image
Patrick Domingues
Vulnerabilities

Hackers Bypassing cPanel 2FA All Day Long

Researchers have discovered quite a big issue with cPanel which Hackers can exploit your 2FA authentication to obtain access to your cPanel Hosting service. 

 

 

What was found by Digtial Defense, Inc.

Digital Defense, Inc., a leader in vulnerability and threat management solutions, today announced that its Vulnerability Research Team (VRT) uncovered a previously undisclosed vulnerability affecting the cPanel & WebHost Manager (WHM) web hosting platform.” reads the post published by Digital Defense. “c_Panel &WHM version 11.90.0.5 (90.0 Build 5) exhibits a two-factor authentication bypass flaw, vulnerable to brute force attack, resulting in a scenario where an attacker with knowledge of or access to valid credentials could bypass two-factor authentication protections on an account.”

This exploitation can have a big impact towards web hosting providers and the 70 million domains around the world if not dealt with quickly. However there is some good news even though they can by pass the 2FA they will still need the correct credentials to log into the account. But as you know Hackers will turn around and start using  some sort of brute force attack.

 

“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute force techniques.” reads a security advisory released by the company. “Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk.”

What to do?

Take this opportunity to not procrastinate and update cPanel to either of the following versions or later.

  • 11.92.0.2
  • 11.90.0.17
  • 11.86.0.32

Leave a Reply

g

Have you asked yourself, are you doing enough to protect your business and from phishing attacks? if your second guessing yourself you are most likely have been or going to be a victim of a phishing attack. Read these shocking phishing facts you may or may not know–and how these facts may apply to your own vulnerability against a phishing attack.

 

 

Interesting Phishing Facts

Phishing Fact Source
33% of breaches included social attacks Verizon Data Breach Investigations Report (DBIR) 2019
65% of attacker groups used spear phishing as the primary infection vector Symantec Internet Security Threat Report (ISTR) 2019
29% of breaches involved use of stolen credentials Verizon Data Breach Investigations Report (DBIR) 2019
48% of malicious email attachments are Office files Symantec Internet Security Threat Report (ISTR) 2019
94% of malware was delivered via email Verizon Data Breach Investigations Report (DBIR) 2019
32% of breaches involve phishing Verizon Data Breach Investigations Report (DBIR) 2019
64% of organizations have experienced a phishing attack in the past year Check Point Research Security Report 2018
22% of organizations see phishing as their greatest security threat EY Global Information Security Survey 2018
77% of IT professionals feel their security teams are unprepared for today’s cybersecurity challenges Check Point Research Security Report 2018
34% of organizations see careless or unaware employees as a vulnerability EY Global Information Security Survey 2018
59% of phishing attacks in the Americas relate to finance NTT Security Global Threat Intelligence Report  2018
85% of organizations say their security reporting does not meet their expectations EY Global Information Security Survey 2018
59% of companies consider ransomware to be their biggest threat Check Point Research Security Report 2018
70% of breaches associated with a nation-state or state-affiliated actors involved phishing Verizon Data Breach Investigations Report (DBIR) 2018
71.4% of targeted attacks involved the use of spear-phishing emails Symantec Internet Security Threat Report 2018
66% of malware is installed via malicious email attachments Verizon Data Breach Investigations Report (DBIR) 2017
49% of non-point-of-sale malware was installed via malicious email Verizon Data Breach Investigations Report (DBIR) 2018
43% of all breaches included social tactics Verizon Data Breach Investigations Report (DBIR) 2017
93% of social attacks were phishing related Verizon Data Breach Investigations Report (DBIR) 2017
64% of organizations have experienced a phishing attack in the past year Check Point Research Security Report – 2018
28% of phishing attacks are targeted Verizon Data Breach Investigations Report (DBIR) 2017
21% of ransomware involved social actions, such as phishing Verizon Data Breach Investigations Report (DBIR) 2017
Finance faced 59% of phishing attacks in the Americas. NTT Security – Global Threat Intelligence Report  2018
74% of cyber-espionage actions within the public sector involved phishing Verizon Data Breach Investigations Report (DBIR) 2018
82% of manufacturers have experienced a phishing attack in the past year Check Point Research Security Report  2018

 

Did you know that 81% of Data Breaches happen due to poor password practices and one of are due to human errors like password sharing which can lead to massive data breaches.

