Cybersecurity Weekly Briefing July 4-10
ElevenPaths, 10 July, 2020

RCE Vulnerability in F5's BIG-IP (CVE-2020-5902)

Last Wednesday a new critical Remote Code Execution vulnerability (CVE-2020-5902, CVSSv3 10) was published for F5's Traffic Management User Interface (TMUI). It allows unauthenticated attackers, or authenticated users, with network access to the TMUI through the BIG-IP management port and/or Self IPs to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code, and may result in complete system compromise. BIG-IP systems in Appliance mode are also vulnerable. The issue is not exposed on the data plane; only the control plane is affected. F5 recommends updating to a corrected version of the software, especially since the first attempts to exploit this flaw have been made public and Metasploit has added a PoC to its exploitation framework. Moreover, US Cybercom urged last Friday to patch without delay. For those unable to apply F5's patch, the company has published a series of temporary mitigating measures. Meanwhile, researchers have begun sharing rules for detecting exploitation attempts in IDS systems, which may be useful to verify that everything is working correctly after patching and to rule out any exploitation attempts. A few days after the flaw became public, security researchers Chase Dardaman and Rich Mirch, together with the CriticalStart TeamAres, found a bypass allowing exploitation of the bug on devices where the mitigation measures had been implemented. Successful exploitation of BIG-IP devices allows attackers to fully compromise the system, obtain user credentials, or move laterally into the device's internal network. The researchers who uncovered this bypass are working with the F5 Security Incident Response Team (SIRT) to update the CVE-2020-5902 security advisory.

More details: https://support.f5.com/csp/article/K52145254

Attacks against Managed Service Providers (MSPs)

The US Secret Service sent out a security alert in June warning the US public and private sectors about an increase in attacks against managed service providers (MSPs). These providers offer remote management software for companies, built around a server-client architecture that would enable an attacker with access to the server to view and manipulate data in the clients' systems. The alert reports attacks following this pattern to compromise point-of-sale systems, to carry out business email compromise (BEC) scams, and to deploy ransomware (malware families such as Sodinokibi/REvil are known to use this entry vector). Some days after the warning was released, the popular MSP ConnectWise fixed an Automate API flaw that had been abused in several intrusions.

More info: https://www.zdnet.com/google-amp/article/us-secret-service-reports-an-increase-in-hacked-managed-service-providers-msps/

DXC identifies ransomware attack involving its Xchanging subsidiary

Global IT services and solutions provider DXC Technology announced over the weekend a ransomware attack on systems of its Xchanging subsidiary. Xchanging is known as a managed service provider for businesses in the insurance industry, but its list of customers includes companies from other fields. The company reported the incident on July 5th, expressing confidence that it did not spread outside Xchanging's network. It is unclear when the company detected the attack, but so far the investigation has not revealed any indication of data being affected. The number of customers affected has not been disclosed and, as usual with such incidents, the company is working with law enforcement and authorities on the investigation. No information about the ransomware family used in the attack has been revealed yet.

Learn more: https://www.dxc.technology/newsroom/press_releases/149112-dxc_identifies_ransomware_attack_on_part_of_its_xchanging_environment

Banking Trojan Cerberus Discovered on Google Play

The Avast Cybersecurity Team has published a report on the detection of the Cerberus banking Trojan on Google Play targeting Android users in Spain. According to the researchers, the malicious code was hidden in an application called "Calculadora de Moneda". The application was accepted on Google Play sometime last March and, although at first it did not cause any harm to its users, once it had gained their trust it started to activate code that connected to a Command & Control server. From there, the C&C instructed the application to download an additional APK to the affected devices: Cerberus. Its features include the ability to create overlays on legitimate banking applications in order to exfiltrate the victim's credentials, and to read SMS messages to obtain one-time access codes or second-factor authentication details. It is estimated that the malicious application was downloaded more than 10,000 times.

Details: https://blog.avast.com/avast-finds-banking-trojan-cerberus-on-google-play-avast

New Vulnerability in PAN-OS

Just one week after fixing a critical vulnerability in PAN-OS (CVE-2020-2021), Palo Alto Networks has fixed a new serious flaw in PAN-OS GlobalProtect. This is a command injection vulnerability in the operating system that would allow an unauthenticated remote attacker to execute arbitrary operating system commands with root privileges on unpatched devices. It has been assigned the identifier CVE-2020-2034 and a CVSS 3.x severity of 8.1, as it can be exploited by attackers with network access to vulnerable servers as part of a more complex attack that does not require user interaction. PAN-OS versions < 9.1.3, < 9.0.0, < 8.1.15, 8.0 and 7.1 are affected. The flaw cannot be exploited if the GlobalProtect portal is not enabled and, in addition, the attacker needs certain information about the firewall configuration or would have to perform some kind of brute-force attack in order to exploit the vulnerability. Telefónica is taking the appropriate action to identify and patch the vulnerability.

More: https://www.bleepingcomputer.com/news/security/palo-alto-networks-fixes-another-severe-flaw-in-pan-os-devices/

Juniper security bulletin

Yesterday, Juniper published a security bulletin patching 19 vulnerabilities in its products. Among them, it is worth highlighting a critical vulnerability (CVSSv3 9.8) with the reference CVE-2020-1654. The issue arises when processing a malformed HTTP message and may lead to a Denial of Service (DoS) or Remote Code Execution (RCE) if the ICAP (Internet Content Adaptation Protocol) redirect service is enabled. The affected products are Juniper Networks Junos OS on SRX Series, versions 18.1, 18.2, 18.3, 18.4, 19.1, 19.2 and 19.3. To remediate the issue, it is recommended to apply the updates provided by Juniper.

Info: https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES