Cyber Security

DHS Warns of Increasing Emotet Risk



Enterprise Vulnerabilities

From DHS/US-CERT’s National Vulnerability Database

CVE-2020-7220 (published 2020-01-23): HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2.

Published 2020-01-23: An improper access control vulnerability in FortiMail admin webUI 6.2.0, 6.0.0 to 6.0.6, 5.4.10 and below may allow administrators to perform system backup config download they should not be authorized for.

Published 2020-01-23: An improper access control vulnerability in FortiMail admin webUI 6.2.0, 6.0.0 to 6.0.6, 5.4.10 and below may allow administrators to access the web console they should not be authorized for.

Published 2020-01-23: An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is stored XSS in the Appearance modifier.

Published 2020-01-23: An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. CSRF can be used to send API requests.



Phishers using strong tactics and poor bait in Office 365 scam



An uptick in phishing attempts using a fake and badly made Office 365 credentials update form is taking place, according to a new Cofense report.

Not only is the form, which is linked to in the email, riddled with typos and capitalization errors, but it is actually a Google Forms document, something Microsoft is unlikely to use under any circumstances.

The Cofense Phishing Defense Center found the malicious actors did go to great lengths in some respects to make their scam appear legitimate. The email itself originates from a real company, the financial services provider CIM Finance, and they used the CIM Finance website to host the emails to help bypass basic email security. An additional evasive step is to use Google so the doc has an authentic SSL certificate, so that recipients will believe they are being linked to a Microsoft page. However, the URL links to an external Google page.

The email claims to be from the IT corporate team and states the person’s Office 365 account has expired and, unless the individual clicks the link and updates the account, it will be suspended.

At this point all the professionalism employed by the attackers disappears.

“Upon clicking the link, the end user is presented with a substandard imitation of the Microsoft Office365 login page, as seen in figure 3, that does not follow Microsoft’s visual protocol. Half the words are capitalized, and letters are replaced with asterisks; examples include the word ‘email’ and the word ‘password.’ In addition, when end users type their credentials, they appear in plain text as opposed to asterisks, raising a red flag the login page is not real,” Cofense said.

Since this is a Google doc, once the information is entered it becomes available to the doc’s creator.



Campaign staffer’s husband arrested for DDoSing former Rep. Katie Hill’s opponent



The husband of a campaign staffer for former Rep. Katie Hill, D-CA., was arrested by the FBI for allegedly launching four DDoS attacks against the former congresswoman’s primary opponent.

Arthur Dam was arrested on February 21 by FBI agents and charged with one count of intentionally damaging and attempting to damage a protected computer. In the criminal complaint filed in the Central District of California, the FBI claimed that Dam conducted the attacks while his wife, who was not named, worked on Hill’s campaign staff.

The complaint did not name the victim, but it did indicate the candidate was male, and according to Ballotpedia the only male running in California’s 25th District Democratic primary was Brian Caforio. He lost his primary bid by just under 3,000 votes.

The attacks took place between April and May 2018, with the site being down for a total of 21 hours, the FBI said in a release, with the victim claiming $27,000 to $30,000 in damages incurred in repairing the damage, buying extra security and lost donations.

“The attack on or about April 28, 2018, occurred just before the start of a live political debate, which featured the Victim and his two opponents. This attack shut down the Victim’s website and it remained offline throughout the debate,” the criminal complaint stated.

The attacks were conducted using an AWS account that the FBI said was controlled by Dam. Agents discovered that each attack was preceded by logins to the AWS account from Dam’s home or office, and cookies from the account were found on Dam’s iPhone. The attacks were associated with URLs spoofing USA Today, Google, and Engadget web pages.

Dam has a cybersecurity background, with the complaint stating he runs DDoS attacks as part of his job as a pen tester.

The FBI did not claim that either Hill or Dam’s wife were involved in the incidents.

Hill, who won her seat by defeating incumbent Stephen Knight in 2018, resigned from Congress in October 2019 after admitting she had engaged in an inappropriate relationship with a staffer before being elected to Congress, The Hill reported.



Zyxel Fixes 0day in Network Storage Devices



Patch comes amid active exploitation by ransomware gangs

Networking hardware vendor Zyxel today released an update to fix a critical flaw in many of its network attached storage (NAS) devices that can be used to remotely commandeer them. The patch comes 12 days after KrebsOnSecurity alerted the company that precise instructions for exploiting the vulnerability were being sold for $20,000 in the cybercrime underground.

Based in Taiwan, Zyxel Communications Corp. (a.k.a “ZyXEL”) is a maker of networking devices, including Wi-Fi routers, NAS products and hardware firewalls. The company has roughly 1,500 employees and boasts some 100 million devices deployed worldwide. While in many respects the class of vulnerability addressed in this story is depressingly common among Internet of Things (IoT) devices, the flaw is notable because it has attracted the interest of groups specializing in deploying ransomware at scale.

KrebsOnSecurity first learned about the flaw on Feb. 12 from Alex Holden, founder of Milwaukee-based security firm Hold Security. Holden had obtained a copy of the exploit code, which allows an attacker to remotely compromise more than a dozen types of Zyxel NAS products remotely without any help from users.

A snippet from the documentation provided by 500mhz for the Zyxel 0day.