I’m sure your open minded just like me and when you read these statics it will provide the criticality of password security in today’s date:

  • Did you know that 81% of the data breaches have been reported because of poor password security.
  • Fun fact, by the end of 2020, password usage across the globe will grow by 300 billion. 
  • Just about 25% of employees use the same password for all their login credentials.
  • About 61% of companies have accounts with non-expiring user passwords.
  • Around 54% of the small and medium-sized businesses don’t check up on their employee password practices.


Do Not Share Your Work Password.

How would you feel giving your personal password to someone? You wouldn’t do it right? What you have is private. Well it’s the same thing with a company password. Their data is important and private which you have to protect. Here’s the other aspect of it… You plain and simple, just can’t trust people to keep it secure. If your organization lacks cyber security awareness training should make it even more of a red flag to not share your password. You must keep an open mind and realize that the person you shared your password with could do something malicious with your email or even use your account to bring down the company to get you fired. The purpose of using a password is to safeguard data or sensitive information from unauthorized access. Can you imagine if your one of those companies that use the same account and password for all the computers, what can actually happen when a hacker gets in? You just gave them the keys to the kingdom without even a fight. Management also needs to get onboard and create a positive culture around security, trust me it will benefit everyone. 

 

What can we do?

  1. Single sign-on (SSO)

    Each User have their own SSO. SSO is an authentication scheme that allows users to use a single ID and password to access multiple corporate software and applications. An employee can use one password to access dozens of enterprise login accounts at the same time.

  2. Cyber Security Awareness Training

    Every organization must provide security awareness training to its employees in order to understand the basic cybersecurity practices and how they must be followed in their day to day life.

What is this Digital Weapon?

This type of weapon is called Malicious Software or for short Malware. This type of software is designed intentionally to hurt and infect your network and computers and their are many type in the wild.

Types of Digital Weapon Threats

There are many types of malware however the weapons mostly used today are not directly installed on your device but instead hackers use loopholes that they exploit to launch scripts.

What is Malware?

What are the types of digital weapon payloads?   

  • Social Engineering: 

When an attacker manipulates the user to extract sensitive information for personal gains, it is known as social engineering. Sometimes the malicious links or malicious files are sent to the victim during social engineering. As soon as the victim clicks on the malicious link or downloads the malicious file, the malware gets installed in the victim’s device.

  • Email: 

The attacker sends lucrative emails that tempt the user to click on the link provided in the email. As soon as the link is clicked, the malware gets downloaded itself in the background and infects the user’s PC.

  • Website cookies: 

Malware tampers web cookies. Thus, when you open a genuine site, this malicious cookie triggers and redirects you to the malicious sites. Thus, these sites may extract information or can download the malware into your system.

  • Planted Removable Medias: 

Sometimes the attacker intentionally plants the removable media with malware loaded in it to tempt the victim to check its data. As soon as you will plug it in your system, the malware will be automatically installed and will end up infecting your device.

What are the types of Malware?

As you discovered previously the malware is categorized and named based on the way these hackers infect the systems. Which more details can be found below: 

  • Worm: 

Worms exploit your operating system. These types of malicious software use your network bandwidth, steal your data, and send it to the attacker. It has the property to self-replicate and thus, it copies itself through the network.

  • Trojan Horse: 

Trojan Horse is that comes attached to a normal file. Trojan malware disguises itself in the necessary files and then sends the data of your device to the attacker.

  • Spyware: 

This extracts important credentials of data from a user’s device and sends it to the attacker. This kind of malware exploits the vulnerabilities in the software.

  •  Ransomware: 

This is a kind of malicious software that infects the victim’s device by encrypting its data. The data can only be decrypted with a key that is provided by the attackers once you pay the ransom amount to them. Thus, it is advisable to keep backup of your data.

