Critical WordPress e-Learning Plugin Bugs Open Door to Cheating

The flaws in LearnPress, LearnDash and LifterLMS could have allowed unauthenticated students to change their grades, cheat on tests and gain teacher privileges.

Researchers have disclosed critical-severity flaws in three popular WordPress plugins used widely by colleges and universities: LearnPress, LearnDash and LifterLMS. The flaws, now patched, could allow students to steal personal information, change their grades, cheat on tests and more.

The vulnerable plugins have been installed on more than 130,000 school websites — including ones used the University of Florida, University of Michigan and University of Washington. Schools leverage these plugins as part of their learning management systems (LMS). LMS platforms, used to administer, track and organize coursework, are vital right now for schools quickly moving classrooms online during the coronavirus pandemic.

LearnPress is used on LMS platforms to create courses with quizzes and lessons for students, and has an install base of 80,000. LearnDash provides tools for selling online coursework, and is used by more than 33,000 websites. And, LifterLMS provides sample course and quizzes, and is used by more than 17,000 websites.

“We proved that hackers could easily take control of the entire e-learning platform. Top educational institutions, as well as many online academies, rely on the systems that we researched in order to run their entire online courses and training programs,” Omri Herscovici, Check Point vulnerability research team leader, said in a Thursday analysis. “The vulnerabilities found allow students, and sometimes even unauthenticated users, to gain sensitive information or take control of the LMS platforms. We urge the relevant educational establishment everywhere to update to the latest versions of all the platforms.”

The flaws range in seriousness and impact, but could allow third-party attackers to steal personal information (such as names, emails, usernames and passwords) or target the financial payment methods that are tied to the platforms. In addition, the flaws could have given students the ability to change the grades for themselves or their friends, retrieve tests before they are administered, escalate their privileges to those of a teacher and forge graduation certificates.

Threatpost has reached out to LearnPress, LearnDash and LifterLMS for further comment.

Technical Details

Researchers found the flaws in a span of two weeks during March. All vulnerabilities have since been reported to the plugins and patched.

A time-based blind SQL injection vulnerability (CVE-2020-6010) exists in versions and earlier of LearnPress, which researchers said “is very trivial to identify and exploit.” Specifically, the flaw exists in the method _get_items of the class LP_Modal_Search_Items. The method fails to sufficiently sanitize user-supplied data before using it in an SQL query. This can be exploited by an authenticated attacker by merely specially crafted request to the /wp-admin/admin-ajax.php endpoint page.

Doing so would “allow students and even unauthenticated users to retrieve the entire content of the database and steal personal information just like in any other compromised platform that has registered users (names, emails, usernames, passwords, etc…),” Herscovici told Threatpost. “Getting the administrator hash and cracking it allows the attacker to get full control over the server.”

In another flaw in LearnPress (CVE-2020-11511), the function learn_press_accept_become_a_teacher doesn’t check the permissions of the requesting user – so anyone can call the function, whether they’re a teacher or not. The privilege-escalation flaw can be leveraged by a student to upgrade to a teacher role – giving themselves access to grades, tests and more.

In versions earlier than 3.1.6 of LearnDash, researchers found an unauthenticated second order SQL injection (CVE-2020-6009), stemming from the ld-groups.php file. The file failed to sanitize user-suppled data before using it in an SQL query. Similar to CVE-2020-6010, this flaw enables attackers to access the entire content of the database and steal personal information. The flaw ranks 9.8 out of 10 on the CVSS scale, making it critical in severity.

Finally, researchers found an arbitrary file-write flaw (CVE-2020-6008) in versions earlier than 3.37.15 of LifterLMS. The flaw exists due to the insufficient validation of files during file upload; remote attackers can leverage the flaw to execute code and effectively take over the learning platforms. This flaw ranks 9.8 out of 10 on the CVSS scale, making it critical severity.

“The SQL injection is very dangerous since it allows stealing the entire database of the website with all the information, including the admin’s hashed password,” Herscovici told Threatpost. “But the most dangerous one is the arbitrary file-write (CVE-2020-6008) which allows the attacker to upload any code of their own to the server, thus instantly achieving full remote code execution.”

The flaws come as universities and colleges face unprecedented remote-work security issues, after having to send students home and set up courses online due to the coronavirus pandemic.

The threat is not hypothetical: Previously uncovered malware campaigns have targeted the education industries, including one looking to compromise a Canadian medical research university. Other schools have been hit by Zoom-bombing attacks, where attackers hijack online classes using the Zoom platform to spew hateful messages or videos. And last week, researchers said several U.S. universities were targeted in a widespread spear-phishing attack that uses adult dating as a lure. In reality, the emails spread the Hupigon remote access trojan (RAT), known to be leveraged by state-sponsored threat actors.

EFF: Google, Apple’s Contact-Tracing System Open to Cyberattacks

Malicious actors could potentially harvest data over the air and use it to shake confidence in the public-health system, EFF says.

Privacy advocates are urging developers to proceed with caution as they use technology released by Apple and Google to build COVID-19 contact-tracing apps — and are warning against the potential for cybercriminal use.

