Welcome back to Threat Thursday – where this week it’s a full house of threats: phishing, hacking and security flaws abound.
Yet there are also some major security updates dedicated to your cyber safety. Let’s get to it.
Phishing Campaign Keeps Outlook Users on Lookout
Earlier this week, cyber security specialists Cofense discovered an elaborate spear-phishing campaign, with tactics catered specifically to the target user and company. The scheme was designed to swipe Outlook credentials from the victim, and owing to its smart use of social engineering, we can rightfully file this scheme under “Nasty Piece of Work”.
The scheme involves the distribution of malicious emails, each designed to mimic the target company’s technical support team. These emails are then sent to company users, insisting on urgent action on three critical inbox messages which will be deleted in three days’ time – nothing like a bit of urgency to keep the user clicking, right?
Upon clicking the links, the user is taken to a login page that’s identical to their company’s own home page – the exception being a dodgy, credential phishing overlay which wasn’t there before, asking for the user’s login details. You can probably guess where the scheme is going from here.
This technique is especially sneaky, doing all it can to accurately disguise itself as the company’s internal emails and home page. Yet once again, diligent checking of the sender’s address and the link URL is enough to identify the false sender and website, both of which can clue the victim in to the nefarious meddling afoot. As always – check the sender, check the link, and if in doubt, enquire.
While this appears to be an isolated case, relying on targeted emails rather than indiscriminate ones, it’s yet another example of how phishing techniques evolve, elaborate and adapt to their victims once a criminal has them in their sights.
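The “check the sender, check the link” advice is easy to automate on the mail-gateway side. The script below is an added example, not Cofense’s tooling or anything from the campaign itself: it parses a constructed lure in the style described (fake IT support, “messages will be deleted” urgency, link to a look-alike login page), and flags any sender, Reply-To or link domain that is not the company’s own. The company domain `example-corp.com` and the sample message are assumptions.

```python
"""Flag a phishing lure by comparing sender and link domains against the
company's own domain.  Added example; the sample message is constructed and
the company domain 'example-corp.com' is an assumption."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "example-corp.com"  # assumed domain of the targeted company

# Constructed sample lure: "IT support" asks the user to act on held
# messages via a link to a look-alike login page.
SAMPLE_EMAIL = """\
From: IT Support <helpdesk@example-corp-support.com>
Reply-To: helpdesk@example-corp-support.com
To: alice@example-corp.com
Subject: 3 critical messages will be deleted in 3 days
Content-Type: text/html

<html><body>
<p>Three critical messages are pending in your mailbox.</p>
<p><a href="https://example-corp.com.login-portal.net/owa">Review messages</a></p>
<p><a href="https://intranet.example-corp.com/help">Help desk</a></p>
</body></html>
"""

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def domain_of(addr_or_url: str) -> str:
    """Host part of an e-mail address or URL, lower-cased."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(addr_or_url).hostname or "").lower()


def belongs_to(host: str, company: str) -> bool:
    """True only if host is the company domain or a genuine subdomain of it.
    'example-corp.com.login-portal.net' fails this check even though the
    company name appears in it."""
    return host == company or host.endswith("." + company)


def analyse(raw: str, company: str = COMPANY_DOMAIN) -> dict:
    """Return {'suspicious': bool, 'findings': [...]} for one raw message."""
    msg = message_from_string(raw)
    findings = []

    sender = domain_of(parseaddr(msg.get("From", ""))[1])
    if not belongs_to(sender, company):
        findings.append(f"sender domain {sender!r} is not {company!r}")

    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and not belongs_to(domain_of(reply_to), company):
        findings.append(f"reply-to domain {domain_of(reply_to)!r} is external")

    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for url in HREF_RE.findall(body):
        host = domain_of(url)
        if not belongs_to(host, company):
            note = "a look-alike (company name embedded)" if company in host else "external"
            findings.append(f"link to {host!r} is {note}")

    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for line in analyse(SAMPLE_EMAIL)["findings"]:
        print("-", line)
```

The look-alike check is the part worth copying: a host is only trusted if it ends in `.example-corp.com`, so a domain that merely contains the company name is still reported.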
The Problem Apps Just Keep on a-Comin’ for the Google Play Store
I know, I know – we pick on the Google Play store a lot. And while it might seem like poor form to neg a particular brand, I’m pretty sure the world’s biggest tech conglomerate can survive another ribbing.
This time, at least, it’s not another gaggle of malicious apps – but it is a wider batch of 306 potentially insecure ones, all flouting cryptography best practice with some woefully insecure coding. It’s all detailed in this research paper from the boffins at Columbia University; a paper which I would charitably describe as ‘gargantuan’.
Thankfully, if you don’t fancy crawling through page after page of tech-talk, the story’s quite simple to follow – and it’s all thanks to a little app named CRYLOGGER. This app, designed to scour apps for any breakage in basic crypto rules, found the offending apps among a pool of 1,780. At almost 17% of all apps tested, that could raise further questions over just how many other apps are clogging the store with bad code.
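To give a feel for what “breakage in basic crypto rules” means in practice, here is an added toy version of the approach: log the parameters an app passes to its crypto APIs at run time, then run a list of “don’t” rules over that log. This is not the researchers’ code; the log entries are constructed, and the rule set is a representative subset of common crypto-misuse rules (broken hashes, ECB mode, constant keys and IVs, too few key-derivation iterations, seeded randomness), not the paper’s full list.

```python
"""Toy dynamic crypto-rule checker in the spirit of CRYLOGGER: an instrumented
runtime logs each crypto API call and its argument, and the log is then checked
against a set of 'don't' rules.  Added example, not the researchers' code; the
log is constructed and the rule set is a representative subset (assumption)."""
from collections import Counter

# Constructed log: (api, argument) per intercepted call.  A real log would be
# produced by hooking the platform's crypto classes while the app runs.
SAMPLE_LOG = [
    ("MessageDigest.getInstance", "MD5"),
    ("Cipher.getInstance", "AES/ECB/PKCS5Padding"),
    ("SecretKeySpec", "6c6f6e67686172646b65793132333435"),  # key bytes, hex
    ("IvParameterSpec", "00000000000000000000000000000000"),  # IV bytes, hex
    ("IvParameterSpec", "00000000000000000000000000000000"),  # same IV again
    ("PBEKeySpec.iterations", "100"),
    ("SecureRandom.setSeed", "42"),
    ("Cipher.getInstance", "AES/GCM/NoPadding"),              # passes
]

BROKEN_HASHES = {"MD5", "SHA1"}
BROKEN_CIPHERS = {"DES", "DESEDE", "RC2", "RC4", "BLOWFISH"}
MIN_PBKDF_ITERATIONS = 1000


def looks_like_hardcoded_string(key_hex: str) -> bool:
    """Heuristic (assumption): a key whose bytes are all printable ASCII was
    almost certainly typed into the source as a string constant."""
    key = bytes.fromhex(key_hex)
    return bool(key) and all(32 <= b < 127 for b in key)


def check(log):
    """Return a list of (rule, detail) violations found in the log."""
    violations = []
    iv_uses = Counter()
    for api, arg in log:
        if api == "MessageDigest.getInstance":
            if arg.upper().replace("-", "") in BROKEN_HASHES:
                violations.append(("broken-hash", arg))
        elif api == "Cipher.getInstance":
            parts = arg.upper().split("/")
            if parts[0] in BROKEN_CIPHERS:
                violations.append(("broken-cipher", arg))
            if len(parts) > 1 and parts[1] == "ECB":
                violations.append(("ecb-mode", arg))
        elif api == "SecretKeySpec" and looks_like_hardcoded_string(arg):
            violations.append(("constant-key", arg))
        elif api == "IvParameterSpec":
            iv_uses[arg] += 1            # judged after the loop, see below
        elif api == "PBEKeySpec.iterations" and int(arg) < MIN_PBKDF_ITERATIONS:
            violations.append(("few-pbkdf-iterations", arg))
        elif api == "SecureRandom.setSeed":
            violations.append(("static-seed", arg))

    # IV rules need the whole log: a zero IV is bad once, a repeated IV is bad
    # however it was chosen, because it breaks the mode's uniqueness guarantee.
    for iv, n in iv_uses.items():
        if set(iv) <= {"0"}:
            violations.append(("all-zero-iv", iv))
        if n > 1:
            violations.append(("iv-reuse", f"{iv} used {n} times"))
    return violations


if __name__ == "__main__":
    for rule, detail in check(SAMPLE_LOG):
        print(f"{rule:22} {detail}")
```

The point of doing this dynamically rather than by reading source is visible in the IV rule: whether an IV is reused can only be seen from the values actually passed at run time, which is exactly what a logger captures and a static scan can miss.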
The vulnerable apps have not been named by the researchers at Columbia University, which does at least prevent them from being exploited in the wild. With the university researchers now reaching out to the developers of these apps, here’s hoping they can be patched appropriately before more nefarious tech-heads discover them.
Until then, approach Google Play apps with caution. Like many online marketplaces, the service is something of a Wild West, with the more renowned brands and developers being most deserving of your trust.
Crying at the Cisco Text
We did it, guys; we finally found another way to squeeze a tenuous ‘Disco’ pun from another Cisco story.
This week, the company smashed a critical vulnerability in Cisco Jabber, their comms and collaboration app. Owing to their rise in prominence – what with this whole virus thing – comms apps are the software of choice for opportunist hackers, and this latest flaw put Jabber users at some pretty serious risk.
How serious? Well, at a whopping 9.9 on the Common Vulnerability Scoring System, this one’s bound to make security officers sweat (and round number enthusiasts froth at the mouth).
It all comes down to Jabber’s Extensible Messaging and Presence Protocol, or XMPP as it’s more sensibly referred to. As explained by Watchcom, the people behind this discovery, XMPP governs the instant messaging systems on Cisco Jabber. Unfortunately, Jabber’s filtering process suffered a significant flaw that would allow malicious HTML tags to slip through that filter.
In other words: hackers could compromise systems simply by sending a carefully-coded message.
What makes this even more troubling is that the messages would require no user interaction to activate, giving hackers Remote Code Execution capabilities with few issues. There are further details in Watchcom’s technical rundown, but we wouldn’t necessarily call that ‘beginner-friendly’ either.
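The defensive lesson from a filter that lets tags “slip through” is to stop hunting for bad tags and instead keep only a short list of known-good ones, escaping everything else into inert text. The sanitiser below is an added example of that allowlist approach for HTML-formatted chat messages; it is not Cisco’s or Watchcom’s code and says nothing about how Jabber’s own filter is built. The allowed tag set, the allowed `href` schemes and the sample messages are assumptions.

```python
"""Allowlist sanitiser for HTML-formatted chat messages.  Added example of the
defensive counterpart to a filtering flaw: only a fixed set of formatting tags
and attributes is kept, everything else is escaped to harmless text.  Not
Cisco's or Watchcom's code; tag set and samples are assumptions."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"b", "i", "em", "strong", "br", "p", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no event handlers, no style
SAFE_SCHEMES = {"http", "https"}         # links may only point at web URLs


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_allowed = []   # stack of tags we emitted, so we close only those

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Unknown tag: render its literal text, escaped, rather than drop it
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and urlparse(value).scheme not in SAFE_SCHEMES:
                continue             # drop links with non-web schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self.open_allowed.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag in self.open_allowed:
            # Close down to the matching tag so the output nests properly
            while self.open_allowed:
                t = self.open_allowed.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break
        else:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data))   # text is always re-escaped

    def result(self) -> str:
        while self.open_allowed:         # close anything left open
            self.out.append(f"</{self.open_allowed.pop()}>")
        return "".join(self.out)


def sanitize(message: str) -> str:
    """Return a copy of message containing only allowlisted markup."""
    p = Sanitizer()
    p.feed(message)
    p.close()
    return p.result()


if __name__ == "__main__":
    # Constructed sample: one allowed tag, one that is not
    print(sanitize("<b>Hello</b> <script>alert(1)</script>"))
```

Note that the non-allowlisted `<script>` element is not silently dropped but shown escaped, so the recipient sees exactly what was sent while the client never interprets it; silently stripping can hide tampering and, with a denylist, tends to be the place where variants slip past.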
All you need to be aware of is which versions of Jabber are vulnerable, and the latest versions you’ll need to update to. Thankfully, that info is all in the link above – just look for the ‘Mitigation’ section.
Gee Whiz, Gang! It’s Time for Another Patch Tuesday Rundown!
Limericks. Stage plays. Interpretive dance. A Michael Bay film adaptation. Just some of the ways I’ve considered presenting Patch Tuesday in a bid to make it more interesting. Unfortunately, Mirus has shot down almost all my ideas, citing ‘budget’, ‘feasibility’ and ‘personal sanity’ as major barriers. You just can’t work under these conditions.
Even so, another month has passed and there’s a whole new batch of updates across major operating systems and software. Here’s everything for September.
Android’s latest Security Bulletin lists 8 critical vulnerability fixes across their system framework, media framework and the ever-important Qualcomm components that support Android hardware. By Android’s own reports, the most severe security flaws would have allowed our old friends the Remote Code Execution vulnerabilities to wreak havoc on affected systems. All in all, there were 30 security fixes made.
Microsoft put the kibosh on 129 vulnerabilities this month, squashing 23 critical vulnerabilities and fixing numerous security issues, most notably on Windows Server 2016 and above. Vitally important for enterprise owners and operators.
And Adobe stomped out multiple vulns over their Experience Manager, Adobe Framemaker, and InDesign software. Combined, the company patched 12 critical flaws this month, most of which were once again related to Remote Code Execution and at least one of which was divulged by an unnamed stranger. Maybe that’s your excitement for this month: the mystery of the anonymous bug reporter? No? Maybe next time, then.
Thus concludes another full-on week of the latest and most pertinent cyber security updates.
There’s no need to come to us next time, though – not when we can come to you.
For the latest Threat Thursday updates straight into your inbox, simply drop your email in the field on the right of this page. We’ll add you straight to our mailing list.