Executive Summary

Executive Summary

A critical flaw has been discovered within Zyxel Firewall products, allowing for a malicious user to bypass the Authentication requirement on the device, enabling unauthorised privileged access. The bug impacts several Zyxel Firewall Network Access Control (NAC) systems as detailed within the technical summary. The bug, achieves a 9.8 on the Common Vulnerability Scoring System (CVSS).

What’s the risk to my business?

Due to the severity of the bug, and the ability for attackers to gain unauthorised privileged access to critical perimeter defence, the risk to businesses operating affected Zyxel Firewalls is high.

What can I do?

The bug has been reported, and a patch has been issued. Businesses operating these devices are urged to implement as soon as possible.

Technical Summary

Zyxel have issued a patch for bug CVE-2022-0342, which was disclosed on 03/28/2022. Zyxel’s investigation has only been focused on devices within their warranty and support period. The following Zyxel products are confirmed to be affected, with the appropriate patches listed:

·       USG/ZyWALL, running version ZLD V4.20 to ZLD V4.70 | Fixed in Patch ZLD V4.71

·       USG FLEX, running version ZLD V4.50 to ZLD V5.20 | Fixed in Patch ZLD V5.21 Patch 1

·       ATP, running version ZLD V4.32 to ZLD V5.20 | Fixed in Patch ZLD V5.21 Patch 1

·       VPN, running version ZLD V4.30 to ZLD V5.20 | Fixed in Patch ZLD V5.21

·       NSG, running version V1.20 to V1.33 Patch 4 | Fixed in Hotfix V1.33p4_WK11, available from vendor. Fix will be included in standard patch V1.33 Patch 5 when released in May 2022.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Cyber Advisory – Critical SonicWall VPN Bug Allows Remote Unauthenticated Takeover

Executive Summary

SonicWall, a security vendor best known for their hardware appliances, is the subject of a critical advisory relating to its Secure Mobile Access (SMA) 100 series VPN appliances. The SMA 100 series provides secured end-to-end remote access to corporate networks and resources in a variety of environments, such as on-premises, hybrid or cloud infrastructure. The SMA 100 also provides policy driven access control, based on trusted users and devices.

The bug, rated a 9.8 out of 10 on the CVSS scale, allows a remote attacker to authenticate as “nobody”, effectively granting them the lowest level of access to the device. As such, an attacker would be able to modify policies, alter security settings or launch additional attacks from the compromised device.

What’s the risk to my business?

If you or your IT provider use the SonicWall SMA 100 appliance, the risk could be high. CVSS scores of 9.0 and higher carry a “fix immediately” flag, as any attack capable of remote execution provides an attractive target to bad actors. As firewalls and other perimeter security devices generally form the first line of defence, and protect a huge quantity of assets, compromising one can facilitate any number of additional attacks.

What can I do?

Speak to your IT service provider or IT team to find out if the SMA 100 is used in your environment. SonicWall have urged users to patch and continue to patch their devices, as SonicWall have been the subject of numerous attacks in recent years.

Technical Summary

The vulnerability – CVE-2021-20038 – has been found in the string concatenate function strcat(), which is used when handling environment variables in a HTTP GET method. The bug runs under the Apache httpd server, allowing attackers to run a stack-based buffer overflow to result in code execution.

A complete list of impacted devices can be found on SonicWall’s website.

Need help understanding your gaps, or just want some advice? Get in touch with us.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

A Third of Global Companies Have Experienced Ransomware Attack, Survey Finds

Roughly a third of large international companies have faced a ransomware attack or other data breach in the last 12 months, according to a new survey.

Analysts surveyed almost 800 companies and found 37% of international companies experienced ransomware attacks this past year. The survey focused on companies with more than 500 employees.

https://www.vice.com/en/article/jg84q3/a-third-of-global-companies-have-experienced-ransomware-attack-survey-finds

Company Size Is A Nonissue With Automated Cyber Attack Tools

Even with plenty of old problems to contend with, firms need to get ready for new and more powerful automated ransomware tools.

Cyber criminals are constantly looking for the best return on their investment and solutions that lower the chance of being caught. Sadly, that appears to mean small businesses are their current target of opportunity.

Tech media and cyber pundits have been sounding the alarm and offering small businesses specific cybersecurity solutions for a few years now, but it seems to no avail.

https://www.techrepublic.com/article/company-size-is-a-nonissue-with-automated-cyberattack-tools/

Over 60% Of Employees Reuse Passwords Across Business And Personal Accounts

Nearly two thirds of employees are using personal passwords to protect corporate data, and vice versa, with even more business leaders concerned about this very issue. Surprisingly, 97% of employees know what constitutes a strong password, yet over half (53%) admit to not always using one.

http://hrnews.co.uk/over-60-of-employees-reuse-passwords-across-business-and-personal/

LockBit 2.0 Ransomware Proliferates Globally 

Fresh attacks target companies’ employees, promising millions of dollars in exchange for valid account credentials for initial access.

