February 2020

Breach Report

Welcome to our weekly breach report. This newsletter will report on recent cybersecurity breaches where user data was stolen, compromised or extorted. This newsletter is designed to keep you informed so that you can protect yourself when navigating cybersecurity threats in our digital world. 


Cyber Security Breach Reports

WhatsApp JavaScript Vulnerability  

Google Removes 500 Malicious Chrome Extensions

Summary

Security researchers have identified a JavaScript vulnerability in the WhatsApp desktop platform that could allow cybercriminals to spread malware, phishing or ransomware campaigns through notification messages that appear completely normal to unsuspecting users. And, further investigation shows this could be parlayed into remote code-execution.

Root Cause

PerimeterX cybersecurity researcher and JavaScript expert Gal Weizman first discovered vulnerabilities leading to this latest bug in WhatsApp in 2017. Through the WhatsApp desktop platform, Weizman was able to find the code where messages are formed, tamper with it and then let the app continue in its natural message-sending flow. This bypassed filters and sent the modified message through the app, as usual, appearing relatively normal in the user interface. “This works thanks to the role ‘@’ plays in the spec of URL,” Weizman wrote. “The purpose of ‘@’ in URLs is to pass username and password to visited domains in the following way: https://USERNAME:[email protected] One can abuse this, as I just did, and replace the username and password with anything else: https://[email protected] and it’ll still work.”

Security Impacts

The flaws leave users vulnerable to attacks by allowing both the text content and links in website previews to be tampered with to display false content and modified links that point to malicious destinations.

Solution

Weizman stressed the importance of an app’s CSP rules, which could have prevented the vulnerability from being exploited in the first place. “If the CSP rules were well configured, the power gained by this XSS would have been much smaller,” he wrote. “Being able to bypass the CSP configuration allows an attacker to steal valuable information from the victim, load external payloads easily, and much more!”

Google Removes 500 Malicious Chrome Extensions

Summary

Researchers say that 500 Google Chrome browser extensions were discovered secretly uploading private browsing data to attacker-controlled servers and redirecting victims to malware-laced websites. The browser extensions, all of which have now been removed, were downloaded millions of times from Google’s Chrome Web Store.

Root Cause

Researchers believe that the actor behind this campaign was active since January 2019, with activity escalating between March and June. After researchers first identified 71 malicious extensions and reported their findings to Google, the tech giant then identified 430 additional extensions that were also linked to the malvertising campaign, they said. The extensions had almost no ratings on Google’s Chrome Web Store, and the source code of the extensions is nearly identical across all of them.

Security Impacts

Malvertising is often used as a vehicle for fraudulent activity, including data exfiltration, phishing or ad fraud. In this particular instance, bad actors were redirecting victims from legitimate online ad streams to malware-laced pages. Extensions have full access to all of the data on a page, including your email, banking information, and credit card numbers. While many extensions provide value-added services, there’s little to stop them from collecting and abusing user data. Google implemented new user data privacy policy guidelines, requiring all extensions that handle user data to have a privacy policy, gain consent from the user, and only use the minimum required amount of permissions. Google has also implemented a program that will pay out bounties to researchers who find extensions that are violating this policy.

Solution

Avoid using a large number of browser extensions – use a trusted few if necessary. Organizations are encouraged to prevent unauthorized use of extensions by enforcing a user policy that prohibits the use of unnecessary browser tools and extensions.

Lenovo, HP, Dell Peripherals Face Unpatched Firmware Bugs

CDP Flaw allows attackers to traverse segmented networks

Summary

Fresh firmware vulnerabilities in Wi-Fi adapters, USB hubs, trackpads and cameras are putting millions of peripheral devices in danger of a range of cyberattacks, according to research from Eclypsium. TouchPad and TrackPoint firmware in Lenovo Laptops, HP Wide Vision FHD camera firmware in HP laptops and the Wi-Fi adapter on Dell XPS laptops were all found to lack secure firmware update mechanisms with proper code-signing.

