PwC Weekly Security Report
This is a weekly digest of security news and events from around the world. Excerpts from news items are presented and web links are provided for further information.
Access management: Improving decision-making in user access review and cleanup projects
Threat and vulnerability management: Triggered via malicious files, flaws in Cisco WebEx players can lead to RCE; Conference calls a ‘significant & overlooked’ security gap in the enterprise
Ransomware: New .NET-based ransomware uses open source code
Palo Alto Networks discovered a custom RAT dubbed UBoatRAT that has been used in targeted attacks on personnel or organizations related to South Korea.
Top story: PayPal's TIO Networks reveals data breach impacted 1.6 million users
Triggered via malicious files, flaws in Cisco WebEx players can lead to RCE
Cisco has plugged six security holes in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files that could be exploited by remote attackers to execute malicious code on a target system.
“The ARF and WRF file formats are used to store WebEx meeting recordings that have been recorded on a WebEx meeting site, or on the computer of an online meeting attendee,” the company explained.
“The Cisco WebEx players are applications that are used to play back WebEx meeting recordings that have been recorded by an online meeting attendee. The player can be automatically installed when the user accesses a recording file that is hosted on a WebEx server.”
Mirai became widely known about a year ago, when it started ensnaring insecure Internet of Things (IoT) devices into a botnet capable of launching massive distributed denial-of-service (DDoS) attacks. With its source code made public in early October 2016, Mirai had already infected devices in 164 countries by the end of that month.
Vulnerability exploitation
Exploitation of the vulnerabilities can be triggered via malicious ARF or WRF files. Attackers can send such a file as an attachment, or provide a link to it in an email. In both cases, they have to convince users to download and open the malicious file.
The company made sure to note that the vulnerabilities can’t be triggered by users who are attending a WebEx meeting.
Users of Cisco WebEx Business Suite, Cisco WebEx Meetings, and Cisco WebEx Meeting Server should check whether their installations are vulnerable and implement the provided security updates (if they haven’t by now made sure to receive automatic software updates). Instructions on how to do so are provided in the security advisory.
Source: https://www.helpnetsecurity.com/2017/11/30/cisco-webex-flaws/
The good news is that vulnerabilities were discovered and reported by security researchers, and there is currently no indication that they are being exploited in the wild.
But, with their existence having now been made public, attackers could quickly move to create exploits and target businesses, so updating the software to the latest release as soon as possible is advisable.
There are no workarounds for these issues, Cisco added. The only thing left to do if you can’t upgrade is to remove all WebEx software completely from a system.
Conference calls a ‘significant & overlooked’ security gap in the enterprise
Conference calls present a significant and overlooked security gap in the enterprise, according to a new research study from LoopUp.
The firm polled 1000 business professionals and found that whilst 70% said it was normal to discuss confidential information on conference calls, more than half admitted that it is also normal not to know who was on the line. This is often due to imperfections with traditional dial-in conferencing, LoopUp pointed out, as with a lack of visibility and control over meetings users cannot see who’s joined or take action to remove unwanted guests.
“Tools with web-based UIs can help in this respect, but are used only in the minority of cases”, LoopUp said in its report.
What’s more, it was discovered that 66% of professionals use the same passcodes to dial-in to calls for up to a year or more which, as is the case when failing to regularly change any form of log-in credential, opens users and businesses up to security risks should they fall into the hands of malicious actors.
However, dial-in conferencing remains the primary way business people participate in conference calls, regardless of whether they have access to web or video conferencing tools.
“It’s not surprising that the majority of business people still default to dial-in to join their conference calls,” said LoopUp co-CEO, Steve Flavell. “While there is an abundance of capable software products for conferencing, most business people neither have the time nor inclination to learn how to use them, and they certainly don’t want to learn by trial and error during their meetings.”
Unfortunately, dial-in conferencing offers a subpar user experience which impacts productivity and costs businesses money, he added. “Even more critically, it can put sensitive information at risk.”
Source: https://www.infosecurity-magazine.com/news/conference-calls-security-gap-in/
Improving decision-making in user access review and cleanup projects
Organizations these days are very dynamic with their distributed workforces and applications. As these companies grow, their IT teams must perform the increasingly complex task of user access management.
Security professionals define access control policies and controls that mandate user access review on a periodic basis. The user access list is sent to application owners for review, and user IDs are disabled or deleted as necessary. The user access review control helps ensure that unauthorized users do not continue to exist in the system if the user ID is deleted during the normal offboarding process.
However, if user access reviews have not been carried out diligently or organizational changes impede access management, the user ID deletion process becomes quite complex. For instance, if a large multinational corporation has been growing through mergers and acquisitions, the integration of user access systems is complicated and cumbersome. Statutory audits in these organizations often reveal noncompliance related to user access management.
The tedium of manual user access review
Organizations set up projects to clean up unauthorized user IDs in the system, and the initiative gets driven through regulatory requirements or the company’s security policy. Due to its manual nature, this process requires a concerted effort and ample resources.
Such a project typically involves the following steps:
1. Generate a user ID report from the relevant systems.
2. Send reports to application and system owners for review.
3. Set up meetings with owners and stakeholders.
4. Disable or delete user IDs based on feedback from owners and stakeholders.
For large organizations with many systems and applications, and potentially thousands of users, the user ID cleanup process is very tedious. A machine learning algorithm can help security teams streamline this process to make decisions more efficiently.
Using machine learning for faster decision-making
User ID cleanup projects are effort-intensive and require complex interactions between various stakeholders, increasing the cost of performing these activities. Administrators have to interact with many different stakeholders to know which user IDs have to be deleted. Often, application or system owners fail to provide input at the right time, putting the organization at risk of potential unauthorized users. This also contributes to noncompliance with regulations and security policies.
Machine learning algorithms can help security teams model user ID disabling activities. These algorithms do not solve the complex problems related to user access review, but they aid in decision-making, which is a critical need in such projects.
Source: https://securityintelligence.com/improving-decision-making-in-user-access-review-and-cleanup-projects/
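As an added illustration of the four-step cleanup procedure and of the decision-support idea in this article (not code from the PwC report or from the SecurityIntelligence piece it cites), the following helper takes a user ID report merged with owner feedback and recommends an action per ID. It uses plain rules rather than a trained model, and it handles the failure mode the article names, owners who never reply, by disabling (reversibly) rather than deleting once a review deadline has passed. The record fields, HR status values, 90-day inactivity threshold, dates and every sample ID are assumptions.

```python
"""Added example (not code from the PwC report or the SecurityIntelligence
article it cites): a rule-based helper that turns a user ID report plus
owner feedback into a cleanup recommendation per ID. The rules, thresholds,
and all records below are constructed/assumed; a real project would feed it
the report from step 1 and the owner responses from steps 2 and 3.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class UserRecord:
    user_id: str
    application: str
    last_login: Optional[date]      # None means the ID has never logged in
    hr_status: str                  # "active" or "terminated" (assumed HR feed values)
    owner_response: Optional[str]   # "keep", "remove", or None when the owner never replied
    privileged: bool = False        # assumed flag carried in the access report


TODAY = date(2017, 12, 1)             # assumed run date of the cleanup pass
REVIEW_DEADLINE = date(2017, 11, 24)  # assumed deadline given to application owners


def recommend(rec, today, review_deadline, inactivity_days=90):
    """Return (action, reasons) with action in {"delete", "disable", "keep", "escalate"}.

    Deliberately conservative: the only automatic irreversible action is for IDs
    that HR or the application owner has already said should be gone.
    """
    reasons = []
    inactive = rec.last_login is None or (today - rec.last_login).days > inactivity_days
    if inactive:
        reasons.append("never logged in" if rec.last_login is None
                       else f"no login in the last {inactivity_days} days")

    if rec.hr_status == "terminated":
        reasons.append("HR status is terminated: ID survived normal offboarding")
        return "delete", reasons
    if rec.owner_response == "remove":
        reasons.append("application owner requested removal")
        return "delete", reasons
    if rec.owner_response == "keep":
        if inactive and rec.privileged:
            reasons.append("owner wants to keep a dormant privileged ID: discuss at the stakeholder meeting")
            return "escalate", reasons
        reasons.append("application owner confirmed the ID")
        return "keep", reasons

    # Owner never replied: the failure mode the article calls out. After the
    # deadline, dormant IDs are disabled (reversible), never deleted outright.
    if today > review_deadline and inactive:
        reasons.append("no owner response by the review deadline; disabling is reversible")
        return "disable", reasons
    reasons.append("no owner response yet: raise at the stakeholder meeting")
    return "escalate", reasons


def build_cleanup_plan(records, today, review_deadline, inactivity_days=90):
    """Group user IDs by recommended action (report order preserved) and keep the reasons."""
    plan = {"delete": [], "disable": [], "keep": [], "escalate": []}
    details = {}
    for rec in records:
        action, reasons = recommend(rec, today, review_deadline, inactivity_days)
        plan[action].append(rec.user_id)
        details[rec.user_id] = (action, reasons)
    return plan, details


# Constructed sample report: step 1 output merged with the owner feedback from steps 2 and 3.
SAMPLE_REPORT = [
    UserRecord("alice", "erp", date(2017, 11, 20), "active", "keep"),
    UserRecord("bob",   "erp", date(2017, 3, 1),   "terminated", None),
    UserRecord("carol", "crm", None,               "active", None),
    UserRecord("dave",  "crm", date(2017, 6, 1),   "active", "keep", privileged=True),
    UserRecord("erin",  "hr",  date(2017, 11, 28), "active", None),
    UserRecord("frank", "hr",  date(2017, 10, 1),  "active", "remove"),
]

if __name__ == "__main__":
    plan, details = build_cleanup_plan(SAMPLE_REPORT, TODAY, REVIEW_DEADLINE)
    for action, ids in plan.items():
        for uid in ids:
            print(f"{action:8} {uid:6} {'; '.join(details[uid][1])}")
```

The output of a pass like this is the agenda for step 3 (the "escalate" bucket) plus a ticket list for step 4; the reasons attached to each ID are what an auditor later asks for, so keep them with the decision rather than recomputing them.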
New .NET-based ransomware uses open source code
Two newly discovered .NET-based ransomware families are using open source repositories to encrypt users’ files, Zscaler security researchers say.
Dubbed Vortex and BUGWARE, the two ransomware families have been seen in live attacks carried out via spam emails containing malicious URLs. Both of the new malware families are compiled in Microsoft Intermediate Language (MSIL) and have been packed with the 'Confuser' packer.
The Vortex ransomware is written in Polish and makes use of the AES-256 cipher to encrypt image, video, audio, document, and other potentially important data files on the victim’s machine, Zscaler notes in an analysis report shared with SecurityWeek.
The same as other ransomware variants out there, the malware drops a ransom note once it has completed the encryption process, informing the victim on how they can restore their data and how to send the ransom money.
The malware allows users to decrypt two of their files for free and demands a $100 ransom, which supposedly increases to $200 in four days. Victims are encouraged to contact the attackers using the [email protected] or [email protected] email addresses.
After installation, the malware attempts to achieve persistence through creating a registry entry, as well as a registry key called “AESxWin.” The malware was also observed deleting shadow copies to prevent users from restoring their data without paying.
While analyzing the malware’s command and control (C&C) communication, the security researchers observed it sending system information and requesting a password from an API, which is used for the encryption and decryption key.
Vortex is entirely based on AESxWin, a freeware encryption and decryption utility hosted on GitHub and created by Egyptian developer Eslam Hamouda.
Thus, files can be decrypted using AESxWin, as long as the password used for encryption is known, Zscaler suggests.
BUGWARE, on the other hand, is based on the open source Hidden Tear code, which has been abused to create various ransomware families before.
The new threat also uses an invalid certificate pretending to be for GAS INFORMATICA LTDA and asks victims to pay the equivalent of a thousand Brazilian reals in Monero.
The malware creates a list of paths to encrypt and stores it in a file called Criptografia.pathstoencrypt.
It also searches for all fixed, network, and removable drives and adds those paths to the list.
Source: http://www.securityweek.com/new-net-based-ransomware-uses-open-source-code
Palo Alto Networks discovered a custom RAT dubbed UBoatRAT that has been used in targeted attacks on personnel or organizations related to South Korea.
Security experts from Palo Alto Networks discovered a custom remote access Trojan (RAT) dubbed UBoatRAT that has been used in targeted attacks on personnel or organizations related to South Korea and the video gaming industry.
UBoatRAT has been distributed through Google Drive links. The malware obtains the address of the command and control (C&C) server from GitHub and uses the Microsoft Windows Background Intelligent Transfer Service (BITS) to maintain persistence.
The address of the C&C server and the destination port are hidden in a file hosted on GitHub, and the malware accesses the file using a specific URL. UBoatRAT communicates with the C&C server using a custom protocol.
The attackers used the GitHub account ‘elsa999’; according to the researchers, the author has been frequently updating repositories since July.
UBoatRAT was first spotted in May 2017, when it was a simple HTTP backdoor leveraging a public blog service in Hong Kong and a compromised web server in Japan for C&C.
Over the following months the authors added several new features to the RAT; the latest variant was released during the summer.
“Palo Alto Networks Unit 42 has identified attacks with a new custom Remote Access Trojan (RAT) called UBoatRAT.” reads the analysis published by Palo Alto Networks.
“The attacks with the latest variants we found in September have following characteristics.
- Targets personnel or organizations related to South Korea or video games industry
- Distributes malware through Google Drive
- Obtains C2 address from GitHub
- Uses Microsoft Windows Background Intelligent Transfer Service (BITS) to maintain persistence.”
The exact targets are still not clear at the moment; the experts speculate that the attackers aimed at Korea or the video games industry, because Korean-language game titles, Korea-based game company names, and some words used in the video games business were used for delivery.
UBoatRAT performs malicious activities on the infected machine only when it is joined to an Active Directory domain, which means that user systems that are not part of a domain would not be impacted.
Threat actors delivered the RAT through a ZIP archive hosted on Google Drive and containing a malicious executable file disguised as a folder or a Microsoft Excel spreadsheet. The latest variants of the UBoatRAT masquerade as Microsoft Word document files.
Source: http://securityaffairs.co/wordpress/66178/malware/uboatrat-east-asia.html
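The behaviours reported in the two malware articles above, shadow copy deletion and a registry entry named AESxWin for Vortex, and BITS-based persistence for UBoatRAT, all surface in process-creation telemetry, which is where a SOC would look for them. The following detection pass is an added example, not code from the PwC report, Zscaler or Palo Alto Networks. The pipe-delimited record format, host and user names and all seven sample lines are constructed; the command-line patterns it matches (vssadmin/wmic for shadow copies, reg.exe writing a Run key, bitsadmin job commands) are assumptions about how these behaviours commonly appear, not details reported on this page.

```python
"""Added detection example over constructed process-creation log lines.

Not code from the PwC report or the vendors it cites. The pipe-delimited
record format, host/user names and every sample line are constructed; the
command-line patterns are assumptions about how the behaviours named in the
articles (shadow-copy deletion, Run-key persistence, BITS job persistence)
commonly show up in endpoint telemetry.
"""
import re
from collections import defaultdict

# Constructed sample: timestamp|host|user|image|command_line
SAMPLE_LOG = r"""
2017-12-01T09:14:02Z|WS-0412|corp\jdoe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2017-12-01T09:14:05Z|WS-0412|corp\jdoe|C:\Windows\System32\reg.exe|reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AESxWin /t REG_SZ /d C:\Users\jdoe\AppData\Roaming\AESxWin.exe
2017-12-01T10:02:44Z|WS-0877|corp\asmith|C:\Windows\System32\bitsadmin.exe|bitsadmin.exe /create updatejob
2017-12-01T10:02:45Z|WS-0877|corp\asmith|C:\Windows\System32\bitsadmin.exe|bitsadmin.exe /SetNotifyCmdLine updatejob C:\Users\asmith\AppData\Local\Temp\svc.exe NULL
2017-12-01T11:30:00Z|WS-0100|corp\ops|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
malformed line without the expected fields
2017-12-01T11:31:00Z|WS-0100|corp\ops|C:\Windows\explorer.exe|explorer.exe
"""

# Each rule: (name, compiled pattern over the command line). Case-insensitive
# because Windows tooling is; "vssadmin list shadows" must NOT fire the first rule.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("run_key_persistence",
     re.compile(r"\breg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b", re.I)),
    ("bits_job_persistence",
     re.compile(r"\bbitsadmin(\.exe)?\s+.*/(create|addfile|setnotifycmdline|resume)\b", re.I)),
]


def parse_line(line):
    """Split one record into a dict; return None for malformed input instead of raising."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    keys = ("timestamp", "host", "user", "image", "command_line")
    return dict(zip(keys, parts))


def scan(lines):
    """Run every rule over every well-formed record; return findings in log order."""
    findings = []
    for raw in lines:
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        for name, pattern in RULES:
            if pattern.search(rec["command_line"]):
                findings.append({"rule": name, **rec})
    return findings


def by_host(findings):
    """Map host -> sorted list of the distinct rule names that fired there."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["host"]].add(f["rule"])
    return {h: sorted(r) for h, r in hosts.items()}


def ransomware_like_hosts(findings):
    """Hosts where shadow copies were deleted AND a Run-key entry was added:
    the combination described for Vortex, which either rule alone would not convey."""
    needed = {"shadow_copy_deletion", "run_key_persistence"}
    return sorted(h for h, rules in by_host(findings).items() if needed <= set(rules))


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.strip().splitlines())
    for f in hits:
        print(f"{f['timestamp']} {f['host']} {f['rule']}: {f['command_line']}")
    print("ransomware-like hosts:", ransomware_like_hosts(hits))
```

The per-host correlation is the part worth copying: a single shadow-copy deletion from an operations account may be legitimate housekeeping, but the same host adding a Run-key entry seconds later is the sequence the Vortex write-up describes, and it deserves a higher-severity alert than either event on its own.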
PayPal's TIO Networks reveals data breach impacted 1.6 million users
PayPal's recently-acquired payment processor TIO Networks has revealed that up to 1.6 million customers have had their information stolen in a recent data breach.
Last week, the Vancouver, Canada-based TIO Networks said that following the suspension of operations, evidence has been uncovered of a data breach due to "unauthorized access."
In a statement, the company said that unknown attackers were able to gain access to "locations that stored personal information of some of TIO's customers and customers of TIO billers."
In total, up to 1.6 million customers may have had their information leaked, which could include personally identifiable information (PII) or potentially financial data.
No details on the type of information exposed have yet been revealed; however, PayPal says the unauthorized access was "ongoing."
PayPal acquired TIO Networks in July 2017 in a deal worth $238 million. TIO Networks operates under PayPal's umbrella but acts as a separate company, processing over $7 billion in consumer bill payments in 2016, supporting roughly 16 million customer bill pay accounts.
In November, PayPal announced the suspension of TIO Networks' operations due to "PayPal's discovery of security vulnerabilities on the TIO platform and issues with TIO's data security program that do not adhere to PayPal's information security standards."
TIO's platform, thankfully, has not been integrated into PayPal's business, which means users of the latter have not been impacted by the latest disclosure.
PayPal launched an internal investigation into the newly-acquired firm's business and hired a third-party cyberforensics company to review the TIO bill payment platform after suspending operations, revealing the data breach.
Source: http://www.zdnet.com/article/paypals-tio-networks-reveals-data-breach-impacted-1-6-million-users/
TIO Networks has begun notifying those potentially impacted by the security issue, and PayPal has signed up credit reporting agency Experian to provide free monitoring for 12 months to customers who have been verified as victims.
"At this point, TIO cannot provide a timeline for restoring bill payment services, and continues to recommend that you contact your biller to identify alternative ways to pay your bills," TIO Networks says. "We sincerely apologize for any inconvenience caused to you by the disruption of TIO's service."
In India, PwC has offices in these cities: Ahmedabad, Bengaluru, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and Pune. For more information about PwC India's service offerings, visit www.pwc.com/in
PwC refers to the PwC International network and/or one or more of its member firms, each of which is a separate, independent and distinct legal entity. Please see www.pwc.com/structure for further details.
©2017 PwC. All rights reserved
For any queries, please contact:
Sivarama Krishnan
[email protected]
Amol Bhat
© 2017 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or CIN : U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity.
PK/December2017-11423