Blog: IT Security Alerts

On May 24, 2019, Fortinet published an advisory stating that certain versions of their FortiOS software are vulnerable to a path traversal attack which allows an attacker to download system files through specially crafted HTTP requests. The vulnerability is only present when the SSL VPN service is enabled – either web-mode or tunnel-mode. The vulnerable FortiOS versions and the corresponding patched versions are:

• FortiOS 6.0.0 to 6.0.4
  • Patched version: 6.0.5 or above
• FortiOS 5.6.3 to 5.6.7
  • Patched version: 5.6.8 or above
• FortiOS 5.4.6 to 5.4.12
  • Patched version: 5.4.13 (upcoming)

CoNetrix Security Penetration Test engineers have confirmed this vulnerability can be used to download usernames and passwords from FortiGate devices. The usernames and passwords can then be used to establish an SSL VPN connection which would give an attacker access to internal networks and systems.

CoNetrix strongly recommends all customers ensure the patched versions of FortiOS listed above are installed on all Fortinet devices that have the SSL VPN service enabled.

CoNetrix Technology customers with managed service agreements have already been updated to the FortiOS version to protect against the vulnerability.

References:
https://fortiguard.com/psirt/FG-IR-18-384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379

A report of two new vulnerabilities named Meltdown and Spectre was published last Wednesday, January 3, 2018. It is a big deal because they are hardware vulnerabilities affecting pretty much everything with a silicon chip. Yes, this means microprocessors on workstations and servers, mobile phones, tablets, cloud services, and other platforms.

Currently, mitigation and recommended processes are in flux. New information, articles, and white papers have emerged daily over the last week. As you research these concerns, be sure you are referencing reputable sources and the information is up-to-date.

For now, the tricky part is that some of the early updates aimed at mitigating the vulnerabilities have yielded incompatibilities which might leave systems inoperable. (The fix might break things.) Please be cautious. Verify and test updates before installation.

The Vulnerabilities

If exploited, both vulnerabilities, which are classified as speculative execution vulnerabilities, allow unauthorized access to protected areas of memory which could allow an attacker to collect sensitive information such as passwords and nonpublic customer information.

• Meltdown - allows unauthorized access to memory, including protected kernel memory. Affects almost all Intel processors manufactured since 1995 and some ARM processors.
• Spectre - allows unauthorized access to memory used by other computer processes. Affects almost all processors. It has been verified on Intel, AMD, and ARM processors.

Mitigation

As the IT industry moves to mitigate these vulnerabilities, incompatibilities which can render systems unusable have occurred. It is of utmost importance to verify and test updates before installation. Prudently pursue and ensure the following security processes are working effectively within your organization (these are already standard elements of strong security cultures):

• Installation of security software updates - antivirus software, endpoint security software, etc.
• Installation of operating system (OS) updates - Microsoft Windows, Linux, Mac OS, iPhone, Android, etc.
• Installation of web browser updates - Microsoft Edge/Internet Explorer, Google Chrome, Mozilla Firefox, etc.
• Installation of firmware updates for microprocessors - BIOS updates issued by computer system manufactures - Dell, Lenovo, HP, Apple, etc.
• Prevention of malicious code execution - website blocking, website ad-blocking, phishing detection, security awareness training for users (how to spot malicious emails, not to click on links in emails), etc.

Exploits of these vulnerabilities are likely to change over time and the controls issued by hardware and software manufactures are likely to change as well. Therefore, it will be important to ensure updates are installed regularly.

 

Additional information provided by the researchers who discovered both vulnerabilities can be found at https://meltdownattack.com/.

The Equifax data breach announced yesterday potentially affects 143 million U.S. consumers and is one of the largest breaches of personal information. The following steps can be taken by consumers to help protect against fraud and identity theft:

1. Enroll in the free security services offered by Equifax - https://trustedidpremier.com/eligibility/eligibility.html
2. Place a security freeze on your credit file with each of the credit bureaus
   • https://www.equifax.com/personal/credit-report-services/credit-freeze/
   • https://www.experian.com/freeze/center.html
   • https://freeze.transunion.com/
   • https://www.innovis.com/personal/securityFreeze
3. Monitor your financial accounts for unauthorized activity and report unauthorized activity immediately
4. Obtain a copy of your credit report, review it for unauthorized activity, and report unauthorized activity immediately - www.annualcreditreport.com
5. Set up alerts on your debit and credit accounts to notify you of transactions, changes to your account, or other alerts offered by your financial institution

Additional details:

 The credit reporting bureau, Equifax, reported yesterday that they have been compromised. Non-public information affecting potentially 143 million U.S. consumers was stolen, primarily consisting of names, Social Security numbers, birth dates, addresses, and, in some instances, driver's license numbers. Additionally, credit card numbers for approx. 209,000 U.S. consumers and dispute documents for approx. 182,000 U.S. consumers were accessed. Further details from Equifax can be found here:

• https://www.equifaxsecurity2017.com/ - Equifax's public statement and video from their CEO
• https://www.equifaxsecurity2017.com/potential-impact/ - How to check with Equifax if your information was affected and how to enroll for the free services they are offering. Free enrollment in the credit monitoring and other services ends on November 21, 2017.
• https://www.equifaxsecurity2017.com/trustedid-premier/ - A list of the services that are being offered for free for one year by Equifax. TrustedID Premier is a division of Equifax.

For information from a source independent of Equifax, Brian Krebs' coverage can be found here - https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/.

