Get Ahead of
Cyber Threats
Newsletter

Fletch Weekly Digest - 08/15/22

Christina Changco
Reading time: 5 min

How prepared are you when it comes to a possible internal breach? Fletch: Trending Threats analyzes threats within your industry so you are more prepared. 

Board of the Week: Twilio Breach Analysis

On August 7, 2022, Twilio announced an internal breach of its SaaS platform, in which attackers obtained access to customer data after bypassing the two-factor authentication mechanisms used by Twilio employees. For firms concerned about their exposure to this breach, here are some initial questions to ask of your SaaS authentication logs.


Threat of the Week Spotlight: How Fletch Uses Vulnerability Data

Vulnerability scanners do a good job finding and reporting on the vulnerabilities and their corresponding risk scores. But prioritizing those risks for your specific organization can still be a challenge.
In this session, we explore the following: 
What is the Trending Threat app (1:23)
What information vulnerability sources provide (3:10)
How the Trending Threats app gets better with vulnerability information (11:33)


Threats of the Week Breakdown:

1. VMware warns of public exploit for critical auth bypass vulnerability (1:20)


Topping the list is a report by Bleeping Computer that proof-of-concept exploit code is now publicly available online for a critical authentication bypass security flaw in multiple VMware products that enables attackers to gain admin privileges. ... Today, VMware "confirmed malicious code that can exploit CVE-2022-31656 and CVE-2022-31659 in impacted products is publicly available" in an update to the original advisory.


While the report says that the vulnerability was "not yet exploited in the wild", it is crucial that organizations make patching this vulnerability their top priority. Attackers will certainly weaponize the public exploit code as quickly as they can.

CVEs: CVE-2022-31656, CVE-2022-31659, CVE-2022-22972


2. Hackers are actively exploiting password-stealing flaw in Zimbra (2:44)


Zimbra is commonly used as a low-cost alternative to Microsoft Exchange. It works with MS Outlook clients and is popular among small to medium enterprises and government agencies on tight budgets.


Last week BleepingComputer.com reported that the Cybersecurity and Infrastructure Security Agency (CISA) has added the Zimbra CVE-2022-27824 flaw to its 'Known Exploited Vulnerabilities Catalog,' indicating that it is actively exploited in attacks by hackers. ... CISA's addition of CVE-2022-27824 to the catalog of actively exploited flaws introduces the obligation for all Federal agencies in the U.S. to apply the available security updates by August 25, 2022, which is the set deadline for this case.

Patches are available and should be applied immediately.

CVEs: CVE-2022-27824, CVE-2022-27924


3. Cisco fixes critical remote code execution bug in VPN routers (4:54)


Another vulnerability affecting systems commonly used in small to medium enterprises was reported by BleepingComputer.com last week. No known exploit has been "reported" in the wild, but remember that attackers won't burn an exploit like this unless they need to; if your organization is easily phished, attackers will hold any exploit code in reserve for harder targets.


CVE-2022-20827 can be exploited by submitting crafted input to the web filter database update feature, letting threat actors "execute commands on the underlying operating system with root privileges." ... Cisco has fixed critical security vulnerabilities affecting Small Business VPN routers and enabling unauthenticated, remote attackers to execute arbitrary code or commands and trigger denial of service (DoS) conditions on vulnerable devices.


Patch your vulnerable systems immediately!

CVEs: CVE-2022-20842, CVE-2022-20827, CVE-2022-20841


4. Bitter APT group using "Dracarys" Android Spyware (7:50)


Signal Private Messenger, a free and highly secure messaging app created by Moxie Marlinspike, has been widely used among security professionals for years, and more recently by the general public. Even the Senate recognizes its value.


The Bitter APT group has been targeting South Asian countries with the malware "Dracarys", a malicious bit of Android spyware that, according to Cyble.com, targets "Signal, Telegram, WhatsApp, YouTube, and other chat applications". All of these apps are free, but users in some countries may find that they are blocked on Google Play because of their ability to secure a user's messages, even from their own government.


The malware collects SMS data, call logs, the list of installed applications, and files present on the infected device after receiving a command from the C&C server, as shown in Figures 7 through 10. ... The Bitter APT is actively involved in both desktop and mobile malware campaigns and uses techniques such as spear-phishing emails and exploitation of known vulnerabilities to deliver Remote Access Trojans (RATs) and other malware families.

The best way to protect against malware like this is to download and install software only from trusted sources. That may not always be easy for users in some nation-states.

Malware: Dracarys, Bitter