Learning from 6 Focus Threats in January 2020
The threat update from Accelerate provides a consolidated monthly summary of recent business threats that you need to stay vigilant against. We continuously monitor emerging threats, vulnerabilities and breaches reported by key industry security organisations, such as NCSE and Fortilabs. In this month’s threat summary:
- Critical Flaw in Cisco Administrative Management Tool
- Internet Explorer Zero-Day Vulnerability Actively Exploited
- Continued Exploitation of Pulse Secure VPN Vulnerability
- Hacker Publishes Telnet Credentials to over 500K devices
- Microsoft Officially Ends Support for Windows 7
- Citrix Exploit Puts Thousands of Companies at Risk
1. Critical Flaw in Cisco Administrative Management Tool
A critical flaw has been identified by Cisco within the web-based management interface of their Cisco Firepower Management (FMC) platform, which manages a number of Cisco network security devices such as Next-Generation Firewalls and Advanced Malware Protection. This flaw could allow an unauthenticated remote attacker to gain administrator-level privileges on affected devices by exploiting ‘improper handling’ of Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server.
Cisco has released patches for the vulnerability (CVE-2019-16028), which has a score of 9.8 out of 10 on the CVSS scale, making it critical in severity.
2. Internet Explorer Zero-Day Vulnerability Actively Exploited
Microsoft has announced that an unpatched zero-day vulnerability in Internet Explorer is being actively exploited in the wild. It could allow an attacker to execute code remotely and take control of the affected system with the same level of privileges as the currently logged-in user. The attacker could lead an unsuspecting user to a malicious website to exploit the vulnerability, using social engineering and phishing emails. The user will not be aware that the device has been compromised, and the attacker could easily create, monitor and steal sensitive information, and implant ransomware or other malware.
Microsoft is working on a patch for the zero-day, CVE-2020-0674, which only affects versions of IE being used on Windows 7.
3. Continued Exploitation of Pulse Secure VPN Vulnerability
Pulse Secure announced a patch for a severe vulnerability (CVE-2019-11510) in its Pulse Connect Secure platform back in April 2019. The vulnerability allows bad actors without a valid username or password to connect to a remote corporate network, remove multi-factor authentication, view logs and harvest cached passwords stored in plain text, which can include Active Directory account passwords.
Earlier this month, Bad Packets reported that close to 4,000 devices across the globe were still unpatched, almost 9 months after Pulse Secure released the patch.
4. Hacker Publishes Telnet Credentials to over 500K devices
A hacker scanned the entire internet for devices that were exposing their Telnet port (a remote access protocol that can be used to control devices over the internet) and then attempted to access these devices using factory-default or commonly used passwords, resulting in a list of over 500,000 vulnerable devices which included the IP address, username and password. The devices ranged from servers and routers to ‘Smart Home’ Internet of Things (IoT) devices. The hacker then published this list, the largest of its kind known to date, to a popular hacker forum.
Although a number of the entries in the list will no longer be valid, an attacker could use the details to determine the current service provider, and then re-scan the ISP’s network to update the list with the latest IP addresses.
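For a defender, the practical question about a published list like this is whether any of your own address space appears in it. The following added example (not code from the original article) parses entries in the IP address, username and password form described above and flags those inside the organisation's own ranges; the line format, the sample entries and the address ranges are constructed for illustration, and the "user equals password" check is a crude heuristic for factory-default credentials, not a definitive one.

```python
import ipaddress

# Constructed sample in the shape described above: "ip:port user:pass" per line.
# This is made-up data, not content from the published list.
SAMPLE_LEAK = """\
203.0.113.10:23 admin:admin
203.0.113.77:23 root:root
198.51.100.5:23 user:user
192.0.2.200:2323 admin:1234
not a valid line
"""

# Address ranges the organisation is responsible for (assumed example ranges).
OWN_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def parse_leak(text):
    """Yield (ip, port, username, password) from each well-formed line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            host, creds = line.split(maxsplit=1)
            ip_str, port_str = host.rsplit(":", 1)
            user, _, password = creds.partition(":")
            yield ipaddress.ip_address(ip_str), int(port_str), user, password
        except ValueError:
            # Skip malformed lines rather than abort the whole check.
            continue


def exposed_hosts(text, own_ranges):
    """Return entries whose IP falls inside one of our own ranges."""
    hits = []
    for ip, port, user, password in parse_leak(text):
        if any(ip in net for net in own_ranges):
            hits.append({
                "ip": str(ip),
                "port": port,
                "user": user,
                # Crude heuristic: identical user/password suggests a factory default.
                "default_cred": user == password,
            })
    return hits
```

Every host flagged here should have Telnet disabled or firewalled and its credentials changed, regardless of whether the listed password still works.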
5. Microsoft Officially Ends Support for Windows 7
After a decade of service, Microsoft has officially ended support for its Windows 7 operating system. What does this mean for any devices still running Windows 7? Microsoft will no longer provide technical support, or security and software updates, for Windows 7, leaving the operating system vulnerable to attacks from any number of new viruses and malware. A recent example of this can be seen in this month’s cyber threat awareness round-up.
6. Citrix Exploit Puts Thousands of Companies at Risk
Citrix has announced that a vulnerability present in the NetScaler/ADC products could allow an unauthorised attacker to perform arbitrary code execution if this flaw is left unpatched (CVE-2019-19781). It is understood that there are still thousands of companies across the globe that are at risk.
The flaw is likely to be related to SSL VPN requests (an SSL VPN is a secure tunnel into a remote network that uses the SSL protocol). Mitigation steps have been released by Citrix which block certain SSL VPN requests.
Citrix has now released official fixes for these vulnerabilities across their ADC, Gateway and SD-WAN WANOP products, available from the Citrix site.