On the latter point, the system is meant to help people know if they have come into contact with someone with the novel coronavirus. But the Electronic Frontier Foundation (EFF) warned that as it stands now, there’s no way to verify that the device sending the contact-tracing information out is actually the one that generated it. Thus, malicious actors could potentially harvest the data over the air and then rebroadcast it, undermining the system entirely, researchers said.

Threatpost has reached out to Apple and Google for comment on the security concerns and will update this post with any response.

EFF also reiterated its privacy concerns, and said that to protect the integrity of people using the apps, the program must “sunset” once the COVID-19 crisis is over, lest the technology be used to infringe upon personal privacy going forward without just cause.

“The apps built on top of Apple and Google’s new system will not be a ‘magic bullet’ techno-solution to the current state of shelter-in-place,” EFF staff technologist Bennet Cyphers and director of research Gennie Gebhart said, in a post on Tuesday on the organization’s blog. “Their effectiveness will rely on numerous tradeoffs and sufficient trust for widespread public adoption. Insufficient privacy protections will reduce that trust and thus undermine the apps’ efficacy.”

Apple and Google’s Contact-Tracing System

The EFF’s advice comes on the heels of an unprecedented step by Apple and Google to team up so that developers can build contact-tracing apps that will work across both platforms.

The plan hinges on the use of decentralized Bluetooth technology in smartphones. Any Android or iOS user who has opted in, is assigned an anonymous identifier beacon, which will be transmitted to other nearby devices via Bluetooth. This is similar to a Bluetooth signal tracing technique used by Singapore in a coronavirus tracking app called TraceTogether, rolled out in March.

When two people who have opted into the contact tracing are in close contact for a certain period of time, their phones will exchange their anonymous identifier beacons, otherwise  rolling proximity identifiers (RPIDs). If one of the two is later diagnosed with the coronavirus, that infected person can enter the test result into an app, such as a compatible app from a public health authority.

Then, the infected person can consent to uploading the last 14 days of his or her broadcast beacons to the cloud. Any other person who has been in close proximity to someone infected will then be notified via the phone that an exposure to someone who has tested positive for coronavirus took place.

Security and Privacy Worries

A top security issue at this point, according to the EFF, is that there is currently no way to verify that the device sending an RPID is actually the one that generated it, so trolls could collect RPIDs from others and rebroadcast them as their own.

“Imagine a network of Bluetooth beacons set up on busy street corners that rebroadcast all the RPIDs they observe,” Cypher and Gebhart wrote. “Anyone who passes by a ‘bad’ beacon would log the RPIDs of everyone else who was near any one of the beacons. This would lead to a lot of false positives, which might undermine public trust in proximity-tracing apps—or worse, in the public-health system as a whole.”

Another concern about the proximity-tracking system proposed by Apple and Google is that it “leaves open the possibility that the contacts of an infected person will figure out which of the people they encountered is infected.” This poses a security risk, Cyphers and Gebhart said.

“Taken to an extreme, bad actors could collect RPIDs en masse, connect them to identities using face recognition or other tech, and create a database of who’s infected,” they wrote.

The plan to have infected users publicly share their once-per-day diagnosis keys – instead of just their every-few-minute RPIDs – also could expose people to what are called linkage attacks, according to the EFF.

“A well-resourced adversary could collect RPIDs from many different places at once by setting up static Bluetooth beacons in public places, or by convincing thousands of users to install an app,” according to the post. “With just the RPIDs, the tracker has no way of linking its observations together…But once a user uploads their daily diagnosis keys to the public registry, the tracker can use them to link together all of that person’s RPIDs from a single day.”

Linking together multiple RPID pings could expose users’ daily routines, such as where they live and work, leaving this information open to exploitation, Cyphers and Gebhart wrote.

To avoid some of these security issues, EFF advised developers to respect the protocol on which they’re building and not try to centralize the decentralized model that Apple and Google have presented – which keeps users’ data on their devices. This could expose people to more risk, researchers said.

“Also, developers shouldn’t share any data over the internet beyond what is absolutely necessary: Just uploading diagnosis keys when an infected user chooses to do so,” they wrote.

Developers also should exercise transparency with their users about what data the app is collecting, and how to stop it if users so wish, allow them to access the list of RPIDs they’ve received, and provide deletion capability for that contact history, Cyper and Gebhart wrote.

“The whole system depends on trust,” they said. “If users don’t trust that an app is working in their best interests, they will not use it. So developers need to be as transparent as possible about how their apps work and what risks are involved.”

The EFF is not alone in its concerns.

“The COVID-19 contact tracing applications are made with the best intentions during an unprecedented time, but like most applications that collect users’ geographic locations and PII, they have the potential to be manipulated into malicious tracking devices,”  Erez Yalon, director of security research at Checkmarx, said via email. “While speed is critical in rolling out these tracing applications, a quick-to-market process might lower the focus on security and privacy, creating more issues than solutions for end users.”

He added, “It’s imperative that before these applications are rolled out, the design will be security-centric involving threat modeling methodologies and code reviews that are conducted either manually by professionals or automatically by application security testing and software composition analysis tools. Post-release, developers must constantly test the applications for security vulnerabilities and be on high alert to deploy patches as needed to safeguard users. Given the potential data that is monitored by these applications, they’re likely to be front and center on adversaries’ target lists.”

