Cyber Round-up

Cyber Round-up for 12th April

Welcome to the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

  • Microsoft Patch Tuesday April 19
  • Newham Council Fined by ICO for Gang Data Leak
  • Ethical Hackers Breach University Networks in Two Hours
  • Yuzo WordPress Plugin Exploit Sends Users to Scam Sites
  • DragonBlood Vuln Found in Wi-Fi WPA3

Microsoft Patch Tuesday April 19

It’s that time of the month again when Microsoft releases the news on their vulnerable products and the patches available to fix them. This month there are a total of 74 vulnerabilities disclosed, with 16 rated Critical, 54 Important, 1 Moderate and 3 Low.

These updates cover issues found in software products such as the MS Windows operating systems, Internet Explorer, MS Edge, Office, MS Exchange Server, the scripting engine, Team Foundation Server and more.

CVE-2019-0803 and CVE-2019-0859 are two vulnerabilities rated Important that exist in the Win32K component of the Windows operating system. Because the component fails to handle memory objects properly, these vulns allow an attacker to run code in kernel mode and elevate their privileges, so they can view, change and delete data, and create new accounts with full user rights.

Note that both of these vulns are currently being actively exploited in the wild, so it’s very important to address them quickly.


Newham Council Fined by ICO for Gang Data Leak

Last week it was reported that the ICO has fined London-based Newham Council £145,000 after it was responsible for leaking the personal information of alleged gang members.

After the London riots in 2011 the Met Police created a database that captured intelligence identifying possible gang members, based on their history of violent crime and other information provided by local councils.

An unredacted copy of information from this database was leaked in 2017, after a Newham council worker sent the list in an email to 44 recipients which included both internal departments and numerous external organisations.

Through the use of Snapchat, photographic copies of this list found their way into the hands of rival gang members. Although there was an increased level of gang-related violence that year, it is unclear whether this data leak was the cause.

We are unfortunately all too familiar with the constant data breaches we see in the news each week, often resulting in the loss of personal and financial information, but rarely do we see a breach such as this that directly threatens human life.

This drives home the simple fact that organisations of all types and sizes are still not doing enough to secure their data and to educate their users on how to handle it, both appropriately and securely.

Read More on BBC …

Ethical Hackers Breach University Networks in Two Hours

UK university networks have been subject to a series of tests in order to understand how good their defences are against cyber-attacks. Unfortunately, the results of these tests have highlighted that in every case valuable data was obtained within two hours.

These penetration tests were jointly organised by JISC (the Joint Information Systems Committee) and HEPI (Higher Education Policy Institute) and were scheduled to take place against 50 universities in the UK.

Ethical hackers from JISC’s in-house team were tasked with carrying out the tests, which not only achieved a 100% success rate against all tested universities, but also reached personal information for staff and students, and accessed research databases, within two hours of starting.

It won’t be a surprise to most familiar with cyber security that spear phishing attacks were the most effective method used in these tests.

Spear phishing attacks use crafted emails sent to specific targets within an organisation, pretending to be from a trusted source, with the intent of convincing the user to click on a bad link or download a malicious attachment or piece of software.

Universities hold a wealth of valuable information for both cyber criminals and nation state actors working for foreign governments. Not only do they hold a vast amount of personal information for staff and students, but they also store research data and intellectual property that is of great value to those governments.

These tests highlight how vulnerable our UK universities are to cyber-attack, meaning greater focus on improving cyber defences is urgently required.

Talking to the BBC, a spokeswoman for UK Universities stated that they are now working with the UK’s National Cyber Security Centre (NCSC) to help improve and strengthen security practices and better protect the sector from cyber threats.

Read more on BBC ….

Yuzo WordPress Plugin Exploit Sends Users to Scam Sites

An actively exploited vulnerability has been identified in the popular Yuzo Related Posts WordPress plugin, which allows attackers to inject malicious JavaScript into the pages of the target system’s website.

Exploiting this vuln allows an unauthenticated attacker to modify the plugin’s settings to a value that includes malicious JavaScript. Once the JavaScript is injected it can be used to redirect visitors of the compromised website to attacker-controlled websites or fraudulent scam sites.

The JavaScript used here contains a redirect that sends visitors to the following URL:


Once the user reaches this URL, numerous other redirects occur, which eventually lead them to various scam sites, including a tech support scam page.

Researchers at Wordfence believe that this exploit shares a lot of commonalities with two other vulns found in the Social Warfare and Easy WP SMTP plugins. The same IP address (176[.]123[.]9[.]53) used for accessing the URL above was also used in these previous exploits, both of which delivered malicious redirects as part of their campaigns.

This vulnerability is believed to impact over 60,000 sites that currently have this plugin actively installed within WordPress. The plugin developer became aware of this vuln and on March 30th the plugin was removed from the WordPress Plugin directory. This prevented any new users from downloading the plugin, but left existing users exposed.

The exploitation of this vulnerability is the unfortunate result of a security researcher’s irresponsible actions: the vuln was publicly disclosed along with a proof of concept before the developer had released a fix.

Website JavaScript injection has become a common method for attackers in recent times. Formjacking techniques, such as those used by Magecart in the Ticketmaster and British Airways breaches last year, have been used to steal customer credit card information from the website itself, without having to compromise the server or network infrastructure first.

The developer recommends that any users of their Yuzo Related Posts plugin should remove it from their WordPress site immediately, until they can release a fix for this vulnerability.

To protect yourself from these types of WordPress threats, always ensure that your WordPress site and its plugins are kept up to date with the latest versions of the software.

In addition, WordPress users should strongly consider the use of a WordPress or Web Application Firewall to provide an extra layer of defence against such web attacks.
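The attack described above works by writing JavaScript into a plugin setting stored in the WordPress database, so a quick defensive check is to scan the stored option values for inline script tags and the redirect idioms they carry. The following Python script is an added example, not code from Wordfence, the plugin developer or this newsletter; it runs over constructed sample rows in the shape of a `wp_options` export (option name, option value). The option names, URLs and values in the sample are assumptions for illustration only, and the `.invalid` domains are reserved placeholders, not real destinations.

```python
import re
from html import unescape

# Constructed sample of wp_options rows (option_name, option_value), in the shape a
# defender would get from `wp option list` or a SQL dump. Not taken from any real site;
# the plugin option names below are assumed for illustration only.
SAMPLE_OPTIONS = [
    ("blogname", "Example Site"),
    ("yuzo_related_post_css_and_style",  # assumed option name, for illustration
     "</style><script>document.location.href=\"http://redirect-placeholder.invalid/go\";</script>"),
    ("theme_accent_colour", "#ffcc00"),
    # Entity-encoded variant: a naive search for "<script" in the raw value misses this.
    ("widget_custom_html",
     "&lt;script&gt;window.location='https://scam-placeholder.invalid/';&lt;/script&gt;"),
    ("legit_plugin_note", "Contact support if the page does not load."),
]

# An opening <script> tag, tolerating whitespace and any attributes that follow.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

# Common inline redirect idioms; capture the quoted destination so an analyst can
# pivot on it (group 1 for location assignments, group 2 for location.replace()).
REDIRECT = re.compile(
    r"(?:document|window)?\.?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
    r"|location\.replace\(\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)


def scan_option_value(option_name, option_value):
    """Return a finding dict if the value carries an inline script, else None.

    The value is HTML-entity-decoded first so that &lt;script&gt; encodings, which
    WordPress may store for some fields, are treated the same as a literal tag.
    """
    decoded = unescape(option_value)
    if not SCRIPT_TAG.search(decoded):
        return None
    match = REDIRECT.search(decoded)
    redirect_url = (match.group(1) or match.group(2)) if match else None
    return {
        "option_name": option_name,
        "reason": "inline <script> in option value",
        "redirect_url": redirect_url,
        "entity_encoded": decoded != option_value,
    }


def scan_options(rows):
    """Scan every (option_name, option_value) row and collect the findings."""
    findings = []
    for option_name, option_value in rows:
        finding = scan_option_value(option_name, option_value)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_options(SAMPLE_OPTIONS):
        print(finding)
```

A hit does not by itself prove compromise, since some legitimate widgets store script, so treat the output as a triage list: compare the flagged option against a known-good backup, and check the redirect destination against the indicators in the vendor write-up before cleaning the value and removing the vulnerable plugin.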

Read more on WordFence ….

DragonBlood Vuln Found in Wi-Fi WPA3

As with most new technologies, it’s never plain sailing when it comes to developing secure solutions, and it’s been no different with the new Wi-Fi security standard WPA3.

WPA3, or Wi-Fi Protected Access 3, is the next generation in Wi-Fi security and is due to replace the ageing and less secure WPA2 protocol we use today.

In their April 10th press release the Wi-Fi Alliance issued an update on two identified vulns found in a limited number of early implementations of WPA3-Personal, where devices running attacker software can capture information and expose passwords due to improper implementation of cryptographic functions.

Researchers have released a paper titled DragonBlood that covers the two vulns. The first is a downgrade attack that forces WPA3-capable devices to connect using an insecure WPA2 handshake. The second flaw comprises two side-channel attacks, which allow an attacker to recover the Wi-Fi password through an offline dictionary-style attack.

The Wi-Fi Alliance states that multiple CVEs have been raised under the IDs CVE-2019-9494 to CVE-2019-9499 to cover these flaws, but limited information is currently available from MITRE.

A simple software update is already available from the small number of device manufacturers affected by these WPA3 flaws.

More details can be found on The Hacker News website.

Read more on The Hacker News ….

And that’s it for this week’s round-up; please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #36 – 12th April 2019

Ironshare – Security Simplified