Cybersecurity Weekly Briefing August 1-7

ElevenPaths    7 August, 2020

Database of +900 Pulse Secure VPN Enterprise Servers

A post has been detected on an underground forum revealing the existence of a database containing data collected on more than 900 Pulse Secure VPN enterprise servers. The data has been obtained and analyzed, and it includes IP addresses of Pulse Secure VPN servers, the firmware version and SSH keys of the servers, and a list of users and password hashes, among others. The information appears to have been obtained between June 24 and July 8, 2020.

According to Bank Security's Twitter account, analysis of the data shows that all Pulse Secure VPN servers included in the list were running a firmware version vulnerable to CVE-2019-11510. It is therefore estimated that the threat actor who compiled this information could have used an exploit for this vulnerability and, once inside these systems, extracted all the information to create this repository.

Remote code execution in Microsoft Teams

Trustwave researcher Reegun Jayapaul has published an analysis of Microsoft Teams in which he claims that the application is vulnerable to remote code execution attacks. The increased use of video conferencing applications to support teleworking during the health crisis has led threat actors to focus on this type of tool, and Microsoft Teams has been one of the most widely used.

In 2019, a patch was published for this software that prevented an attacker from using the high volume of updates to include malicious payloads, given the ability to update via a URL. However, as the researcher points out, this was not a complete solution, because local connections are still allowed via a shared resource. The proof of concept demonstrating this uses a remote SMB share: a Samba server is created with public remote access, and the malicious payload is named “Squirrel”, after the Teams installation and update manager. To mitigate this threat, it is recommended to scan Squirrel.exe executables and investigate possible outgoing SMB connections.
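One way to triage the outgoing SMB connections mentioned above, as an added example that is not part of the original briefing or the researcher's work. The event format, file paths, addresses and internal ranges are constructed, and treating Update.exe as a Squirrel updater binary alongside Squirrel.exe is an assumption.

```python
import csv
import ipaddress

# Constructed sample of process network-connection events (not real telemetry):
# timestamp, process image, destination IP, destination port.
SAMPLE_LINES = r"""
2020-08-05T09:14:02Z,C:\Users\ana\AppData\Local\Microsoft\Teams\Update.exe,10.20.0.15,445
2020-08-05T09:14:40Z,C:\Users\ana\AppData\Local\Microsoft\Teams\Update.exe,203.0.113.45,445
2020-08-05T09:15:11Z,C:\Windows\System32\svchost.exe,198.51.100.9,443
2020-08-05T09:16:27Z,C:\Users\ben\AppData\Local\Microsoft\Teams\current\Squirrel.exe,198.51.100.77,445
2020-08-05T09:17:03Z,C:\Windows\explorer.exe,203.0.113.45,445
""".strip().splitlines()

SMB_PORTS = {139, 445}
# Assumption: names under which the Squirrel updater runs on the endpoint.
UPDATER_NAMES = {"squirrel.exe", "update.exe"}
# Assumption: ranges considered internal; adjust to the organisation's networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip_text):
    """True if the address falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def find_external_smb(lines):
    """Return (severity, timestamp, process, dest_ip) for SMB to non-internal hosts.

    Connections made by an updater binary are 'high'; any other process
    talking SMB to an external address is still worth a 'review'.
    """
    findings = []
    for ts, image, dest_ip, port in csv.reader(lines):
        if int(port) not in SMB_PORTS or is_internal(dest_ip):
            continue
        name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        severity = "high" if name in UPDATER_NAMES else "review"
        findings.append((severity, ts, name, dest_ip))
    return findings


if __name__ == "__main__":
    for finding in find_external_smb(SAMPLE_LINES):
        print(*finding)
```

Blocking outbound TCP 139/445 at the perimeter makes any hit from this check an anomaly rather than routine traffic.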

New vulnerability in TeamViewer

Security researcher Jeffrey Hofmann has discovered a new vulnerability in the TeamViewer platform for Windows, listed as CVE-2020-13699 with a CVSS v3 score of 8.8. TeamViewer is a tool used for remotely connecting to both computers and mobile devices. The vulnerability means that affected versions of TeamViewer do not correctly process their URI handlers, which could allow threat actors to exploit this flaw by including a malicious iframe in a web domain specifically created for an attack.

This vulnerability can be exploited remotely, and no prior authentication is required. This makes so-called “watering hole” attacks possible. So far, there is no evidence that this vulnerability is being exploited, nor that any exploit is available. The company has released a new update (15.8.3) and recommends applying it to correct this security flaw, which affects previous versions of TeamViewer.

New Timing Attack Techniques

A group of researchers has discovered a new technique that makes timing-based side-channel attacks more effective. This type of attack is mainly based on variations in network transmission time, which depends on the load of the network connection. The new technique, called TTA (Timeless Timing Attacks), leverages the multiplexing of network protocols and concurrent execution by applications to analyze the order of responses, so it no longer relies on synchronization and therefore on network transmission time. This is possible only for those protocols with HTTP/2, including web services that support HTTPS.

Additionally, the researchers claim that this new method could be deployed against Tor services, where the technique can also be used against HTTP/1.1 web services: a threat actor can create two connections to a node on this network and send simultaneous requests on each of the connections to measure the time difference.
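Why response order is more robust than measured round-trip time can be shown with a small simulation, added here as an illustration and not taken from the researchers' work. The 5 µs processing difference, 1000 µs network jitter and 1 µs server-side noise are constructed values, and the Gaussian noise model is an assumption.

```python
import random


def classic_accuracy(pairs, delta_us, jitter_us, rng):
    """Classic timing: two requests sent separately, round-trip times compared.

    Each measurement carries its own independent network jitter, which
    swamps a small processing-time difference.
    """
    correct = 0
    for _ in range(pairs):
        fast = rng.gauss(0, jitter_us)             # baseline request
        slow = delta_us + rng.gauss(0, jitter_us)  # request with extra processing
        correct += slow > fast
    return correct / pairs


def timeless_accuracy(pairs, delta_us, jitter_us, server_noise_us, rng):
    """Timeless timing: both requests arrive together and run concurrently.

    Only the order of the two responses is observed. Network delay is
    shared by both requests, so it cannot change which one finishes first;
    only server-side scheduling noise remains.
    """
    correct = 0
    for _ in range(pairs):
        shared_delay = rng.gauss(0, jitter_us)     # identical for both requests
        fast_done = shared_delay + rng.gauss(0, server_noise_us)
        slow_done = shared_delay + delta_us + rng.gauss(0, server_noise_us)
        correct += slow_done > fast_done
    return correct / pairs


def compare(seed=7, pairs=2000):
    """Return (classic, timeless) fraction of pairs ordered correctly."""
    rng = random.Random(seed)
    classic = classic_accuracy(pairs, 5.0, 1000.0, rng)
    timeless = timeless_accuracy(pairs, 5.0, 1000.0, 1.0, rng)
    return classic, timeless


if __name__ == "__main__":
    classic, timeless = compare()
    print(f"classic RTT comparison: {classic:.3f}")
    print(f"response-order comparison: {timeless:.3f}")
```

For defenders, the result means that network distance and jitter cannot be counted on to hide small secret-dependent processing differences; the comparison itself has to run in constant time.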

20GB of Intel internal documents get leaked

Technology company Intel is investigating a security breach after a total of 20GB of its internal documents were posted on the MEGA site. The company has confirmed the authenticity of the documents, some of which are classified as “restricted” or “confidential”. It should be noted, however, that none of these documents contained confidential customer or employee data. The person responsible for the theft sent these files to Till Kottmann, the head of a Telegram channel that publishes accidentally leaked data from technology companies, who uploaded part of these files to MEGA.

For the time being, Intel suspects that the theft was committed by an individual with access to its Design and Resource Center, which provides non-public technical documents to Intel business partners, and that it was not the result of unauthorized access. However, the perpetrator of the theft told Till Kottmann that this data was obtained through access to an unsecured server hosted on Akamai’s CDN.
