Cybersecurity Weekly Briefing 23-29 May

ElevenPaths    29 May, 2020

Critical-Severity RCE Vulnerability in Cisco Unified CCX

Cisco has fixed a critical remote code execution vulnerability in the Java Remote Management Interface of Cisco Unified Contact Center Express (CCX). The flaw (CVE-2020-3280) stems from improper input validation of user-supplied data in the affected software. An attacker could exploit it by sending a malicious serialized Java object to a specific listener on an affected system; successful exploitation could allow the attacker to execute arbitrary code as the root user. So far, the Cisco Product Security Incident Response Team (PSIRT) has not detected any exploits linked to this vulnerability.


RangeAMP: DoS Attacks against Websites and CDN Servers

A team of Chinese researchers has found a new way to manipulate HTTP requests to inflate web traffic and cause outages on websites and content distribution networks (CDNs). The new denial of service (DoS) technique, called RangeAMP, exploits incorrect implementations of the Range header in HTTP requests. This header lets a client request only a specific part of a file hosted on the server and was designed so that transfers can be paused and resumed deliberately or after network problems. According to the researchers, there are two RangeAMP attacks: Small Byte Range (SBR), which targets a single site in order to take it down, and Overlapping Byte Ranges (OBR), in which traffic is amplified between CDN networks, overwhelming CDN servers as well as other target sites. The researchers reportedly contacted 13 CDN providers, 12 of which (among them Akamai, Azure and Cloudflare) have already deployed updates to mitigate this type of attack.
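The briefing describes the Range header and the OBR variant in prose only. The following is an added example, not code from the briefing or from the RangeAMP researchers: a small checker, usable as an edge-proxy or WAF filter, that parses an HTTP Range header and scores it by the number of range specs and by how much they overlap, so that requests asking for the same bytes many times over can be logged or rejected before being forwarded upstream. The two thresholds, the function names and the 1000-byte sample resource are assumptions chosen for illustration.

```python
"""Added example, not code from the briefing or from the RangeAMP researchers:
a checker that parses an HTTP Range header and flags request shapes associated
with the overlapping-byte-ranges (OBR) pattern, so an edge proxy or WAF rule can
log or reject them before forwarding upstream. The two thresholds are assumed
policy values chosen for illustration, not figures from any vendor or paper."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# RFC 7233 byte-range syntax: "bytes=" then comma-separated specs such as
# "0-499", "500-" (to the end) or "-500" (suffix: the last 500 bytes).
_RANGE_HEADER = re.compile(r"^\s*bytes\s*=\s*(.+?)\s*$", re.IGNORECASE)

MAX_RANGES_PER_REQUEST = 10   # assumed limit on range specs in one request
MAX_OVERLAP_FACTOR = 1.5      # assumed limit on requested_bytes / distinct_bytes


@dataclass
class RangeAssessment:
    ranges: List[Tuple[int, int]] = field(default_factory=list)  # inclusive (start, end)
    requested_bytes: int = 0      # bytes the server would have to send back
    distinct_bytes: int = 0       # bytes of the representation actually covered
    overlap_factor: float = 1.0   # requested / distinct; above 1.0 means overlap
    suspicious: bool = False
    reason: str = "ok"


def parse_range_header(value: str, content_length: int) -> List[Tuple[int, int]]:
    """Parse a Range header into inclusive (start, end) pairs clamped to the
    representation size. Raises ValueError for syntactically invalid or
    unsatisfiable specs, which a server ignores or answers with 416."""
    m = _RANGE_HEADER.match(value)
    if not m or content_length <= 0:
        raise ValueError("not a byte-range request")
    ranges = []
    for spec in m.group(1).split(","):
        first, sep, last = spec.strip().partition("-")
        if not sep or not (first or last) or \
                (first and not first.isdigit()) or (last and not last.isdigit()):
            raise ValueError(f"malformed range spec {spec.strip()!r}")
        if not first:                                   # suffix form "-N"
            n = int(last)
            if n == 0:
                raise ValueError("zero-length suffix range")
            start, end = max(content_length - n, 0), content_length - 1
        else:
            start = int(first)
            end = content_length - 1 if not last else min(int(last), content_length - 1)
            if start >= content_length or end < start:
                raise ValueError(f"unsatisfiable range spec {spec.strip()!r}")
        ranges.append((start, end))
    return ranges


def assess_ranges(ranges: List[Tuple[int, int]]) -> RangeAssessment:
    """Compare how many bytes the request asks for with how many distinct bytes
    it covers; a large ratio means the same data is being requested repeatedly."""
    a = RangeAssessment(ranges=list(ranges))
    a.requested_bytes = sum(end - start + 1 for start, end in ranges)
    merged: List[Tuple[int, int]] = []            # union of the intervals
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    a.distinct_bytes = sum(end - start + 1 for start, end in merged)
    if a.distinct_bytes:
        a.overlap_factor = a.requested_bytes / a.distinct_bytes
    if len(ranges) > MAX_RANGES_PER_REQUEST:
        a.suspicious, a.reason = True, f"{len(ranges)} ranges exceeds limit"
    elif a.overlap_factor > MAX_OVERLAP_FACTOR:
        a.suspicious, a.reason = True, f"overlap factor {a.overlap_factor:.1f}"
    return a


def check_range_request(header_value: str, content_length: int) -> RangeAssessment:
    """Entry point for a proxy filter: invalid headers are reported as such
    (RFC 7233 lets a server ignore them); valid ones are scored."""
    try:
        ranges = parse_range_header(header_value, content_length)
    except ValueError as exc:
        return RangeAssessment(reason=f"invalid: {exc}")
    return assess_ranges(ranges)


if __name__ == "__main__":
    # Constructed sample headers, all against a 1000-byte resource.
    for hdr in ("bytes=0-99", "bytes=-100", "bytes=0-,0-,0-",
                "bytes=" + ",".join(f"{i}-{i}" for i in range(20)), "bytes=500-100"):
        r = check_range_request(hdr, 1000)
        print(f"{hdr[:40]:<40} suspicious={r.suspicious} reason={r.reason}")
```

The overlap factor is the ratio between the bytes a multipart response would carry and the bytes the ranges actually cover, so a request such as `bytes=0-,0-,0-` scores 3.0 against a single-range request's 1.0. A limit on the number of ranges per request is the simpler guard and is what most servers expose as a configuration knob; the SBR variant cannot be judged from one header alone and needs per-client rate correlation of tiny-range requests for the same resource, which this example does not attempt.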


StrandHogg 2.0: Critical-Severity Vulnerability in Android

Promon security researchers have found a vulnerability, called StrandHogg 2.0, that affects all devices running Android 9.x. Exploiting this bug, tracked as CVE-2020-0096 with a CVSS v3 score of 7.8, could allow a threat actor to steal credentials, take photos with the camera, read and send SMS messages, obtain GPS location data, access the contact list and media files, and listen to the user through the microphone. Malicious applications exploiting the bug deceive the user by replacing the interface of legitimate apps, a disguise under which malicious actions can easily be carried out in the background. The vulnerability is an evolution of the original StrandHogg, although the two differ in focus and scope. Google has already fixed the issue with a patch, so users are advised to update their systems to the latest version.


Microsoft Warns about PonyFinal Attacks

Microsoft's security team has issued an advisory today warning organizations worldwide to deploy protections against a new strain of ransomware that has been in the wild over the past two months. PonyFinal is a Java-based ransomware deployed in human-operated ransomware attacks, in which the attackers breach corporate networks and deploy the ransomware themselves. The intrusion point is usually an account on a company's systems management server, which the PonyFinal gang breaches using brute-force attacks that guess weak passwords. Once inside, PonyFinal deploys a Visual Basic script that runs a PowerShell reverse shell to dump and steal local data. Once the gang has a firm grasp on the target's network, it spreads to other local systems and deploys the actual ransomware. Microsoft has pointed out that files encrypted by PonyFinal usually carry an additional ".enc" extension appended to the file name, and that there is currently no known method or free decryptor that can recover encrypted files.
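The advisory summary above gives two observable traces of a PonyFinal intrusion: a Visual Basic script launching PowerShell, and files gaining a ".enc" suffix. As an added example that is not code from the briefing or from Microsoft, the block below turns those two observations into detection rules and runs them over constructed endpoint telemetry. The event schema (dictionary keys), host and process names, file paths and the burst threshold are all assumptions made for the illustration.

```python
"""Added example, not from the briefing or from Microsoft: two detection rules
derived from the PonyFinal description, run over constructed endpoint telemetry.
The event schema (dict keys), names and the burst threshold are assumptions."""
from collections import defaultdict
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}      # Windows hosts that run .vbs scripts
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
ENC_BURST_THRESHOLD = 5   # assumed: ".enc" files created by one process before alerting

# Constructed sample events in an assumed flat schema (one dict per event).
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "host": "srv-mgmt01", "type": "process_create", "pid": 4100,
     "image": "wscript.exe", "parent_image": "explorer.exe"},
    {"id": 2, "host": "srv-mgmt01", "type": "process_create", "pid": 4120,
     "image": "powershell.exe", "parent_image": "wscript.exe"},
    {"id": 3, "host": "srv-mgmt01", "type": "process_create", "pid": 4130,
     "image": "powershell.exe", "parent_image": "svchost.exe"},   # benign chain
] + [
    {"id": 10 + i, "host": "ws-fin07", "type": "file_create", "pid": 5200,
     "path": f"C:\\Finance\\Q2\\report_{i}.xlsx.enc"} for i in range(6)
] + [
    {"id": 20, "host": "ws-fin07", "type": "file_create", "pid": 5300,
     "path": "C:\\Users\\a\\Downloads\\setup.enc"},   # plain .enc, no original extension
]


def script_host_spawning_powershell(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """Rule 1: a Windows Script Host process launching PowerShell, the chain the
    briefing describes (a Visual Basic script running a PowerShell shell)."""
    hits = []
    for e in events:
        if e["type"] != "process_create":
            continue
        if e["parent_image"].lower() in SCRIPT_HOSTS and e["image"].lower() in POWERSHELL_IMAGES:
            hits.append((e["id"], e["host"], f"{e['parent_image']} -> {e['image']}"))
    return hits


def enc_extension_burst(events: List[Dict], threshold: int = ENC_BURST_THRESHOLD):
    """Rule 2: one process creating many files whose name ends in ".enc" appended
    after an existing extension (e.g. report.xlsx.enc), keyed by (host, pid)."""
    per_process = defaultdict(list)
    for e in events:
        if e["type"] != "file_create":
            continue
        name = e["path"].rsplit("\\", 1)[-1].lower()
        parts = name.split(".")
        # require original extension plus ".enc": at least "name.ext.enc"
        if len(parts) >= 3 and parts[-1] == "enc":
            per_process[(e["host"], e["pid"])].append(e["id"])
    return {k: v for k, v in per_process.items() if len(v) >= threshold}


def run_rules(events: List[Dict]) -> Dict:
    """Apply both rules and return their findings together."""
    return {"script_host_to_powershell": script_host_spawning_powershell(events),
            "enc_bursts": enc_extension_burst(events)}


if __name__ == "__main__":
    for rule, findings in run_rules(SAMPLE_EVENTS).items():
        print(rule, findings)
```

Rule 2 deliberately demands an original extension before ".enc" so that a lone file such as `setup.enc` does not fire, and it counts per process rather than per host so that one encryptor writing many files stands out from unrelated activity; in a real pipeline the count would also be bounded by a time window.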

TrickBot Updates Propagation Module

Security researchers have discovered a new TrickBot module used to propagate from an infected Windows system to a compromised Domain Controller (DC). The module, called nworm, runs from system memory, leaves no artifacts on the infected Domain Controller and disappears after a reboot or shutdown. In addition, the TrickBot binary used by nworm is reportedly encrypted. These features indicate an attempt by TrickBot's developers to evade detection by security tools.