The LockBit ransomware-as-a-service (RaaS) gang has ramped up its targeted attacks, researchers said, with attempts against organizations in Chile, Italy, Taiwan and the U.K. using version 2.0 of its malware.

https://threatpost.com/lockbit-ransomware-proliferates-globally/168746/

Secret Terrorist Watchlist With 2 Million Records Exposed Online

A secret terrorist watchlist with 1.9 million records, including classified "no-fly" records was exposed on the internet.

The list was left accessible on an Elasticsearch cluster that had no password on it.

https://www.bleepingcomputer.com/news/security/secret-terrorist-watchlist-with-2-million-records-exposed-online/

Phishing Costs Nearly Quadrupled Over 6 Years

Lost productivity & mopping up after the costly attacks that follow phishing – BEC & ransomware in particular – eat up most costs, not pay-outs to crooks.

Research shows that the cost of phishing attacks has nearly quadrupled over the past six years: Large US companies are now losing, on average, $14.8 million annually, or $1,500 per employee.

That’s up sharply from 2015’s figure of $3.8 million, according to a new study from Ponemon Institute that was sponsored by Proofpoint.

According to the study, released Tuesday, phishing leads to some of the costliest cyber attacks.

https://threatpost.com/phishing-costs-quadrupled/168716/

Security Teams Report Rise In Cyber Risk

A recent report shows declining confidence in many organisations’ security function to address today’s threats.

80% of respondents to the Trend Micro’s biannual Cyber Risk Index (CRI) report said they expect to experience a data breach that compromises customer data in the next 12 months.

The report surveyed more than 3,600 businesses of all sizes and industries across North America, Europe, Asia-Pacific, and Latin America for their thoughts on cyber risk. Despite an increased focus on security due to high-profile ransomware and other attacks in the past year, respondents reported a rise in risk due to inadequate security processes like backing up key assets.

Organisations are overwhelmed as they pivot from traditional to distributed networks. Pandemic-driven work-from-home growth is potentially how businesses will be run going forward. That distributed network means that it’s harder for IT staff to know what assets are under their control and what security controls should be in place. With the line blurring between corporate and personal assets, organizations are overwhelmed with the pace of change.

https://www.csoonline.com/article/3629477/security-teams-report-rise-in-cyber-risk.html

Organisations Aware Of The Importance Of Zero Trust, Yet Still Relying On Passwords

Organisations have become more security conscious over the course of the pandemic, leading them to invest heavily in zero trust, according to a new study.

The report surveyed over 600 global security leaders about their initiatives and found that remote work has led to a change in how organizations view the importance of zero trust, with financial services, healthcare organisations and the software industry seeing the most significant progress.

78% of companies globally say that zero trust has increased in priority and nearly 90% are currently working on a zero trust initiative, up from just 41% a year ago.

https://www.helpnetsecurity.com/2021/08/11/importance-of-zero-trust/

Reliance On Third Party Workers Making Companies More Vulnerable To Cyber Attacks

A new survey revealed 83% of respondents agree that because organisations increasingly rely on contractors, freelancers, and other third party workers, their data systems have become more vulnerable to cyber attacks.

Further, 88% of people say organisations and government entities must have better data security systems in place to protect them from the increase in third party remote attacks.

Recent high-profile breaches, including SolarWinds, Colonial Pipeline, and JBS Foods, have exposed how vulnerable organisations are to cyber crime and in particular ransomware attacks. Of note with recent attacks is how data breaches can quickly affect aspects of everyday life, such as the ability to fill a car with petrol or buy meat at the supermarket.

https://www.helpnetsecurity.com/2021/08/16/reliance-on-third-party-workers/

The Cyber Security Skills Gap Persists For The Fifth Year Running

Most organisations are still lacking talent, according to a new report, but experts think expanding the definition of a cybersecurity professional can help.

https://www.techrepublic.com/article/the-cybersecurity-skills-gap-persists-for-the-fifth-year-running/

T-Mobile Hack Is A Return To The Roots Of Cyber Crime

In the world of cyber crime, ransomware attacks might be the sophisticated bank heists. The hack of T-Mobile is more akin to smashing a window, grabbing merchandise, and running.

The attack that exposed the personal information of millions of T-Mobile customers spotlights a common type of cyber threat that can inflict significant damage to consumers, much like the recent rash of ransomware attacks hitting companies.

The breach exposed the data of more than 40 million people, T-Mobile confirmed Wednesday, including customer’s full names and driver’s license information. A hacker posted about the stolen information on a cyber crime forum late last week, offering to sell the information to buyers for the price of six bitcoin, or about $270,000.

This type of attack, in which hackers worm their way into companies’ systems, steal data and try to sell it online, has been a common tactic for years, cyber security experts say. Unlike the high-profile ransomware attacks that have disrupted fuel supplies, hospital systems and food production in recent months, these data exfiltration hacks do not lock down computer systems.

https://www.washingtonpost.com/technology/2021/08/19/tmobile-breach-data-hacks/

Phishing Attacks Increase In H1 2021, Sharp Jump In Crypto Attacks

The first half of 2021 shows a 22 percent increase in the volume of phishing attacks over the same time period last year, a new report reveals. Notably, however, phishing volume in June dipped dramatically for the first time in six months, immediately following a very high-volume in May.

