

NSA reveals to Microsoft critical Windows 10 flaw



Microsoft reportedly acted on an NSA warning, creating and issuing a secret out-of-band patch to the military and other high-value targets that fixes CVE-2020-0601, a vulnerability affecting a core cryptographic component present in all versions of Windows.

Published reports stated that the NSA informed Microsoft of the vulnerability and this knowledge enabled Microsoft to quickly fix the problem and push out a patch, which was released to the general public today. Cybersecurity execs called the vulnerability a potential “force multiplier” for an attack and heaped praise on the NSA for telling Microsoft, a move that has not always taken place previously.

Synopsys said the patch for CVE-2020-0601, which affects crypt32.dll, was pushed out prior to today’s normal Patch Tuesday security rollout, although at this time the security firm does not have many details on the vulnerability itself.

“This is serious news, as crypt32.dll is a module needed for securing the Microsoft operating systems. We still don’t know precisely what the bug is and how easily it could be exploited, as that hasn’t been fully disclosed yet, but there are some pointers online that can give us an idea,” said Boris Cipot, a senior security engineer with Synopsys.

Renaud Deraison, co-founder and CTO of Tenable, fully expects cybercriminals intent on ransomware and phishing attacks to take advantage of this vulnerability, adding that it is an excellent turn of events that the NSA informed Microsoft. However, with the security patch in place, computers can be secured.

hits at the very trust we have in today’s digital computing environments — trust to authenticate binaries and trust that our ciphered communications are properly protected. The flaw would enable an attacker, among other things, to exploit how Windows verifies cryptographic trust, enabling them to deliver executable code and making it look like it came from a trusted source,” he said.
Cipot strongly recommended implementing the crypt32.dll patch as soon as it is available. He also warned that malicious actors may attempt to take advantage of this issue, though perhaps not in the way one would expect, and advised users to only download the update from Microsoft’s Update and Security section in Windows 10.

The fact that the NSA reported this to Microsoft, unlike EternalBlue, was an interesting move, said Rick Holland, CISO and vice president of strategy at Digital Shadows.

“I’d be interested to understand what makes this exploit worth reporting to Microsoft instead of keeping for their personal arsenal as they have in the past. It could be because many of those previous tools leaked and have caused widespread damage across multiple organizations. It could be because there was a concern others would find this vulnerability themselves and it was dangerous enough to warrant remediation instead of weaponizing,” he said.

Automox’s Senior Technical Product Manager Richard Melick expressed hope that the NSA’s actions in this case signal growth at an agency better known in cyber circles for hoarding vulnerabilities for use against adversaries.

“While it is relatively uncommon for a vulnerability of this severity to make it through the NSA’s Equities process and not be weaponized and kept secret for its offensive capabilities, it does allude to a possible shift in mentality. The agency has caught a lot of bad publicity with recent ransomware infections that were made possible by EternalBlue in cities such as Baltimore and Atlanta,” he said.

users are also urged not to trust websites or emails with links that offer patches for the crypt32.dll. Phishers prey on announcements of security flaws and design campaigns aimed at exploiting people’s desire to patch a vulnerability as soon as possible,” he said.

This is in addition to a very busy Patch Tuesday for Microsoft, which saw it start to wind down support for Windows 7 and roll out patches for 47 vulnerabilities, seven rated as critical.

Graham, Qualys’ director of product management, pointed out the Win32k patches CVE-2019-1468 and CVE-2019-145 for workstations, and the remote code execution vulnerability CVE-2019-1471 patched in Hyper-V, which would allow an authenticated user on a guest system to run arbitrary code on the host system.

and CVE-2019-1469 were at the top of Melick’s list, with the former needing an extra bit of attention.

is a remote code execution exploit that exists when the Git for Visual Studio client improperly sanitizes input. As Visual Studio is one of the most popular development environments used today to design and build applications, this exploit puts engineering organizations on the front lines of a potential attack,” he said.

Some of the critical-rated issues are remote code execution problems: CVE-2020-0603 in ASP.NET Core; CVE-2020-0605 in various versions of Microsoft .NET Framework; and CVE-2020-0609 in Windows Server 2019, 2016, 2012 and 2012 R2.



Campaign staffer’s husband arrested for DDoSing former Rep. Katie Hill’s opponent



The husband of a campaign staffer for former Rep. Katie Hill, D-CA., was arrested by the FBI for allegedly launching four DDoS attacks against the former congresswoman’s primary opponent.