Reserve Cyber Wing hosts 2nd annual Leadership Summit

JOINT BASE SAN ANTONIO-CHAPMAN TRAINING ANNEX, Texas – The 960th Cyberspace Wing hosted its second annual Leadership Summit here April 13-15, overcoming social distancing initiatives put into place due to COVID-19.

Originally, the event was intended to bring leaders from across the wing together at Robins Air Force Base, Georgia, to discuss the strategic alignment of the unit; however, the onset of COVID-19 caused an abrupt change in plans.

The 960th CW Commander, Col. Lori Jones, said that the summit ended up looking a lot different than what was originally envisioned.

“I was excited at the prospect of us hosting the event at Robins AFB, but that wasn’t meant to be,” Jones said. “The staff did a superb job pivoting to provide a virtual platform which allowed us to accomplish our important work and give us an opportunity to come together as a team.”

According to Jones, the purpose of this year’s leadership summit was to help reinvigorate the strategic planning process in order to lean forward in organizational maturation.

“It’s a constant journey and a unit is never quite finished maturing,” she said. “The summits we hold are an opportunity for leaders to coalesce around topics and areas we feel require our attention. We focus on our wing’s strategic plan to look at where we have come from, where we are and where we want to be.”

Maturing the wing is a top priority for senior leaders due to how new the wing is. Air Force Reserve Command activated the 960th CW Nov. 18, 2018, which was cultivated from and formerly known as the 960th Cyberspace Operations Group.

The 960th CW is the first and only cyberspace wing in AFRC.

According to the 960th CW acting command chief, Chief Master Sgt. Christopher Howard, this is significant because the wing takes the lead for AFRC in defensive cyber operations.

“Our work can be correlated to what security forces does for a base, but on a cyberspace front,” Howard said. “We monitor, secure and defend the network to ensure unauthorized access to AFRC’s most sensitive data doesn’t happen, and we do it successfully every day.”

In order to perform its mission, the 960th CW needs to maintain its trajectory and momentum by building on last year’s strategic goals, he said.

The individual charged with helping wing and unit leaders move forward in accordance with AFRC standards is Bud Boehnke, 960th CW Continuous Process Improvement Program manager.

“It was my job to carry out the strategic planning evolution during the summit and it was like running a 100 meter sprint,” Boehnke said. “The operating environment cultivated constraints which had some adverse effects, however, wing staff worked tirelessly to mitigate those and produced a platform that resembled a live, in-person Leadership Summit. I believe all expectations and goals were not only met, but also exceeded.”

According to Boehnke, strategic alignment is important not only at leadership levels, but also at the Airman level.

“Without strategic planning, an Airman is flying solo without wingmen to support course correction towards an identified target,” he said. “Strategic alignment utilizes two-way communication, problem solving and continuous improvement to align, validate and communicate headquarters, Numbered Air Force, wing and intra-wing strategies up and down the chain of command.”

By the end of the summit, the leadership team successfully determined the wing and groups’ mission statements, vision statements and the top three wing priorities.

They are as follows:

960th Cyberspace Wing

Mission statement: Provide combat-ready Citizen Airmen to dominate cyberspace.

Vision: Cyber dominance! Any time. Any place. Any domain.

Priorities:      1. Empower Airmen and families

                     2. Optimize readiness

                     3. Execute the mission

960th Cyberspace Operations Group 

Mission statement: Provide combat-ready Citizen Airmen to operate, secure and defend in cyberspace.

Vision: Cyber dominance protected by experience and innovation of Citizen Airmen.

860th Cyberspace Operations Group

Mission statement: To establish, operate, sustain and defend Air Force and Department of Defense networks globally.

Vision: Operationally minded experts delivering cyber capabilities throughout the globe.

Single Malicious GIF Opened Microsoft Teams to Nasty Attack

Now patched flaw allowed attacker to take over an organization’s entire roster of Microsoft Teams accounts.

Microsoft has fixed a subdomain takeover vulnerability in its collaboration platform Microsoft Teams that could have allowed an inside attacker to weaponize a single GIF image and use it to pilfer data from targeted systems and take over all of an organization’s Teams accounts.

The attack simply involved tricking a victim into viewing a malicious GIF image for it to work, according to researchers at CyberArk who also created a proof-of-concept (PoC) of the attack.

Microsoft neutralized the threat last Monday, updating misconfigured DNS records, after researchers reported the vulnerability on March 23.

account, they could use the account to traverse throughout an organization (just like a worm),” wrote Omer Tsarfati, CyberArk cyber security researcher, in a technical breakdown of its discovery Monday. “Eventually, the attacker could access all the data from your organization Teams accounts – gathering confidential information, competitive data, secrets, passwords, private information, business plans, etc.”

The attack involves malicious actors being able to abuse a JSON Web Token (“authtoken”) and a second “skype token”. The combination of these two tokens are used by Microsoft to allow a Teams user to see images shared with them – or by them – across different Microsoft servers and services such as SharePoint and Outlook.

