Learning from 6 Focus Threats in April 2020
The threat update from Accelerate provides a consolidated monthly summary of recent business threats that you need to be vigilant for. We are continuously monitoring the emerging threats, vulnerabilities and breaches from key industry security organisations, such as NCSE and Fortilabs. In this month’s threat summary:
- Microsoft Basic Authentication and Exchange Online – April 2020 Update
- Sophos XG Firewall Zero-Day Vulnerability Actively Exploited
- Study highlights sectors most likely to fall for phishing attacks
- Fixes released for critical vulnerability in VMware vCenter
- Critical Zero-Day Flaws in DrayTek Vigor Routers Patched
- 80% of exposed Exchange Servers remain unpatched for critical flaw
1. Microsoft Basic Authentication and Exchange Online – April 2020 Update
In response to the COVID-19 crisis Microsoft have decided to postpone disabling ‘Basic Authentication’ in Exchange Online for those actively using it until the second half of 2021.
Prior to the COVID-19 outbreak, Microsoft were planning to turn off Basic Authentication for Exchange Online in October 2020 to enforce the use of Modern Authentication, which follows the OAuth 2.0 framework: applications request access tokens from Azure Active Directory rather than sending a username and password to connect.
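Before Basic Authentication is switched off, the practical question for an administrator is which accounts and clients still depend on it. The following script is an added example (not from Accelerate or Microsoft) that classifies Azure AD sign-in records by the `clientAppUsed` field and reports the users still signing in over legacy protocols. The sign-in records are constructed for the example, and the assumption that every client type other than "Browser" and "Mobile Apps and Desktop clients" can fall back to Basic Authentication is the example's own.

```python
import json
from collections import defaultdict

# Assumption: these are the Azure AD sign-in log clientAppUsed values that
# correspond to legacy (Basic Authentication capable) protocols. Anything not
# in MODERN_CLIENT_APPS is treated as legacy so unknown clients are not missed.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "Exchange Web Services", "MAPI Over HTTP", "Other clients",
}

# Constructed sample sign-in records in JSON Lines form (not real tenant data).
SAMPLE_SIGNINS_JSONL = "\n".join([
    '{"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "status": {"errorCode": 0}}',
    '{"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}',
    '{"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}',
    '{"userPrincipalName": "scanner@example.com", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}}',
    '{"userPrincipalName": "carol@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}',
    '{"userPrincipalName": "dave@example.com", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 50126}}',
])


def load_signins(jsonl_text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def is_legacy(record):
    """True when the sign-in came through a client type that is not modern-auth only."""
    return record.get("clientAppUsed", "") not in MODERN_CLIENT_APPS


def legacy_auth_report(records, successful_only=True):
    """Return {user: {clientAppUsed: count}} for sign-ins over legacy protocols.

    Failed sign-ins (non-zero errorCode) are skipped by default because they
    include password-spraying noise against accounts that never use the protocol.
    """
    report = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if not is_legacy(rec):
            continue
        if successful_only and rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        report[rec["userPrincipalName"]][rec["clientAppUsed"]] += 1
    return {user: dict(apps) for user, apps in report.items()}


def users_to_migrate(records):
    """Sorted list of accounts that successfully authenticated over a legacy protocol."""
    return sorted(legacy_auth_report(records))


SAMPLE_SIGNINS = load_signins(SAMPLE_SIGNINS_JSONL)

if __name__ == "__main__":
    for user, apps in legacy_auth_report(SAMPLE_SIGNINS).items():
        print(f"{user}: {apps}")
```

Run against an export of the tenant's sign-in logs, the report gives the list of mailboxes and devices (shared mailboxes, scanners, scripts) that must be moved to Modern Authentication or app-specific handling before Basic Authentication is disabled.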
2. Sophos XG Firewall Zero-Day Vulnerability Actively Exploited
An emergency security update has been published by Sophos to plug a previously unknown SQL injection vulnerability which was used to gain access to XG Firewalls that had their admin portal exposed on the internet. A hotfix has been prepared and pushed to all XG Firewalls with auto-update enabled, eliminating the vulnerability.
Sophos said the hackers used the SQL injection vulnerability to download a payload on the device. This payload then stole files from the XG Firewall. Stolen data could include usernames and hashed passwords for the firewall device admin, for the firewall portal admins, and user accounts used for remote access to the device. It also included the firewall’s license and serial number, and user emails.
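The root cause described above, an admin-portal login that builds SQL from untrusted input, is easy to see in miniature. The example below is added here and has nothing to do with the Sophos XG code base: it sets up a constructed in-memory admin table, shows a lookup that splices the username into the SQL text beside the parameterised version, and finishes with a password check that uses the safe lookup. The probe string is a constructed test input used only to show that the two lookups treat the same bytes differently.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed test input: contains a quote and a SQL comment marker so that
# string splicing changes the query's structure. Nothing else is special about it.
PROBE = "admin' --"
DEMO_PASSWORD = "correct horse battery staple"


def build_db():
    """Constructed admin-user table for the demo; passwords are stored salted and hashed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, salt TEXT, pw_hash TEXT)")
    salt = secrets.token_hex(8)
    conn.execute("INSERT INTO admins VALUES (?, ?, ?)",
                 ("admin", salt, hash_password(salt, DEMO_PASSWORD)))
    conn.commit()
    return conn


def hash_password(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()


def login_vulnerable(conn, username):
    """Deliberately flawed lookup: the username becomes part of the SQL text."""
    query = "SELECT username, salt, pw_hash FROM admins WHERE username = '" + username + "'"
    return conn.execute(query).fetchone()


def login_hardened(conn, username):
    """Parameterised lookup: the driver sends the value separately from the SQL text,
    so quotes and comment markers in the input are just characters in a string."""
    query = "SELECT username, salt, pw_hash FROM admins WHERE username = ?"
    return conn.execute(query, (username,)).fetchone()


def authenticate(conn, username, password, lookup=login_hardened):
    """True only when the user exists and the password matches, using constant-time comparison."""
    row = lookup(conn, username)
    if row is None:
        return False
    _, salt, stored_hash = row
    return hmac.compare_digest(stored_hash, hash_password(salt, password))


if __name__ == "__main__":
    conn = build_db()
    # The spliced query matches the admin row although no such user exists;
    # the parameterised query correctly finds nothing.
    print("vulnerable:", login_vulnerable(conn, PROBE) is not None)  # True
    print("hardened:  ", login_hardened(conn, PROBE) is not None)    # False
    print("auth ok:   ", authenticate(conn, "admin", DEMO_PASSWORD))  # True
```

The same principle applies to the firewall's own case: a portal exposed to the internet can receive any byte sequence in a login field, so the only robust defence is a query API that never lets data become code, with the admin interface additionally kept off the public internet.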
3. Study highlights sectors most likely to fall for phishing attacks
A new study from NCC Group shows the varied success of phishing attacks on organisations across different sectors. The study analysed data from more than 1,000 simulated phishing campaigns involving nearly 400,000 emails across a wide customer base.
The top three sectors by click-through rate were Charities, IT Services and local Public Sector organisations. It is understood that the biggest challenge to a successful phishing campaign is getting the target to click on the malicious link. Once clicked, however, half of all targets were likely to supply credentials regardless of which industry sector they worked in.
4. Fixes released for critical vulnerability in VMware vCenter Server
A critical vulnerability within VMware vCenter Server infrastructure has been fixed by VMware. Left unpatched, the vulnerability could allow attackers to gain access to sensitive information and potentially take control of affected virtual appliances or Windows systems managed by the vCenter.
Due to the critical nature of this security vulnerability, it is strongly recommended that you upgrade vCenter Server as soon as possible.
5. Critical Zero-Day Flaws in DrayTek Vigor Routers Patched
Researchers have uncovered threat groups exploiting two DrayTek zero-day vulnerabilities in the wild. Both are command injection flaws that allowed attackers to eavesdrop on traffic within corporate networks and, among other actions, to download and run malicious code on the device.
DrayTek has advised users to disable remote admin access wherever possible and apply the latest firmware updates, which have been recently released.
6. 80% of exposed Exchange Servers remain unpatched for critical flaw
Microsoft released a patch in February 2020 for a critical vulnerability in its Exchange Control Panel (ECP) component, which is ‘On’ by default. The flaw allows attackers to take over any vulnerable Exchange Server using previously stolen valid email credentials.
82.5% of all found Exchange Servers are not yet patched according to a report from Rapid7. Both the NSA and CISA have issued warnings urging organizations to patch the vulnerability as soon as possible, as multiple APT groups are already exploiting it in the wild.