  • Adware: 

Adware is a kind of malicious software that is injected into the victim’s device using the advertisement pop-ups of needful software. Pop-ups of urgent requirements of antivirus, malware remover, etc. are embedded with the malicious link. As soon as the victim clicks on the link, the malicious file is downloaded in his/her system and infects the device.

  •  Virus:

This is a kind of malicious software that steals information and credentials of the user. The virus is also sometimes used to make the victim a bot. It can self-replicate itself but it cannot be transferred to the other device without human intervention. It can be attached to a document, mail attachments, scripts, etc.

7 Prevention Tips

  1. Never click on random links as they may end up infecting your system.
  2. Do not click on any link unless provided by the trusted source. 
  3. Always keep your computers patched up with latest updates. 
  4. Change your passwords and check your passwords.
  5. Do not open emails and attachments from unknown senders. 
  6. Do not plug in random USBs drives found laying around form public places.
  7. Take Cyber Security Awareness Training.

Below you will be provided details on how to resolve the access denied to the CD/DVD RW drive. This should also resolve users not being able to access blank DVD’s or CD’s to burn them.

Just follow the instructions to permit the fix CD/DVD access denied issue in Windows:

1. Go to Start >> Run >> type ‘regedit‘ and hit enter.

2. Navigate to Hkey_local_machine\SYSTEM\CurrentControlSet\Control\Class{4D36E965-E325-11CE-BFC1-08002BE10318}

3. Right clicked, then on right panel click new, then create two new key D-word.
Then rename it to Properties. In Properties create two new dwords

  • a. Name: DeviceType
    Type: reg_dword
    Hex Value: 00000002

  • b. Name: DeviceCharacteristics
    Type: reg_dword
    Hex Value: 00000100


4. Most important: uninstall the driver of cd/dvd from Device manager.

5. Restart. Scan for New Hardware.

6. Problem Solved.


At some point you may run into an issue “The trust relationship between this workstation and the primary domain failed” and here are a few steps to rejoin domain using CMD.

  1. Have the ability to log in with a local Administrator account, For EX: by typing, “.\Administrator” in the login window. If you’re creative and resourceful you can hack your way in without the password.


  2. Now you need to make sure that netdom.exe is working. Netdom.exe depends on what version of Windows you’re running. With Windows Server 2008 and Windows Server 2008 R2 netdom.exe needs to be enabled in the Active Directory Domain Services role. On Windows Vista and Windows 7 you will have to get it from Remote Server Administration Tools (RSAT). Google can help you get them. For other platforms see this link: http://technet.microsoft.com/en-us/library/ee649281(WS.10).aspx


  3. Oce step 1 and 2 are done we can run netdom.exe to change the password. Open “CMD” command prompt as administrator and type the following command: netdom.exe resetpwd /s:<server> /ud:<user> /pd:*
netdom.exe resetpwd /s:<server> /ud:<user> /pd:<PW>

<server> = The domain controller hostname, you may have to use full FQDN.

<user> = This would be the DOMAIN\DomainAdmin Account to join domain.
  
<PW> = Would be the DomainAdmin password.

4. Once you get a successful message Reboot the machine.

NOTE: If you are getting an error message that you cannot find domain or server make sure discovery is turned on. You can also edit your hosts file with the ip and host name of the DC.

Online scammers have found another avenue to lure their desperate victims. These scams are being sent through emails stating that you can purchase a vaccine for around $150 and the COVID-19 Vaccines can be delivered within a few days.

Doing searches in dark web forums and on messaging app Telegram found seven different offers for alleged COVID-19 vaccines.

These Scams include emails stating that your VIP and on the sort list for early vaccine access. Robocalls presenting themselves as government agencies selling COVID-19 vaccines and text messages being sent to your cell phones requesting payment for vaccines.

There also has been a number of new website domains registered with variants of the words COVID-19 and Vaccine since October there have been around 2,500 domains registered which mostly will be used for online fraud.

Please disregard those scams and if you cannot tell the difference it should be time to put in place some cybersecurity awareness training. There are free YouTube videos that you can learn from as well.