The weakness is in the application programming interfaces (APIs) used to facilitate the communication between services and servers, Tsarfati said. The TL;DR version of the hack is, Microsoft validates the cookie called “authtoken” and “skype token” via * Next, researchers were able to isolate and manipulate the tokens for the PoC attack.

The “authtoken” and “skypetoken_asm” cookie is sent to – or any sub-domain under to authenticate GIF sender and receiver, Tsarfati wrote.

As part of CyberArks research, they found two insecure Microsoft subdomains “” and “” ripe for takeover.

“If an attacker can somehow force a user to visit the sub-domains that have been taken over, the victim’s browser will send this cookie to the attacker’s server, and the attacker (after receiving the authtoken) can create a Skype token. After doing all of this, the attacker can steal the victim’s Teams account data,” the research said.

“Now with both tokens, the access token (authtoken) and the Skype token, [an attacker] will be able to make APIs calls/actions through Teams API interfaces – letting you send messages, read messages, create groups, add new users or remove users from groups, change permissions in groups,” researchers wrote.

The novel aspect of this PoC is that all it takes to trigger the hack is the target of the attack viewing a malicious GIF sent by the rogue Teams user.

“The reason that Teams sets the ‘authtoken’ cookie is to authenticate the user for loading images in domains across Teams and Skype,” explained the researcher. “When the victim opens this message, the victim’s browser will try to load the image and will send the authtoken cookie to the compromised sub-domain.”

This allows the attacker to get their hands on the victim’s “authtoken” and ultimately provides a pathway to access the victim’s Microsoft Teams data.

“The fact that the victim needs only to see the crafted message to be impacted is a nightmare from a security perspective. Every account that could have been impacted by this vulnerability could also have been a spreading point to all other company accounts. The vulnerability can also be sent to groups (a.k.a Teams), which makes it even easier for an attacker to get control over users faster and with fewer steps,” researcher wrote.

Researchers said they worked with Microsoft Security Research Center after finding the account takeover vulnerability on March 23. They said Microsoft quickly deleted the misconfigured DNS records of the two subdomains, which mitigated the problem.

Nintendo Confirms Breach of 160,000 Accounts

After gamers reported unauthorized logins and purchases, Nintendo confirmed that over 160,000 accounts had been hacked.

Nintendo said over 160,000 accounts have been hacked, due to attackers abusing a legacy login system.

Over the past few weeks, Nintendo gamers have been reporting suspicious activities on their accounts. According to the complaints, aired out on Twitter and Reddit, unauthorized actors were logging into victims’ accounts and abusing the payment cards connected to the accounts to buy digital goods on Nintendo’s online stores, such as V-Bucks, in-game currency used in Fortnite.

In a Friday statement, Nintendo said that attackers have been abusing its NNID (Nintendo Network ID) legacy login system since the beginning of April to hack into the accounts. NNID was primarily used for the Nintendo 3DS handheld and Wii U console (both now discontinued). This is different from a Nintendo account, which is used for the Nintendo Switch (Nintendo’s most recent gaming console, released in 2017).

A NNID can be linked to a Nintendo account and used as a login option. If attackers were able to access a linked NNID, they could then access the linked Nintendo account. From there, they’d have access to payment methods (via PayPal or payment cards) necessary for making in-game purchases.

Nintendo did not provide further detail about how attackers had accessed NNID accounts other than to say they were “obtained illegally by some means other than our service.” It has now disabled the ability to log into a Nintendo account using NNID.

Attackers may have also been able to access users’ nicknames, dates of birth, countries and email address information, all of which were associated with the NNID, Nintendo warned. Credit card data was not accessed.

The Japanese consumer electronics giant said it is also resetting passwords for the affected accounts – but it also advised players to set up two-factor authentication to add another layer of security to their accounts.

“Users will be notified by email to reset your Nintendo Network ID and Nintendo account,” according to the translated version of the statement. “If you have already logged into your Nintendo account via your Nintendo Network ID, please log in using your registered Nintendo account email address or login ID.”

Beyond the massive install base of almost 20 million (for Nintendo Switch), the gaming community as a whole is a lucrative target for cybercriminals.

The discovery of leaked source code for two popular games – Counter-Strike: Global Offensive (CS:GO) and Team Fortress 2 – this week  led to security concerns and even calls for gamers to uninstall the software from their computers In 2019, for instance, researchers warned of a ransomware family, “Syrk,” targeting Fortnite’s enormous user base, purporting to be a game hack tool.

Threatpost has reached out to Nintendo for further comment on the hacks.

“We sincerely apologize for any inconvenience caused and concern to our customers and related parties,” according to Nintendo. “In the future, we will make further efforts to strengthen security and ensure safety so that similar events do not occur.”

Cyberattackers Ramp Up to 1.5M COVID-19 Emails Per Day

Research analyzing three months of coronavirus-themed attacks show cybercriminals adjusting threat levels to evolve with pandemic and typical employment trends.

Cyberattackers have reached a peak of sending 1.5 million malicious emails per day related to the COVID-19 pandemic over the course of the last three months, according to new research.

Research from Forcepoint analyzing coronavirus-themed attacks between Jan. 19 to April 18 found cybercriminals adjusting threat levels to evolve with pandemic and typical employment trends.

