring its information system.
Ryuk infections start with weaponized Microsoft Office documents: a malicious macro injected into the document runs PowerShell commands that download the Emotet banking trojan, which in turn downloads another malicious payload such as TrickBot.
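The delivery chain above (Office document, macro, PowerShell, download of the next stage) leaves a recognisable parent/child process trail, which is what most detection rules for this family key on. The following Python script is an added example, not code from the original post or from any of the products mentioned: it runs a simple "Office application spawned a script host" rule over process-creation events. The event lines are constructed in a simplified Sysmon-like `Key=value` layout and are not real telemetry; the process names and command-line markers are assumptions a practitioner would tune for their own environment.

```python
import re

# Process basenames (lower-cased) for the Office parents and script hosts of interest.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line fragments typical of a macro stager fetching or hiding a second stage.
DOWNLOAD_MARKERS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"
    r"|-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|bypass|bitsadmin|certutil",
    re.IGNORECASE,
)

# One field at a time: Key=value up to the next " Key=", or Key="quoted value".
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|.*?)(?=\s+\w+=|$)')

# Constructed process-creation events (simplified Sysmon-like layout, not real telemetry).
SAMPLE_EVENTS = [
    'UtcTime=2020-01-20T10:15:01 '
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE '
    'CommandLine="powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"',
    'UtcTime=2020-01-20T10:16:30 '
    'Image=C:\\Windows\\System32\\cmd.exe '
    'ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE '
    'CommandLine="cmd.exe /c echo invoice ready"',
    'UtcTime=2020-01-20T10:17:05 '
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="powershell.exe Get-Date"',
    'UtcTime=2020-01-20T10:18:44 '
    'Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe '
    'ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE '
    'CommandLine="chrome.exe https://example.invalid/"',
]


def parse_event(line):
    """Turn one 'Key=value Key="quoted value"' line into a dict."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (severity, reason) for a suspicious event, or None when it is benign."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    if DOWNLOAD_MARKERS.search(cmdline):
        return ("high", f"{parent} spawned {child} with download/obfuscation flags")
    return ("medium", f"{parent} spawned {child}")


def scan(lines):
    """Run the rule over raw event lines; returns (time, severity, reason) tuples."""
    findings = []
    for line in lines:
        event = parse_event(line)
        verdict = classify(event)
        if verdict:
            findings.append((event.get("UtcTime", "?"), verdict[0], verdict[1]))
    return findings


if __name__ == "__main__":
    for ts, severity, reason in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {ts} {reason}")
```

The "medium" tier exists because an Office application launching `cmd.exe` is unusual enough to review on its own, while the encoded, hidden PowerShell launch from Word is the shape of the stager described above and is rated "high".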

Vulnerability watch


The first security patch of the decade released by Microsoft for Windows 10 addresses a vulnerability in the cryptography library that handles elliptic-curve cryptography. The vulnerability allows attackers to spoof a legitimate certification authority (CA) in order to sign malicious Windows executables as well as TLS certificates. It affects all versions of Windows 10, but the attack only applies to CAs using elliptic-curve cryptography.
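The post does not describe the root cause. As publicly documented, the flaw was that the library matched a certificate against a trusted CA by its public key alone, without verifying the curve parameters, so a certificate carrying explicit (non-named) EC parameters could be made to match a trusted key. The defensive rule that follows from this is to accept only named curves from an allow-list in a certificate's SubjectPublicKeyInfo and reject explicit or absent parameters. The Python below is an added example, not code from the post or from Microsoft: a minimal DER walker that applies that rule. The SPKI structures are constructed inline (the point bytes are dummies and the explicit-parameter block is abbreviated), so it runs offline.

```python
# OIDs in DER content-octet form (tag and length stripped).
EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")   # 1.2.840.10045.2.1 id-ecPublicKey
PRIME_FIELD_OID = bytes.fromhex("2a8648ce3d0101")     # 1.2.840.10045.1.1 prime-field
NAMED_CURVE_ALLOWLIST = {
    bytes.fromhex("2a8648ce3d030107"): "prime256v1 (P-256)",  # 1.2.840.10045.3.1.7
    bytes.fromhex("2b81040022"): "secp384r1 (P-384)",         # 1.3.132.0.34
    bytes.fromhex("2b81040023"): "secp521r1 (P-521)",         # 1.3.132.0.35
}


def der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos=0):
    """Decode the element at pos; returns (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def check_spki(spki):
    """Return (accepted, reason). Only allow-listed named curves are accepted for EC keys."""
    tag, seq, _ = read_tlv(spki)
    if tag != 0x30:
        return False, "SPKI is not a SEQUENCE"
    tag, alg, _ = read_tlv(seq)                      # AlgorithmIdentifier
    if tag != 0x30:
        return False, "AlgorithmIdentifier is not a SEQUENCE"
    tag, oid, pos = read_tlv(alg)
    if tag != 0x06 or oid != EC_PUBLIC_KEY_OID:
        return True, "not an EC key; this policy does not apply"
    if pos >= len(alg):
        return False, "EC key with no parameters: rejected"
    ptag, params, _ = read_tlv(alg, pos)
    if ptag == 0x06:                                  # namedCurve OID
        name = NAMED_CURVE_ALLOWLIST.get(params)
        return (True, f"named curve {name}") if name else (False, f"curve OID {params.hex()} not allow-listed")
    if ptag == 0x30:                                  # explicit ECParameters SEQUENCE
        return False, "explicit EC parameters: rejected (curve and generator are not verifiable against a trusted key)"
    return False, f"unexpected EC parameter tag 0x{ptag:02x}: rejected"


def build_named_curve_spki(curve_oid):
    """Constructed SPKI with a namedCurve parameter; the point bytes are dummies."""
    alg = tlv(0x30, tlv(0x06, EC_PUBLIC_KEY_OID) + tlv(0x06, curve_oid))
    point = b"\x04" + b"\x11" * 64
    return tlv(0x30, alg + tlv(0x03, b"\x00" + point))


def build_explicit_params_spki():
    """Constructed SPKI whose parameters are an abbreviated explicit ECParameters SEQUENCE."""
    field_id = tlv(0x30, tlv(0x06, PRIME_FIELD_OID) + tlv(0x02, b"\x7f"))   # placeholder prime
    curve = tlv(0x30, tlv(0x04, b"\x01") + tlv(0x04, b"\x02"))               # placeholder a, b
    params = tlv(0x30, tlv(0x02, b"\x01") + field_id + curve
                 + tlv(0x04, b"\x04\x05\x06") + tlv(0x02, b"\x7f"))          # version, base, order
    alg = tlv(0x30, tlv(0x06, EC_PUBLIC_KEY_OID) + params)
    point = b"\x04" + b"\x11" * 64
    return tlv(0x30, alg + tlv(0x03, b"\x00" + point))


if __name__ == "__main__":
    print(check_spki(build_named_curve_spki(bytes.fromhex("2a8648ce3d030107"))))
    print(check_spki(build_explicit_params_spki()))
```

To apply this to a real certificate, extract the SubjectPublicKeyInfo DER from the certificate and pass it to `check_spki`; the decision should be made before any comparison of the public key with a trusted anchor, since that comparison is exactly the step the bug short-circuited.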


An RDP Gateway is a server that acts as a router for the RDP protocol: all RDP connections from the outside target the RDP Gateway server, which redirects each connection to the correct computer. This reduces the attack surface of the information system. However, CVE-2020-0609, known as BlueGate, shows that RDP Gateway servers are affected by a memory corruption bug allowing remote code execution without authentication.
The vulnerable code is located in the section handling UDP requests; therefore, only RDS Gateway deployments that accept UDP are vulnerable.


The scripting engine of Internet Explorer allows an attacker to remotely execute commands on the underlying computer.
This vulnerability is due to a bug in the jscript.dll file, which is used to handle JavaScript objects in memory.
This CVE echoes the RCE identified as CVE-2018-8653, which also affected Internet Explorer.

Weekly top

The top leak - Microsoft data breach: 250 million records exposed

A database used for "support case analytics" was accessible in the cloud to anyone. It stored logs of conversations between Microsoft support agents and customers from all over the world.
The majority of the data was anonymized, but many records still contained personal data. The exposed data included:
- Customer email addresses
- IP addresses
- Locations
- Descriptions of CSS claims and cases
- Microsoft support agents' emails
- Case numbers, resolutions, and remarks
- Internal notes marked as “confidential”
Even though the data was publicly exposed for almost three weeks, there is no proof of malicious use. However, this data could later be used by scammers to impersonate call-center agents.

The top exploit - Malware deployed on unpatched Citrix servers

The REvil ransomware gang is using CVE-2019-19781 to deploy ransomware on unpatched Citrix servers. The attacks began on January 11, when a proof of concept for the CVE was published.
Many companies were unable to update their Citrix appliances because no official patch was available for their Citrix kernel. Nevertheless, the number of unpatched servers went down from 80,000 in mid-December to 11,000 in mid-January.
Moreover, Citrix and FireEye have jointly developed a script that Citrix owners can run to verify whether their appliances have already been compromised through this CVE.

The top attack - Hackers target European energy firm

The security firm Recorded Future has found a group of hackers, using open-source tools such as the Pupy trojan, targeting a European energy firm's network. Recorded Future suspects the APT33 group. This group is suspected of having links with Iranian intelligence and is known to have used the same open-source tools as those used against the European energy firm.
In the last few years, energy firms have been increasingly targeted by advanced persistent threats. These companies are therefore advised to harden their security with simple mechanisms such as multi-factor authentication and to monitor connections coming from outside their networks.
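The two recommendations above, multi-factor authentication and watching connections from outside the network, can be turned into a concrete monitoring rule. The Python below is an added example, not code from the post or from Recorded Future: it reviews remote-access authentication records, flags successful external logins that did not complete MFA, and flags repeated external failures against one account. The log layout, the internal address ranges and the failure threshold are assumptions to adapt to your own environment; the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Ranges the organisation treats as internal (assumption: RFC 1918; replace with your own).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed record layout: "<timestamp> user=<name> src=<ip> result=<success|failure> mfa=<yes|no>".
LOG_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(success|failure) mfa=(yes|no)$")

# Constructed sample records (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = [
    "2020-01-20T08:01:12Z user=alice src=10.1.4.22 result=success mfa=no",
    "2020-01-20T08:05:40Z user=bob src=203.0.113.45 result=success mfa=yes",
    "2020-01-20T08:07:03Z user=carol src=203.0.113.77 result=success mfa=no",
    "2020-01-20T08:09:15Z user=admin src=198.51.100.9 result=failure mfa=no",
    "2020-01-20T08:09:21Z user=admin src=198.51.100.9 result=failure mfa=no",
    "2020-01-20T08:09:27Z user=admin src=198.51.100.9 result=failure mfa=no",
    "2020-01-20T08:12:00Z user=dave src=192.168.7.3 result=failure mfa=no",
]


def is_external(ip_text):
    """True when the source address lies outside every internal range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return True                      # unparsable source: surface it for review
    return not any(addr in net for net in INTERNAL_NETWORKS)


def review(lines, failure_threshold=3):
    """Return alerts as (rule, timestamp, user, source) tuples, in log order."""
    alerts = []
    failures = defaultdict(int)          # (user, source) -> count of external failures
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # malformed record; skipped here, but count these in production
        ts, user, src, result, mfa = m.groups()
        if not is_external(src):
            continue                     # internal logins are out of scope for this rule
        if result == "success" and mfa == "no":
            alerts.append(("external-login-without-mfa", ts, user, src))
        elif result == "failure":
            failures[(user, src)] += 1
            if failures[(user, src)] == failure_threshold:
                alerts.append(("external-repeated-failures", ts, user, src))
    return alerts


if __name__ == "__main__":
    for rule, ts, user, src in review(SAMPLE_LOG):
        print(f"{ts} {rule}: user={user} src={src}")
```

The first rule is the enforcement check for the MFA recommendation: if MFA is mandatory for remote access, any external success without it is either a policy gap or a bypass and deserves a ticket. The second gives a minimal signal for the "monitor external connections" advice; in practice the threshold would be tuned per service and the source enriched with geolocation or reputation data.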

Software version watch

Current version:
- Adobe Flash Player
- Adobe Acrobat Reader DC
- Mozilla Firefox
- Google Chrome

