ISA is committed to keeping the security community up to date with the latest cybersecurity news.
Record-tying “Patch Tuesday” announcement from Microsoft
Microsoft’s monthly “Patch Tuesday” bulletin for September 2020 included patches to 129 vulnerabilities across 15 products, including Windows, Exchange, Dynamics, and SharePoint. The 129 fixes tie the all-time Patch Tuesday record set in June 2020.
Nearly a quarter of the vulnerabilities are classified as remote code execution (RCE) issues: flaws that let an attacker run code of their choosing on the affected system, typically by sending crafted input over the network rather than by first obtaining local access.
20 of the RCE vulnerabilities (23 vulnerabilities in all) are rated “critical”, the highest rating on Microsoft’s severity scale. The immediate risk is reduced by the fact that none of the vulnerabilities had been seen exploited in the wild at the time of the release, but the patches should still be reviewed, tested, and applied to affected systems as soon as possible. Attackers also follow Patch Tuesday releases: by comparing patched and unpatched binaries they can work out exactly what each fix changed, and build exploits to use against organizations that are slow to act.
Perhaps the most severe issue resolved in the announcement is CVE-2020-16875, an RCE vulnerability in Exchange Server. Microsoft’s advisory describes exploitation as requiring a specially crafted email to be sent to a vulnerable Exchange server, after which the attacker’s code runs in the context of the System account on that server. An attacker with that foothold could perform administrative functions such as creating or accessing accounts, change or delete data, and install malware on the mail server.
Microsoft summarizes foreign attacks on U.S. election
In a wide-ranging report, Microsoft researchers have outlined the scope of attacks they have observed from hackers in Iran, Russia, and China against American and European political interests. The primary target of many of these campaigns is the U.S. election, scheduled for November 3, 2020.
The Microsoft report identified three key players:
+ “Strontium, operating from Russia, has attacked more than 200 organizations including political campaigns, advocacy groups, parties and political consultants
+ Zirconium, operating from China, has attacked high-profile individuals associated with the election, including people associated with the Joe Biden for President campaign and prominent leaders in the international affairs community
+ Phosphorus, operating from Iran, has continued to attack the personal accounts of people associated with the Donald J. Trump for President campaign”
Strontium, which was also involved in hacking efforts around the 2016 election, has reportedly been active again since September 2019, running widespread attempts to harvest login credentials, brute-force attacks that guess account passwords, and credential stuffing that replays username and password pairs leaked from other compromised sites. Most of its targets have direct or indirect ties to the U.S. election.
Zirconium, meanwhile, reportedly succeeded in about 150 of its thousands of persistent attacks against people closely affiliated with both presidential campaigns and candidates; compromised email accounts have been reported on both the Biden and Trump sides. According to the Microsoft report, “Zirconium is using what are referred to as web bugs, or web beacons, tied to a domain they purchased and populated with content. The actor then sends the associated URL in either email text or an attachment to a targeted account. Although the domain itself may not have malicious content, the web bug allows Zirconium to check if a user attempted to access the site.”
Iran-based Phosphorus (also known variously as APT 35, Charming Kitten or the Ajax Security Team) has been active for years. Microsoft’s report outlined the steps it has taken to disrupt the group’s recent efforts, including taking control of some 155 registered domains, many of which were chosen specifically to make unsuspecting users believe they were on legitimate sites. For example, Phosphorus registered and used names like “outlook-verify.net”, “yahoo-verify.net”, “verification-live.com”, and “myaccount-services.net” in an effort to trick users into revealing login credentials. This summer the group also made (reportedly unsuccessful) attempts to get into the mail accounts of government officials and members of President Trump’s re-election campaign staff.
While the report says many of the attacks were blocked by Microsoft’s own defenses, the company also confirmed that it is working with the victims of breaches identified over the past several months. As the election nears, fears grow that the attacks will only intensify.
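The two techniques described above, the web beacon used by Zirconium and the look-alike credential-harvesting domains registered by Phosphorus, are both visible in the HTML body of a phishing email. The following Python script is an added example, not code from the Microsoft report or this page: it flags external tracking images and look-alike domains in an email body. The trusted-domain list, the brand and bait word lists, and the sample email are constructed assumptions for the example; the four Phosphorus domains are the ones named in the report.

```python
"""Flag web beacons and look-alike credential-harvesting domains in an HTML email body.

Added example (not from the Microsoft report). The domain and word lists below are
assumptions for illustration; tune them to the brands your organization actually uses.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains whose content an organization expects in mail; anything else is "external".
TRUSTED_DOMAINS = {"microsoft.com", "outlook.com", "live.com", "yahoo.com", "google.com"}
# Brand words an attacker pairs with "bait" words to build a convincing domain name.
BRAND_WORDS = ("outlook", "yahoo", "live", "microsoft", "google", "myaccount")
BAIT_WORDS = ("verify", "verification", "login", "signin", "services", "account", "secure")


def registrable_domain(host):
    """Crude last-two-labels approximation of the registrable domain (no public suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_lookalike(host):
    """Heuristic: a brand word and a bait word in one label of a domain the brand does not own.

    Substring matching is deliberately loose (e.g. "live" inside "deliver"), so treat a hit
    as a lead for an analyst, not as a verdict.
    """
    dom = registrable_domain(host)
    if dom in TRUSTED_DOMAINS:
        return False
    label = dom.split(".")[0]
    return any(b in label for b in BRAND_WORDS) and any(w in label for w in BAIT_WORDS)


class _LinkCollector(HTMLParser):
    """Collect <img src> (with size attributes) and <a href> targets from an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []  # (src, width, height)
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append((a["src"], a.get("width"), a.get("height")))
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def _tiny(value):
    """Beacons are usually 0 or 1 pixel; a missing or non-numeric size is not treated as tiny."""
    if value is None:
        return False
    try:
        return int(value.strip("px")) <= 1
    except ValueError:
        return False


def analyse_html_email(html):
    """Return a list of (finding_kind, hostname) tuples for the suspicious references found.

    Any remotely loaded image tells the sender the message was opened, which is exactly what
    a web bug needs; a 1x1 image is reported as "web_beacon", larger ones as "external_image".
    """
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for src, width, height in parser.images:
        u = urlparse(src)
        if u.scheme in ("http", "https") and u.hostname:
            if registrable_domain(u.hostname) not in TRUSTED_DOMAINS:
                kind = "web_beacon" if (_tiny(width) and _tiny(height)) else "external_image"
                findings.append((kind, u.hostname))
    for href in parser.links:
        u = urlparse(href)
        if u.hostname and is_lookalike(u.hostname):
            findings.append(("lookalike_domain", u.hostname))
    return findings


# Constructed sample message: one tracking pixel on an untrusted host, one look-alike link,
# plus legitimate Microsoft references that should not be flagged.
SAMPLE_EMAIL = """<html><body>
<p>Please confirm your mailbox to avoid suspension.</p>
<a href="https://outlook-verify.net/login?u=jane">Verify now</a>
<a href="https://www.microsoft.com/">Microsoft</a>
<img src="https://cdn.example-news.net/open/9f2a1c.gif" width="1" height="1">
<img src="https://www.microsoft.com/logo.png" width="120" height="40">
</body></html>"""

if __name__ == "__main__":
    for kind, host in analyse_html_email(SAMPLE_EMAIL):
        print(f"{kind:18} {host}")
```

Run against a real mailbox, feed each message's `text/html` part to `analyse_html_email` and review the hits; the beacon check is worth combining with a mail client policy that does not auto-load remote images, since that is what denies the sender the "was it opened" signal.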
The Microsoft bulletin comes on the heels of an official statement about election tampering, made last month by National Counterintelligence and Security Center (NCSC) Director William Evanina. Evanina suggested that while Russian interests are working to support Trump’s re-election bid and damage Biden’s campaign, China “prefers that President Trump – whom Beijing sees as unpredictable – does not win reelection,” and that Iran is working to undermine the president and U.S. democratic institutions.
Hackers targeting WordPress plug-in vulnerability
Researchers reported a critical vulnerability in the WordPress plug-in File Manager in early September; in the days that followed, attacks exploiting it surged against the roughly 700,000 websites worldwide that use the plug-in.
The File Manager plug-in lets site owners manage files directly from the WordPress back end. The bug allows an unauthenticated attacker to upload scripts and execute code on any WordPress site running an affected version of the plug-in. Versions 6.0 through 6.8 are affected; version 6.9, released soon after the vulnerability was reported, fixes it, and users of the plug-in are strongly encouraged to review, test, and apply the update as soon as possible.