Researchers sifted through their telemetry for the keywords “COVID” and “corona” in URLs accessed directly over the web or embedded with an email, according to a blog post posted Tuesday by Stuart Taylor, senior director of X-Labs at Forcepoint.

They noticed that there was an “undercurrent of browsing requests to legitimate COVID- or coronavirus-themed URLs” beginning in mid-January, that related to either tracking sites set up to share data points or news websites, he wrote. This shows the public’s initial interest in the pandemic, and would have been the first alert to threat actors that a trend existed that could be exploited.

This activity peaked during the first two weeks in March as governments around the world began implementing lockdown efforts and employees began working remotely, according to the post. Not coincidentally, this is when threat activity began in earnest, Taylor noted.

“We saw a rise in unwanted emails (malicious, spam or phishing) containing embedded URLs using the keywords of ‘COVID’ or ‘corona,’ from negligible values in January 2020 to over half a million blocked per day the end-of-March onwards,” he wrote in the post.

During peak volumes, researchers dentified 1.5 million total COVID-related emails per day, signifying both legitimate and malicious traffic related to the current global crisis, according to Forcepoint.

Legit and Malicious Corona-Trends

Forcepoint researchers categorized the pandemic-related activity they observed in the three-month period in six ways: Legitimate web traffic, malicious web traffic, newly registered domains, legitimate email traffic, spam emails and malicious email traffic.

Each category showed specific activity trends, researchers noted. For example, public interest in COVID-19 in the form of legitimate web traffic started in January and then dipped in the three weeks following early lockdown measures in mid-March – possibly relating to so-called “news fatigue” and gradual understanding of the “new normal,” Taylor wrote. However, this activity picked up again last week.

In terms of malicious activity related to COVID-19, this began increasing noticeably in March, peaking around the middle of the month and waning as the pandemic entered the beginning of April. However, there have been spikes in malicious activity since the second week of the month that will likely continue, researchers said.

Email activity in particular has followed this trend in all three categories, Taylor wrote. Legitimate emails concerning COVID-19 ramped up in March, declined slightly, and then picked up again after the Easter and Passover holidays, he said.

Scammers also increased spam-email activity in mid-March to make adjustments to existing spambots, with more than half a million scams per day blocked by Forcepoint X-Labs from mid-March onwards, Taylor said. This trend also declined during respective periods of Easter and Passover, which is typical behavior.

Malicious email activity, like spam, also was significantly higher than normal during this period, researchers observed.

“Traditionally, the number of malicious emails seen per day through Forcepoint Cloud Email Security solutions are orders of magnitude less than the number of observed spam emails,” Taylor wrote. “The same can be said of COVID and coronavirus-themed malicious emails.”

The largest increase in malicious email activity happened in the week March 23, with a 35 percent increase in these types of emails over the final working day of the previous week, he noted.

“The first week of April saw a significant decline but the number of malicious emails has increased ever since,” Taylor wrote.

Researchers expect to continue to see a surge in COVID-19-related email- and Web-based attacks as the pandemic and lockdown efforts continue, he added.

A Pattern of Campaigns

Indeed, threat actors have taken good advantage of the coronavirus pandemic and people’s interest in information related to COVID-19, particularly through email- and web-based threats.

For instance, one recent campaign used socially engineered emails promising access to important information about cases of COVID-19 in the receiver’s local area. The mails evaded top email-detection software to spread malware stealing the user’s Microsoft log-in credentials.

Another spearphishing campaign used emails claiming to be from the World Health Organization to send an attachment that unleashes the infostealer LokiBot.

How Hackers Take Advantage of a Crisis

While people are focused on maintaining their physical and fiscal health, there’s another threat they’re likely not considering — a digital one. It should come as no surprise that cyber criminals are taking advantage of current events to profit, but companies and individuals need to do more to protect themselves. It’s time to ramp up your cybersecurity efforts to protect your data and users.

The most common exploits against businesses are as follows:

  • Phishing with crisis-related content
  • Ecommerce fraud leveraging “in-demand” wholesale products
  • Pandemic-related phone scams

Tried-and-true phishing scams are just one method that scammers employ. When victims open their inboxes to see messages purportedly from their financial institutions or even employers, they want to act quickly to avoid any unwanted consequences. However, the links in those messages bring phishing victims to sites that imitate those institutions — sometimes shockingly well. When the victim types their credentials into the login form, they are not signed into a trusted website. Instead, their information is sent to the scammer who can then access the user’s account, including private and financial information, on the legitimate website.

Related: The One Cybersecurity Risk You’re Probably Not Even Thinking About

Cyber criminals use email for another type of attack, one in which they purport to be from a medical organization such as the World Health Organization or the Johns Hopkins Center for Systems Science and Engineering. Although both organizations are legitimate and have been tracking the global health crisis, these emails do not contain the helpful information that the recipient might expect. Rather, the attachments contain malware that infects the victim’s computer. These infections can track the victim’s computer usage, steal sensitive data or use the infected system to spread to other computers, as was the case with malware known as AZORuIt that began circulating in early February 2020, Proofpoint reports.