The HHS, FBI and U.S. Department of Justice have urged the public to report any COVID-19 vaccine scams, including people asking for out-of-pocket payments for the vaccine and online vaccine advertisements.

Do you have Microsoft Outlook 365 , 2016 or 2019? Did a recent Windows Update break the ability to open the signature window? Here are the steps to take to resolve that issue.

  1. Follow the path to Widows Settings>Default Apps>Apps and Features>
  2. Uninstall the Microsoft Office \ Outlook version you installed.
  3. Uninstall Microsoft Office Desktop Apps which is the default apps windows installs. 
  4. Open up Registry Editor as Administrator.
  5. Now lets make a backup of registry, Click File > Export and save this backup to the desktop.
  6. On your keyboard press CTRL + F to open the find window
  7. Search for the following and delete all keys containing: 0006F03A-0000-0000-C000-000000000046 
  8. Reboot Computer
  9. Grab your Microsoft Office \ Outlook Software and reinstall. 
  10. Configure your Outlook account.
  11. Go in your mail options and you should now be able to open the signatures window.

If you are having problems your Unifi UAP-AP AC DHCP Not Working Using Firmware 4.3.24 follow these steps to rollback back the firmware. 

How to rollback 4.3.24 firmware.

  1. Log into your Unifi Controller.
  2. Make sure that Auto Update is disabled
    • Settings > Site > Services , uncheck Automatically Upgrade Device Firmware.
    • Also check scheduled upgrades. Settings > Services > Scheduled Upgrades and remove them.


  3. On the left hand side menu Click on Unifi Device Icon
    Unifi Device

  4. Click on the the wireless access point you would like to start with so the side menu expands to display a gui like below.


  5. Click on the gear\config icon 



  6. Scroll down to the bottom and expand MANAGE DEVICE


  7. In the Custom upgrade section use the copy/paste the following known working firmware provided: https://dl.ui.com/unifi/firmware/U7PG2/4.3.20.11298/BZ.qca956x.v4.3.20.11298.200704.1347.bin

  8. Click Custom Upgrade

  9. Wait a few and you should be good to go!

As the title said, the microsoft.com domain is being spoofed to phish office 365 users. This is quite alarming for one, why is Microsoft allowing its domain to be spoofed is beyond me. They can easily fix this with proper SPF, DKIM, and DMARC records within their DNS.

In a recent report posted online by Lomy Ovadia, Ironscales vice president of research and development said that many industries are being targeted and lots of damage is being done. 

The email phishing attack is so realistic looking that victims fall for the scam. It sure doesn’t help that the domain Microsoft.com is being spoofed. 

Spoofed Email Headers

The email is also composed in a way that will lure you into making a bad decision.

“Specifically, the fraudulent message is composed of urgent and somewhat fear-inducing language intended to convince users to click on what is a malicious link without hesitation,” Ovadia wrote. “As inferred by the message, the link will redirect users to a security portal in which they can review and take action on ‘quarantined messages’ captured by the Exchange Online Protection (EOP) filtering stack, the new feature that has only been available since September.”

Spoofed Email Message

Once you click on the link within the email it will take you a fake office 365 login page where you may type in your email address and password and compromising your account. 

To mitigate attacks, Ironscales has advised everyone to configure their email defense and protection systems for DMARC, which should detect and reject emails coming from this Office 365 campaign.

I would suggest being extra careful always review the website domain and do not type your username and password onto anything that’s not legit. If your not expecting it, do not open it. 

Veeam Backup is great but once you run into a problem Veeam backup can be quite tricky. 

There are some cases that you may happen to get jobs stuck or the console just won’t open up for you, you always can rely on restarting eventually the services and avoid an unnecessary server restart.

You can either make a script or use line by line the following commands

Get-process | where {($_.Name -like "Veeam*")} | stop-process -Force
Get-Service | where {($_.Name -like "Veeam*")-and ($_.Status -eq "Running")} | Stop-service -Force
Get-Service | where {($_.Name -like "Veeam*")-and ($_.Status -eq "Stopped")} | Start-service

Recent Posts

Recent Comments

Archives

Categories

Meta