CERT-W Newsletter December 2020

Ethical Hacking & Incident Response

Posted on

Monthly indicators

TOP ATTACKThe massive SolarWind hack
Russian SVR Hackers have been romping through some 18,000 of SolarsWinds’ Origin customer servers using the SUNBURST malware installed via a backdoored update server. FireEye, Microsoft and GoDaddy believe the avsvmcloud domain has been used to coordinate attacks. We do not know yet how the hackers hacked into SolarWinds but last year the company’s server was protected by the password “solarwinds123” (link for more details).
TOP EXPLOITiPhone zero click Wi-Fi exploit
Before Apple patch, Wi-Fi packets could steal photos. No interaction needed. Over the air. This Wi-Fi packet of death exploit was devised by Ian Beer, a researcher at Project Zero, Google’s vulnerability research arm. In this post (link), Beer covers the entire process to successfully exploiting this vulnerability in order to run arbitrary code on any nearby iOS device and steal all the user data.
TOP LEAKTravel agency leaked customer data by giving away in a hackaton
When running a hackathon in 2017, the Australian travel agency, Flight Centre, provided a dataset containing 106 million rows of data and containing 6,121,565 individual customer records. Unfortunately, credit card records and passport numbers belonging to close to 7,000 people were in free text fields. An investigation showed that the agency:

  • Did not implement a way to prevent its employees to fill out those fields with personal information.
  • Did not carry out the necessary checks, only reviewing a top 1,000 row sample for each data file within the dataset.

Cybercrime watch

A hacker is selling access to the email accounts of hundreds of C-Level Executives
The data (email and password combinations for Office 365 and Microsoft accounts) is being sold on a closed-access underground forum for Russian-speaking hackers named Exploit.in. Access to any of these accounts is sold for prices ranging from $100 to $1,500, depending on the company size and user’s role. The validity of the data has been confirmed and the seller refused to share how he obtained the login credentials but said he had hundreds more to sell.
A tax scam ringleader impersonating the IRS just got sent down for 20 years
The man who headed an international criminal call center racket that conned Americans into handing over tens of millions of dollars in the belief they were being chased for money by the US government has been jailed for 20 years. The con artists ran a complex scheme in which employees from call centers in Ahmedabad, India, impersonated officials from the IRS and US Citizenship and Immigration Services (USCIS). Their victims were threatened with arrest, imprisonment, fines or deportation if they did not pay money allegedly owed to the government.
Cybercriminal’s favourite VPN taken down in global action
The virtual private network (VPN) Safe-Inet used by the world’s foremost cybercriminals has been taken down in a coordinated law enforcement action led by Europol and the FBI. Its infrastructure was seized in Germany, the Netherlands, Switzerland, France and the United States. The servers were taken down, and a splash page was put up online after the domain seizures.

Vulnerability watch

CVE-2020-17095Hyper-V Remote Code Execution Vulnerability
CVSS score: 9.9 CRITICAL

It is a bug that could allow an attacker to escalate privileges from code execution in a Hyper-V guest to code execution on the Hyper-V host by passing invalid vSMB packet data. It appears that no special permissions are needed on the guest OS to exploit this vulnerability.

CVE-2020-17132Microsoft Exchange Remote Code Execution Vulnerability
CVSS score : 9.1 CRITICAL

Microsoft doesn’t provide an attack scenario here but does note that the attacker needs to be authenticated. This indicates that if you take over someone’s mailbox, you can take over the entire Exchange server.

CVE-2020-17121Microsoft SharePoint Remote Code Execution Vulnerability
CVSS score : 8.8 HIGH

It could allow an authenticated user to execute arbitrary .NET code on an affected server in the context of the SharePoint Web Application service account. In its default configuration, authenticated SharePoint users are able to create sites that provide all of the necessary permissions that are prerequisites for launching an attack.