In some instances, the malware might hijack the user’s system until they pay an exorbitant fee to “unlock” their data. Of course, there is no promise that cyber criminals will make good on their word or that the malware will be fully removed from an infected computer. However, many victims are willing to pay the price because they lack backups or the tools to restore the data themselves. The risk of malware is even greater with so many people now working remotely to promote social distancing. Employees transfer others’ sensitive data from devices and over connections that may have more vulnerabilities than company devices and systems.

Where do these attacks originate? Cybersecurity firm FireEye has detected increased activity in China, North Korea and Russia, and users in the U.S., Europe and Iran are frequent targets. Research shows a spike in domain name purchases that relate to current events since late February — domains that could be used in phishing attacks — according to research by Recorded Future.

These cyber criminals don’t even need to be skilled and experienced programmers, either. Resecurity, an American cybersecurity company, reports that one Russian hacking forum, XSS, even sells “phishing kits” that would-be scammers can deploy against their targets for just a few hundred dollars. That’s a small price to pay for the potential payoff.

Although the World Health Organization has released an advisory about these cyber attacks, most people are concerned about the risks of the illness in the physical world. IT teams and companies have worked to increase awareness of these attacks, but it might already be too late for people who have fallen prey to such scams. These digital infections can take hold before anyone is aware.

Your final checklist of what to look out for:

  1. Fraudulent emails, seemingly coming from your bank, or healthcare provider asking you to take action via the email (log-in, open attachments, etc.)
  2. Offers or opportunities to acquire in-demand solution products for resale
  3. Unusual “opportunities” being proposed
  4. Phone scams from the government or other industries

Be safe out there.

Some experts doubtful enough Americans will get on board with new contact tracing system

WASHINGTON (SBG) — Going from competitors to collaborators, Apple and Google are launching a Bluetooth contact tracing system for coronavirus cases that some are concerned won’t be effective.Some experts doubtful enough Americans will get on board with new contact tracing system

The voluntary system will run through public health applications to keep track of who is infected with the virus and notifies other people who were in their proximity.

The system is set to launch next month, and some estimate it could be used in over three billion phones worldwide.

“Tracking will raise a lot of privacy questions even though honestly, it’s the only way that we can get out of this, by testing and tracking,” said MIT Professor Yossi Sheffi.

Apple and Google stated they are prioritizing user privacy. If a person doesn’t want their data shared, they shouldn’t download a public health application that uses the system.

Experts say for the system to be effective, the majority of the population has to participate.

“Most of the experts I’ve talked to said you need probably 75% of your population,” said cyber and terrorism analyst Brad Garrett. “So if you were in, for example, Washington, D.C. metropolitan area has maybe five or six million people total, could you get 75% of them to download an app? My guess is no.”

Other countries, like China, have implemented GPS-based surveillance systems. Sheffi believes Americans are less likely than people in other countries to agree to participate in this kind of surveillance.

“There are countries like Sweden, where people just trust the government and they trust the government does the right thing,” said Sheffi. “We are not exactly in this situation.”

Google and Apple state there will be no names or locations exchanged. Still, the hope is enough Americans will give up some privacy if it means stopping the spread of the virus.

Garrett is not optimistic this will be the case.

“People are generally a little wary of both Google and Apple as far as privacy,” said Garrett. “I’m not optimistic you’re ever gonna get a big enough group of people to do it to make it effective.”

Alleged Zoom Zero-Days for Windows, MacOS for Sale, Report

Alleged Windows flaw allows for remote code execution and is being flogged for $500,000.

Hackers claim they have discovered two zero-day vulnerabilities for the Zoom video conferencing platform that would allow threat actors to spy on people’s private video conferences and further exploit a target’s system.

Flaws target Zoom clients for the Windows and the MacOS operating system, according to a published report by Vice Motherboard. According to the report, the hackers are asking $500,000 for the Windows exploit. The article cites two unnamed cybersecurity zero-day brokers who claim hackers have approached them in an attempt to sell the zero-day code.

It’s important to note, the Motherboard report states brokers have not reviewed the actual zero-day code and are basing opinion on what hackers are claiming to have for sale. According to the article, hackers allege the Windows-based exploit is a Remote Code Execution that would need to be chained to an additional exploit to infiltrate a target’s system. As for the macOS-base Zoom zero-day,  it can only be executed locally, meaning it is not a RCE-class bug, according to the report.

In a statement to Motherboard, Zoom said it could not find evidence substantiating the claims made by the publication. One of the Motherboard sources speculated the hackers behind the alleged exploits are “just kids who hope to make a bang”.

The Windows code could a significant threat to Zoom users, according to experts quoted by Motherboard. “[It is] a nice, a clean RCE perfect for industrial espionage.”

The Windows-based zero-day exploit includes an additional prerequisite that requires the attacker to be a Zoom meeting participant with its target to launch the alleged attack.

Earlier this month, Zoom did patch two zero-day flaws in its macOS client that could give local, unprivileged attackers root privilege allowing access to victims’ microphone and camera.

Zoom Woes Have Been Mounting 

There is already evidence that Zoom enterprise and business users have been compromised by hackers. Last week, researchers uncovered a database shared on an underground forum containing more than 2,300 compromised Zoom credentials, including usernames and passwords for Zoom corporate accounts belonging to banks, consultancy companies, educational facilities, healthcare providers and software vendors.

