And we’re back! It’s a rough week for routers this time, as devices for both small businesses and home workers suffer some security slip-ups.
There’s also another group of threat actors leaping onto the Magecart school of card-skimming.
Neutered Routers Could Pollute Our Computers - Cisco Salutes Its Astute Trouble-shooter
During little more than a routine check up on a client’s network this week, CyCognito’s Head of Security Research, Alex Zaslavsky, came upon a major discovery: a zero-day cross-site scripting vulnerability. Known as an ‘XSS’ among acronym fans, the issue was found lurking in two of Cisco’s small business routers; specifically, the RV042 and RV042G models.
As Zaslavsky explains, XSS vulnerabilities are a veritable trove to hackers and cyber criminals, paving the way for session hijacking, account compromise and data theft. “…Hackers are clever”, he reinforces, “and if they can enter a network through a remote branch office, they will”. He goes into greater technical detail over on his blog, where it’s revealed that the flaw exists among other, unnamed routers from different manufacturers.
While it’s a little frustrating that the other affected routers aren’t divulged, it’s actually a very considered decision. This is a zero-day vulnerability, unbeknown to manufacturers, the public or fraudsters, and divulging those affected models would have cyber criminals scrambling to compromise them all. Zaslavsky has endeavoured to share the details once each manufacturer responds.
As for Cisco? As you might imagine, they’ve already pushed out an update that patches both routers appropriately. If your business relies on either of these models for their networking needs, now’s the time to download it.
German Think Tank Delivers Verdict on Home Routers: Es Ist Nicht Gut
Germany - a country that can barely win Eurovision but can develop a Union-leading response to global pandemics - has delivered a stark warning this week about our home Wi-Fi security.
The Fraunhofer Institute for Communication, Information Processing and Ergonomics revealed that the 127 home routers they tested were still available for purchase in Europe, but on average had not seen a security update within 378 days. The study tested such popular brands as ASUS, Linksys, TP-Link and Netgear.
The full report is available here, and while it’s a perfectly readable report it is definitely ein großer – you’ll probably want a cup of tea and some biscuits to get through it. Also note that there is an acknowledged possibility of false negatives around the report’s research into password security – so this is by no means conclusive just yet.
Even so, with so many of us working from home it’s important to note that our routers might not be as secure as the ones at our workplaces. Remember to revise any of your hardware’s default passwords, invest in decent security and ensure your work devices have been adequately protected by your IT department or provider.
Some Things Can’t Wait as Windows Skips Patch Tuesday to Get a Critical RCE Fix Out
Patch Tuesday, our least favourite thing to write about on Threat Thursday (I mean, it’s just a massive list, guys) will be two exploits slimmer for Microsoft this July. This week, the tech giant steamrolled two Remote Code Execution fixes onto operating systems, one of which was deemed critical.
The critical CVE-2020-1425 patch and its less-critical-but-still-important brother CVE 2020-1457 in a patch released last week. Security researcher Abdul-Aziz Hariri first revealed the vulnerabilities to ZDNet last Wednesday.
The vulnerabilities exist in Windows’ media codecs, and could be exploited with a specially-crafted image files, such as a .jpeg. Thankfully, that exploit was never witnessed in the wild and now, assuming we’re all patched up, it never will be.
Lazarus Proves: Nine Out of Ten Malicious Card-Skimming Fraudsters Prefer Magecart!
Magecart, the card-skimming code that targets online point-of-sales services such as Magento and Opencart, has another new fan in the cyber crime community – Lazarus. With its sights reportedly set on European and American webstores, it’s already begun a spate of credential-phishing emails in a bid to weasel its way into their checkout pages.
For those that aren’t familiar, Magecart is a distinctive and malicious programming code that allows the user to read payment details as they’re processed through an online store. In this latest campaign, Lazarus spear-phishes retail staff to obtain their logins and passwords. In doing so, they can inject the malicious code into the checkout pages and send it through the Magecart global network; itself run by numerous other cyber crime syndicates.
And it’s quite the network they’ve built for themselves, too. According to Sansec’s report, the illicit network connects through the compromised pages of “a modelling agency from Milan, a vintage music store from Tehran and a family run book store from New Jersey.” If anything, it seems businesses big and small, from anywhere in the world, can be a candidate – so don’t assume you’re invincible.
As always, the silver lining for us victims is that Lazarus’s spear-phishing method is anything but fool-proof. Regular readers know the rules by now; never open unexpected files, never click unfamiliar links, and always check the sender’s address before opening an email.
Bad Dog! Cerberus Drags Its Behind All Over Google Play’s Carpet
There’s another emerging threat that’s been discovered this week, and while it’s not yet affecting users outside the UK, there’s nothing to stop it reaching our shores very soon.
Spanish Android users have fallen victim to another malicious app that has made its way onto the Google Play store. Calculadora de Moneda, a Spanish currency-converting app that’s impossible to pronounce without adopting a sexy accent, was found to contain the Cerberus malware. Once injected onto a user’s phone, this mythical malware has the capacity to both bypass two-factor authentication and steal a user’s banking details; to that end, its embedding in a currency converting app was quite obviously a calculated effort.
It’s another unfortunate instance of malware finding its way onto the Google Play store unnoticed, and given the store’s track record it unfortunately might not be the last. Calculadora de Moneda has reportedly been downloaded more than 10,000 times, so the full scale of this latest scheme may be bigger than we’d perhaps like.
One more week of Threat Thursday in the bag then – join us next week where we’ll no doubt have plenty more for your perusal.
Still, why come here every week for your cyber security updates when they could be sent straight to you instead?
If you join our mailing list, we’ll be sure to send the latest edition directly to your inbox. Simply stick your email address in the box on the right ➡️ of this page and we’ll add you to the mailing list!