Arthur Dam was arrested on February 21 by FBI agents and charged with one count of intentionally damaging and attempting to damage a protected computer. In the criminal complaint filed in the Central District of California, the FBI claimed that Dam conducted the attacks while his wife, who was not named, worked on Hill’s campaign staff.

The complaint did not name the victim, but it did indicate the candidate was male, and according to Ballotpedia the only male running in California’s 25th District Democratic primary was Brian Caforio. He lost his primary bid by just under 3,000 votes.

The attacks took place between April and May 2018, with the site being down for a total of 21 hours, the FBI said in a release. The victim claimed $27,000 to $30,000 in damages incurred in repairing the damage, buying extra security and lost donations.

“The attack on or about April 28, 2018, occurred just before the start of a live political debate, which featured the Victim and his two opponents. This attack shut down the Victim’s website and it remained offline throughout the debate,” the criminal complaint stated.

The attacks were conducted using an AWS account that the FBI said was controlled by Dam. Agents discovered that each attack was preceded by logins to the AWS account from Dam’s home or office, and cookies from the account were found on Dam’s iPhone. The attacks were associated with URLs spoofing USA Today, Google and Engadget web pages.

Dam has a cybersecurity background, with the complaint stating that he runs DDoS attacks as part of his job as a pen tester.

The FBI did not claim that either Hill or Dam’s wife were involved in the incidents.

Hill, who won her seat by defeating incumbent Stephen Knight in 2018, resigned from Congress in October 2019 after admitting she had engaged in an inappropriate relationship with a staffer before being elected to Congress, The Hill reported.



Zyxel Fixes 0day in Network Storage Devices



Patch comes amid active exploitation by ransomware gangs

Networking hardware vendor Zyxel today released an update to fix a critical flaw in many of its network attached storage (NAS) devices that can be used to remotely commandeer them. The patch comes 12 days after KrebsOnSecurity alerted the company that precise instructions for exploiting the vulnerability were being sold for $20,000 in the cybercrime underground.

Based in Taiwan, Zyxel Communications Corp. (a.k.a “ZyXEL”) is a maker of networking devices, including Wi-Fi routers, NAS products and hardware firewalls. The company has roughly 1,500 employees and boasts some 100 million devices deployed worldwide. While in many respects the class of vulnerability addressed in this story is depressingly common among Internet of Things (IoT) devices, the flaw is notable because it has attracted the interest of groups specializing in deploying ransomware at scale.

KrebsOnSecurity first learned about the flaw on Feb. 12 from Alex Holden, founder of Milwaukee-based security firm Hold Security. Holden had obtained a copy of the exploit code, which allows an attacker to remotely compromise more than a dozen types of Zyxel NAS products without any help from users.

A snippet from the documentation provided by 500mhz for the Zyxel 0day.

Holden said the seller of the exploit code — a ne’er-do-well who goes by the nickname “500mhz” — is known for being reliable and thorough in his sales of 0day exploits (a.k.a. “zero-days,” these are vulnerabilities in hardware or software products that vendors first learn about when exploit code and/or active exploitation shows up online).

For example, this and previous zero-days for sale by 500mhz came with exhaustive documentation detailing virtually everything about the flaw, including any preconditions needed to exploit it, step-by-step configuration instructions, tips on how to remove traces of exploitation, and example search links that could be used to readily locate thousands of vulnerable devices.

500mhz’s profile on one cybercrime forum states that he is constantly buying, selling and trading various 0day vulnerabilities.

“In some cases, it is possible to exchange your 0day with my existing 0day, or sell mine,” his Russian-language profile reads.

The profile page of 500mhz, translated from Russian to English via Google Chrome.


KrebsOnSecurity first contacted Zyxel on Feb. 12, sharing a copy of the exploit code and description of the vulnerability. When four days elapsed without any response from the vendor to notifications sent via multiple methods, this author shared the same information with vulnerability analysts at the U.S. Department of Homeland Security (DHS) and with the CERT Coordination Center (CERT/CC), a partnership between DHS and Carnegie Mellon University.

Less than 24 hours after contacting DHS and CERT/CC, KrebsOnSecurity heard back from Zyxel, which thanked KrebsOnSecurity for the alert without acknowledging its failure to respond until they were sent the same information by others.

“Thanks for flagging,” Zyxel’s team wrote on Feb. 17. “We’ve just received an alert of the same vulnerabilities from US-CERT over the weekend, and we’re now in the process of investigating. Still, we heartily appreciate you bringing it to our attention.”