News of the vulnerabilities is the latest issue to plague Zoom since a surge in its use over the last month or so since governments around the world issued stay-at-home orders in the wake of the COVID-19 pandemic. Usage of the video-conferencing service has skyrocketed as millions have turned to the free platform to connect with friends, host work meetings, attend school lessons and do myriad other online activities.

ZoomBombing became the initial way hackers would break into video conferences, using the ease with which they could access links to Zoom conferences and jump on calls uninvited to disrupt them with pornography, hate speech or even physical threats to users.

Zoom eventually made a tweak to its user interface by removing meeting ID numbers from the title bar of its client interface to mitigate the attacks from threat actors. Before the tweak, anyone could join a Zoom meeting if they knew the meeting link, which many users would send via social-media channels.

A raft of other security threats emerged soon after, forcing Zoom to take action to mitigate and eliminate these threats. Zoom eliminated a feature called LinkedIn Sales Navigator that came under fire for “undisclosed data mining” of users’ names and email addresses, which the service used to match them with their LinkedIn profiles.

The company is currently facing a class-action lawsuit filed last week by one of its shareholders which alleges that the company made “materially false and misleading statements” that overstated its privacy and security measures, and claims that Zoom didn’t disclose its lack of end-to-end encryption.

All of these mounting woes inspired Zoom last week to recruit an industry heavy-hitter – former Facebook CISO Alex Stamos – to provide special counsel as well as name third-party expert security advisory teams to help clean up its act.

April Patch Tuesday: Microsoft Battles 4 Bugs Under Active Exploit

Microsoft issued 113 patches in a big update, unfortunately for IT staff already straining under WFH security concerns.

Microsoft has released its April 2020 Patch Tuesday security updates, its first big patch update released since the work-from-home era truly got underway. It’s a doozie, with the tech giant disclosing 113 vulnerabilities.

Out of these, 19 are rated as critical, and 94 are rated as important. Crucially, four of the vulnerabilities are being exploited in the wild; and two of them were previously publicly disclosed.

In all, the update includes patches for Microsoft Windows, Microsoft Edge (EdgeHTML-based and the Chromium-based versions), ChakraCore, Internet Explorer, Microsoft Office and Microsoft Office Services and Web Apps, Windows Defender, Visual Studio, Microsoft Dynamics, and Microsoft Apps for Android and Mac. They run the gamut from information disclosure and privilege escalation to remote code execution (RCE) and cross-site scripting (XSS).

Microsoft has seen a 44 percent increase year-over-year in the number of CVEs patched between January to April, according to Trend Micro’s Zero Day Initiative (ZDI) – a likely result of an increasing number of researchers looking for bugs and an expanding portfolio of supported products. In March, Patch Tuesday contained 115 updates; in February, Microsoft patched 99 bugs; and in January, it tackled 50 flaws.

Also for this week, Oracle patched a whopping 405 security vulnerabilities – while on the other end of the spectrum, Adobe went light, with only five CVEs addressed for April.

Bugs Under Active Exploit

On the zero-day front, Microsoft patched CVE-2020-0968, a critical-level memory-corruption vulnerability in Internet Explorer that was exploited in the wild. The bug allows RCE, and exists due to the improper handling of objects in memory by the scripting engine.

“There are multiple scenarios in which this vulnerability could be exploited,” Satnam Narang, principal research engineer at Tenable, told Threatpost. “The primary way would be to socially engineer a user into visiting a website containing the malicious code, whether owned by the attacker, or a compromised website with the malicious code injected into it. An attacker could also socially engineer the user into opening a malicious Microsoft Office document that embeds the malicious code.”

Chris Hass, director of information security and research for Automox, told Threatpost that CVE-2020-0968 is a perfect vulnerability for use for drive-by compromise.

“If the current user is logged in as admin, an attacker could host a specially crafted website, hosting this vulnerability, once the unpatched user navigates the malicious site, the attacker could then exploit this bug, allowing the attacker to gain remote access the host,” he explained. “This bug would allow the attacker to view, change, delete data or even install ransomware.”

Although the scope of this vulnerability is somewhat limited because IE has seen a steady decline in user-base, it still remains an attractive vector for cybercriminals, Hass added.

Meanwhile, two of the actively exploited bugs are important-rated RCE issues related to the Windows Adobe Type Manager Library.

The first, CVE-2020-1020, was already made public. It arises because the library improperly handles a specially-crafted multi-master font, the Adobe Type 1 PostScript format.

“Attackers can use this vulnerability to execute their code on affected systems if they can convince a user to view a specially crafted font,” according to Dustin Childs, with ZDI, in a Patch Tuesday analysis. “The code would run at the level of the logged-on user.”

The related bug is the zero-day CVE-2020-0938, an RCE vulnerability that impacts an OpenType font renderer within Windows. Again, an attacker could execute code on a target system if a user viewed a specially crafted font.

Though the two are related, “there is currently no confirmation that the two are related to the same set of in-the-wild attacks,” Narang told Threatpost. As for attack vector, “to exploit these flaws, an attacker would need to socially engineer a user into opening a malicious document or viewing the document in the Windows Preview pane,” he added.

