Cyware Daily Threat Intelligence, December 06, 2019


VPNs are a vital part of security infrastructure, but they can themselves be vulnerable and turned against the organisations that rely on them. In the past 24 hours, security experts have disclosed two critical VPN security risks which, if exploited, could have dire consequences. The first allows active TCP connections inside a VPN tunnel to be hijacked, due to a vulnerability in Linux and Unix operating systems.

The other threat is related to the Aviatrix VPN used by NASA, BT, and Shell. The VPN has been found to be affected by multiple local privilege escalation vulnerabilities. The flaws can allow a threat actor to gain extra levels of privilege, thus enabling them to dive into confidential files, folders, and network services.

In other developments, the Department of Homeland Security has alerted companies in the financial services sector to ongoing Dridex campaigns. The malware is being distributed via phishing emails. The alert includes a list of mitigation measures to counter potential attacks by the malware.

Top Breaches Reported in the Last 24 Hours

Theatre suffers an attack
The New Jersey Shakespeare Theatre has been hit by a ransomware attack, which affected the ticketing system for its shows. The theatre’s website states that customers’ data, including credit card details, is safe because it was encrypted before the attack took place.

Fort Worth residents affected
About 3,000 Fort Worth residents have fallen victim to a data breach. Those affected are residents who paid their water bills online by credit card. The stolen information may include names, addresses, and credit card data, including card numbers and security codes.

Top Malware Reported in the Last 24 Hours

DHS issues alert about Dridex attacks
The Department of Homeland Security has issued an alert about the risks from ongoing Dridex trojan attacks. The alert is aimed especially at institutions in the financial services sector. The campaigns are carried out through phishing emails. The alert includes a list of previously unreported indicators of compromise derived from FinCEN. DHS has encouraged security admins to configure their companies’ defensive tools to detect Dridex banking trojan activity and prevent potential attacks, and has recommended a list of mitigation measures to reduce risk.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft issues guidance
Microsoft has released guidance regarding Windows Hello for Business (WHfB) public keys that persist even after the devices they are tied to are removed from Active Directory. The issue arises when WHfB is deployed on Active Directory 2016 or 2019, either in hybrid mode or on-premises only. It affects WHfB keys that were generated on TPMs impacted by CVE-2017-15361.

VPN-related issues
Academics have disclosed that a security flaw impacting Linux, Android, macOS, and other Unix-based operating systems could allow an attacker to sniff, hijack, and tamper with VPN-tunneled connections. The vulnerability is tracked as CVE-2019-14899. Separately, the Aviatrix VPN used by NASA, Shell, and BT has been found to be affected by multiple local privilege escalation vulnerabilities.

OpenBSD addresses bugs
Four high-severity security issues discovered in OpenBSD have been fixed recently. One is an authentication bypass; the other three are privilege escalation bugs. The three flaws could be exploited by local users or malware to gain the privileges of the auth group or of root.

Top Scams Reported in the Last 24 Hours

Renew your vehicle license scam
The New Zealand Transport Agency has issued an alert to all vehicle owners about an email scam that asks recipients to renew their vehicle licences. The email appears to be a standard vehicle licence renewal reminder and includes links to an online transaction website. Vehicle owners should check the sender’s address carefully to stay safe from the scam: the address used in the scam ends in ‘nzta.co.nz’, whereas official NZTA email addresses end in ‘nzta.govt.nz’. It is not known whether anyone has been affected by the scam.
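The sender check recommended above is easy to get wrong when done by eye, because the scam domain contains the brand name and differs only in its suffix. The following is an added example, not code from the original post or from NZTA: a small classifier that parses a From header, extracts the domain, and only trusts an exact (or subdomain) match against the legitimate domain ‘nzta.govt.nz’ taken from the page, flagging anything else that reuses the brand label as a lookalike. The sample From headers are constructed for illustration.

```python
"""Sender-domain check for the NZTA-style renewal scam described above.

Added example, not code from the original post. The legitimate domain
'nzta.govt.nz' and the scam suffix 'nzta.co.nz' come from the page; the
sample From headers below are constructed for illustration.
"""
from email.utils import parseaddr

# Domains the organisation actually sends from (NZTA, from the page).
LEGITIMATE_DOMAINS = {"nzta.govt.nz"}


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From header.

    parseaddr handles display names and angle brackets, so a display
    name such as 'NZTA <...>' cannot mask the real address behind it.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_sender(from_header: str, legitimate=LEGITIMATE_DOMAINS) -> str:
    """Classify a From header as 'legitimate', 'lookalike' or 'unknown'.

    'lookalike' means the domain is not trusted but reuses the brand
    label of a trusted domain (e.g. 'nzta.co.nz' vs 'nzta.govt.nz'),
    which is exactly the case the NZTA alert warns about.
    """
    domain = sender_domain(from_header)
    if domain in legitimate:
        return "legitimate"
    # A subdomain of a trusted domain is still that domain's traffic.
    if any(domain.endswith("." + d) for d in legitimate):
        return "legitimate"
    # The brand label is the left-most part of each trusted domain.
    brand_labels = {d.split(".")[0] for d in legitimate}
    if any(label in domain.split(".") for label in brand_labels):
        return "lookalike"
    return "unknown"


# Constructed sample headers: one genuine-looking, one scam-style, one unrelated.
SAMPLE_FROM_HEADERS = [
    "NZTA <renewals@nzta.govt.nz>",
    "NZ Transport Agency <noreply@renewals.nzta.co.nz>",
    "Billing <billing@example.com>",
]


def flag_lookalikes(headers):
    """Return the From headers whose sender domain is a brand lookalike."""
    return [h for h in headers if classify_sender(h) == "lookalike"]


if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{classify_sender(header):10s}  {header}")
```

Running the block prints one line per sample header with its verdict; only the ‘nzta.co.nz’ sender is reported as a lookalike. The design point is that trust comes from an exact domain match, never from the brand name appearing somewhere in the address or display name.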


Tags

aviatrix vpn
new zealand transport agency
openbsd
new jersey shakespeare theatre

Posted on: December 06, 2019