Holden said the seller of the exploit code, a ne’er-do-well who goes by the nickname “500mhz”, is known for being reliable and thorough in his sales of 0day exploits (a.k.a. “zero-days,” these are vulnerabilities in hardware or software products that vendors first learn about when exploit code and/or active exploitation shows up online).

For example, this and previous zero-days for sale by 500mhz came with exhaustive documentation detailing virtually everything about the flaw, including any preconditions needed to exploit it, step-by-step configuration instructions, tips on how to remove traces of exploitation, and example search links that could be used to readily locate thousands of vulnerable devices.

500mhz’s profile on one cybercrime forum states that he is constantly buying, selling and trading various 0day vulnerabilities.

“In some cases, it is possible to exchange your 0day with my existing 0day, or sell mine,” his Russian-language profile reads.

The profile page of 500mhz, translated from Russian to English via Google Chrome.


KrebsOnSecurity first contacted Zyxel on Feb. 12, sharing a copy of the exploit code and description of the vulnerability. When four days elapsed without any response from the vendor to notifications sent via multiple methods, this author shared the same information with vulnerability analysts at the U.S. Department of Homeland Security (DHS) and with the CERT Coordination Center (CERT/CC), a partnership between DHS and Carnegie Mellon University.

Less than 24 hours after contacting DHS and CERT/CC, KrebsOnSecurity heard back from Zyxel, which thanked KrebsOnSecurity for the alert without acknowledging its failure to respond until they were sent the same information by others.

“Thanks for flagging,” Zyxel’s team wrote on Feb. 17. “We’ve just received an alert of the same vulnerabilities from US-CERT over the weekend, and we’re now in the process of investigating. Still, we heartily appreciate you bringing it to our attention.”

Earlier today, Zyxel sent a message saying it had published a security advisory and patch for the zero-day exploit in some of its affected products. The vulnerable devices include NAS542, NAS540, NAS520, NAS326, NSA325 v2, NSA325, NSA320S, NSA320, NSA310S, NSA310, NSA221, NSA220+, NSA220, and NSA210. The flaw is designated as CVE-2020-9054.

However, many of these devices are no longer supported by Zyxel and will not be patched. Zyxel’s advice for those users is simply “do not leave the product directly exposed to the internet.”

“If possible, connect it to a security router or firewall for additional protection,” the advisory reads.

Holden said given the simplicity of the exploit — which allows an attacker to seize remote control over an affected device by injecting just two characters to the username field of the login panel for Zyxel NAS devices — it’s likely other Zyxel products may have related vulnerabilities.

“Considering how stupid this exploit is, I’m guessing this is not the only one of its class in their products,” he said.

CERT’s advisory on the flaw rates it at a “10” — its most severe. The advisory includes additional mitigation instructions, including a proof-of-concept exploit that has the ability to power down affected Zyxel devices.


Holden said recent activity suggests that attackers known for deploying ransomware have been actively working to test the zero-day for use against targets. Specifically, Holden said the exploit is now being used by a group of bad guys who are seeking to fold the exploit into Emotet, a powerful malware tool typically disseminated via spam that is frequently used to seed a target with malcode which holds the victim’s files for ransom.

Holden said 500mhz was offering the Zyxel exploit for $20,000 on cybercrime forums, although it’s not clear whether the Emotet gang paid anywhere near that amount for access to the code. Still, he said, ransomware gangs could easily earn back their investment by successfully compromising a single target with this simple but highly reliable exploit.

“From the attacker’s standpoint simple is better,” he said. “The commercial value of this exploit was set at $20,000, but that’s not much when you consider a ransomware gang could easily make that money back and then some in a short period of time.”

Emotet’s nascent forays into IoT come amid other disturbing developments for the prolific exploitation platform. Earlier this month, security researchers noted that Emotet now has the capability to spread in a worm-like fashion via Wi-Fi networks.

“To me, a 0day exploit in Zyxel is not as scary as who bought it,” he said. “The Emotet guys have been historically targeting PCs, laptops and servers, but their venture now into IoT devices is very disturbing.”


This experience was a good reminder that vulnerability reporting and remediation often can be a frustrating process. Twelve days turnaround is fairly quick as these things go, although probably not quick enough for customers using products affected by zero-day vulnerabilities.

It can be tempting when one is not getting any response from a vendor to simply publish an alert detailing one’s findings, and the pressure to do so certainly increases when there is a zero-day flaw involved. KrebsOnSecurity ultimately opted not to do that for three reasons.

First, at the time there was no evidence that the flaw was being actively exploited. Second, the vendor had assured DHS and CERT/CC that it would soon have a patch available.

Perhaps most importantly, public disclosure of an unpatched flaw could well have made a bad situation worse, without offering affected users much in the way of information about how to protect their systems.

Many hardware and software vendors include a link from their home pages to /security.txt, which is a proposed standard for allowing security researchers to quickly identify the points of contact at vendors when seeking to report security vulnerabilities. But even vendors who haven’t yet adopted this standard (Zyxel has not) usually will respond to reports at security@[vendordomainhere]; indeed, Zyxel encourages researchers to forward any such reports to

On the subject of full disclosure, I should note that while this author is listed by Hold Security’s site as an advisor, KrebsOnSecurity has never sought nor received remuneration of any kind in connection with this role.
