Cyber Pulse: Edition 110

Read the latest edition of Cyber Pulse, with news of RDP Bruteforce attacks, the new Android mobile banking trojan EventBot, a SaltStack Sat security flaw, vulnerable WordPress LMS plugins and a Teams credentials phishing campaign.

Our cyber security round-up of the week:

RDP Bruteforce attacks increase worldwide

With the spread of Covid-19, organisations worldwide have introduced remote-working, which is having a direct impact on cyber security and the threat landscape. One of the most popular application-level protocols for accessing Windows workstations or servers is Microsoft’s proprietary protocol – RDP.

The lockdown has seen the appearance of a great many computers and servers able to be connected remotely, and right now Kaspersky is reporting an increase in cybercriminal activity to attack corporate resources that have now been made available (sometimes in a hurry) to remote workers. As the number of poorly configured RDP servers has increased, so has the rise in the number of attacks.

Since the beginning of March, the number of Bruteforce.Generic.RDP attacks have rocketed across almost the entire planet. Bruteforce attackers are not surgical in their approach, but operate by area. Attacks on remote-access infrastructure (as well as collaboration tools) are unlikely to stop any time soon.

Possible protection measures for RDP:

At the very least, use strong passwords.
Make RDP available only through a corporate VPN.
Use Network Level Authentication (NLA).
If possible, enable two-factor authentication.
If you don’t use RDP, disable it and close port 3389.

If you use a different remote-access protocol, you still cannot relax:  at the end of last year, Kaspersky experts found 37 vulnerabilities in various clients that connected via the VNC protocol, which, like RDP, is used for remote access.

Data centres and cloud environments vulnerable to SaltStack security flaw

Two severe security flaws have been discovered in the open-source SaltStack Sat configuration framework that could allow an adversary to execute arbitrary code on remote servers deployed in data centres and cloud environments. Identified by F-Secure researchers, the vulnerabilities, allocated CVE IDs CVE-2020-11651 and CVE-2020-11652, are of two different classes. One is an authentication bypass where functionality was unintentionally exposed to unauthenticated network clients, the other is a directory traversal where untrusted input (i.e. parameters in network requests) was not sanitised correctly, allowing unconstrained access to the entire filesystem of the master server.

Salt is a powerful Python-based automation and remote execution engine that's designed to allow users to issue commands to multiple machines directly. Built as a utility to monitor and update the state of servers, Salt employs a master-slave architecture that automates the process of pushing out configuration and software updates from a central repository using a "master" node that deploys the changes to a target group of "minions" (e.g. servers) en masse.

An attacker can exploit the flaws to call administrative commands on the master server as well as queue messages directly on the master publish server, thereby allowing the salt minions to run malicious commands. F-Secure researchers said an initial scan revealed thousands of vulnerable Salt instances exposed to the public internet. LineageOS, Ghost and DigiCert have already been breached. "We expect that any competent hacker will be able to create 100% reliable exploits for these issues within 24 hours."

New Android mobile banking trojan is born

Security researchers are investigating EventBot, a new type of Android mobile malware that has recently emerged. EventBot is a mobile banking trojan and info stealer that abuses Android’s accessibility features to steal user data from financial applications, read user SMS messages, and steal SMS messages to allow the malware to bypass two-factor authentication.

EventBot targets users of over 200 different financial applications, including banking, money transfer services, and crypto-currency wallets. Those targeted include applications like PayPal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, paysafecard, and many more.

EventBot is particularly interesting because it is in such early stages. This brand-new malware has real potential to become the next big mobile malware, as it is under constant iterative improvements, abuses a critical operating system feature, and targets financial applications.

When installed, EventBot requests the following permissions on the device:

SYSTEM_ALERT_WINDOW – allow the app to create windows that are shown on top of other apps.

READ_EXTERNAL_STORAGE – read from external storage.

REQUEST_INSTALL_PACKAGES – make a request to install packages.

INTERNET – open network sockets.

REQUEST_IGNORE_BATTERY_OPTIMIZATIONS – whitelist the app to allow it to ignore battery optimisations.

WAKE_LOCK – prevent the processor from sleeping and dimming the screen.

ACCESS_NETWORK_STATE – allow the app to access information about networks.

REQUEST_COMPANION_RUN_IN_BACKGROUND – let the app run in the background.

REQUEST_COMPANION_USE_DATA_IN_BACKGROUND – let the app use data in the background.

RECEIVE_BOOT_COMPLETED – allow the application to launch itself after system boot. EventBot uses this permission in order to achieve persistence and run in the background as a service.

RECEIVE_SMS – allow the application to receive text messages.

READ_SMS – allow the application to read text messages.

By accessing and stealing this data, Eventbot has the potential to access key business data, including financial data. 60% of devices containing or accessing enterprise data are mobile, and mobile devices tend to include a significant amount of personal and business data, assuming the organisation has a bring-your-own-device policy in place.

50,000 Teams users targeted to phish for Office 365 logins

A convincing cyberattack that impersonates notifications from Microsoft Teams in order to steal the Office 365 credentials of employees is making the rounds, according to researchers.

“Attackers utilise numerous URL redirects in order to conceal the real URL used that hosts the attacks,” the firm’s researchers said. “This tactic is employed in an attempt to bypass malicious link detection used by email protection services.”

For instance in one of the attacks, the actual sender email originates from a recently registered domain, “sharepointonline-irs.com”, which is not associated to Microsoft – it’s hidden due to the redirects though, and doesn’t present an obvious red flag to targets.

In the second attack, the email link points to a YouTube page, from which users are redirected twice to finally land on another Microsoft login phishing site.

“These attackers crafted convincing emails that impersonate automated notification emails from Microsoft Teams,” according to the analysis. “The landing pages that host both attacks look identical to the real webpages, and the imagery used is copied from actual notifications and emails from this provider.”

Attackers can gain access to more than credentials for the specific service represented on the phishing pages, warned Abnormal Security: “Since Microsoft Teams is linked to Microsoft Office 365, the attacker may have access to other information available with the user’s Microsoft credentials via single-sign on.”

The researchers said that the campaigns are especially effective on mobile, where images take up most of the content on the screen and where it’s more difficult to vet URLs. But even on desktop, the attacks are well-crafted using existing legitimate imagery, and are thus quite convincing, according to the analysis.

Multiple vulnerabilities in WordPress LMS plugins

The vulnerable WordPress plugins such as LearnPress, LearnDash, and LifterLMS make it easy by adapting any WordPress site to a fully functioning and easy-to-use LMS. The flaws in LearnPress (Ninja Forms) range from blind SQL injection to privilege escalation, which can authorise an existing user to gain a teacher's role. "Unexpectedly, the code doesn't check the permissions of the requesting user, therefore letting any student call this function," the researchers stated.

LearnDash, likewise, suffers from a SQL injection flaw that allows an adversary to craft a malicious SQL query by using PayPal's Instant Payment Notification (IPN) message service simulator to trigger fake course enrolment transactions.

Lastly, LifterLMS's arbitrary file write vulnerability exploits the dynamic nature of PHP applications to allow an attacker, e.g. a student registered for a specific course, to change their profile name to a malicious piece of PHP code. In total, the flaws make it possible for attackers to steal personal information (names, emails, usernames, passwords, etc) and for students to change grades, retrieve tests and test answers beforehand, and also forge certificates. The vulnerabilities were responsibly disclosed to the concerned platforms. All three LMS systems have released patches to address the issues.

Edited and compiled by QA's Director of Cyber, Richard Beck.

Subscribe to our weekly Cyber Pulse newsletter below.