Earlier today, Zyxel sent a message saying it had published a security advisory and patch for the zero-day exploit in some of its affected products. The vulnerable devices include NAS542, NAS540, NAS520, NAS326, NSA325 v2, NSA325, NSA320S, NSA320, NSA310S, NSA310, NSA221, NSA220+, NSA220, and NSA210. The flaw is designated as CVE-2020-9054.

However, many of these devices are no longer supported by Zyxel and will not be patched. Zyxel’s advice for those users is simply “do not leave the product directly exposed to the internet.”

“If possible, connect it to a security router or firewall for additional protection,” the advisory reads.

Holden said given the simplicity of the exploit — which allows an attacker to seize remote control over an affected device by injecting just two characters to the username field of the login panel for Zyxel NAS devices — it’s likely other Zyxel products may have related vulnerabilities.

“Considering how stupid this exploit is, I’m guessing this is not the only one of its class in their products,” he said.

CERT’s advisory on the flaw rates it at a “10” — its most severe. The advisory includes additional mitigation instructions, including a proof-of-concept exploit that has the ability to power down affected Zyxel devices.


Holden said recent activity suggests that attackers known for deploying ransomware have been actively working to test the zero-day for use against targets. Specifically, Holden said the exploit is now being used by a group of bad guys who are seeking to fold the exploit into Emotet, a powerful malware tool typically disseminated via spam that is frequently used to seed a target with malcode which holds the victim’s files for ransom.

Holden said 500mhz was offering the Zyxel exploit for $20,000 on cybercrime forums, although it’s not clear whether the Emotet gang paid anywhere near that amount for access to the code. Still, he said, ransomware gangs could easily earn back their investment by successfully compromising a single target with this simple but highly reliable exploit.

“From the attacker’s standpoint simple is better,” he said. “The commercial value of this exploit was set at $20,000, but that’s not much when you consider a ransomware gang could easily make that money back and then some in a short period of time.”

Emotet’s nascent forays into IoT come amid other disturbing developments for the prolific exploitation platform. Earlier this month, security researchers noted that Emotet now has the capability to spread in a worm-like fashion via Wi-Fi networks.

“To me, a 0day exploit in Zyxel is not as scary as who bought it,” he said. “The Emotet guys have been historically targeting PCs, laptops and servers, but their venture now into IoT devices is very disturbing.”


This experience was a good reminder that vulnerability reporting and remediation often can be a frustrating process. Twelve days turnaround is fairly quick as these things go, although probably not quick enough for customers using products affected by zero-day vulnerabilities.

It can be tempting when one is not getting any response from a vendor to simply publish an alert detailing one’s findings, and the pressure to do so certainly increases when there is a zero-day flaw involved. KrebsOnSecurity ultimately opted not to do that for three reasons.

Firstly, at the time there was no evidence that the flaws were being actively exploited. Secondly, the vendor had assured DHS and CERT/CC that it would soon have a patch available.

Perhaps most importantly, public disclosure of an unpatched flaw could well have made a bad situation worse, without offering affected users much in the way of information about how to protect their systems.

Many hardware and software vendors include a link from their home pages to /security.txt, which is a proposed standard for allowing security researchers to quickly identify the points of contact at vendors when seeking to report security vulnerabilities. But even vendors who haven’t yet adopted this standard (Zyxel has not) usually will respond to reports at security@[vendordomainhere]; indeed, Zyxel encourages researchers to forward any such reports to

On the subject of full disclosure, I should note that while this author is listed by Hold Security’s site as an advisor, KrebsOnSecurity has never sought nor received remuneration of any kind in connection with this role.




360,000 Quebec teachers’ PII possibly compromised



The PII of at least 51,400, and possibly as many as 360,000, educators in Quebec was exposed when a malicious actor obtained login credentials to the Ministère de l’Éducation et de l’Enseignement supérieur network.

The ministry received confirmation of the breach on February 19, noting in a statement that a single database was accessed that contained the Social Insurance Number, last name, first name and date of birth of full-time teachers and of those substitute teachers who completed a contract of 20 days or more. The database that was compromised contained 51,400 names, but the ministry is informing all 360,000 of its educators out of an abundance of caution.

“The 360 000 people in the database in question will receive a letter indicating the procedure to follow to contact a credit monitoring company. The government will assume all costs related to the protection of people who are not already covered,” the ministry

The ministry did not reveal when the attack took place but did say that so far about 400 teachers have reported their identities stolen.

Letters are being sent to all 360,000 potential victims, the ministry will pay for credit monitoring, and a hotline has been established (1 877 644‑4545). However, those who have incurred losses due to the data breach will not be reimbursed by the government; instead, the ministry suggested they resort to the common law courts.