Bad actors continue to utilise phishing to fleece proprietary information, and are developing more sophisticated ways to do so based on growth in areas such as cryptocurrency and sites that use single-sign-on.

https://www.helpnetsecurity.com/2021/08/19/phishing-attacks-h1-2021/

Connected Devices Increasingly At Risk As New Ransomware Attacks Are Reported Almost Daily

A new report has shined a light on the state of connected devices. The number of agentless and un-agentable devices increased to 42% in this year’s report (compared to 32% of agentless or un-agentable devices in 2020). These devices include medical and manufacturing devices that are critical to business operations along with network devices, IP phones, video surveillance cameras and facility devices (such as badge readers) that are not designed with security in mind, cannot be patched, and cannot support endpoint security agents.

With almost half of devices in the network that are either agentless or un-agentable, organisations need to complement their endpoint security strategy with a network-based security approach to discover and secure these devices.

https://www.helpnetsecurity.com/2021/08/12/connected-devices-risks/

Threats

Ransomware

• John Oliver On Ransomware Attacks: ‘It’s In Everyone’s Interest To Tet This Under Control’

• Hospitals Hamstrung By Ransomware Are Turning Away Patients

• Half Of US Hospitals Shut Down Networks Due To Ransomware

• Device Complexity Leaving Schools At Heightened Risk Of Ransomware Attacks

• This Ransomware Has Returned With New Techniques To Make Attacks More Effective

• Diavol Ransomware Sample Shows Stronger Connection To TrickBot Gang

• Ransomware Criminals' Demands Rise As Aggressive Tactics Pay Off

BEC

• 23 Charged Over Covid-19 Business Email Compromise Fraud

Phishing

• "Jigsaw Puzzle" Phishing Attacks Use Morse Code To Hide

• Cyber Attackers Embrace CAPTCHAs To Hide Phishing, Malware

• WordPress Sites Abused In Aggah Spear-Phishing Campaign

• This Microsoft 365 Spear-Phishing Campaign Has Been Running Riot For Over A Year

Other Social Engineering

• Delivery Scams Most Prominent Form Of Smishing

Malware

• Malware Campaign Uses Clever 'Captcha' To Bypass Browser Warning

• Malware Dev Infects Own PC And Data Ends Up On Intel Platform

• Researchers Discover New AdLoad Malware Campaigns Targeting Macs And Apple Products

Mobile

• How Hackers Can Use Message Mirroring Apps To See All Your SMS Texts — And Bypass 2FA Security

IOT

• Amazon Sidewalk Highlights Network Security Visibility Risks Consumer Services Pose

Vulnerabilities

• Multiple Flaws Affecting Realtek Wi-Fi SDKs Impact Nearly A Million IoT Devices

• Unpatched Remote Hacking Flaw Disclosed In Fortinet's FortiWeb WAF

• Linux Glibc Security Fix Created A Nastier Linux Bug

• 65 Vendors Affected By Severe Vulnerabilities In Realtek Chips

• Eight-Year-Old Bug In Microsoft's 64-Bit VBA Prompts Complaints Of Neglect

• Cisco Won’t Fix Zero-Day RCE Vulnerability In End-Of-Life VPN Routers

• Adobe Addresses Two Critical Vulnerabilities In Photoshop

Data Breaches/Leaks

• Chase Bank Accidentally Leaked Customer Info To Other Customers

• Colonial Pipeline Reports Data Breach After May Ransomware Attack

• Ford Bug Exposed Customer And Employee Records From Internal Systems

Dark Web

• Dark Web Blockchain Analysis Tool Suspended After Flurry Of Media Coverage

• Dark Web Drug Dealer Indicted For Laundering $137 Million In Bitcoin From Prison

• Dark Web Criminals Have Built A Tool That Checks For Dirty Bitcoin

Supply Chain

DoS/DDoS

• Attackers Can Weaponize Firewalls And Middleboxes For Amplified DDoS Attacks

• Botnet Generates One of the Largest DDoS Attacks on Record

OT, ICS, IIoT and SCADA

• Mysterious Hacker Group Suspected In July Cyber Attack On Iranian Trains

Nation State Actors

• Chinese Espionage Tool Exploits Vulnerabilities In 58 Widely Used Websites

• North Korea Hackers Spreading Malware Via Browser Exploits

Cloud

• The Overlooked Security Risks Of The Cloud

Other News

• Blackbaud – Firm That Paid Off Crooks After 2020 Ransomware Attack – Fails To Get California Privacy Law Claim Dropped

• Threat Actors Hacked US Census Bureau In 2020 By Exploiting A Citrix Flaw

• Cyber Security Is Top Priority For Enterprises As They Shift To Digital-First Operating Models

• SMEs Awareness Of GDPR Is High, But Few Adhere To Its Legal Requirements

• Hacker Finds A Way To Steal Windows 365 User Names And Passwords

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.