Proof-of-Concept Exploits Published for Microsoft-NSA Crypto Bug
Security researchers have released proof-of-concept (PoC) code for a recently disclosed vulnerability in the Windows operating system. The vulnerability, CVE-2020-0601, was initially reported to Microsoft by the U.S. National Security Agency (NSA) and affects Windows CryptoAPI, a core component that handles cryptographic operations.
According to cybersecurity researcher Tal Be’ery, “the root cause of this vulnerability is a flawed implementation of the Elliptic Curve Cryptography (ECC) within Microsoft’s code.”
According to the disclosures by the NSA, the DHS, and Microsoft, CVE-2020-0601 (also known as CurveBall) can be exploited to:
launch MitM (man-in-the-middle) attacks as well as intercept and fake HTTPS connections
fake signatures for files and emails
fake signed-executable code launched inside Windows
Government agencies have been ordered to patch the vulnerability within ten days of its announcement. As PoC exploit code has been published online, it’s as important as ever to apply the proper patch updates.
Kudelski Security published the first CurveBall exploit, and shortly afterwards the Danish security researcher group Ollypwn published their code as well. Thankfully, Windows Defender has received updates to detect active exploitation and warn users of a potential threat to their systems.
Law Enforcement Seizes WeLeakInfo.com for Selling Access to Data From Data Breaches
The FBI has seized WeLeakInfo.com, a subscription-based search engine that allowed users to search personal information from over 10,000 data breaches. According to the U.S. Department of Justice announcement, the website illegally obtained and sold data breach information, amounting to over 12 billion records.
The two individuals allegedly involved in the WeLeakInfo operation were arrested in the Netherlands and Ireland. They are believed to have made over £200,000, which the U.S. Department of Justice, along with other organizations, was able to trace back to the individual IP addresses of the arrestees.
The U.K. National Crime Agency has been able to establish “links between the purchase of cybercrime tools, such as remote access Trojans (RATs) and cryptors, and weleakinfo.com.” As seen below, to access the 12.5 billion records stolen from data breaches, users could subscribe to various plans for as little as $2.
Citrix Releases Patches for Critical ADC Vulnerability Under Active Attack
For almost a month now, Citrix Application Delivery Controllers (ADC) and Citrix Gateways have been vulnerable to a critical path traversal flaw (CVE-2019-1978). The flaw allows an unauthenticated attacker to execute arbitrary code on vulnerable servers.
It affects all versions of the software, including:
Citrix ADC and Citrix Gateway version 13.0 all supported builds
Citrix ADC and NetScaler Gateway version 12.1 all supported builds
Citrix ADC and NetScaler Gateway version 12.0 all supported builds
Citrix ADC and NetScaler Gateway version 11.1 all supported builds
Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
Citrix’s announcement of the flaw did not initially provide any software patches; however, it did offer mitigation steps.
Thankfully, Citrix has now begun to release its first batch of updates, which provides permanent patches for ADC versions “11.1 and 12.0 that also apply to ADC and Gateway VPX hosted on ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX).”
Critical WordPress Bug Leaves 320,000 Sites Open to Attack
According to researchers from WebArx, two WordPress plugins, InfiniteWP Client and WP Time Capsule, suffer from a new vulnerability. Both plugins contain a flaw that allows an attacker to access a site’s backend with no password. According to a WebArx blog post, an attacker only needs the admin username to access the site’s backend.
Both plugins were created to allow users to authenticate to numerous WordPress installations from one central server. According to the WordPress plugin library, 300,000 websites are running a vulnerable version of the InfiniteWP Client plugin, and 20,000 are running a vulnerable version of the WP Time Capsule plugin.
The proof-of-concept attack on InfiniteWP Client “requires a payload encoded with JSON, then Base64. Next, it is sent raw to the targeted site in a POST request,” and the WP Time Capsule Bug “only needs to contain a certain string in the body of the raw POST request.”
To mitigate the vulnerability, the researchers recommend updating both plugins to their patched versions.
Bot List With Telnet Credentials for More Than 500,000 Servers and IoT Devices Leaked Online
A cybercriminal has recently dumped an extensive list of Telnet credentials for over 510,000 servers and smart devices. According to SecurityAffairs, this is the largest leak of Telnet passwords ever reported.
The list was first posted on a popular hacking forum by the operator of a DDoS booter service and includes IP addresses as well as the Telnet username and password for each device.
A quick look at the list reveals that many of the devices’ login details are default or easy-to-guess credentials.
The top five credentials in the list were:
Security researcher Victor Gevers analyzed the list and found that more than 8,200 IP addresses were unique, and around 2,174 were accessible via Telnet by using the leaked credentials.