You know the drill: it's Thursday!
Welcome to another Threat Thursday! This week, there’s an update on the much-publicised Citrix vulnerability and a sizeable data leak at Microsoft that you’ll want to be aware of. Elsewhere, a Windows 7 vulnerability is already being exploited in the system’s first month without product support. Stay awhile, and listen…
Penny-Pinching PayPal Pillagers Profit from Foul Phishing Frenzy
I’ll try and get through this with as little alliteration as possible.
Users of the popular payment portal PayPal (See me - Ed) fall under the threat of an advanced new phishing kit sold on a Malware-as-a-Service (MaaS) basis, dubbed 16Shop. Developed by Indonesian cybercrime collective Cyber Army, 16Shop began life as an Apple and Amazon customer phishing kit, but has since expanded to target American Express and PayPal customers.
The grift begins with a phishing email telling the targeted customer that their account has been compromised and that they need to reset their payment details. The link leads to a lookalike site where the victim is invited to enter their account details, and everything they type is hoovered up by the kit’s operator.
So far, so typical. Yet 16Shop’s new kit is advanced. It ships with a blocklist of security company IP ranges, so that when researchers or vendor scanners visit the phishing page they are turned away and the page stays unreported for longer. It generates and sends the phishing emails automatically, and even has a dashboard that lets operators track the progress of their campaign. Designed to harvest as much of a victim’s personal information as possible, it’s a worryingly sophisticated upgrade to the phishing kit.
Like all phishing scams, however, this one starts with that simple, suspicious email. So long as you’re aware of the threat, treat unexpected messages with scrutiny, check that the sending address (not just the display name) really belongs to the business it claims to be, and go to the site directly rather than following links in the message, you’ll likely avoid the threat.
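The checks described above can be automated at the mail gateway. The following is an added example, not code from the original post or from any product it mentions: it parses a message, pulls the SPF and DKIM verdicts from the Authentication-Results header, and flags brand impersonation in the display name, unaligned authentication results (a pass for some unrelated bulk-mailer domain proves nothing about the From: address), and links that lead away from the sender’s domain. The brand-to-domain table, the sample messages and the example.org/.example domains are all constructed for the example, and organisational-domain matching is simplified to the last two labels (real DMARC uses the Public Suffix List).

```python
import re
from email import policy
from email.parser import BytesParser

# Brands 16Shop is reported to impersonate, mapped to the domain the real
# business sends from (assumed here for illustration).
BRAND_DOMAINS = {
    "paypal": "paypal.com",
    "amazon": "amazon.com",
    "apple": "apple.com",
    "american express": "americanexpress.com",
}

def org_domain(domain):
    """Collapse a hostname to its organisational domain.
    Simplification: keep the last two labels. Real DMARC alignment uses the
    Public Suffix List, so 'example.co.uk'-style domains need more care."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()

AUTH_CLAUSE = re.compile(
    r"(spf|dkim|dmarc)=(\w+)"
    r"(?:.*?(?:smtp\.mailfrom|header\.d|header\.from)=([\w.\-]+))?")

def parse_auth_results(header):
    """Turn an Authentication-Results header into {method: (result, domain)}."""
    results = {}
    if not header:
        return results
    # The first ';'-separated clause is the authserv-id, not a verdict.
    for clause in str(header).split(";")[1:]:
        m = AUTH_CLAUSE.match(clause.strip())
        if m:
            results[m.group(1)] = (m.group(2).lower(), (m.group(3) or "").lower())
    return results

def assess(raw_message):
    """Return a list of reasons the message looks like brand impersonation."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    from_hdr = msg["From"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    display = (sender.display_name if sender else "").lower()
    from_domain = (sender.domain if sender else "").lower()
    auth = parse_auth_results(msg["Authentication-Results"])
    reasons = []

    # 1. Display name claims a brand, but the address is not that brand's domain.
    for brand, real_domain in BRAND_DOMAINS.items():
        if brand in display and org_domain(from_domain) != real_domain:
            reasons.append(f"display name claims {brand!r} but From domain is {from_domain}")

    # 2. SPF and DKIM must pass *and* align (relaxed) with the From domain.
    for method in ("spf", "dkim"):
        result, auth_domain = auth.get(method, ("none", ""))
        if result != "pass":
            reasons.append(f"{method} did not pass ({result})")
        elif org_domain(auth_domain) != org_domain(from_domain):
            reasons.append(f"{method} passed for {auth_domain}, not aligned with From {from_domain}")

    # 3. Links in the body that lead somewhere other than the sender's organisation.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    for host in re.findall(r"https?://([\w.\-]+)", body):
        if org_domain(host) != org_domain(from_domain):
            reasons.append(f"link host {host} differs from sender domain {from_domain}")
    return reasons

# Constructed samples (not real traffic); domains are reserved/example names.
PHISH_RAW = b"""From: "PayPal Service" <service@paypa1-secure.example>
Subject: Your account has been limited - payment reset required
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=paypa1-secure.example; dkim=pass header.d=paypa1-secure.example

Please confirm your details at http://paypa1-secure.example/reset
"""

SPOOF_RAW = b"""From: "PayPal" <service@paypal.com>
Subject: Unusual sign-in detected
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bulk-mailer.example; dkim=none

Review the activity at http://paypal.com.reset-now.example/login
"""

LEGIT_RAW = b"""From: "PayPal" <service@paypal.com>
Subject: Receipt for your payment
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com

Thanks for your payment.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_RAW), ("spoof", SPOOF_RAW), ("legit", LEGIT_RAW)):
        print(name, assess(raw) or ["no findings"])
```

Note what the first sample shows: a kit operator who registers their own lookalike domain passes SPF and DKIM perfectly, so authentication alignment alone is not enough; the display-name check is what catches it. The second sample is the classic spoofed From: header, which alignment does catch.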
Oh, Come On Now: Microsoft Misconfigures its Own Cloud Databases, Putting Millions of Users at Risk
I mean, really.
Microsoft has accidentally exposed a staggering 250 million customer support records over the space of 25 days, thanks to a set of Elasticsearch databases left reachable from the internet with no authentication in front of them; or, as Microsoft puts it, “misconfigured security rules” in the network security group that should have kept them off the internet.
The databases contained customer support logs going as far back as 2005 and right up to December 2019, the one saving grace being that most of the personally identifiable info had already been redacted. Payment details and contact numbers are therefore considered safe, yet some records, stored in plain text, revealed email and IP addresses, internal notes marked as confidential, and details of customer support cases. That’s… still not great.
Furthermore, Microsoft’s automated redaction process isn’t foolproof; any personal details entered in an unsupported format are unlikely to have been redacted. Microsoft’s own example compares the email address “XYZ @contoso.com” to XYZ@contoso.com: the former was potentially left unredacted because its stray space means it isn’t a well-formed address and so doesn’t match the pattern the redactor looks for. Given the volume of the exposure, it’s likely that thousands of users have been left exposed by pattern matching that only recognises tidy input.
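The redaction gap Microsoft describes is easy to reproduce, and easy to audit for. The following is an added example, not Microsoft’s redaction code: a naive regex redactor of the kind that only matches a well-formed address, a more tolerant pattern that also accepts whitespace around the “@” and the “at”/“dot” spellings people type into support forms, and an audit function that runs the naive pass and then reports what the tolerant pattern still finds. The sample log excerpt is constructed for the example; the contoso.com and fabrikam.net domains are placeholders.

```python
import re

# Naive redactor of the kind that misses "XYZ @contoso.com": it only
# matches a well-formed address with nothing around the '@'.
NAIVE_EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Tolerant variant: allows whitespace around the '@' and the common
# spellings people type into a support form ("at", "[at]", "(at)", "dot").
# It deliberately errs towards over-redacting, which is the safer failure
# direction for a dataset that might one day end up exposed.
TOLERANT_EMAIL = re.compile(
    r"[\w.+-]+\s*(?:@|\(at\)|\[at\]|\bat\b)\s*[\w-]+"
    r"(?:\s*(?:\.|\(dot\)|\[dot\]|\bdot\b)\s*[\w-]+)+",
    re.IGNORECASE)

def redact_naive(text):
    """The kind of pass that leaves 'XYZ @contoso.com' untouched."""
    return NAIVE_EMAIL.sub("[email]", text)

def redact_tolerant(text):
    """Hardened pass that also catches spaced and spelled-out addresses."""
    return TOLERANT_EMAIL.sub("[email]", text)

def audit(text):
    """Run the naive pass, then report what the tolerant pattern still finds.
    This is the check to run over a 'redacted' dataset before trusting it."""
    redacted = redact_naive(text)
    leftovers = [m.group(0) for m in TOLERANT_EMAIL.finditer(redacted)]
    return redacted, leftovers

# Constructed support-log excerpt (not Microsoft data).
SAMPLE_LOG = """\
Case 1: customer jane.doe@contoso.com reports a login failure
Case 2: reply sent to JOHN @contoso.com (address typed with a space)
Case 3: escalation raised by ops [at] fabrikam [dot] net
"""

if __name__ == "__main__":
    redacted, leftovers = audit(SAMPLE_LOG)
    print(redacted)
    print("left behind by the naive pass:", leftovers)
```

A regex will never be a complete answer (names, phone numbers and free-text case notes leak identity too), which is why the audit step matters more than either pattern: measure what your redactor misses on real-shaped input before you rely on it.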
The leak, discovered by security researchers at Comparitech, could have been a goldmine for phishers had they found it first. While nothing immediately identifiable was available, details such as email addresses and case numbers could have been more than enough to start a convincing phishing attempt. Microsoft is a commonly-mimicked entity when it comes to phishing campaigns, so for them to potentially dump all this ammo right into scammers’ laps is damning.
If you’re a Microsoft user – and we’re willing to bet you are – be suspicious of any emails supposedly from Microsoft. With case numbers and details potentially made available, scammers might be creating some incredibly convincing phishing emails in order to squeeze more out of you. Microsoft will be contacting any users affected by this leak but until then, just be cautious.
Quick Fix For Citrix
Last week, we advised readers of a remote code execution vulnerability in Citrix Gateway and Citrix Application Delivery Controller (ADC).
In this second (direly predictable) episode of the ongoing saga, we’re pleased to report that the first fixes are now available. CVE-2019-19781 now has a patch for users of Gateway 11.1, Gateway 12.0, Application Delivery Controller 11.1 and Application Delivery Controller 12.0.
In even more encouraging news, the fixes for the remaining versions of both products, originally scheduled for the end of the month, have been brought forward; Citrix now expects them as early as tomorrow (24/01/2020). If you’re running either product, make sure every appliance is patched before you clock off for the weekend. One caveat: this flaw was being exploited in the wild for weeks before any fix existed, and a patch does nothing about an attacker who is already on the box, so check each appliance for signs of compromise as well as patching it (Citrix and FireEye have published a free indicator-of-compromise scanner for exactly this).
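Checking for compromise starts with the appliance’s own access log. The following is an added example, not Citrix’s or FireEye’s tooling: it scans constructed Apache-combined-format lines of the kind Citrix ADC and Gateway write to /var/log/httpaccess.log and flags requests matching the publicly documented CVE-2019-19781 signature, a path that climbs with “/../” out of the unauthenticated /vpn/ tree and lands in /vpns/. The log lines, addresses and timestamps are constructed for the example; the decoded-path logic mirrors the pattern Citrix’s own mitigation policy keys on, not a copy of it.

```python
import re
from urllib.parse import unquote

# Constructed sample of Citrix ADC / Gateway httpaccess.log lines. The traversal
# paths are modelled on the publicly documented indicators for CVE-2019-19781.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jan/2020:03:14:07 +0000] "GET /vpn/index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Jan/2020:03:14:09 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83 "-" "curl/7.64.0"
203.0.113.5 - - [11/Jan/2020:03:14:11 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0 "-" "curl/7.64.0"
198.51.100.9 - - [11/Jan/2020:03:15:00 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 83 "-" "python-requests/2.22.0"
192.0.2.77 - - [11/Jan/2020:03:16:22 +0000] "GET /vpn/logout.html HTTP/1.1" 200 410 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, identd, user, [timestamp], "METHOD PATH PROTO", status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def normalise(path):
    """Strip the query string and decode twice, so %2e%2e and %252e%252e both become '..'."""
    return unquote(unquote(path.split("?", 1)[0]))

def is_traversal_to_vpns(path):
    """CVE-2019-19781 signature: a decoded path that both climbs with '/../'
    and lands in /vpns/, which the unauthenticated /vpn/ tree must never reach."""
    decoded = normalise(path)
    return "/../" in decoded and "/vpns/" in decoded

def scan(log_text):
    """Return one hit per suspicious request, with the fields an analyst needs."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # in real tooling, count unparseable lines rather than dropping them silently
        if is_traversal_to_vpns(m["path"]):
            hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                         "path": m["path"], "status": int(m["status"])})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
```

A 200 on one of these requests means the traversal worked, and a POST into /vpns/ means something was written, so treat those hosts as compromised until proven otherwise. A clean log is weaker evidence than a dirty one: attackers who got code execution could have trimmed it, which is why the scanner above belongs alongside a filesystem check rather than in place of one.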
Still Using Windows 7? Here’s Your First Security Issue
As we’ve mentioned a few times now, Windows 7 has reached its end-of-life and is no longer supported by Microsoft. That means no more free security updates: unless you’re paying for Extended Security Updates, any vulnerability found from here on out stays unpatched on your machine.
As a perfect demonstration, allow us to introduce you to CVE-2020-0674, a memory corruption vulnerability in the scripting engine used by Internet Explorer, rated moderate for Internet Explorer 9 and 10 and ‘critical’ for Internet Explorer 11. In its simplest terms, luring a user to a booby-trapped web page lets an attacker run code with that user’s rights; if the user is logged in as an administrator, that’s the whole system. If you fancy a more nerdy explanation, Microsoft has you covered in security advisory ADV200001.
What does this have to do with Windows 7? The flaw sits in the legacy JScript scripting engine (jscript.dll) that Internet Explorer still loads, and it affects IE on supported versions of Windows too; the difference is who gets the fix. Microsoft aren’t treating the matter with much urgency, saying a patch won’t arrive until next month’s Patch Tuesday, and Windows 7 machines outside the paid Extended Security Updates programme no longer receive security fixes at all. This is despite the flaw already being exploited by malicious actors, who are reaching user machines via the tried-and-true method of phishing emails and malicious documents. In the meantime, the advisory describes a workaround (restricting access to jscript.dll) that is worth applying wherever IE is still in use.
Look, we’re all going to miss Windows 7; let’s not sour the memories by watching it torn asunder by decades-old vulnerabilities. Come join us over here in Windows 10. The tea’s nice and warm.
Thus concludes this week’s edition of Threat Thursday. We’ll be back at the same time, in the same place next Thursday with more on the week’s super-susceptible security slip-ups (you’re fired – Ed).
Have you signed up for the regular Threat Thursday email? The latest Threat Thursday report in your inbox every week – just add your email into the subscribe box on the right of this blog.