
Windows 10 Patch, UN Cyberattack & WordPress Bug

Today is Wednesday, January 15th, 2020 and here are today’s most pressing cyber stories in under 5 minutes.


Patch your Windows 10 Now!


The U.S. National Security Agency (NSA) opened a new chapter by discovering and reporting to Microsoft a vulnerability tracked as CVE-2020-0601 that impacts Windows 10 and Windows Server systems.


In a phone conference that Bleeping Computer joined, NSA's Director of Cybersecurity Anne Neuberger said that this is the first time the agency decided to publicly disclose a security vulnerability to a software vendor.


"We thought hard about that. When Microsoft asked us, 'Can we attribute this vulnerability to NSA?' we gave it a great deal of thought. And then we elected to do so and here is why," Neuberger explained.


She added that "part of building trust is showing the data" and, as a result, "it's hard for entities to trust that we indeed take this seriously and ensuring that vulnerabilities can be mitigated is an absolute priority."


Neuberger also said during the media call that the agency will make efforts towards becoming an ally to the cybersecurity community and private sector entities, and will begin to share vulnerability data with its partners instead of accumulating it and using it in future offensive operations.


"We believe in Coordinated Vulnerability Disclosure (CVD) as proven industry best practice to address security vulnerabilities," MSRC's Principal Security Program Manager Mechele Gruhn added.


"Through a partnership between security researchers and vendors, CVD ensures vulnerabilities are addressed prior to being made public."

NSA's new approach to building trust with the public and its partners redefines the agency's cybersecurity mission as US Army General and NSA Director Paul M. Nakasone stated in July 2019.


"The Cybersecurity Directorate will reinvigorate our white hat mission opening the door to partners and customers on a wide variety of cybersecurity efforts," he added at the time.


"It will also build on our past successes such as Russia Small Group to operationalize our threat intelligence, vulnerability assessments, and cyber defense expertise to defeat our adversaries in cyberspace."


The CVE-2020-0601 spoofing vulnerability reported by the NSA affects the Windows CryptoAPI and is caused by the way Elliptic Curve Cryptography (ECC) certificates are validated.


"The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution," the NSA says.

CVE-2020-0601 has not yet been exploited in the wild according to Microsoft's security advisory. The US agency advises users and organizations to install the patches released as part of Microsoft's January 2020 Patch Tuesday as soon as possible, to block attackers from defeating "trusted network connections and deliver executable code while appearing as legitimately trusted entities."


"This vulnerability is one example of our partnership with the security research community where a vulnerability was privately disclosed and an update released to ensure customers were not put at risk," Gruhn added.


The NSA security advisory also comes with mitigation measures for systems where installing the patches released by Microsoft today is not immediately possible.

"Properly configured and managed TLS inspection proxies independently validate TLS certificates from external entities and will reject invalid or untrusted certificates, protecting endpoints from certificates that attempt to exploit the vulnerabilities," the agency reveals.


"Ensure that certificate validation is enabled for TLS proxies to limit exposure to this class of vulnerabilities and review logs for signs of exploitation."
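The NSA's mitigation is to have a validator reject the certificate class the flaw mishandles: EC certificates whose curve is given as explicitly defined parameters instead of a named-curve OID. The following added example (not NSA, Microsoft or Bleeping Computer code) walks a DER-encoded SubjectPublicKeyInfo and classifies its EC parameters; the sample SPKI blobs, the truncated ECParameters body and the dummy key bytes are constructed for illustration.

```python
EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")  # 1.2.840.10045.2.1
P256_OID = bytes.fromhex("2a8648ce3d030107")         # 1.2.840.10045.3.1.7
RSA_OID = bytes.fromhex("2a864886f70d010101")        # 1.2.840.113549.1.1.1

def der(tag: int, body: bytes) -> bytes:
    """Encode one short-form DER TLV (body under 128 bytes, enough here)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:                                        # long-form length
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, buf[start:start + n], start + n

def ec_parameter_kind(spki: bytes) -> str:
    """Return 'named', 'explicit', 'implicit' or 'not-ec' for a DER SPKI."""
    _, body, _ = read_tlv(spki, 0)               # SubjectPublicKeyInfo SEQUENCE
    _, alg, _ = read_tlv(body, 0)                # AlgorithmIdentifier SEQUENCE
    tag, oid, nxt = read_tlv(alg, 0)             # algorithm OID
    if tag != 0x06 or oid != EC_PUBLIC_KEY_OID:
        return "not-ec"
    if nxt >= len(alg):
        return "implicit"                        # parameters absent
    ptag, _, _ = read_tlv(alg, nxt)
    if ptag == 0x06:
        return "named"                           # namedCurve OID: accept
    if ptag == 0x30:
        return "explicit"                        # ECParameters SEQUENCE: reject
    return "implicit"                            # NULL -> implicitlyCA

def build_spki(alg_oid: bytes, params: bytes) -> bytes:
    """Constructed sample SPKI with a dummy key bit string (not a real key)."""
    alg = der(0x30, der(0x06, alg_oid) + params)
    return der(0x30, alg + der(0x03, b"\x00\x04" + b"\x11" * 64))

NAMED_SPKI = build_spki(EC_PUBLIC_KEY_OID, der(0x06, P256_OID))
# Constructed explicit ECParameters, truncated to its leading version field.
EXPLICIT_SPKI = build_spki(EC_PUBLIC_KEY_OID, der(0x30, der(0x02, b"\x01")))
RSA_SPKI = build_spki(RSA_OID, der(0x05, b""))
```

A proxy or log-review script can run this over the leaf and intermediate SPKIs of observed chains and alert on "explicit", since legitimate public CAs issue named-curve certificates.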


P&N Bank Disclosed Breach – Aussies Beware


P&N Bank is informing customers of a data breach in which personally identifiable information (PII) and sensitive account information were exposed.

On Wednesday, a security researcher going under the Twitter handle @vrNicknack pinged Troy Hunt, the operator of the Have I Been Pwned? search engine, with a notice he had received from the bank. 


P&N Bank, a division of Police & Nurses Limited and operating in Western Australia, sent the notice which warned of an "information breach" occurring through its customer relationship management (CRM) platform.


The financial services organization said "certain personal information [...] appears to have been accessed as a result of online criminal activity." 

On or around December 12, the bank was performing a server upgrade, and it was at this point that the cyberattack took place. It is believed that a company P&N Bank hired to provide hosting was the entry point.


P&N Bank says that names, addresses, email addresses, phone numbers, customer numbers, ages, account numbers, and account balances may have been compromised. Information "that could be included in our records of interactions" with customers may have also leaked.  


Passwords, Social Security numbers, Tax file numbers, driver's license or passport details, credit card numbers, and dates of birth have not been included in the breach, nor has any other "sensitive" information such as medical data.  


It is not yet known how many customers have been affected. 


"Upon becoming aware of the attack, we immediately shut down the source of the vulnerability," the company added.  

P&N Bank is keen to emphasize in the notice that at present there is no evidence of customer accounts or funds being compromised, and is "treating this information breach extremely seriously." 


P&N Bank says it is working with the West Australian Police Force (WAPOL) and other federal authorities.


Critical bugs in WordPress plugins


Two WordPress plugins, InfiniteWP Client and WP Time Capsule, contain serious security vulnerabilities that have opened up an estimated 320,000 websites to exploitation.


The pair, used to manage multiple WordPress websites from one server and create backups for files and database entries when updates are issued, were examined by cybersecurity researchers from WebArx who found "logical issues in the code that allows you to login into an administrator account without a password." 


InfiniteWP is active on over 300,000 websites and WP Time Capsule is active on at least 20,000 domains, according to the WordPress plugins library.  

On Tuesday, the team said the logical issues impacting InfiniteWP versions below mean that it is possible to use a POST request payload with JSON and Base64 encoding to bypass password requirements and log in by knowing only the username of an administrator.

In WP Time Capsule versions below 1.21.16, an issue in a functions line can be exploited by adding a crafted string to a raw POST request to call a function that grabs all available administrator accounts and logs in as the first admin on the list.

WebArx reported the vulnerabilities to the developer of both plugins on 7 January, who responded quickly and pushed out a software update only a day later. 

In order to resolve these issues, the developer tweaked action codes, removed several function calls and added payload authenticity checks.

It is important for webmasters to apply these patches, WebArx says, as it can be "hard to block this vulnerability with general firewall rules because the payload is encoded and a malicious payload would not look much different compared to a legitimate-looking payload of both plugins." 

"The developer was very fast to react and released the patches on the very next day after our initial report," the team added. "It's always great to see developers who are taking action quickly and letting their customers know about the issues to help people update to a more secure version as soon as possible."

United Nations Targeted with Emotet Malware


Pretending to be the Permanent Mission of Norway, the Emotet operators performed a targeted phishing attack against email addresses associated with users at the United Nations. Yesterday, the Emotet trojan roared back to life after a 3-week vacation with strong spam campaigns that targeted countries throughout the world. While Emotet's normal spam campaigns pretend to be accounting reports, delivery notices, and invoices, the malware operators had something special in mind for the United Nations.

In a sample of a phishing email shared by email security firm Cofense, the Emotet operators pretend to be representatives of Norway at the United Nations in New York, who state that there is a problem with an attached signed agreement.

According to Cofense, this phishing campaign had "highly specific targeting" and was seen being sent to 600 unique email addresses at the United Nations.

The email states that the representatives of Norway found a problem with a signed agreement and that the recipient should review it to learn the issue.

Attached to these emails is a Microsoft Word document whose name starts with "Doc_01_13" and that pretends to be the signed agreement sent by the Permanent Mission of Norway.

While there was room for Emotet to send a more convincing Word document template, they instead sent the same one that is used for all of the malspam campaigns.

This template pretends to be a warning that the "document only available for desktop or laptop versions of Microsoft Office Word." It then prompts the user to click 'Enable editing' or 'Enable Content' to view the document.

If a user opens the document and enables its content, malicious Word macros execute that download and install Emotet on the computer.

Emotet will now run in the background while sending out spam emails to other victims.

Eventually, Emotet will also install other payloads such as Trickbot, which would be when things get really bad for the compromised UN workstation.

When Emotet is installed on a machine, one of the malware payloads that is invariably installed is the TrickBot trojan.

The TrickBot trojan will attempt to harvest data from the computer such as cookies, login credentials, files from the computer, and possibly spread to other computers on the network.

After the harvesting of information is finished, TrickBot is known to open a reverse shell back to the operators of Ryuk Ransomware.

These operators will proceed to infiltrate the network, gain administrator credentials, and ultimately deploy Ryuk so that it encrypts every device on the network.

This is particularly worrisome for a UN network as ransomware operators are known to steal data before encrypting files, which could expose extremely sensitive diplomatic or government information.

While there are no known victims of this phishing attack, it illustrates that bad actors are constantly trying to gain access to the networks of organizations and governments.

CISA Releases Test Tool for Citrix ADC


DHS CISA released a public domain tool designed to help security staff test whether their organizations are vulnerable to ongoing attacks that might target the CVE-2019-19781 security flaw impacting the Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) products. "The Cybersecurity and Infrastructure Security Agency (CISA) has released a utility that enables users and administrators to test whether their Citrix Application Delivery Controller (ADC) and Citrix Gateway software is susceptible to the CVE-2019-19781 vulnerability," says the DHS agency.


CISA also strongly recommends that all organizations review CERT/CC's VU#619785 vulnerability note and the Citrix CTX267027 security bulletin and apply the described mitigation measures until new versions of the software are released. According to the CTX267027 bulletin, Citrix will be releasing new Citrix ADC and Citrix Gateway versions to patch the CVE-2019-19781 vulnerability starting January 20, 2020. If successfully exploited, the vulnerability makes it possible for unauthenticated attackers to perform arbitrary code execution via directory traversal.

Several working proof-of-concept (PoC) exploits for the CVE-2019-19781 vulnerability are already publicly available.

The PoC exploits allow attackers to create reverse shells back to their machines and execute malicious commands on the compromised devices, effectively enabling the attacker to gain full control over the machines.