Alerts & Bugs – Provide timely information about current security issues, vulnerabilities, and exploits.

SOPHOS ALERT: Change your XG Firewall admin password (KBA135412)

On April 24, 2020, Sophos published knowledge base article KBA135412 which included necessary remediation steps to address vulnerability CVE-2020-12271.

Sophos is enforcing a password reset for the XG administrator and all other local administrator accounts that have not reset passwords since the security hotfix was applied at 2200 UTC on April 25, 2020. Where required, administrative accounts will be prompted to change passwords upon logging into an XG Firewall. The instructions for resetting a forgotten administrator password can be found in KBA123732.

For some configurations, additional remediation actions are required as contained in KBA135412.


State Farm customer accounts breached in credential stuffing attack

  • Attackers used a list of usernames and passwords obtained via credential stuffing attack to access State Farm customers’ online accounts.
  • The investigation revealed that attackers were able to confirm valid usernames and passwords for some online accounts; however, no personal information was accessed.

What is the issue?

Insurance company State Farm notified its customers that it suffered a credential stuffing attack during which attackers were able to confirm valid usernames and passwords for some customer accounts.

The big picture

On July 6, 2019, State Farm became aware that attackers used a list of usernames and passwords obtained via credential stuffing attack to access customers’ online accounts.

  • Upon discovery, the insurance company launched an investigation and determined that the attackers compromised usernames and passwords for some user accounts.
  • The investigation revealed that attackers were able to confirm valid usernames and passwords for some online accounts; however, no personal information was accessed.
  • After this, State Farm reviewed the accounts of impacted customers and confirmed that no fraudulent activity occurred.

“State Farm recently detected an information security incident in which a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt access to State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account,” State Farm said in a data breach notice.

What actions were taken?

  • State Farm has reset passwords for all impacted customer accounts in order to avoid further access attempts by the attackers.
  • The insurance company has notified the affected customers and has requested them to change their passwords for State Farm accounts as well as for other online accounts if they’ve reused the same passwords.
  • Furthermore, the company has implemented additional security controls to avoid such incidents from happening in the future.

“We have implemented additional controls and continue to evaluate our information security efforts to mitigate future attacks,” a spokesperson for State Farm told ZDNet.

Worth noting

According to the data breach notification filed with the Office of the California Attorney General, the first attempted attack on State Farm accounts occurred on July 6, 2019, followed by subsequent attacks on July 8, 12, 13, 14, 17, 19, 20, and 22.
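The pattern State Farm describes (one source working through a list of user IDs and passwords, most failing, a few succeeding) is visible in ordinary authentication logs. The following detector is an added example, not State Farm's tooling; the log format and the sample lines are constructed for it. It flags any source address that tries many distinct accounts with a high failure ratio inside a short window, and reports which accounts did log in successfully from that address, since those are the credentials the attacker has confirmed and the ones to reset first.

```python
"""Credential-stuffing detector over authentication logs.

Added example, not State Farm's tooling. The log format below is constructed:
    <ISO-8601 timestamp> ip=<source address> user=<account> result=OK|FAIL
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_events(lines):
    """Parse log lines into (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result == "OK"))
    return events


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, within one sliding window, tried at least `min_users`
    distinct accounts with a failure ratio of at least `min_fail_ratio`.

    Returns {ip: {"attempts": n, "failures": f, "distinct_users": u, "confirmed": [users]}}.
    `confirmed` lists accounts that logged in successfully from a flagged IP: these are
    the credentials the attacker has validated and the ones to reset first.
    """
    by_ip = defaultdict(list)
    for ev in parse_events(lines):
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {
                    "attempts": len(evs),
                    "failures": sum(1 for e in evs if not e[3]),
                    "distinct_users": len({e[2] for e in evs}),
                    "confirmed": sorted({e[2] for e in evs if e[3]}),
                }
                break
    return flagged


# Constructed sample: one address cycling through a stolen list (seven failures, one hit),
# and one legitimate user who mistypes a password twice before logging in.
SAMPLE_LOG = [
    "2019-07-06T02:00:00Z ip=203.0.113.5 user=alice result=FAIL",
    "2019-07-06T02:00:30Z ip=203.0.113.5 user=bob result=FAIL",
    "2019-07-06T02:01:00Z ip=203.0.113.5 user=carol result=FAIL",
    "2019-07-06T02:01:30Z ip=203.0.113.5 user=dana result=OK",
    "2019-07-06T02:02:00Z ip=203.0.113.5 user=erin result=FAIL",
    "2019-07-06T02:02:30Z ip=203.0.113.5 user=frank result=FAIL",
    "2019-07-06T02:03:00Z ip=203.0.113.5 user=grace result=FAIL",
    "2019-07-06T02:03:30Z ip=203.0.113.5 user=heidi result=FAIL",
    "2019-07-06T02:05:00Z ip=198.51.100.7 user=ivan result=FAIL",
    "2019-07-06T02:05:20Z ip=198.51.100.7 user=ivan result=FAIL",
    "2019-07-06T02:05:45Z ip=198.51.100.7 user=ivan result=OK",
]

if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The thresholds are deliberately parameters: a shared NAT or a corporate proxy legitimately produces many distinct users from one address, so in production the failure ratio and window matter more than the raw user count, and the `confirmed` list is what drives the forced password reset State Farm applied.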

Data Breach Reminds: Configuration Is Key

An Unfortunate Reminder

If we’ve said it once, we’ve said it 1,000 times – and we’ll keep saying it: the right configuration is key for your network to be fully secure. We had another reminder this week, with news of a data breach affecting Capital One in which a hacker gained access to more than 100 million credit card applications and accounts, in what CNN calls one of the biggest data breaches ever. Capital One had security measures in place, but the breach still occurred. So how did the hacker get through? A misconfigured web application firewall.

Misconfiguration Opens the Door

More specifically, according to the criminal complaint filed by the U.S. Department of Justice, “a firewall misconfiguration permitted commands to reach and be executed by [a specific] server, which enabled access to folders or buckets of data in Capital One’s storage space at the Cloud Computing Company.” Unfortunately, this is all too common. According to Gartner, 99% of successful network breaches can be attributed to a misconfiguration of the firewall.

The DOJ complaint alleges the hacker gained access multiple times over a few months. It wasn’t until Capital One received an anonymous tip that the company became aware of the data breach. That means the stolen personal information – which included approximately 120,000 social security numbers, more than 75,000 bank account numbers, and millions of names, addresses, and birth dates – was available to the highest bidder for quite some time.

Not only was the firewall misconfigured, the theft was not quickly detected. Those are two expensive issues you don’t want your network to have. Capital One expects to spend $100 to $150 million in costs related to this data breach.

How Can I Prevent a Breach?

So how do you prevent the same thing from happening to you? Get a professional configuration with ongoing management of your network. Our network engineers provide personalized solutions based on your unique needs, ensuring optimized performance and security. Once your configuration is complete, they offer managed security services that take the burden of everyday monitoring, patching vulnerabilities, threat detection, and more away, allowing you to rest assured that the security of your valuable data is in the hands of top-notch, certified professionals. And anytime you have a question, they’ll be there at our Security Operations Center to help.

Cylance Protect AV vulnerability patched

Carnegie Mellon Software Engineering Institute’s CERT Coordination Center has issued a note on the patch for a recently disclosed vulnerability in Cylance Protect.

The vulnerability note, VU#489481, said that prior to a July 21, 2019, update Protect contained flaws that allowed an adversary to craft malicious files that the AV product would likely mistake for benign files. Security researchers found that isolating specific properties of the machine learning model allowed them to modify most known malicious files so that they passed as benign.

“Several common malware families, such as Dridex, Gh0stRAT, and Zeus, were reported as successfully modified to bypass the Cylance product in this way. The success rate of the bypass is reported as approximately 85 percent of malicious files tested,” the note said.

Cylance has deployed a patch fixing the problem and any systems that have connected to the service since July 21 have been updated.

MegaCortex variant redesigned as self-executing, incorporates features of previous version

A new variant of MegaCortex ransomware making its way across the U.S. and Europe has been recast as a self-executing menace that does not require a password and is aimed at enterprises, according to a technical analysis released by researchers at Accenture iDefense.

“The disadvantage of the first version was that actors had to run the ransomware manually or risk of leaking the password. This prevented global distribution of the ransomware,” Accenture said. “The MegaCortex Version 2 author has updated the ransomware to remove these disadvantages and redesigned the ransomware to self-execute.”

“It seems this threat actor has done its homework regarding which business model works best,” said Mounir Hahad, who heads Juniper Networks Threat Labs. “It has learned from the infamous SamSam group that also delivers ransomware manually after infiltrating an organization.”

As a result, attackers can “precision-deliver highly potent malware while keeping it somewhat difficult to obtain by security researchers,” he said.

The new version of MegaCortex integrates the first iteration’s script features. It also “decrypts the main payload and executes in memory; detects and terminates security tools; [and] detects and stops various types of software such as backup software, database software and Web server software so there is no update to files related to that software,” the analysis showed, as well as “hardcodes the password into the ransomware to allow the ransomware to decrypt the main payload automatically; and integrates the loader, main module and worker into a single executable.”

Ransomware incidents have ramifications beyond a particular targeted company, “affecting the entire ecosystem,” including business partners, suppliers and vendors, Matan Or-El, co-founder and CEO of Panorays, stressed. “This ransomware interrupts corporate operations and causes a Denial-of-Service to the supply chain.”

On the plus side, the MegaCortex variant “is fairly easy to detect, should the threat actor decide to use it more widely or put it up on a ransomware-as-a-service offering,” said Hahad.

Noting “a variety of actions” companies have at their disposal to mitigate supply chain risks, Matan recommends they “evaluate the cyber posture of their third parties and demand that they adhere to a certain security standard.”

They should also have a set policy for securely dealing with third parties, such as severing “connections with a high-risk vendor” that does not meet a set security threshold, or requiring a password change for vendors that represent a medium risk. Finally, organizations “should continuously monitor the security posture of their third parties, receive notification of any change in their security and act according to the policy they put in place,” said Matan.

Cabarrus County loses $1.7 million after being targeted in BEC scam

  • Scammers posed as a representative of the Roanoke-based contractor Branch and Associates and targeted employees of the County’s schools and government.
  • The scam began in November 2018.

Cabarrus County in North Carolina has lost over $1.7 million in a BEC scam. The scammers pretended to be the contractor for the County’s new high school and sent phishing emails under a pretext to obtain money.

How did it happen?

Cabarrus County officials have released details of the BEC scam that diverted nearly $2.5 million to scammers. Of this, $1,728,082.60 remains missing.

Officials said that the County had intended to send the money to Roanoke, Virginia-based Branch and Associates Inc., which serves as the general contractor for the construction of West Cabarrus High School.

The investigation revealed that scammers posed as a representative of the Roanoke-based Branch and Associates and targeted employees of the County’s schools and government through a series of phishing emails. The scam had begun in November 2018.

Sending phishing emails for payments

The phishing email, sent in the name of the Roanoke-based contractor, stated that the bank account for Branch and Associates had changed and that the County should use the new account for future invoice payments.

The email also included documents that looked legitimate. This tricked County officials into believing that the updated banking information was genuine and allowed the scammers to steal $2,504,601.

“Legitimate requests to update bank account information are routine. In this case, the request to change Branch and Associates’ vendor banking information was made by conspirators. They provided County staff with new banking information, seemingly valid documentation and signed approvals. The conspirators then waited for the County to transfer the next vendor payment,” said the County in its notification.

Once the amount was deposited into the scammers’ account, the funds were diverted to multiple other accounts.

Realizing the mistake

The County became aware of the scam after it received a notification of a missed payment from Branch and Associates on January 8, 2019. County staff then confirmed that the electronic funds transfer had cleared in December.

What has been done about it?

The County has notified SunTrust Bank about the fraudulent transaction. Separately, Branch and Associates informed Bank of America about the fraudulent wire transfer of $2.5 million. Following this, Bank of America froze $776,518.40 of the $2,504,601.

The recovered amount of $776,518.40 was paid to Branch and Associates on March 20, 2019. The County paid the remaining balance on May 22, 2019.

New Android Ransomware Found Using SMS Spam for Propagation

  • The malware does not encrypt files with a ‘.zip’ or ‘.rar’ extension.
  • It also leaves a file unencrypted if its size is over 51,200 KB (50 MB), and skips ‘.jpeg’, ‘.jpg’ and ‘.png’ files smaller than 150 KB.

A new Android ransomware family, dubbed Android/Filecoder.C, has been found making attempts to infect users. The malware is leveraging unusual tricks to propagate to a victim’s device.

How does it spread?

Discovered by ESET Mobile Security, the malware is distributed via various online forums. The malware has been active since at least July 12, 2019. Within a few days of its discovery, the researchers managed to extract samples of the malware from several posts shared on Reddit and the ‘XDA Developers’ forum.

These posts were created around topics that would lure common users. All of these posts included links or QR codes pointing to the malicious apps. Soon after the discovery, the malicious posts on the XDA Developers forum were removed.

To boost its propagation, Android/Filecoder.C uses the victim’s contact list and spreads further via SMS messages containing malicious links. These are links to the ransomware, although they are presented as links to apps. Further, to maximize its reach, the ransomware has 42 versions of the message template.

“Before sending the messages, it chooses the version that fits the victim device’s language setting. To personalize these messages, the malware prepends the contact’s name to them,” wrote the researchers.

What are its capabilities?

Once the ransomware sends out a batch of malicious SMS messages, it encrypts most of the user’s files and requests a ransom. Android/Filecoder.C combines asymmetric and symmetric encryption: while encrypting files, the ransomware generates a new AES key for each file it encrypts.

The malware does not encrypt files with a ‘.zip’ or ‘.rar’ extension. It also leaves a file unencrypted if its size is over 51,200 KB (50 MB), and skips ‘.jpeg’, ‘.jpg’ and ‘.png’ files smaller than 150 KB.
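The exclusion rules above matter to a responder because they say which files on an infected device were never touched and can be recovered without any key. The triage helper below is an added example, not ESET's code or anything from the malware; it encodes only the three rules reported above (sizes in KB, thresholds strict as worded) and runs them over a constructed file listing so that a listing from a real device could be split into files that survived and files that did not.

```python
"""Triage helper: which files would Android/Filecoder.C have left untouched?

Added example, not ESET's code or the malware's. It encodes only the exclusion rules
reported in the write-up (sizes in KB, thresholds strict as worded), so an incident
responder can tell from a file listing which data survived without decryption.
"""
import os

SKIPPED_EXTENSIONS = {".zip", ".rar"}
MAX_SIZE_KB = 51_200            # files over 51,200 KB (50 MB) are skipped
SMALL_IMAGE_EXTENSIONS = {".jpeg", ".jpg", ".png"}
SMALL_IMAGE_LIMIT_KB = 150      # images under 150 KB are skipped


def skip_reason(path, size_kb):
    """Return why the ransomware would skip this file, or None if it would be encrypted."""
    ext = os.path.splitext(path)[1].lower()   # case-insensitive: '.PNG' counts as '.png'
    if ext in SKIPPED_EXTENSIONS:
        return "archive extension"
    if size_kb > MAX_SIZE_KB:
        return "larger than 50 MB"
    if ext in SMALL_IMAGE_EXTENSIONS and size_kb < SMALL_IMAGE_LIMIT_KB:
        return "small image"
    return None


def triage(listing):
    """Split a {path: size_kb} listing into (survived, encrypted).

    `survived` maps path -> reason it was skipped; `encrypted` is the sorted list of
    paths the rules do not exempt and which therefore need the per-file AES key.
    """
    survived, encrypted = {}, []
    for path, size_kb in listing.items():
        reason = skip_reason(path, size_kb)
        if reason:
            survived[path] = reason
        else:
            encrypted.append(path)
    return survived, sorted(encrypted)


# Constructed listing (not taken from a real device image).
SAMPLE_LISTING = {
    "/sdcard/DCIM/IMG_0001.jpg": 120,
    "/sdcard/DCIM/IMG_0002.jpg": 2_300,
    "/sdcard/Download/backup.zip": 4_000,
    "/sdcard/Movies/holiday.mp4": 700_000,
    "/sdcard/Documents/taxes.pdf": 480,
    "/sdcard/Pictures/logo.PNG": 149,
}

if __name__ == "__main__":
    survived, encrypted = triage(SAMPLE_LISTING)
    for path, reason in survived.items():
        print(f"survived  {path}  ({reason})")
    for path in encrypted:
        print(f"encrypted {path}")
```

Note that the rules are applied in the order the write-up lists them, so a 60 MB archive is reported as skipped for its extension rather than its size; either way it survives.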

ShadowHammer attack installed backdoors on a million ASUS devices

Backdoors added to ASUS computers through its software update platform resulted in what Kaspersky researchers are calling one of the largest supply chain incidents ever, “ShadowHammer,” which even surpassed the scope of the CCleaner attack.

Researchers estimated malware was distributed to nearly a million people, although the cybercriminals appeared to have only targeted 600 specific MAC addresses for which hashes were hardcoded into different versions of the utility.

“A threat actor modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels,” Kaspersky researchers said in a report. “The trojanized utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time.”

Researchers also noted the same techniques were used against software from three other unnamed vendors which have since been notified along with ASUS. In the meantime, users should update the ASUS Live Update Utility, researchers recommended.

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said cybercriminals see code signing certificates as a valuable target due to their extreme power.

“Code signing certificates are used to establish which updates and machines should be trusted, and they are in the applications that power cars, laptops, planes and more,” Bocek said. “Nearly every operating system is dependent on code signing, and we will see many more certificates in the near future due to the rise of mobile apps, DevOps and IoT devices.”

Bocek added that unfortunately, many organizations rely on developers who aren’t prepared to defend these assets, to protect the code signing process and that most security teams don’t even know if their developers are using code signing or who may have access to the code signing process.

“It’s imperative for organizations to know what code-signing certificates they have in use and where, especially as it’s likely we’ll see similar attacks in the future,” Bocek said.

BitSight Vice President Jake Olcott said supply chain risk presents one of the biggest cybersecurity challenges today.

“Tech companies issuing remote patching and remote updates to customers are increasingly targeted because of their broad, trusted relationships with their customers,” Olcott said. “Companies must conduct more rigorous diligence and continuously monitor these critical vendors in order to get a better handle on this risk.”

Mark Orlando, CTO, cyber protection solutions, at Raytheon Intelligence, said that it may be what we don’t yet know that makes the attack more interesting.

“Kaspersky’s investigation identified 600 MAC addresses – a unique identifier assigned to each networked device – hard coded into ASUS’ backdoored update utility,” Orlando said. “This indicates that the wide-reaching attack was launched for the purpose of targeting a relatively small number of very specific devices. It also implies that the attack is part of a multi-phased campaign that builds upon targeted reconnaissance of those devices.”

Orlando added that regardless of the attackers’ ultimate goal, we know that these kinds of supply chain attacks are growing in number and can compromise huge numbers of devices in a way that is difficult to detect.

To combat the growing threat, he said organizations should take a hard look at supply chain security, and specifically software update security, in light of this report.

“Compromised updates that are digitally signed and come from a trusted source will probably evade signature-based defenses like anti-virus; the best defenses are a shift towards proactive analysis (e.g. threat hunting) and tougher scrutiny of third-party software,” Orlando said.
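The detail that the backdoored utility carried hashes of about 600 target MAC addresses, rather than the addresses themselves, is what let it sit in a public download without revealing who was being hunted, and it is also what lets a defender check exposure: hash your own interfaces and look for a match. The checker below is an added example, not Kaspersky's tool or the attacker's code. The page only says the targets were hard-coded as hashes, so the canonical MAC form and the choice of SHA-256 are assumptions made for this example, and TARGET_HASHES is constructed from made-up addresses.

```python
"""Check a host's MAC addresses against a list of hashed target MACs.

Added example, not Kaspersky's checker nor the attacker's code. The page reports only
that target MACs were hard-coded as hashes; the canonical MAC form and the use of
SHA-256 below are assumptions made for this example, and TARGET_HASHES is constructed.
"""
import hashlib
import re


def normalize_mac(mac):
    """Canonical form: lower-case hex pairs joined by ':'; accepts '-', '.', or no separators."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac):
    """SHA-256 of the canonical MAC string (assumed scheme for this example, not the real one)."""
    return hashlib.sha256(normalize_mac(mac).encode("ascii")).hexdigest()


def matching_macs(local_macs, target_hashes):
    """Return the local MACs (canonical form) whose hash appears in target_hashes.

    Matching happens on the hash, so the checker never needs the plaintext target list;
    that is also why the attacker could ship the list inside a widely distributed utility.
    """
    targets = {h.lower() for h in target_hashes}
    return [normalize_mac(m) for m in local_macs if mac_hash(m) in targets]


# Constructed target list: hashes of two made-up MACs (not the real ShadowHammer hashes).
TARGET_HASHES = [mac_hash("00:11:22:33:44:55"), mac_hash("66-77-88-99-AA-BB")]

if __name__ == "__main__":
    # Constructed host interfaces, in the mixed notations different tools print.
    host_interfaces = ["00-11-22-33-44-55", "dead.beef.0001"]
    print(matching_macs(host_interfaces, TARGET_HASHES))
```

Normalization is the part that goes wrong in practice: `ipconfig`, `ip link` and vendor inventories print the same address with different separators and case, and a hash over an un-normalized string silently never matches. The same check generalizes to any hashed indicator list (hashed hostnames, hashed usernames) shared by a vendor that does not want to publish victims in the clear.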

Xtreme RAT: A deep insight into the remote access trojan’s high profile attacks

  • Its capabilities include uploading or downloading files, manipulating running processes and services, capturing screenshots of victims’ computers, recording audio and video via the microphone or webcam, and interacting with the registry.
  • Its victims include financial organizations, telecom companies, gaming companies, the IT sector, the energy and utility sector, and more.

Xtreme RAT, which was developed by ‘xtremecoder’, is written in Delphi. The Remote Access Trojan has been active since 2010, and its source code has been leaked online.

Its capabilities include uploading or downloading files, manipulating running processes and services, capturing screenshots of victims’ computers, recording audio and video via the microphone or webcam, and interacting with the registry.

Xtreme RAT has infected several financial organizations, telecom companies, gaming companies, the IT sector, the energy and utility sector, and more.

Xtreme RAT attacks against Israel

  • In 2012, attackers used Xtreme RAT to target the Israeli and Palestinian governments.
  • In 2015, attackers gained unauthorized access to Israeli defense systems and compromised them using Xtreme RAT.

Molerats attacks

In 2014, Xtreme RAT was used to target US financial institutions and European government organizations. The targets of the spear-phishing campaign included Palestinian and Israeli surveillance organizations; government departments in Israel, Turkey, Slovenia, Macedonia, New Zealand, Latvia, the US, and the UK; the Office of the Quartet Representative; the British Broadcasting Corporation (BBC); a major U.S. financial institution; and multiple European government organizations.

W32.Extrat campaigns

In 2015, Colombian financial employees were targeted with multiple phishing email campaigns delivering Xtreme RAT. The four attack teams Caramel, Cuent, Maga, and Molotos targeted Colombian financial employees with phishing emails disguised as payments and tax-related emails that included the W32.Extrat attachments.

Malspam campaign

In 2017, researchers observed a malspam campaign delivering Xtreme RAT. The campaign targeted Spanish-speaking users; the phishing emails lured the targets into executing a malicious macro.

In a recent report, researchers analyzed Xtreme RAT and stated that the victim organizations include a European video game company, Middle Eastern, South Asian, and East Asian telecommunications companies, an East Asian industrial conglomerate, and an East Asian IT company.

Firefox and Edge Fall to Hackers on Day Two of Pwn2Own

Browsers Firefox and Edge take a beating on day two of the Pwn2Own competition.

Hackers took down the Mozilla Firefox and Microsoft Edge browsers on Thursday at Pwn2Own, the annual hacking contest held in tandem with CanSecWest, as the competition continued for a second day.

The dynamic hacking duo of Amat Cama and Richard Zhu, who make up team Fluoroacetate, had another good day, following Wednesday’s successes. The two trained their skills first on Mozilla Firefox, leveraging a JIT bug in the browser, followed by an out-of-bounds write exploit in the Windows kernel. The one-two punch allowed Fluoroacetate to take over the targeted system.

“They were able to execute code at SYSTEM level just by using Firefox to visit their specially crafted website,” wrote Zero Day Initiative in a write-up of the day’s hacking results. For their efforts the two earned $50,000.

Zero Day Initiative, on Twitter: “The @fluoroacetate duo does it again. They used a type confusion in #Edge, a race condition in the kernel, then an out-of-bounds write in #VMware to go from a browser in a virtual client to executing code on the host OS. They earn $130K plus 13 Master of Pwn points.”

The story of the day continued to be Cama and Zhu, who earned an additional $130,000 for a “masterfully crafted exploit chain” that eventually led to owning the underlying hypervisor of a VMware Workstation, ZDI reported.

That hack began inside VMware Workstation, where Fluoroacetate opened an Edge browser and visited a booby-trapped website that triggered a type confusion bug. Next, Cama and Zhu used a race condition in the Windows kernel, followed by an out-of-bounds write in VMware Workstation, to execute code on the underlying hypervisor.

Adding both days’ awards together, Fluoroacetate has so far earned $340,000 in this year’s Pwn2Own competition.

Mozilla’s Firefox browser went down a second time Thursday, thanks to hacker Niklas Baumstark. He was able to execute code at the system level of a PC by leveraging a JIT bug in Firefox.

“In a real-world scenario, an attacker could use this to run their code on a target system at the level of the logged-on user,” ZDI wrote. The successful exploit earned Baumstark $40,000.

A researcher named Arthur Gerkis, with Exodus Intelligence, was the final contestant and a newcomer to the Pwn2Own competition. His target was also Microsoft’s Edge browser. “[Gerkis] wasted no time by using a double free bug in the renderer followed by a logic bug to bypass the sandbox,” ZDI wrote. For his effort, the researcher earned $50,000.

Day three of the competition closes out the Pwn2Own event with an automotive category.