Threat Report

Thursday December 27th 2018

We hope you had a happy holiday, but it is time to get back to the grind. Holiday cheer wasn’t the only thing spreading this season. Tenable gave the gift of vulnerability disclosure to Cisco, the Department of Justice handed out indictments for Chinese hackers like candy, and 500K students are eagerly waiting to find out what they will get from the San Diego School District.

Cisco ASA privilege escalation disclosed and patched

Cisco Adaptive Security Appliance (ASA) Software is reportedly affected by privilege escalation vulnerability CVE-2018-15465. Researchers at Tenable discovered that a remotely authenticated, unprivileged user can change or download the running configuration. And, that’s bad.

The vulnerability could be exploited by an attacker sending a crafted HTTP request as an authenticated but unprivileged user. The Cisco ASA web management interface improperly validates user privileges. The attacker can retrieve files (including the running configuration) or upload and replace the software image. Cisco released an update to patch the vulnerability.

CVE-2018-15465 impacts ASA software running on any Cisco product that has Web management access enabled, with command authorization disabled. Users are advised to update to the latest patch according to the Fixed Releases table located in the Cisco Security Advisory.
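The exposure precondition above (web management enabled, command authorization disabled) is something you can audit for across your ASA fleet from exported running-configs. The following is an added example, not code from the report or from Cisco; it assumes the standard ASA CLI syntax (`http server enable`, `http <net> <mask> <iface>`, `aaa authorization command ...`) and runs against two constructed sample configs.

```python
import re
from dataclasses import dataclass, field

# Constructed sample ASA running-configs (assumed syntax; not from the report).
EXPOSED_CFG = """\
hostname asa-edge
http server enable
http 10.0.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
aaa authentication http console LOCAL
"""

HARDENED_CFG = """\
hostname asa-core
http server enable
http 10.0.0.0 255.255.255.0 mgmt
aaa authentication http console LOCAL
aaa authorization command LOCAL
"""

@dataclass
class AsaWebAudit:
    hostname: str
    web_mgmt_enabled: bool
    command_authz: bool
    http_sources: list = field(default_factory=list)  # (net, mask, iface)

    @property
    def exposed(self) -> bool:
        # Precondition the report describes: web management on, command authz off.
        return self.web_mgmt_enabled and not self.command_authz

def audit_asa_config(text: str) -> AsaWebAudit:
    hostname, web, authz, sources = "unknown", False, False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blanks and comment lines
        if line.startswith("hostname "):
            hostname = line.split(None, 1)[1]
        elif line == "http server enable":
            web = True
        elif line.startswith("aaa authorization command "):
            authz = True
        else:
            m = re.match(r"http (\S+) (\S+) (\S+)$", line)
            if m:  # networks allowed to reach the web management interface
                sources.append((m.group(1), m.group(2), m.group(3)))
    return AsaWebAudit(hostname, web, authz, sources)

if __name__ == "__main__":
    for cfg in (EXPOSED_CFG, HARDENED_CFG):
        a = audit_asa_config(cfg)
        print(a.hostname, "EXPOSED" if a.exposed else "ok", a.http_sources)
```

An `http 0.0.0.0 0.0.0.0 outside` line in the sources list is worth flagging on its own, since it widens who can reach the management interface regardless of the patch state.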

Stone Panda indicted and linked to Chinese state-sponsored economic espionage

The United States Department of Justice indicted two Chinese nationals, Zhu Hua and Zhang Shilong, who participated in a 12-year campaign that targeted U.S. managed security providers. This duo is believed to be part of Stone Panda aka Red Apollo (APT10). The activity breached at least 45 companies through their managed service providers (MSPs) in 12 countries. The campaign was performed by a company fronting for the Chinese Ministry of State Security (MSS). The indictments show MSS’ continued use of front companies for international economic/technology espionage operations. Washington’s indictments send a clear message to China: intrusions to improve economic competitiveness are unacceptable.

The modus operandi for the campaign was straightforward: leverage stolen credentials to gain access to an MSP network, then use the MSP’s access to steal its clients’ intellectual property. A little birdie told us these IPs were used in APT10 operations:


500K records exposed in San Diego school district breach

Stolen credentials aren’t just being reused against MSPs and their clients. Hackers are credential phishing, reusing previously breached passwords, and deploying password stealing malware to gain access to your networks and the networks you trust. The education sector has recently been learning that lesson.

San Diego School District recently disclosed a data breach for 500K students. We regularly hear about universities being targeted, but public-school districts are a target too. Many of the social security numbers breached won’t be valuable until the students can get approved for credit; but children are victims of identity theft as well. If you were born today, just how long would it take for your SSN to be breached? I’m betting that a large percentage of children born today will have PII breached before they can talk.

Attackers phished San Diego School District faculty to gain access to just about every type of sensitive information they had from the last 10 years, including:

  • Student enrollment information like schedule, discipline incident information, health information, attendance records, transfer information, legal notices on file, and attendance data
  • Student and staff State Student ID Number
  • Student and staff parent, guardian, and emergency contact personal identifying information (including first and last name, phone numbers, address, email address, employer information)
  • Staff benefits information
  • Staff payroll and compensation information (including viewable paychecks and pay advices, deduction information, tax information, direct deposit financial institution name, routing number and account number, salary and leave information)

Earlier this month Cape Cod Community College (CCCC) was cyber-swindled for 800K dollars. The threat actor was using phishing emails with attached viruses to land a first-stage infection. The second-stage infection was password-stealing malware. The Boston Globe reported that CCCC President, John Cox, emailed staff and students stating, “the school believes the same hackers tried to infiltrate other colleges in the area” but said “he did not know which ones.” This statement perfectly highlights that organizations need to join relevant information sharing communities.

That’s all for now. So long, and thanks for all the phish.

Paul Scott
