Cybersecurity Weekly Briefing 26 September – 2 October

ElevenPaths    2 October, 2020
Cybersecurity Weekly Briefing 26 September - 2 October

The logistics giant CMA CGM affected by a cyber attack

This week, the French logistics group CMA CGM, which operates in 160 different countries, reported via its website and social networks of a cyberattack against their systems. Apparently, the incident has affected several perimeter servers, forcing the company to interrupt internet access to some of its applications to prevent malware from spreading within its network. Therefore, the entity recommends its clients to contact the group’s local agencies for any request, reservation or other type of operation. Although the group has not disclosed the type of malware that caused the incident, some communications point at RagnarLocker ransomware, which would have managed to infect several of CMA CGM’s offices in China.

More: https://www.cmacgm-group.com/en/news-media/important-notice-external-access-to-CMA-CGM-IT-applications

Windows XP and Server 2003 compilation and installation managed from the filtered source code

On 24 September, several users of 4chan and Reddit reported the leak of the Windows XP source code, which would later appear to have been leaked on one of these forums, confirming the legitimacy of the leak. Now, the NTDEV developer has published two videos on YouTube and several tweets in which he shows how to compile Windows XP and Server 2003 from the ‘System Symbol’ of another Windows XP, although the developer admits that unlike the code of Windows Server 2003, in the case of Windows XP he has not yet been able to generate an ISO image to share. This code could be related to the July 26 leak in which a GitLab repository containing the code of more than 50 companies, including Microsoft, was made public. This leak could affect various public institutions or ATMs that continue to use Windows XP even though it is no longer supported. Threat agents could analyse this code for vulnerabilities that could also be exploited in more current versions.

More info (in Spanish): https://www.genbeta.com/windows/logran-compilar-ejecutar-windows-xp-server-2003-a-partir-codigo-fuente-filtrado-asi-proceso-video

Microsoft clears up confusion with patches for Windows Zerologon flaws

Microsoft has clarified the steps that customers must take to ensure that their devices are protected against attacks using Windows Server Zerologon exploits (CVE-2020-1472). The company issued a new version of its warning after customers found the original guidance confusing and were unsure whether applying the patch was enough to protect vulnerable Windows Server devices from attacks. In a step-by-step process, the updated warning explains now the exact actions administrators must take to ensure their environments are protected and that disruptions are avoided in the event of an incoming attack designed to exploit servers that would otherwise be vulnerable to Zerologon’s exploits. The actions to be taken as described by Microsoft are as follows:

  • UPDATE domain controllers with the update published on or after 11 August 2020.
  • FIND out which devices are making suspicious connections by monitoring the event logs.
  • ADDRESS non-compliant devices that are making these connections.
  • ENABLE the run mode to address the CVE-2020-1472 in its environment.

More: https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

Phishing campaign takes advantage of reading permissions for third party applications on O365

Proofpoint has published a report on a new technique used by agent TA2552 since August 2019 in which it abuses access to third-party applications (3PA) of Microsoft Office 365. Specifically, an email is sent to users in Spain and Latin America with a message urging users to click on a link and redirecting them to a consent page for legitimate third-party Microsoft applications. On this page, they are asked to grant read-only permissions to their O365 account through OAuth2 or other token-based authorisation methods. Through this technique, TA2552 seeks to obtain permissions to view the content and activity of available resources, such as user contacts and email, through a user’s O365 account. Read-only access carries considerable risk, as it provides attackers with the ability to access valuable information that could be used in BEC or account hijacking attacks, to silently steal data, or to intercept password reset messages from other accounts, such as those of financial institutions.

More: https://www.proofpoint.com/us/blog/threat-insight/ta2552-uses-oauth-access-token-phishing-exploit-read-only-risks

Leave a Reply

Your email address will not be published.