Root Cause

“Many peripheral devices do not verify that firmware is properly signed with a high-quality public/private key before running the code,” explained researchers at Eclypsium, in vulnerability research released on Tuesday. “This means that these components have no way to validate that the firmware loaded by the device is authentic and should be trusted. An attacker could simply insert a malicious or vulnerable firmware image, which the component would blindly trust and run.”

Security Impacts

Firmware attacks allow the malicious actors to fly under the radar of endpoint protection. Vulnerable drivers can be used to bypass security protections and enable ransomware to attack without interference. Unsigned firmware in peripheral devices remains a highly overlooked aspect of cybersecurity and provides multiple pathways for malicious actors to compromise laptops and servers.

Solution

Keep all software up to date: Software is constantly changing, and the industry regularly finds new security issues. It’s basic but crucial to keep current on updates for operating systems, kernels, third-party libraries (both open and closed source), as well as software for virtual machines and containers.

Adopt best practices for development and operations: These include using well-maintained and reputable libraries, carefully evaluating open source packages, and designing the architecture to separate secret data and user data. Many of these also help protect against side-channel attacks.

Assess risk: Basic analysis can help you understand the potential exposure of sensitive data to firmware-based attacks.

CDP Flaw allows attackers to traverse segmented networks

Summary

Cisco is issuing patches for five critical vulnerabilities that have been discovered in Cisco Discovery Protocol (CDP), the info-sharing layer that maps all Cisco equipment on a network.

Root Cause

The attack comes with a caveat: It requires the attacker to already have some sort of foothold inside the network, via a previously compromised Cisco device, Seri told Threatpost. After compromising a vulnerable Cisco device, an attacker could then send a maliciously crafted CDP packet to another Cisco device located inside the network. There are five vulnerabilities in all — four of which are critical remote code-execution (RCE) vulnerabilities, and one is a denial-of-service (DoS) vulnerability.

Security Impacts

Researchers at Armis say that the vulnerabilities, which they disclosed on Wednesday and collectively dubbed CDPwn, can allow attackers with an existing foothold in the network to break through network segmentation efforts and remotely take over millions of devices. Once these flaws have been exploited, a bad actor could launch an array of attacks – including exfiltrating data of corporate network traffic traversing through an organization’s switches and routers; and viewing sensitive information such as phone calls from IP phones and video feeds from IP cameras.

Solution

Armis disclosed the vulnerabilities to Cisco on Aug. 29, and said that it has worked with the networking giant since then to develop and test mitigations and patches. The patches were released Wednesday. Updating Cisco devices is recommended.

See What We're About

As cyber threats grow in number and sophistication, many organizations are turning to managed security service providers to help secure their digital assets and data. Based at our 24/7/365 cutting-edge security operations center in Scottsdale, Arizona, we provide a suite of managed services to ensure your business stays safe from cyber attacks.

At MegaplanIT, our expert QSAs are fully certified and have decades of experience helping businesses like yours stay compliant with industry frameworks all year round. We build long-term relationships with our customers and provide holistic services to meet all your security and compliance needs.

The vast majority of security breaches are made possible by vulnerabilities and configuration errors in an organization’s network or applications. Our fully certified security testing services are designed to help you find and fix weaknesses in your networks and applications, and prepare your digital infrastructure to withstand the latest cyber threats.

Stay Up To Date

Whether you’re looking to secure your business, or stay PCI compliant, MegaplanIT has the certified team of experts that can help you every step of the way. Follow us to stay up-to-date on the latest security news and trends.

Subscribe To Our Newsletter

The MegaplanIT Team

The Management Team oversees each project, working alongside our IT security specialists to ensure your company has a successful engagement. 

MAKE OUR TEAM YOUR TEAM

At MegaplanIT, we understand the demands of your business. You need your data to be accessible to your organization, yet impenetrable from the outside. You also have to comply with increasingly stringent information security regulations, which are vital not only to your security but to your success. On top of that, you’re still, well—running a business.

Our innovative IT security and compliance solutions are designed to deliver customized, cost-effective service on time. With a highly qualified team of PCI-DSS QSAs, Penetration Testers, and Information Security Consultants here at MegaplanIT, we will assess your unique company and business environment and design a path to security that will fit all of your needs.