CyberSecurity News Byte

Hosted By Jim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 48: March 06 2023

Links

https://www.helpnetsecurity.com/2023/03/06/financial-services-apps-vulnerabilities/?web_view=true

https://www.helpnetsecurity.com/2023/03/06/cve-2023-21716-poc/?web_view=true

https://www.bankinfosecurity.com/phishing-campaign-targets-job-seekers-employers-a-21371?&web_view=true

https://www.helpnetsecurity.com/2023/03/03/known-exploitable-vulnerabilities/?web_view=true

Popular fintech apps expose exploitable secrets

  • The Approov Mobile Threat Lab
    • downloaded, decoded and scanned the top 200 financial services apps
      • in the U.S., U.K., France and Germany
      • from the Google Play Store
    • investigating a total of 650 unique apps
  • Findings
    • 92% of the apps leaked valuable, exploitable secrets
    • 23% of the apps leaked extremely sensitive secrets.
    • Breakdown
      • 5 No Secrets Exposed
      • 48 Low value secrets
      • 444 medium value secrets
      • 150 High value secrets
    • two critical runtime attack surfaces that could be used to steal API keys at runtime
    • 5% of the apps had good defenses against runtime attacks
    • 4% were well protected against Man-in-the-Middle (MitM) attacks
    • hardcoding sensitive data in mobile apps is widespread
      • a problem because hardcoded secrets can easily be extracted from the app package
    • None of the 650 apps “ticked all the boxes” in terms of the three attack surfaces investigated. All failed in at least one category.
    • Only four apps had runtime protection against channel MitM attacks and “man-in-the-device.” All were payment and transfer apps and none were in the U.S.
    • In general, apps deployed in Europe were better protected than apps available only in the U.S., for immediate secret exposure and runtime protections. This may be due to stricter privacy rules in Europe and more focus on security.
    • Crypto apps were more likely to leak sensitive secrets as 36% immediately offered highly sensitive secrets when scanned.
    • Only 18% of personal finance apps leaked sensitive information, possibly because they are less dependent on sensitive APIs.
    • For Man-in-the-Device attacks, traditional banks are twice as likely to be well protected than other sectors, reflecting their use of packers and protectors to guard against run-time manipulation.
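A worked illustration of the "decode and scan" step behind the secret-exposure findings above, added here and not Approov's tooling: a small scanner that runs pattern and entropy checks over strings extracted from a decoded app package and rates the app by its most sensitive hit. The rules, the low/medium/high tiers and the sample strings are this example's own constructed assumptions.

```python
import math
import re
from collections import Counter

# Detection rules for strings pulled out of a decoded app package. The patterns and
# the low/medium/high tiers are this example's own assumptions, chosen to mirror the
# report's value tiers; they are not Approov's scanner or its rule set.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "high"),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"), "high"),
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"), "medium"),
    ("google_analytics_id", re.compile(r"\bUA-\d{4,9}-\d{1,2}\b"), "low"),
]
ASSIGNMENT = re.compile(r"(?i)(?:api[_-]?key|secret|token)\s*[=:]\s*['\"]?([A-Za-z0-9+/=_-]{24,})")
TIER_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample, resembling `strings` output from a decoded APK (not from a real app).
SAMPLE_STRINGS = [
    'ANALYTICS_ID = "UA-12345678-1"',
    'static final String MAPS_KEY = "AIzaSyA1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q";',
    "aws.accessKeyId=AKIAIOSFODNN7EXAMPLE",
    'PAYMENT_API_KEY: "sk_live_9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c"',
    "Hello world",
]


def shannon_entropy(s: str) -> float:
    """Bits per character; a random-looking token scores well above ordinary text."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_strings(lines):
    """Return (rule, tier, match) per hit. Lines with no known pattern still get
    checked for a key-like name assigned a long high-entropy value."""
    findings = []
    for line in lines:
        hits = [(name, tier, m.group(0)) for name, pat, tier in RULES for m in pat.finditer(line)]
        if not hits:
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(1)) > 3.5:
                hits.append(("high_entropy_assignment", "medium", m.group(1)))
        findings.extend(hits)
    return findings


def worst_tier(findings):
    """An app is rated by its single most sensitive finding, as in the report's breakdown."""
    return max((tier for _, tier, _ in findings), key=TIER_RANK.__getitem__, default="none")
```

Running `worst_tier(scan_strings(SAMPLE_STRINGS))` rates the constructed sample "high" because of the cloud access key; the entropy fallback is what catches vendor-specific keys the pattern list does not know about.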

Microsoft Word RCE PoC is public

  • CVE-2023-21716
    • security researcher Joshua J. Drake in November 2022
    • heap corruption vulnerability in Microsoft Word’s RTF parser
      • allows attackers to achieve remote code execution with the privileges of the victim
    • attackers can simply send a booby-trapped RTF file to the victim(s) via email.
  • Fixes
    • Microsoft confirmed the Preview Pane as an attack vector
    • patching vulnerable products is the preferred fix; workarounds until then:
      • Configuring Microsoft Outlook to read all standard mail in plain text format
      • Using Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources.

Phishing Campaign Targets Job Seekers, Employers

  • Threat actors are exploiting the ongoing economic downturn
    • using job-themed phishing and malware campaigns
    • target job seekers and employers
      • steal sensitive information and hack company recruiters.
    • The phishing campaigns
      • target job seekers
        • sending emails pretending to be from a recruitment agency
        • asking them to provide personal information or login credentials.
      • “These emails look legitimate but are designed to steal sensitive information such as passwords or financial information. The malware can then be used to steal sensitive information or to gain unauthorized access to the job seeker’s device and the information stored on it,”
    • The malware campaigns
      • attempts to drop prominent malware
        • AgentTesla
        • Emotet
        • Cryxos Trojans
        • Nemucod
      • Trellix researchers
        • observed that attackers are posing as job seekers to target employers.
        • The attackers send specially crafted emails delivering malware through attachments or URLs disguised as applicant resumes or identification documents.
        • cybercriminals take advantage of the high volume of job applications that employers receive
        • the goal of these attacks is to gain unauthorized access to sensitive information, steal personal data and disrupt the operation of the organization.
        • Attackers also are using fake or stolen documents such as Social Security numbers and driver’s licenses
          • to make emails look legitimate and increase the credibility of the email
        • Typosquatting
          • creating typosquatting domains of popular job websites to target job seekers
          • Typosquatting is a social engineering attack in which attackers use misspelled domains for malicious purposes.
          • “These domains are like the legitimate websites, but with slight variations such as misspelled words or different extensions,” Kapur says.
          • The domains trick job seekers into thinking they are applying for a job through a legitimate website, when in fact they are providing their sensitive information to cybercriminals.
          • researchers have observed an increase in registration of new typosquatted domains for jobs-related domains
            • LinkedIn
            • Indeed
          • Some of the examples of typosquatting domains observed by Trellix are indeed-id.com, indeed-7.com, indeed-a.com, indeed.ch, indedd.com, linkhedin.com, linkegin.com and linkednn.com.
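A detection-side illustration of the typosquatting described above, added here and not Trellix's code: a triage routine that flags newly registered domains imitating a brand by the three variations the post names (misspellings, appended tokens, different extensions), run over the example domains listed above. The brand list, the distance threshold and the two clean control domains are this example's own assumptions.

```python
# Legitimate brand labels and the TLD they actually use. An assumption for this
# example, not a list from Trellix; the candidates are the domains named in the post
# plus two constructed controls that should not be flagged.
BRANDS = {"indeed": "com", "linkedin": "com"}
CANDIDATES = [
    "indeed-id.com", "indeed-7.com", "indeed-a.com", "indeed.ch", "indedd.com",
    "linkhedin.com", "linkegin.com", "linkednn.com",
    "linkedin.com", "example.com",  # constructed controls
]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions and
    adjacent transpositions ('indede' vs 'indeed') each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain: str, max_distance: int = 2):
    """Return (reason, brand) when the domain imitates a brand, else None.
    Splits on the last dot, so multi-label suffixes such as co.uk are out of scope."""
    label, _, tld = domain.lower().rpartition(".")
    for brand, legit_tld in BRANDS.items():
        if label == brand:
            return None if tld == legit_tld else ("other_tld", brand)
        if brand in label:  # brand plus a hyphenated or appended token, e.g. indeed-id
            return ("brand_with_affix", brand)
        if osa_distance(label, brand) <= max_distance:  # one or two character slips
            return ("lookalike", brand)
    return None


def triage(domains):
    """Map each suspicious domain to its (reason, brand); clean domains are omitted."""
    return {d: r for d in domains if (r := classify(d)) is not None}
```

Against the constructed candidate list, `triage(CANDIDATES)` flags all eight of the post's example domains and neither control; with very short brand names the edit-distance check produces false positives, so tune `max_distance` per brand in real use.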

Old Vulnerabilities haunt organizations

  • Tenable
    • Cyber Security Company
  • Report
    • 29 billion records were exposed.
      • 257 Terabytes of data
    • 3% of all data breaches identified were caused by unsecured databases.
      • 800 million records.
    • 1,335 data breach incidents
      • between November 2021 and October 2022.
    • Top 5 Vulnerabilities 2022
      • #1) Large pool of frequently exploited older vulnerabilities
        • Some as far back as 207
        • flaws in the following applications
          • Microsoft Exchange
          • Zoho ManageEngine
          • Virtual private network (VPN) appliances
            • Fortinet
            • Citrix
            • Pulse Secure
      • #2) Log4Shell
        • CVE-2021-44228
      • #3) Follina
        • CVE-2022-30190
      • #4) Atlassian Confluence Server and Data Center
        • CVE-2022-26134
      • #5) ProxyShell
        • CVE-2021-34473
      • four of the first five zero-day vulnerabilities exploited in the wild in 2022 were disclosed to the public on the same day the vendor released patches and actionable mitigation guidance.
    • Attack Group Tactics
      • Ransomware #1
        • LockBit 10% of attacks
        • Hive 7.5%
        • Vice Society 6.3%
        • BlackCat/ALPHV 5.1%