Webex Desktop App Vulnerability
  • Advisory
  • June 24, 2020

During internal security testing of the Cisco Webex Meetings Desktop App, a vulnerability was discovered that is due to improper validation of input supplied to the application's URLs. An attacker who exploits it could cause the Webex application to execute other programs that are already present on the end-user system. The vulnerability affects Cisco Webex Meetings Desktop App releases earlier than Release 39.5.12. Cisco has released software updates that address it.

New EvilQuest Ransomware for macOS Systems
  • Advisory
  • July 1, 2020

The EvilQuest ransomware encrypts the user's files as soon as it is executed. Once encryption finishes, a popup informs the victim that they have been infected and their files encrypted, and directs them to open a ransom note in the form of a text file placed on their desktop. After the encryption process ends, the ransomware also installs a keylogger to record all of the user's keystrokes and opens a reverse shell on the target computer so that the attacker can keep accessing it and steal sensitive information the user enters with the keyboard. Together, those capabilities could give attackers full control over an infected host. EvilQuest appears to be distributed solely through torrenting websites and pirated versions of macOS software: researchers have found it bundled in a package called Google Software Update, and others have seen it hidden in pirated versions of the DJ app Mixed In Key, Ableton Live and the security tool Little Snitch. The malware can also detect whether it is running in a virtual machine and whether security and antivirus solutions are running on the system, and it implements several persistence tricks.

Cisco Small Business Routers Vulnerabilities
  • Advisory
  • July 17, 2020

The reported vulnerabilities affect the Cisco Small Business RV110W, RV130, RV130W and RV215W routers, and Cisco Prime License Manager. They are the result of the following:

  1. The RV110W Wireless-N VPN Firewall router's system account has a default, static password, which could allow an unauthenticated, remote attacker to take full control of an affected device.
  2. The RV110W, RV130, RV130W and RV215W routers improperly validate user-supplied input in the web-based management interface, which could allow an attacker to execute arbitrary code as the root user by sending crafted HTTP requests to a targeted device.
  3. The Cisco RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router and RV215W Wireless-N VPN Router have a vulnerability due to improper session management, which could allow an attacker to bypass authentication and execute arbitrary commands with administrative privileges by sending a crafted HTTP request to an affected device.
  4. The Cisco Prime License Manager (PLM) Software vulnerability is due to insufficient validation of user input on the web management interface, which could allow a remote attacker to gain administrative-level privileges on an affected system by submitting a malicious request to it.

Remote Access Vulnerability
  • Advisory
  • July 22, 2020

This active ransomware campaign consists of well-crafted, sophisticated attacks that are said to result from weak authentication, the absence of multi-factor authentication, and unpatched software. Once access to a network is gained through a remote access system, tools such as Mimikatz, PsExec and Cobalt Strike are used to escalate privileges, move laterally through the network and establish persistence.
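
The post-access tradecraft named above leaves recognisable traces in Windows telemetry. The following is an added detection example, not part of the advisory: it runs four rules over a handful of constructed event records (the hosts, users, IPs and file paths are made up, and the field names only loosely mirror Windows Security and Sysmon event data). The signals it keys on are PsExec's default PSEXESVC service install, handles opened on lsass.exe with access masks typical of credential dumpers, Cobalt Strike's default named-pipe names, and one account logging on over the network to several hosts from a single source.

```python
"""Detection rules for Mimikatz / PsExec / Cobalt Strike / lateral movement,
run over constructed Windows event records (added example, not advisory code)."""
import re
from collections import defaultdict

# Access masks commonly requested on lsass.exe by credential-dumping tools.
LSASS_SUSPICIOUS_MASKS = {"0x1010", "0x1410", "0x147a", "0x1fffff"}
# Cobalt Strike's default named-pipe patterns (operators can and do rename them).
CS_PIPE_RE = re.compile(r"^\\(msagent_[0-9a-f]{2}|postex_[0-9a-f]{4}|MSSE-\d{1,4}-server)$", re.I)

# Constructed telemetry: one dict per already-parsed event. Assumption: the
# collector normalises the source channel into "source" and the event ID into "id".
EVENTS = [
    # Sysmon ID 10: a process opened a handle to lsass.exe with a dumper-style mask.
    {"host": "WS01", "source": "Sysmon", "id": 10, "SourceImage": r"C:\Users\j.doe\Downloads\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Benign lsass handle from an AV engine: different mask, must not alert.
    {"host": "WS01", "source": "Sysmon", "id": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    # System ID 7045 (service installed): PsExec drops its PSEXESVC service.
    {"host": "SRV02", "source": "System", "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # Security ID 4624, logon type 3 (network): one account, one source, many hosts.
    {"host": "SRV02", "source": "Security", "id": 4624, "LogonType": 3, "TargetUserName": "admin.svc", "IpAddress": "10.0.5.23"},
    {"host": "SRV03", "source": "Security", "id": 4624, "LogonType": 3, "TargetUserName": "admin.svc", "IpAddress": "10.0.5.23"},
    {"host": "SRV04", "source": "Security", "id": 4624, "LogonType": 3, "TargetUserName": "admin.svc", "IpAddress": "10.0.5.23"},
    # Sysmon ID 17 (pipe created): a default Cobalt Strike post-exploitation pipe.
    {"host": "SRV02", "source": "Sysmon", "id": 17, "PipeName": r"\postex_1a2b", "Image": r"C:\Windows\System32\rundll32.exe"},
]


def detect(events, lateral_threshold=3):
    """Return (rule, where, detail) tuples for every event that matches a rule."""
    alerts = []
    network_logons = defaultdict(set)  # (account, source IP) -> hosts logged on to
    for e in events:
        src, eid = e["source"], e["id"]
        if src == "Sysmon" and eid == 10 and e["TargetImage"].lower().endswith("\\lsass.exe"):
            if e["GrantedAccess"].lower() in LSASS_SUSPICIOUS_MASKS:
                alerts.append(("credential_dumping", e["host"], e["SourceImage"]))
        elif src == "System" and eid == 7045 and e["ServiceName"].upper() == "PSEXESVC":
            alerts.append(("psexec_service", e["host"], e["ImagePath"]))
        elif src == "Sysmon" and eid == 17 and CS_PIPE_RE.match(e["PipeName"]):
            alerts.append(("cobalt_strike_pipe", e["host"], e["PipeName"]))
        elif src == "Security" and eid == 4624 and e["LogonType"] == 3:
            network_logons[(e["TargetUserName"], e["IpAddress"])].add(e["host"])
    # Lateral movement is a pattern across events, so it is evaluated after the pass.
    for (account, ip), hosts in network_logons.items():
        if len(hosts) >= lateral_threshold:
            alerts.append(("lateral_movement", ip, f"{account} -> {sorted(hosts)}"))
    return alerts


if __name__ == "__main__":
    for rule, where, detail in detect(EVENTS):
        print(f"[{rule}] {where}: {detail}")
```

These rules only fire if the telemetry exists: the lsass and named-pipe checks need Sysmon event IDs 10 and 17 collected, and the lateral-movement threshold has to be tuned per environment so that legitimate service accounts do not drown the signal. None of them addresses the root causes the advisory names (weak passwords, no MFA, missing patches); they detect the intrusion after the fact.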

RV Series Routers Command Injection Vulnerabilities
  • Advisory
  • August 5, 2020

These vulnerabilities are due to improper validation of user-supplied input to scripts of the web-based management interface. An attacker who already holds administrative privileges sufficient to log in to the web-based management interface can exploit each vulnerability by sending malicious requests to an affected device. Exploitation therefore requires valid administrative credentials; the vulnerabilities still matter because a web-interface administrator, or anyone who has stolen those credentials, gains command execution on the device's underlying operating system.

The vulnerabilities are confirmed to affect the following Cisco Small Business routers running the listed firmware versions:

  • RV016 Multi-WAN VPN: 4.2.3.10 and earlier
  • RV042 Dual WAN VPN: 4.2.3.10 and earlier
  • RV042G Dual Gigabit WAN VPN: 4.2.3.10 and earlier
  • RV082 Dual WAN VPN: 4.2.3.10 and earlier
  • RV320 Dual Gigabit WAN VPN: 1.5.1.05 and earlier
  • RV325 Dual Gigabit WAN VPN: 1.5.1.05 and earlier
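
The bug class behind this advisory, a web-interface parameter spliced into a shell command, is easy to reproduce and easy to fix. The following is an added example, not Cisco's code: it assumes a hypothetical diagnostics handler that takes a "host" parameter from the admin UI, and uses "echo" as a stand-in for the real ping or traceroute binary so the example runs anywhere. The vulnerable version hands the parameter to a shell; the hardened version allowlists the input shape and never invokes a shell at all.

```python
"""Command injection in a router diagnostics handler: vulnerable pattern and
hardened replacement (added example; the handler and parameter are assumptions)."""
import re
import subprocess

# Stand-in for the real diagnostics binary (ping/traceroute) so the demo is portable.
DIAG_CMD = "echo"


def diag_vulnerable(host: str) -> str:
    # Vulnerable: the parameter is spliced into a command line interpreted by
    # /bin/sh, so shell metacharacters (; | & $() `) in "host" become extra commands.
    cmd = f"{DIAG_CMD} pinging {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def diag_argv_only(host: str) -> str:
    # Layer 2 on its own: no shell. The argv list delivers "host" as one argument,
    # so "127.0.0.1; id" is just a string the tool sees, not two commands.
    return subprocess.run([DIAG_CMD, "pinging", host], capture_output=True, text=True).stdout


# Layer 1: allowlist the shape of a hostname / IPv4 literal (labels of letters,
# digits and hyphens, dot-separated, no leading "-" so it cannot become an option).
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def diag_hardened(host: str) -> str:
    # Hardened: validate against the allowlist, then run without a shell.
    if not HOST_RE.match(host):
        raise ValueError(f"invalid host: {host!r}")
    return subprocess.run([DIAG_CMD, "pinging", host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "127.0.0.1; id"  # constructed injection: "id" runs as a second command
    print("vulnerable:", diag_vulnerable(payload))
    print("argv only :", diag_argv_only(payload))
    try:
        diag_hardened(payload)
    except ValueError as exc:
        print("hardened  :", exc)
```

Both layers are needed. Dropping the shell removes metacharacter injection, but a value such as "-f" would still reach the tool as an option (argument injection), which is what the allowlist prevents; validating alone while keeping shell=True leaves you one regex mistake away from the original bug.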

ReVoLTE Networks Vulnerability
  • Advisory
  • August 27, 2020

ReVoLTE is an attack that exploits an LTE (Long Term Evolution) implementation flaw, the reuse of the same keystream for consecutive calls, to eavesdrop on a call between two people and recover the contents of an encrypted VoLTE call. The attacker connects to the same base station the victim is using and places a downlink sniffer that records the victim's encrypted 'targeted call'. Within about 10 seconds of that call ending, the attacker calls the victim, which forces the vulnerable network to start a new call between victim and attacker on the same base station, encrypted with the same keystream as the targeted call. The attacker keeps the victim talking for at least as long as the targeted call lasted, so that the second call consumes as much keystream as the first; the attacker knows the plaintext of this second call because they are a party to it. XORing that known plaintext against the recorded ciphertext of the second call yields the keystream, which the attacker then uses offline to decrypt the recorded targeted call.
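
The arithmetic behind the attack is plain stream-cipher keystream reuse, which the following added example models; it is not the ReVoLTE researchers' code and not from the advisory. Assumptions: the keystream generator is a SHA-256 counter-mode stand-in for LTE's real cipher, keyed by a session key and per-bearer parameters (in the model, a vulnerable base station simply re-issues the same parameters for the follow-up call, which is what makes the keystream repeat), and the "calls" are constructed byte strings rather than audio. The example also shows the attack's length limit: the target call is only recovered as far as the attacker's own call lasted.

```python
"""Toy model of the ReVoLTE keystream-reuse attack (added example; not the
researchers' code). SHA-256 counter mode stands in for the LTE cipher."""
import hashlib


def xor(a: bytes, b: bytes) -> bytes:
    # zip() truncates to the shorter input: recovery never extends past the
    # keystream you actually hold.
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, bearer: int, count: int, n: int) -> bytes:
    """Stand-in for the LTE keystream: a PRF of the session key and per-bearer
    parameters, expanded in counter mode. Identical inputs give identical bytes."""
    out = b""
    block = 0
    while len(out) < n:
        out += hashlib.sha256(
            key + bytes([bearer]) + count.to_bytes(4, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:n]


def revolte_recover(target_ct: bytes, attacker_ct: bytes, attacker_pt: bytes) -> bytes:
    # Ciphertext XOR known plaintext of the attacker's own call = the keystream...
    ks = xor(attacker_ct, attacker_pt)
    # ...and that keystream XOR the sniffed target call = the target's plaintext,
    # but only for as many bytes as the attacker's call consumed.
    return xor(target_ct, ks)


def run_attack(target_audio: bytes, attacker_audio: bytes, reuse_keystream: bool = True) -> bytes:
    key = b"constructed-session-key"  # constructed; stands in for the radio session key
    # 1. The downlink sniffer records the victim's call (bearer 1, count 0).
    target_ct = xor(keystream(key, 1, 0, len(target_audio)), target_audio)
    # 2. The attacker calls back within the window. A vulnerable base station
    #    reuses the same bearer parameters, hence the same keystream (model
    #    assumption); a correct one issues fresh parameters.
    bearer = 1 if reuse_keystream else 2
    attacker_ct = xor(keystream(key, bearer, 0, len(attacker_audio)), attacker_audio)
    # 3. Offline: recover the keystream from the attacker's call, decrypt the target call.
    return revolte_recover(target_ct, attacker_ct, attacker_audio)


# Constructed "calls"; the attacker's call is longer than the target call.
TARGET = b"victim: move the funds to account 7781 tonight"
ATTACKER = b"attacker: hello, this is the bank, can you confirm your details? ..."

if __name__ == "__main__":
    print("full recovery    :", run_attack(TARGET, ATTACKER))
    print("short attack call:", run_attack(TARGET, ATTACKER[:12]))
    print("fresh keystream  :", run_attack(TARGET, ATTACKER, reuse_keystream=False))
```

The third run shows the fix from the network side: once the follow-up call gets fresh keying parameters, the XOR trick yields a keystream that has nothing to do with the target call, and the output is noise.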