Pulse Secure VPN Vulnerability Still Widely Exploited, CISA Warns


The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations that malicious hackers continue to exploit a widely known Pulse Secure VPN vulnerability.

A researcher revealed recently that cybercriminals had started exploiting CVE-2019-11510, a critical vulnerability affecting enterprise VPN products from Pulse Secure, to deliver a piece of ransomware known as Sodinokibi, also tracked as REvil.

CVE-2019-11510 is an arbitrary file read vulnerability that can be exploited by unauthenticated attackers to obtain private keys and passwords. The attackers can then use these credentials in combination with a remote command injection vulnerability tracked as CVE-2019-11539 to gain access to private VPN networks.

Pulse Secure released patches in April, months before the researchers who discovered the flaws made their findings public, and the company says it has done everything in its power to convince customers to install the patches. Notifications have been sent out via email, product alerts, its community site, a partner portal, and its customer support website.

However, thousands of Pulse Secure VPN endpoints remain unpatched and malicious actors are taking advantage.

“Although Pulse Secure disclosed the vulnerability and provided software patches for the various affected products in April 2019, the Cybersecurity and Infrastructure Security Agency (CISA) continues to observe wide exploitation of CVE-2019-11510,” CISA said.

Bad Packets reported on January 10 that there were still 3,623 vulnerable Pulse Secure VPN servers, including 1,233 in the United States. A similar scan conducted on January 4 showed 3,825 vulnerable servers — only a slight improvement over the past week.

“CISA expects to see continued attacks exploiting unpatched Pulse Secure VPN environments and strongly urges users and administrators to upgrade to the corresponding fixes,” CISA said.

UK-based foreign currency exchange Travelex appears to have been targeted with Sodinokibi ransomware via the Pulse Secure vulnerability. Bad Packets also reported earlier this week that the convenience store chain 7-Eleven housed some vulnerable VPN servers and that the company had not responded to notification attempts.

Pulse Secure told SecurityWeek that the attackers have delivered ransomware “through interactive prompts of the VPN interface to the users attempting to access resources through unpatched, vulnerable Pulse VPN servers.”

Related: NSA: Multiple State-Sponsored APTs Exploiting Enterprise VPN Flaws

Related: APTs Exploiting Enterprise VPN Vulnerabilities, UK Govt Warns


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Rockwell Automation to Acquire Cybersecurity Firm Avnet


Rockwell Automation on Wednesday announced that it has entered an agreement to acquire Israel-based cybersecurity solutions provider Avnet Data Security in an effort to expand its cybersecurity expertise.

Founded in 1995, Avnet provides a wide range of services and solutions for IT and OT environments, including penetration testing, assessments, training, and network and security products.

In terms of ICS and SCADA security, Avnet specializes in consultancy, training and research. The company claims to have assisted major utilities and other organizations secure their OT networks.

Rockwell Automation says it has decided to acquire Avnet because its extensive knowledge and experience will support its objective to “achieve double digit growth in Information Solutions and Connected Services by expanding our IT/OT cyber and network expertise globally.”

Frank Kulaszewicz, senior VP of Control Products & Solutions at Rockwell Automation, commented, “Avnet’s combination of service delivery, training, research, and managed services will enable us to service a much larger set of customers globally while also continuing to accelerate our portfolio development in this rapidly developing market.”

Financial terms of the deal have not been disclosed, but Rockwell says it does not expect the acquisition to have a material impact on its 2020 financial results. The acquisition is expected to close in early 2020.

“We are excited to join Rockwell Automation to further expand their already robust cyber offering,” said Igal Cohen, CEO of Avnet. “We are continuing to serve our existing clients while expanding our reach to service a much broader range of customers. Our passion and mission have always been to help as many organizations as possible secure their data from internal and external threats.”

Related: Tenable Acquires OT Security Firm Indegy for $78 Million

Related: ForeScout Acquires Industrial Security Firm SecurityMatters for $113 Million in Cash

Related: Cisco to Acquire OT Security Firm Sentryo


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek.


Source: Rockwell Automation to Acquire Cybersecurity Firm Avnet

Tenable Acquires OT Security Firm Indegy for $78 Million


Tenable, a cybersecurity firm best known for its vulnerability management solutions, announced on Monday that it has acquired Indegy, a provider of cybersecurity solutions for operational technology (OT) environments, for $78 million in cash.

Indegy offers a platform that protects industrial control systems (ICS) from cyber threats, insider threats and non-malicious operator error by providing visibility into ICS networks and identifying changes to controllers that could indicate an attack, including changes to firmware, logic and configuration.

In June 2019, Indegy launched an industrial cybersecurity-as-a-service offering designed to help organizations monitor and protect their OT environments using cloud technologies and real-time threat intelligence sharing.

