TAG Cyber Corps Quarantine Security Advisory

The global COVID-19 pandemic has forced most of the population to move work, school and social interaction into virtual environments. Several free or low-cost applications are available to help businesses, governments and the general public stay connected to their IT environments. While these technologies perform well for their intended purpose, it is incumbent on users to secure their own environments as best they can. A car manufacturer installs the seatbelts, but it remains the driver's responsibility to buckle up.

TAG Cyber Corps has compiled a list of the applications most organizations are relying on during this period of shelter in place and work from home. Our team of researchers has provided the essential information needed to keep these environments safe from cyber incidents. We have grouped the applications into four categories (web browser, remote access, video conferencing and remote desktop). For each application we list the latest available version, the update method, current vulnerabilities and recent attacks. Keeping up to date with known weaknesses and taking preventive measures is the most effective way to keep cyber incidents from affecting your organization. When a vendor advisory names a fixed build, compare your installed version against it numerically, component by component: 80.0.3987.122 is newer than 80.0.3987.87 even though a plain string comparison says otherwise.

We are all in this together. TAG Cyber is committed to keeping everyone as safe as possible during this global crisis. We hope that providing truth in cyber security through this free analysis of common applications will reduce anxiety and help keep us all more secure.

Web Browsers - Chrome, Edge, Internet Explorer, Safari, Firefox

Remote Access - Citrix Workspace, Remote Desktop Services (terminal server), LogMeIn, GoToMyPC, RemotePC

Video Conferencing - Zoom, Microsoft Teams, GoToMeeting, Cisco Webex, Skype

Remote Desktop - Microsoft RDP, Linux rdesktop
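The check this advisory asks every organization to perform is "is my installed build at or above the version the vendor fixed?". The script below is an added example (not part of the TAG Cyber advisory) that does that comparison correctly: it parses dotted version strings into integer tuples so that 80.0.3987.87 is recognised as older than 80.0.3987.122, which a naive string comparison gets backwards. The advisory versions are taken from this page; the "installed" inventory is constructed sample data.

```python
"""Flag installed builds that are older than the version an advisory requires.

Added example, not part of the TAG Cyber advisory. ADVISORY values come from the
advisory text; SAMPLE_INSTALLED is constructed data standing in for an asset export.
"""
import re
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '80.0.3987.122' (or 'v1.9.0') into a tuple of ints for numeric comparison."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(n) for n in nums)


def is_outdated(installed: str, required: str) -> bool:
    """True when installed < required, comparing component by component.

    Missing trailing components count as 0, so '80.0.3987' is older than '80.0.3987.122'.
    """
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# Minimum versions from the advisory (the build carrying the named fix, where one is stated).
ADVISORY: Dict[str, str] = {
    "Chrome": "80.0.3987.122",   # CVE-2020-6418 is fixed in this build
    "Firefox": "74.0",
    "Safari": "13.1",
    "rdesktop": "1.9.0",
}

# Constructed sample inventory, as an asset-management export might produce it.
SAMPLE_INSTALLED: Dict[str, str] = {
    "Chrome": "80.0.3987.87",    # a string compare would wrongly call this newer than .122
    "Firefox": "74.0",
    "Safari": "13.0.5",
    "rdesktop": "v1.8.3",
}


def outdated_apps(installed: Dict[str, str], advisory: Dict[str, str] = ADVISORY) -> List[str]:
    """Return the names of apps whose installed build is below the advisory's version."""
    return sorted(name for name, ver in installed.items()
                  if name in advisory and is_outdated(ver, advisory[name]))


if __name__ == "__main__":
    for name in outdated_apps(SAMPLE_INSTALLED):
        print(f"{name}: installed {SAMPLE_INSTALLED[name]}, advisory requires {ADVISORY[name]}")
```

Feed it the version strings your inventory tool already collects; the only thing that changes per advisory is the ADVISORY table.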

______________________________________________________________________________________________________________________________________________________________________________________________________________

Application name: Chrome

Service type: Web Browser

Platform: Installed app (desktop and mobile)

Latest version: Windows & macOS: 80.0.3987.122 or later (the build that fixes CVE-2020-6418)

Update Method: Automatic (Google Update downloads new builds in the background; the update takes effect only when the browser is restarted, and chrome://settings/help shows the installed version and forces a check)

Last Update: February 24, 2020

Vulnerabilities: CVE-2020-6418; type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Recent Attacks: For the third time in a year, Google has fixed a Chrome zero-day (CVE-2020-6418) that was being actively exploited in the wild. The vulnerability was discovered and reported to the Chromium team by Clément Lecigne of Google's Threat Analysis Group on February 18, 2020. The fix landed a day later, but because the patch is public, researchers from Exodus Intelligence were able to analyze it and develop proof-of-concept exploit code. Since a public patch can be turned into a working exploit this quickly, restarting the browser promptly after an update matters as much as the update itself.

Application name: Edge

Service type: Web Browser

Platform: Installed app (desktop and mobile)

Latest version: Windows & macOS: 80.0.361.62

Update Method: Automatic (Microsoft Edge Update; edge://settings/help shows the installed version and forces a check)

Last Update: February 11, 2020

Vulnerabilities: (September 11, 2019) A security feature bypass vulnerability exists when Microsoft browsers fail to validate the correct Security Zone of requests for specific URLs, aka 'Microsoft Browser Security Feature Bypass Vulnerability'. That advisory covers Internet Explorer and the legacy EdgeHTML-based Edge; the Chromium-based Edge 80 listed above was not yet generally available when it was issued and receives its fixes with the Chromium releases instead.

Recent Attacks: (March 2020) "Microsoft Edge virus" is the name given to a technical support scam aimed at Windows 10 and other users. It is not a flaw in Edge: a malicious or compromised web page displays a fake warning claiming the computer is infected and that the only way to fix it is to call a listed phone number, where the scammers charge for non-existent repairs or ask for remote access. Closing the tab (or ending the browser from Task Manager if the page blocks closing) and never calling the number is the correct response.

Application name: Safari

Service type: Web Browser

Platform: Installed app (macOS and iOS)

Latest version: 13.1

Update Method: Automatic (delivered through macOS and iOS Software Update)

Last Update: March 24, 2020

Vulnerabilities: No major vulnerabilities reported in the current release; see the Intelligent Tracking Prevention issues below.

Recent Attacks: Google researchers uncovered several flaws in Safari's Intelligent Tracking Prevention (ITP), the feature designed to protect users from cross-site tracking and other online privacy issues, as reported by the Financial Times. Because ITP "implicitly stores information about the websites visited by the users", that stored state could itself be probed by a web page, exposing which sites a user had visited and providing a new way to track them.

Application name: Firefox

Service type: Web Browser

Platform: Installed app (desktop and mobile)

Latest version: 74.0 (desktop), 24.0 (iOS), 68.6.0 (Android)

Update Method: Automatic (background updates are on by default on desktop; Help > About Firefox shows the installed version and forces a check)

Last Update: March 10, 2020

Vulnerabilities: (March 10, 2020, addressed in the Firefox 74 release) When removing data about an origin whose tab was recently closed, a use-after-free could occur in the Quota manager, resulting in a potentially exploitable crash.

Recent Attacks: No recent related attacks.

Application name: Citrix Workspace

Service Type: Internally hosted virtual application sharing

Platform: Installed client (desktop and mobile), with browser access through the Workspace web portal

Latest Version: 20.2.0.25 (2002)

Update Method: Manual

Last Update: March 24, 2020

Vulnerabilities: CVE-2019-19781; a vulnerability in Citrix Application Delivery Controller (ADC), formerly NetScaler ADC, and Citrix Gateway, formerly NetScaler Gateway, that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution. This flaw is in the gateway appliances that Workspace clients connect through, not in the Workspace app itself; updating the client does nothing for it. The appliances must be patched, and because public exploit code circulated and exploitation was widespread from January 2020, an appliance that was exposed before patching should be checked for signs of prior compromise.

Attacks: In March 2019, the Federal Bureau of Investigation (FBI) alerted Citrix that it had reason to believe cybercriminals had gained access to the company's internal network. The FBI told Citrix the attackers likely got in using a technique called "password spraying", a relatively crude but remarkably effective attack that tries a handful of common passwords against a large number of employee accounts (usernames or email addresses). In a letter sent to affected individuals dated February 10, 2020, Citrix disclosed additional details: according to the letter, the attackers "had intermittent access" to Citrix's internal network between October 13, 2018 and March 8, 2019. This was an attack on Citrix the company rather than on the Workspace app, but the lesson carries over to any organization's remote access portal: multi-factor authentication and a lockout or throttling policy are what defeat password spraying.

Application Name: Remote Desktop Services (Microsoft Terminal Server)

Service Type: Remote Desktop Services

Platform: Windows Server role

Latest Version: Windows Server 2019

Update Method: Automatic (security fixes are delivered through monthly Windows Update)

Last Update: October 2, 2018 (Windows Server 2019 general availability)

Vulnerabilities: No major vulnerabilities are listed here for the Windows Server 2019 role. Note that CVE-2019-0708, covered under Microsoft RDP below, is a flaw in the server side of Remote Desktop Services on older Windows versions (Windows 7, Windows Server 2008 and 2008 R2, plus the out-of-support XP and Server 2003), so any terminal servers still running those versions must be patched.

Attacks: No recent related attacks.

Application name: LogMeIn (several products)

Service Type: Remote collaboration software (SaaS and cloud based)

Platform: Web and mobile app

Latest version: Web: several versions; mobile app: 4.1.8025 (iOS)

Update Method: Manual

Last Update: February 25, 2020

Vulnerabilities (last 6 months): None reported since September 2019, when CVE-2019-16371 was disclosed in LastPass, a LogMeIn product, rather than in the remote-access client: "LogMeIn LastPass before 4.33.0 allows attackers to construct a crafted web site that captures the credentials for a victim's account on a previously visited web site, because do_popupregister can be bypassed via clickjacking".

Attacks (last 6 months): No major recent attacks.

Application name: GoToMyPC

Service Type: Remote access software

Platform: Web app and installed app

Latest Version: iOS 4.7.2563 (September 12, 2019); Android 5.0 (January 17, 2020); desktop app 10.2.0 (January 8, 2020)

Update Method: Manual

Last Update: January 8, 2020

Vulnerabilities: No major vulnerabilities reported.

Attacks: No recent related attacks.

Application Name: RemotePC

Service Type: Remote access software

Platform: Web app and installed app

Latest Version: iOS 7.6.24, Android 4.1.2, Mac 7.6.18, Windows 7.6.25

Update Method: Manual

Last Update: March 6, 2020

Vulnerabilities: No major vulnerabilities reported.

Attacks: No recent related attacks.

Application name: Zoom

Service Type: Video conferencing

Platform: Web app and installed app (desktop and mobile)

Latest Version:

Update Method: Manual

Last Update: March 26, 2020

Vulnerabilities: Security researchers have shown that Zoom meeting IDs are short enough to be guessed, and they are routinely harvested from publicly shared links and screenshots. A meeting created without a password or a waiting room can therefore be joined by anyone who obtains its ID, which lets outsiders eavesdrop on the audio, video and chat of the conference.

Attacks: As universities moved classes onto Zoom while we flattened the curve, open meetings were disrupted by uninvited participants posting racist and misogynistic abuse, a practice now known as "Zoom-bombing". Hosts should require a meeting password, enable the waiting room, lock the meeting once the expected participants have joined, restrict screen sharing to the host, and avoid posting meeting links publicly.

Application name: Microsoft Teams

Service Type: Online conferencing

Platform: Web app and installed app (desktop and mobile)

Latest Version: iOS 2.0.5 (March 27, 2020); Android 1416/1.0.0.2020032405 (March 30, 2020)

Update Method: Automatic

Last Update: March 30, 2020

Vulnerabilities: CVE-2019-5922; untrusted search path vulnerability in the installer of Microsoft Teams allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. Run the installer from a directory that untrusted users cannot write to rather than from a shared download location.

Attacks: No attacks specific to Teams are reported; the risk is account takeover. An attacker who logs into a compromised Office 365 account can use Teams to reach the organization from the inside while impersonating a trusted user, and malicious files and URLs introduced this way escape the scrutiny applied to external e-mail. Multi-factor authentication on Office 365 accounts and the same link and attachment scanning used for mail are the controls that matter.

Application name: GoToMeeting

Service Type: Online conferencing

Platform: Web app

Latest Version:

Update Method: Manual

Last Update: March 16, 2020

Vulnerabilities: No major vulnerabilities

Attacks: No recent related attacks

Application name: Cisco Webex

Service Type: Virtual Meetings

Platform: Web App

Latest Version:

Update Method: Manual

Last Update: March 23, 2020

Vulnerabilities: No major vulnerabilities

Attacks: No recent related attacks

Application name: Skype

Service type: Communication Tool Calls/Chat

Platform: Web App

Latest version: 8.58.0.93 (desktop), 8.58 (iOS), 8.58 (Android)

Update Method: Manual

Last Update: March 20, 2020

Vulnerabilities: No Major Vulnerabilities

Recent Attacks: No Recent Related Attacks

Application name: Microsoft RDP

Service type: Windows Remote Desktop

Platform: Installed app

Latest version: 1.2.790

Update Method: Manual

Last Update: March 24, 2020

Vulnerabilities: CVE-2019-0708 (known as BlueKeep); a remote code execution vulnerability exists in Remote Desktop Services, formerly known as Terminal Services, when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'. The flaw is on the server side, affects Windows 7, Windows Server 2008 and 2008 R2 (and the out-of-support XP and Server 2003), is reachable before authentication, and is wormable. Microsoft released fixes on May 14, 2019; enabling Network Level Authentication blocks unauthenticated exploitation, but only the patch removes the flaw. Windows 8 and later and Windows Server 2012 and later are not affected.

Recent Attacks: Check Point researchers found a weakness in the clipboard sharing between the RDP client and server, which is enabled by default. If a client connects to a malicious RDP server and the user copies any file, the server can add its own files, with paths of its choosing, to what gets pasted, so that they land in an arbitrary location on the client device. For example, an attacker can drop a malicious file into the Windows "Startup" folder so that it runs at every logon. Disable clipboard (and drive) redirection when connecting to servers you do not control: in mstsc this is under Local Resources, and in a saved .rdp file it is the redirectclipboard setting.
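The clipboard and drive redirection settings that expose a client to a malicious server live in the saved .rdp connection file, one "name:type:value" per line. The script below is an added example (not part of the TAG Cyber advisory and not a Microsoft tool) that parses such a file, flags the risky settings, and writes a hardened copy. The key names (full address, redirectclipboard, drivestoredirect, authentication level, enablecredsspsupport) are the standard ones mstsc writes; the sample file content is constructed. Absent redirectclipboard is treated as enabled, which matches the default-on behaviour described above.

```python
"""Audit a saved .rdp connection file for settings that expose the client to a malicious server.

Added example, not part of the TAG Cyber advisory or of Microsoft's tooling.
SAMPLE_RDP is constructed; the key names are the standard mstsc ones.
"""
from typing import Dict, List

# Constructed sample: a connection file with every risky setting turned on.
SAMPLE_RDP = """\
full address:s:rdp.example.net
username:s:analyst
redirectclipboard:i:1
drivestoredirect:s:*
authentication level:i:0
enablecredsspsupport:i:1
"""

# Hardened values written by harden_rdp(): no clipboard, no drive mapping,
# refuse to connect when server authentication fails.
HARDENED = {
    "redirectclipboard": "i:0",
    "drivestoredirect": "s:",
    "authentication level": "i:1",
}


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse 'name:type:value' lines (type i = integer, s = string) into a dict."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)          # value may itself contain ':' (host:port)
        if len(parts) != 3 or parts[1] not in ("i", "s"):
            continue                        # skip malformed lines rather than guess
        settings[parts[0].strip().lower()] = parts[2].strip()
    return settings


def audit_rdp(text: str) -> List[str]:
    """Return one finding per risky setting; an empty list means the file is clean."""
    s = parse_rdp(text)
    findings = []
    # mstsc enables clipboard redirection when the key is absent, so absent == "1".
    if s.get("redirectclipboard", "1") == "1":
        findings.append("clipboard redirection enabled: a malicious server can add files to your paste")
    if s.get("drivestoredirect", "") not in ("", "0"):
        findings.append("drive redirection enabled: local drives are exposed to the server")
    if s.get("authentication level", "2") == "0":
        findings.append("authentication level 0: connects without warning if server identity check fails")
    if s.get("enablecredsspsupport", "1") != "1":
        findings.append("CredSSP disabled: Network Level Authentication cannot be used")
    return findings


def harden_rdp(text: str) -> str:
    """Rewrite the file with the HARDENED values, appending any key that was missing."""
    out, seen = [], set()
    for line in text.splitlines():
        key = line.split(":", 1)[0].strip().lower()
        if key in HARDENED:
            out.append(f"{key}:{HARDENED[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in HARDENED.items():
        if key not in seen:
            out.append(f"{key}:{value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_rdp(SAMPLE_RDP):
        print("FINDING:", finding)
    print(harden_rdp(SAMPLE_RDP))
```

Run audit_rdp() over every .rdp file users have saved (Documents\Default.rdp holds the mstsc defaults) and keep the hardened copies for connections to hosts outside your control.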

Application name: rdesktop

Service type: Linux Remote Desktop

Platform: Installed app

Latest version: v1.9.0

Update Method: Manual

Last Update: October 2019

Vulnerabilities: A manual code audit of the open-source rdesktop client led to the discovery of 19 vulnerabilities (mostly heap-based buffer overflows), including 11 with a major impact. Some of these flaws can be exploited by an attacker controlling an RDP server to remotely execute code on the rdesktop client that connects to it. The fixes shipped in rdesktop 1.8.4, so the 1.9.0 release listed above includes them; check the version actually packaged by your Linux distribution, since older builds remain exposed.

Recent Attacks: No recent related attacks.