March 23, 2020

Cisco issues urgent fixes for SD-WAN router flaws

By John E Dunn

Cisco has patched a clutch of high-priority vulnerabilities in its SD-WAN routers and their management software that admins will want to apply as soon as possible.

SD-WAN is a technology that allows large companies to manage different types of Wide Area Network (WAN) communications links such as carrier MPLS, conventional broadband, and mobile 4G as a single virtual entity.

Making SD-WAN work requires specific routers that support it, spread out across the WAN, as well as management software to interact with this infrastructure. It is this software that is vulnerable.

There are five CVEs in total, three of which are rated high, including one, CVE-2020-3266, given a CVSS severity score of 7.8.

The latter is a privilege escalation vulnerability in the SD-WAN management software used with a range of Cisco routers, including the vEdge 100 Series, 1000 Series, 2000 Series, 5000 Series, and Cloud Router.

Read more at https://nakedsecurity.sophos.com/2020/03/23/cisco-issues-urgent-fixes-for-sd-wan-router-flaws/

Tour guide/Chinese spy gets four years for SD card dead drops

By Lisa Vaas

A naturalized US citizen who was working as a tour guide in San Francisco has been sentenced to four years in prison for being a Chinese spy.

Last Tuesday, 56-year-old Xuehua (Edward) Peng, also known as Edward Peng, was sentenced in US District Court in San Francisco and ordered to pay a $30,000 fine for acting as an agent of the People’s Republic of China’s Ministry of State Security (MSS).

The MSS instructed an agent – a double agent working for the FBI, as it turns out – to dead-drop SD cards full of classified data at various hotels. (“Dead drop” is spy-speak for techniques to pass information or items between two individuals using a secret location, so they never meet, to thereby keep the lid on the operation.)

What classified information was on those cards, and from what government agency, private business or government contractor was it copied? The US isn’t saying.

According to the criminal complaint, Peng’s undoing started in March 2015, when the FBI planted its double agent in the MSS. The double agent met with MSS intelligence officers and handed over classified information relating to US national security, for which he was paid.

At one point, the spy bosses told the double agent that they had a new way to pass classified information: on an SD card, stuck in a book, wrapped in a bag addressed to “Ed”, and left at the front desk of a hotel in Newark, California.

Ed’s reliable, he’s got family in China, and he’s had business dealings in China, the MSS agents told the FBI mole.

Peng pleaded guilty in November 2019. According to his plea agreement, Peng, who lives in Hayward, California, admitted that in March 2015, a Chinese official introduced himself while Peng was on a business trip to China. The official – whom Peng eventually figured out was working for the MSS – asked Peng to use his citizenship in the US to assist the official with “matters of interest” to the PRC.

Read more at https://nakedsecurity.sophos.com/2020/03/23/tour-guide-chinese-spy-gets-four-years-for-sd-card-dead-drops/

Stolen data of company that refused REvil ransom payment now on sale

By Lisa Vaas

Operators of the Sodinokibi (aka Sodin or REvil) Ransomware as a Service (RaaS) recently published over 12GB of data that allegedly belongs to one of its victims – Brooks International – that refused to pay ransom.

As if that weren’t bad enough, cyber-intelligence firm Cyble told BleepingComputer that it’s seen the data up for sale on hacking forums.

RaaS is the malware for lazy crooks who just want to launch attacks at the press of a button: it enables novice cybercriminals to build automated campaigns using third-party kits sold on the dark web. They don’t have to break a sweat by learning about malware, teaching themselves how encryption works, writing ransomware code, running an anonymous webserver on Tor to collect the loot, distributing decryption keys, or otherwise getting their hands dirty with technical details.

Sodinokibi – a GandCrab derivative blamed for numerous attacks that took place last year – is a prime example of RaaS.

BleepingComputer shared a screengrab of one such hacker forum post that showed a member advertising a link to the stolen data for 8 credits: that’s worth about €2 (USD $2.15, £1.72).

Brooks International is a global professional services firm that says it’s got clients in all industries and sectors. The data dump, if it proves legitimate, will prove highly valuable to cybercrooks, as it contains usernames and passwords, credit card statements, alleged tax information, and far more, according to BleepingComputer.

Read more at https://nakedsecurity.sophos.com/2020/03/23/stolen-data-of-company-that-refused-revil-ransom-payment-now-on-sale/

Firefox is dropping FTP support

By Danny Bradbury

Heads up, Firefox users who rely on FTP: the browser is eliminating support for this venerable protocol.

First written in 1971, the file transfer protocol predates TCP/IP, the protocol stack that underpins the modern internet. In its original form, the protocol is insecure. For example, it transmits login credentials in plain text. In 1999, the IETF published a draft RFC listing its various shortcomings. These included everything from problems in the way it responded to invalid login attempts through to an inability to segment file permissions when using anonymous FTP (which doesn’t require user credentials at all).

Now, Mozilla is planning to turn off FTP by default in version 77 of Firefox, which will ship this June. Users will be able to turn it on again temporarily so that they can carry on using FTP from within the browser. Firefox Extended Support Release (ESR) will continue to have FTP turned on by default in ESR version 78.

The real crunch will come at the start of next year, when, according to Michal Novotny, a software consultant at Mozilla, the Foundation will remove FTP code from the browser altogether. He added:

“We’re doing this for security reasons. FTP is an insecure protocol and there are no reasons to prefer it over HTTPS for downloading resources.

“Also, a part of the FTP code is very old, unsafe and hard to maintain and we found a lot of security bugs in it in the past.”

Read more at https://nakedsecurity.sophos.com/2020/03/23/firefox-is-dropping-ftp-support/

Trolls ZoomBomb work-from-home videocall with filth

By Lisa Vaas

With so much of the world self-isolating, physically distancing themselves from others and remotely working from home, people are flocking to remote-work apps such as Microsoft, Slack and Zoom – anything that can make them feel connected by teleconference or videoconference.

Well, hang on to your hats, hosts: before you set up meetings, you need to know how to block the trolls. Specifically, if you’re using the Zoom videoconferencing app to connect people, you need to configure meetings so your participants don’t wind up connecting to the closest receptacle as their guts suddenly start to churn.

I’m talking about ZoomBombing: a new form of trolling in which asshats use Zoom’s screensharing feature to scorch other viewers’ eyeballs with the most revolting videos they can find, be they violent, pornographic, or a mixture of multiple revolting ingredients into a bile-rising cocktail.

As TechCrunch reports, on Tuesday, WFH Happy Hour – a popular daily public Zoom call hosted by The Verge reporter Casey Newton and investor Hunter Walk – got ZoomBombed. Dozens of attendees were suddenly exposed to disturbing imagery when a troll entered the call and screenshared a brain-scorching fetish video along with other “horrifying” sexual videos, Josh Constine reports.

Read more at https://nakedsecurity.sophos.com/2020/03/20/trolls-zoombomb-work-from-home-videocall-with-filth/