Through the acquisition, Tenable plans to deliver a platform that will allow customers to view and manage OT security issues alongside IT vulnerabilities, and provide risk-based measurement to score, trend, and benchmark IT and OT together.

“For every company in every industry, OT is now part of the modern attack surface. CISOs are being asked to secure OT systems alongside IT, but lack the necessary visibility and technology to manage and measure OT cyber risk in the same way as IT risk,” said Amit Yoran, chairman and CEO, Tenable. “Indegy extends our depth of OT expertise and intelligence, and our breadth of OT-specific capabilities from vulnerability management to asset inventory, configuration management and threat detection,” he added.

Founded in 2014, Indegy had raised $36 million in funding, including a $12 million Series A round announced by the company in July 2016, and $18 million via a Series B funding round in August 2018.

The acquisition of Indegy is the latest in a string of industrial cybersecurity firms that have been snapped up, with more likely to follow in 2020. In November 2018, network access security firm ForeScout Technologies acquired SecurityMatters for approximately $113 million in cash. In March 2019, industrial cybersecurity firm Dragos acquired NexDefense in what was mostly an asset sale. In June 2019, Cisco announced plans to acquire OT cybersecurity firm Sentryo for an undisclosed sum.

Indegy CEO Barak Perelman has been a SecurityWeek Expert Contributor since 2016.

Learn More at SecurityWeek’s ICS Cyber Security Conference

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.


Source: Tenable Acquires OT Security Firm Indegy for $78 Million

Threat From Pre-Installed Malware on Android Phones is Growing


[Update] Pre-installed malware on Android phones is a growing menace — so much that on Wednesday this week, Privacy International and around 50 other international NGOs (including ACLU, EFF, Amnesty and the TOR project) sent an open letter to Google demanding a stop to the habit.

“We urge you to use your position as an influential agent in the ecosystem to protect people and stop manufacturers from exploiting them in a race to the bottom on the pricing of smartphones,” they wrote.

Now, in an unrelated report, Malwarebytes discusses one example of this apparent ‘race to the bottom’ in a low-priced phone. Adding insult to injury, the phone in question is manufactured in China with apparently pre-installed Chinese malware, yet sold to Americans for just $35 under the government funded Lifeline Assistance program. The phone in question is the UMX U686CL sold by Virgin Mobile (Virgin Mobile US is a subsidiary of Sprint).

Contacted by SecurityWeek, Danielle Babbington, Senior Public Relations Manager at Sprint, said the carrier was looking into the report. “We are aware of this issue and are in touch with the device manufacturer Unimax to understand the root cause, however, after our initial testing we do not believe the applications described in the media are malware,” Babbington said.

The FCC declined to comment, noting that it had not yet reviewed the report.

The pre-installed malware comprises a Wireless Update app detected by Malwarebytes as Android/PUP.Riskware.Autoins.Fota.fbcvd, and a Settings app that is malware detected as Android/Trojan.Dropper.Agent.UMX.

“From the moment you log into the mobile device,” say the Malwarebytes researchers, “Wireless Update starts auto-installing apps. To repeat: There is no user consent collected to do so, no buttons to click to accept the installs, it just installs apps on its own.” While it is possible to uninstall this app — which could potentially be used to secretly download malware — the user could miss out on critical operating system updates. “We think that’s worth the tradeoff, and suggest doing so,” says Malwarebytes.

The Settings app, however, cannot be uninstalled without converting the phone into ‘a pricey paper weight’ because it provides the dashboard from which all settings are changed. The code of this app is almost identical to that of two other known mobile trojan droppers, differing only in the variable names. One of these uses Chinese characters for the variable names, leading Malwarebytes to “assume the origin of this malware is China.”

Hidden within the app is a library file named com.android.google.bridge.LibImp. When this library is loaded into memory, it drops further malware known as Android/Trojan.HiddenAds. Malwarebytes could not reproduce this action on their test machine, but note that customers have reported that “a variant of HiddenAds suddenly installs on their UMX mobile device.”

Malwarebytes has no criticism of the phone itself. “It is not a bad phone,” say the researchers. “It feels solid in hand and runs smoothly. Sure, it’s not the fastest mobile device, but it’s a fully capable smart phone. In general, without the malware, this device is a good option for anyone on a budget.”

The issue is the malware, which is an escalating problem. This report was published just a day after more than 50 international NGOs wrote to Google asking for the Android company to be more proactive in ensuring their users’ security. The letter demands four urgent changes to Google’s practices. Firstly, users should be able to uninstall apps on their phone, including any background processes they might leave behind. Secondly, pre-installed apps should be subject to the same Google scrutiny as is applied to Play Store apps. Thirdly, pre-installed apps should have an update mechanism through Google Play. And fourthly, Google should refuse to certify a device on privacy grounds where manufacturers or vendors attempt to exploit users.

