Cyber Security Week in Review (March 1)

Top headlines this week

• Drupal patched a “highly critical” vulnerability that attackers exploited to deliver cryptocurrency miners and other malware. Some field types in the content management system did not properly sanitize data from non-form sources, which allowed an attacker to execute arbitrary PHP code. Users need to update to the latest version of Drupal to patch the bug. Snort rule 49257 also protects users from this vulnerability.
• Cryptocurrency mining tool Coinhive says it’s shutting down, but not due to malicious use. Attackers have exploited the tool for months as part of malware campaigns, stealing computing power from users to mine cryptocurrencies. However, the company behind the miner says it’s shutting down because it’s no longer economically viable to run. Snort rules 44692, 44693,45949 - 45952, 46365 - 46367, 46393, 46394 and 47253 can protect you against the use of Coinhive. 
• Several popular apps unknowingly share users’ personal information with Facebook. In many cases, this can include personal health information, including females’ menstruation cycle, users’ heart rate and recent home buying purchases. The data is sent to Facebook even if the user doesn’t have a Facebook profile. 

From Talos

• Attackers are increasingly going after unsecured Elasticsearch clusters. These attackers are targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker's payloads. These scripts are being leveraged to drop both malware and cryptocurrency miners on victim machines.
• The latest Beers with Talos podcast covers the importance of privacy. Special guest Michelle Dennedy, Cisco’s chief privacy officer, talks about recent initiatives the company is taking on and how other organizations can do better. 

Vulnerability roundup

• A flaw in the Ring doorbell could allow an attacker to spy on users’ homes and even inject falsified video. The vulnerability could open the door for a man-in-the-middle attack against the smart doorbell app since the sound and video recorded by the doorbell is transmitted in plaintext. 
• Cisco disclosed multiple vulnerabilities in a variety of its products, including severe bugs in routers. The company urged users of its firewall routers and VPN to patch immediately Thursday, warning against a remote code execution vulnerability. There’s also a certificate validation vulnerability in Cisco Prime Infrastructure that could allow an attacker to perform a man-in-the-middle attack against the SSL tunnel between Cisco’s Identity Service Engine and Prime Infrastructure. Snort rule 49240 protects users from the Prime Infrastructure vulnerability. 
• New flaws in 4G and 5G could allow attackers to track users’ location and intercept phone calls. A new research paper discloses what is believed to be the first vulnerabilities that affect both broadband technologies. 

The rest of the news

• A new service from Cisco Duo launched a new product recently to scan Google Chrome extensions. CRXcavator provides customers and users by scanning the Chrome store and then delivering reports on different extensions based on their permissions required and potential use of those permissions. 
• Google is under fire for allegedly forgetting to inform users of a microphone inside of its Nest smart hub. While the company says it was never supposed to be a secret, users, security researchers and even politicians now are questioning why the microphone was installed in the first place. 
• Talos Take: "To be clear, because some news outlets have reported this microphone as being present in the Nest THERMOSTAT.  It is NOT present in the thermostat, it’s present in the Smart Hub, which is the centerpiece of their home security solution," Joel Esler, senior manager, Communities Division.