Additional information about the steps consumers can take to protect against fraud and identity theft:

• Placing a security freeze on your credit file with the four major credit bureaus (Equifax, Experian, Trans Union, Innovis) may have associated fees depending on which state the consumer lives in. Also, some states require the freeze to expire after a specified amount of time.
• NOTE - A security freeze will also prevent the consumer from opening new lines of credit (a new credit card, new loan, etc.) unless the consumer first removes the security freeze. Fees may be associated with removing the freeze. Here are some resources:
  • https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/ (the "Personal Experience" section at the end of the page explains what happens when a credit application is filled out with a security freeze in place)
  • http://clark.com/personal-finance-credit/credit-freeze-and-thaw-guide/
• Here are links to the credit bureau websites:
  • https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp (no longer valid)
  • https://www.experian.com/freeze/center.html
  • https://freeze.transunion.com/
  • https://www.innovis.com/personal/securityFreeze
• By law, you can get a free copy of your credit report every 12 months at www.annualcreditreport.com
• Each financial institution has different services and alerts available for debit and credit accounts. Consumers should check with their institution for details. Examples of alerts that can be useful include notification of transactions over a specific threshold (e.g. over $100), transactions originating outside the US, and changes to the consumer's account profile (e.g. password change).

An outbreak of the WCry (also known as WannaCry/WanaCrypt0r) ransomware began to be reported May 12, 2017. The attack was worldwide and deemed by some as “the biggest ransomware outbreak in history.”

The goal of the attack, like all ransomware, is to encrypt computer files making them unavailable to the computer user. A payment is required to get the key which unlocks the files.

The ransomware was discovered in early February 2017, but was recently updated and began spreading quickly. It is delivered via a phishing email. When downloaded it exploits an SMB vulnerability (Small Message Block is a file sharing protocol used by Windows operating systems). The vulnerability was addressed in March 2017 by Microsoft Security Bulletin MS17-010. WCry will use unpatched SMB to spread payloads to vulnerable machines on the same network and to randomly choose IP addresses on external networks.

If Windows systems are patched, in accordance with MS17-010, the SMB vulnerability is resolved and the systems are not vulnerable. 

CoNetrix Technology customers with Network Advantage managed service agreements were automatically updated in March 2017 when this patch was initially released.

CoNetrix recommends that all customers verify this update is installed as soon as possible.

 

Researchers have reported a critical vulnerability in recent versions of OpenSSL which is used to secure numerous websites. This vulnerability has been assigned CVE identifier CVE-2014-0160 and is also known as the “Heartbleed Bug.” Exploitation can expose a website's secret keys, usernames and passwords of site users as well as other confidential information. [more]

This affects systems using OpenSSL versions 1.0.1 through 1.0.1f. Note this also includes numerous appliances used to terminate SSL connections used in Virtual Private Networks, secure email solutions, etc. Thus, even if you are only using unaffected Microsoft web servers, you may need to address these other types of appliances and embedded systems.

The Qualys SSL Labs scanning service available at https://www.ssllabs.com/ssltest/ can be used to determine if a particular site exhibits this vulnerability.

Additional information is available at http://heartbleed.com.

We recommend you work with appropriate vendors to identify vulnerable systems and apply the appropriate patches as soon as possible.

The Federal Financial Institutions Examination Council (FFIEC) issued statements today notifying financial institutions of the risks associated with cyber-attacks on Automated Teller Machines (ATM) and car authorization systems and the continued distributed denial of service (DDoS) attacks. [more]

To read the Press Release, visit http://www.ffiec.gov/press/pr040214.htm

To view the Joint Statement, Cyber-attacks on Financial Institutions' ATM and Card Authorization Systems, visit http://www.ffiec.gov/press/PDF/FFIEC%20ATM%20Cash-Out%20Statement.pdf

To view the Joint Statement, Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources, visit http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf

The Federal Financial Institutions Examination Council (FFIEC) jointly issued a statement to alert financial institutions Microsoft will discontinue extended support for Windows XP effective April 8, 2014.  After this date, Microsoft will no longer provide secruity patches or support for the Windows XP Operating System.  To read the Joint Statement, visit http://ithandbook.ffiec.gov/media/154161/final_ffiec_statement_on_windows_xp.pdf 

I have received 4 or 5 email this week from a phishing scam that claims that one of my ACH transactions was recently cancelled. These emails are getting through the filters and landing in my Inbox. If you or anyone you know gets an email similar to the one below, delete it. I have modified the link in the email below so it won’t work, but you can still see where it was trying to go.

One indication the emails are fake – they purport to come from NACHA, the National ACH Association. However, NACHA does not deal directly with consumers or individual transactions.

If you know someone who works with payroll, purchasing, paying bills, etc., you should warn them about these emails. They are targeting people who work with online ACH transactions. Imagine the horror if the person responsible for payroll at a company received an email saying, “ACH Payroll Cancelled”. They would be very likely to click on the link first and think about security later. [more]

From: admin@nacha.org 
Sent: Friday, September 16, 2011 8:07 AM
To: You
Subject: ACH Payroll Cancelled

 
The ACH Payroll transaction (ID: 2150243623890),
recently initiated from your operating account (by your company), was rejected by the other financial institution.

Cancelled transaction Transaction ID: 2150243623890 Reason for rejection: See details in the report below Transaction Report: report_2150243623890.pdf.zip (self-extracting archive, Adobe PDF) Note: If you are sure that this email was delivered to you by mistake, please redirect it to your director or accountant.

..
13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703)561-1100 2011 NACHA - The Electronic Payment Association