“We,” say the signatories, “believe these fair and reasonable changes would make a huge difference to millions of people around the world who should not have to trade their privacy and security for access to a smartphone.”

SecurityWeek asked Malwarebytes to comment on the letter. Nathan Collier responded enthusiastically, but with one rider. The ability for users to uninstall apps could be problematic with the Virgin Mobile phone. “For other security reasons,” he said, “I think the ability to remove system apps is a bad idea. Since we are seeing system apps like the Settings app laced with malware, the ability to remove would permanently damage the device. However, these apps should at least be able to be disabled. Many pre-installed malware, like Adups, you can’t even disable it.”

Elsewhere, he was very supportive, confirming the need for an update mechanism. “One of the biggest issues today,” he commented, “is that with system apps like the aforementioned Settings app, there is no solution. You should be able to easily update/replace system level malware with legitimate versions, even if generic, found on Google Play.”

*Updated with responses from Sprint and the FCC.

Related: Triada Trojan Pre-Installed on Low Cost Android Smartphones

Related: Enterprises Infected By Pre-installed Android Malware

Related: Raspberry Pi Gets Offer to Pre-Install Malware

Related: Malware Found Pre-loaded on Phones Sold in Asia, Africa: Research


Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.


Firefox 72 Blocks Fingerprinting Scripts by Default


Mozilla this week released Firefox 72 to the stable channel with advanced privacy protections that involve the blocking of fingerprinting scripts by default.

Long focused on protecting users’ privacy when browsing the Internet, Mozilla launched Enhanced Tracking Protection (ETP) last year, which keeps users safe from cross-site tracking.

Last week, it also announced that it would let users delete telemetry data, a reaction to the California Consumer Privacy Act (CCPA).

The release of Firefox 72 this week marked another milestone in the organization’s effort toward a more private browsing experience, by expanding the protection to also include browser fingerprinting.

Scripts designed for fingerprinting collect unique characteristics of a user’s browser and device and use that information to identify the user. Collected details include screen size, browser and operating system, installed fonts, and other device properties.

The collected information is then used to distinguish one user’s browser from another, which allows companies to track users for long periods of time, even after they have cleared their browsing data.

Both standards bodies and browser vendors agree that fingerprinting is harmful, but its use has increased across the web over the past ten years, Mozilla says.

Protecting users from fingerprinting without breaking websites, the organization explains, involves blocking parties that participate in fingerprinting, and modifying or removing APIs used for fingerprinting.

With the release of Firefox 72, the organization is now blocking third-party requests to companies known to engage in fingerprinting.

Thus, these companies should no longer be able to gather device details using JavaScript and will not receive information revealed through network requests either — such as the user’s IP address or the user agent header.

The protection is provided in partnership with Disconnect, which maintains a list of companies known for cross-site tracking and a list of those that fingerprint users. Firefox now blocks all parties at the intersection of these two classifications.

Mozilla also adapted measurement techniques from previous academic research to help find new fingerprinting domains, and explains that Disconnect performs a rigorous evaluation of each potential domain that is added to the list.

Following this first step, Mozilla plans on expanding the fingerprinting protection through both script blocking and API-level protections.

“We will continue to monitor fingerprinting on the web, and will work with Disconnect to build out the set of domains blocked by Firefox. Expect to hear more updates from us as we continue to strengthen the protections provided by ETP,” Mozilla concludes.

In addition to this privacy enhancement, Firefox 72 includes patches for 11 vulnerabilities: five rated high severity, five medium severity, and one low severity.

The high-severity bugs include a memory corruption in parent processes during new process initialization on Windows, bypass of @namespace CSS sanitization during pasting, type confusion in XPCVariant.cpp, and memory safety bugs in both Firefox 71 and Firefox ESR 68.3.

Medium-severity flaws patched this month include the Windows keyboard in Private Browsing mode retaining word suggestions; Python files could be inadvertently executed upon opening a download; Content Security Policy not applied to XSL stylesheets applied to XML documents; heap address disclosure in parent processes during content process initialization on Windows; and CSS sanitization does not escape HTML tags.

The low-severity bug patched in this release could result in an invalid state transition in the TLS State Machine, as the client may negotiate a lower protocol than TLS 1.3 after a HelloRetryRequest has been sent.

Related: Firefox 72 Will Let Users Delete Telemetry Data

Related: Mozilla Hardens Firefox Against Injection Attacks

Ionut Arghire is an international correspondent for SecurityWeek.