Both of these bugs have been used for Windows 7 systems – and Childs noted that not all Windows 7 systems will receive a patch since the OS left support in January of this year.

The final actively exploited bug – also not previously publicly disclosed – is CVE-2020-1027, which exists in the way that the Windows Kernel handles objects in memory. “An attacker who successfully exploited the vulnerability could execute code with elevated permissions,” according to Microsoft, which labeled the flaw “important.”

To exploit the vulnerability, a locally authenticated attacker would need to run a specially crafted application.

Other Priority Patches

Microsoft also patched several notable other bugs that researchers said admins should prioritize in the large update.

CVE-2020-0935 is the second previously disclosed issue, an important-rated privilege-elevation vulnerability found in OneDrive for Windows. It exists due to improper handling of symbolic links (shortcut links), and exploitation would allow an attacker to further compromise systems, execute additional payloads that may need higher privileges to be effective, or gain access to personal or confidential information that was not available previously.

“An attacker that has gained access to an endpoint could use OneDrive to overwrite a targeted file, leading to an elevated status,” Hass told Threatpost. “OneDrive is extremely popular and often installed by default on Windows 10. When you combine this with remote work, and the ever-growing use of personal devices for remote work, it makes the potential scope for this vulnerability pretty high.”

ZDI’s Childs also flagged an important-rated Windows DNS denial-of-service (DoS) bug, CVE-2020-0993, which affects client systems.

“An attacker could cause the DNS service to be nonresponsive by sending some specially crafted DNS queries to an affected system,” Childs wrote. “Considering the damage that could be done by an unauthenticated attacker, this should be high on your test and deploy list.”

Another, CVE-2020-0981, is an important-rated Windows token security feature bypass vulnerability that comes from Windows improperly handling token relationships in Windows 10 version 1903 and higher.

“It’s not often you see a security feature bypass directly result in a sandbox escape, but that’s exactly what this bug allows,” Childs explained. “Attackers could abuse this to allow an application with a certain integrity level to execute code at a different – presumably higher – integrity level.”

Critical SharePoint Bugs

SharePoint, a web-based collaborative platform that integrates with Microsoft Office, is often used as a document management and storage system. The platform saw its share of critical problems this month, including four critical RCE bugs, which arise from the fact that the software does not check the source markup of an application package, according to Microsoft’s advisory.

The bug tracked as CVE-2020-0929 paves the way for RCE and affects Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2010 Service Pack 2, Microsoft SharePoint Foundation 2013 Service Pack 1 and Microsoft SharePoint Server 2019.

A second critical bug (CVE-2020-0931) also would allow RCE; it affects Microsoft Business Productivity Servers 2010 Service Pack 2, Microsoft SharePoint Enterprise Server 2013 Service Pack 1, Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 Service Pack 1, and Microsoft SharePoint Server 2019.

Yet another RCE problem (CVE-2020-0932) impacts Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 Service Pack 1 and Microsoft SharePoint Server 2019; and CVE-2020-0974 affects Microsoft SharePoint Enterprise Server 2016 and Microsoft SharePoint Server 2019.

For all of the RCE bugs, “an attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account,” Microsoft said in the individual bug advisories. An attacker could exploit any of them by uploading a specially crafted SharePoint application package to an affected version of SharePoint.

SharePoint also harbors a fifth critical bug, CVE-2020-0927. This is an XSS flaw that affects Microsoft SharePoint Server 2019 and Enterprise Server 2016 and would allow spoofing.

Not One to Skip Amidst WFH

Even though IT and security organizations are already strained with the added stress of the sudden shift to remote working in the face of the coronavirus pandemic, April’s Patch Tuesday is not one to skip, Richard Melick, senior technical product manager at Automox, told Threatpost — least of all given the four actively exploited bugs.

“From increasingly diverse technological environments to a list of unknown connectivity factors, IT and SecOps managers need to create a deployment plan that addresses today’s zero-day, exploited and critical vulnerabilities within 24 hours and the rest within 72 hours in order to stay ahead of weaponization,” he advised. “Hackers are not taking time off; they are working just as hard as everyone else.”

Melick also said that the consequences of exploitation could be exacerbated given the work-from-home (WFH) lapses in security that may be present.

“With today’s remote workforce environment and the necessity of sharing documents through email or file share, all it takes is one phishing email, malicious website or exploited document to open the door for an attacker,” he said. “Once in, a malicious party would have the ability to modify data, install backdoors or new software, or gain full user rights accounts. While older versions of Windows are more susceptible to both exploits, the adoption rate of Windows 10 is only a little above 50 percent, leaving more than enough targets for attackers.”

Teams should be ready for plenty of overhead in terms of the patching work involved, added Jonathan Cran, head of research at Kenna Security.

“Given the shift to remote work for many organizations in combination with the current patch load from Oracle’s update earlier this week and what looks like a backlog of patching, this looks like a busy month for many security teams,” Cran told Threatpost. “We have yet to see how work from home impacts patching rates, but for security teams, installing numerous patches on remote employee laptops, likely via a corporate VPN to the Windows Server Update Services or Microsoft System Center Configuration Manager, will be a resource- and time-intensive endeavor.”