Threat Actors Can Exploit Windows RDP Servers to Amplify DDoS Attacks
2021-01-22T12:45:42
ID THREATPOST:404B86130415376C2173D576AAD37DC8 Type threatpost Reporter Elizabeth Montalbano Modified 2021-01-22T12:45:42
Description
Cybercriminals can exploit Microsoft Remote Desktop Protocol (RDP) as a powerful tool to amplify distributed denial-of-service (DDoS) attacks, new research has found.
Attackers can abuse RDP to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1, principal engineer Roland Dobbins and senior network security analyst Steinthor Bjarnason from Netscout said in a report published online this week.
However, not all RDP servers can be used in this way. It’s possible only when the RDP service is enabled on UDP port 3389, alongside the standard TCP port 3389, researchers said.
Netscout so far has identified more than 14,000 “abusable” Windows RDP servers that can be misused by attackers in DDoS attacks—troubling news at a time when this type of attack is on the rise due to the increased volume of people online during the ongoing coronavirus pandemic.
This risk was highlighted earlier this week when researchers identified a new malware variant dubbed Freakout adding endpoints to a botnet to target Linux devices with DDoS attacks.
What’s more, while initially only advanced attackers with access to “bespoke DDoS attack infrastructure” used this method of amplification, researchers also observed RDP servers being abused in DDoS-for-hire services by so-called “booters,” they said. This means “the general attacker population” can also use this mode of amplification to add heft to their DDoS attacks.
RDP is a part of the Microsoft Windows OS that provides authenticated remote virtual desktop infrastructure (VDI) access to Windows-based workstations and servers. System administrators can configure RDP to run on TCP port 3389 and/or UDP port 3389.
Attackers can direct the amplified attack traffic, which consists of non-fragmented UDP packets originating from UDP port 3389, at a target IP address and UDP port of their choice, researchers said.
“In contrast to legitimate RDP session traffic, the amplified attack packets are consistently 1,260 bytes in length, and are padded with long strings of zeroes,” Dobbins and Bjarnason explained.
Leveraging Windows RDP servers in this way has a significant impact on victim organizations, including “partial or full interruption of mission-critical remote-access services,” as well as other service disruptions due to transit capacity consumption and associated effects on network infrastructure, researchers said.
“Wholesale filtering of all UDP/3389-sourced traffic by network operators may potentially overblock legitimate internet traffic, including legitimate RDP remote-session replies,” researchers noted.
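The traffic characteristics above give a network operator something narrower to act on than a blanket UDP/3389 filter. The following added example (not from the article or from Netscout's report) applies them to a constructed packet log; the record format, the sample addresses and the 64-byte zero-run threshold are assumptions made for illustration.

```python
"""Flag likely Windows RDP UDP reflection/amplification packets in a packet log.

Signature taken from the reported characteristics: non-fragmented UDP,
source port 3389, a constant 1,260-byte length, padded with long runs of
zeroes.  Record format, sample data and the zero-run threshold are assumed.
"""
from collections import defaultdict

RDP_UDP_PORT = 3389
AMPLIFIED_LEN = 1260   # constant length reported for the reflected packets
MIN_ZERO_RUN = 64      # assumed threshold for "long strings of zeroes"


def longest_zero_run(payload: bytes) -> int:
    """Length of the longest consecutive run of 0x00 bytes in payload."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b == 0 else 0
        if cur > best:
            best = cur
    return best


def is_rdp_reflection(pkt: dict) -> bool:
    """True when a packet record matches the reported amplification signature."""
    return (pkt["proto"] == "udp"
            and pkt["sport"] == RDP_UDP_PORT
            and pkt["length"] == AMPLIFIED_LEN
            and not pkt["fragmented"]
            and longest_zero_run(pkt["payload"]) >= MIN_ZERO_RUN)


def summarize(packets):
    """Per victim (destination IP): packet count, bytes and reflectors seen.

    Returns a list of (dst, packets, bytes, [reflectors]) tuples, sorted so
    the hardest-hit destination comes first.
    """
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set()})
    for p in packets:
        if is_rdp_reflection(p):
            s = stats[p["dst"]]
            s["packets"] += 1
            s["bytes"] += p["length"]
            s["reflectors"].add(p["src"])
    rows = [(dst, v["packets"], v["bytes"], sorted(v["reflectors"]))
            for dst, v in stats.items()]
    return sorted(rows, key=lambda r: -r[2])


def mk(src, dst, sport, dport, payload, proto="udp", fragmented=False):
    """Build a constructed packet record; length is derived from the payload."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "length": len(payload), "payload": payload,
            "fragmented": fragmented}


# A reflected packet as described: a few header bytes, then zero padding.
PADDED = b"\x00\x09\x12\x34" + bytes(1256)            # 1,260 bytes total

# Constructed sample capture (addresses are documentation ranges):
#  1-2: two reflectors hitting the same victim on UDP/443
#  3:   a legitimate RDP/UDP session reply (short, no zero padding)
#  4:   a 1,260-byte packet from port 3389 without zero padding
#  5:   one reflector hitting a second victim
SAMPLE = [
    mk("198.51.100.5", "203.0.113.10", 3389, 443, PADDED),
    mk("198.51.100.77", "203.0.113.10", 3389, 443, PADDED),
    mk("198.51.100.5", "192.0.2.20", 3389, 50123, bytes(range(1, 256)) * 2),
    mk("198.51.100.5", "203.0.113.10", 3389, 443,
       bytes(i % 251 + 1 for i in range(1260))),
    mk("198.51.100.77", "203.0.113.44", 3389, 80, PADDED),
]

if __name__ == "__main__":
    for dst, n, total, reflectors in summarize(SAMPLE):
        print(f"{dst}: {n} pkts, {total} bytes, via {', '.join(reflectors)}")
```

The legitimate reply in record 3 is not flagged, which is the point of matching on length and padding rather than on source port alone.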
To mitigate the use of RDP to amplify DDoS attacks and their related impact, researchers made a number of suggestions to Windows systems administrators. First and foremost, they should deploy Windows RDP servers behind VPN concentrators to prevent them from being abused to amplify DDoS attacks, they said.
“Network operators should perform reconnaissance to identify abusable Windows RDP servers on their networks and/or the networks of their downstream customers,” Dobbins and Bjarnason advised. “It is strongly recommended that RDP servers should be accessible only via VPN services in order to shield them from abuse.”
If this mitigation is not possible, however, they “strongly recommended” that system administrators at the very least disable RDP on UDP port 3389 “as an interim measure,” they said.
At the same time, network operators should implement Best Current Practices (BCPs) for all relevant network infrastructure, architecture and operations, including “situationally specific network-access policies that only permit internet traffic via required IP protocols and ports,” researchers said.
Internet-access network traffic from internal organizational personnel also should be deconflated from internet traffic to/from public-facing internet properties and served via separate upstream internet transit links, they added.
Download our exclusive FREE Threatpost Insider eBookHealthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!
{"id": "THREATPOST:404B86130415376C2173D576AAD37DC8", "type": "threatpost", "bulletinFamily": "info", "title": "Threat Actors Can Exploit Windows RDP Servers to Amplify DDoS Attacks", "description": "Cybercriminals can exploit Microsoft Remote Desktop Protocol (RDP) as a powerful tool to amplify distributed denial-of-service (DDoS attacks), new research has found.\n\nAttackers can abuse RDP to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1, principal engineer Roland Dobbins and senior network security analyst Steinthor Bjarnason from Netscout said in [a report](<https://www.netscout.com/blog/asert/microsoft-remote-desktop-protocol-rdp-reflectionamplification>) published online this week.\n\nHowever, not all RDP servers can be used in this way. It\u2019s possible only when the service is enabled on port UDP port 3389 running on standard TCP port 3389, researchers said. \n[](<https://threatpost.com/2020-reader-survey/161168/>)\n\nNetscout so far has identified more than 14,000 \u201cabusable\u201d Windows RDP servers that can be misused by attackers in DDoS attacks\u2014troubling news at a time when this type of attack is [on the rise](<https://threatpost.com/ddos-attacks-cresting-pandemic/158211/>) due to the increased volume of people online during the ongoing [coronavirus pandemic.](<https://threatpost.com/ddos-attacks-skyrocket-pandemic/159301/>)\n\nThis risk was highlighted earlier this week when researchers identified a new malware variant [dubbed Freakout](<https://threatpost.com/linux-attack-freakout-malware/163137/>) adding endpoints to a botnet to target Linux devices with DDoS attacks.\n\nWhat\u2019s more, while initially only advanced attackers with access to \u201cbespoke DDoS attack infrastructure\u201d used this method of amplification, researchers also observed RDP servers being abused in [DDoS-for-hire](<https://threatpost.com/fbi-ddos-for-hire/140280/>) services by so-called \u201cbooters,\u201d they said. 
This means \u201cthe general attacker population\u201d can also use this mode of amplification to add heft to their [DDoS attacks](<https://threatpost.com/law-enforcement-targets-users-of-ddos-for-hire-services/122465/>).\n\nRDP is a part of the Microsoft Windows OS that provides authenticated remote virtual desktop infrastructure (VDI) access to Windows-based workstations and servers. System administrators can configure RDP to run on TCP port 3389 and/or UDP port 3389.\n\nAttackers can send the amplified attack traffic, which is comprised of non-fragmented UDP packets that originate at UDP port 3389, to target a particular IP address and UDP port of choice, researchers said.\n\n\u201cIn contrast to legitimate RDP session traffic, the amplified attack packets are consistently 1,260 bytes in length, and are padded with long strings of zeroes,\u201d Dobbins and Bjarnason explained.\n\nLeveraging Windows RDP servers in this way has significant impact on victim organizations, including \u201cpartial or full interruption of mission-critical remote-access services,\u201d as well as other service disruptions due to transit capacity consumption and associated effects on network infrastructure, researchers said.\n\n\u201cWholesale filtering of all UDP/3389-sourced traffic by network operators may potentially overblock legitimate internet traffic, including legitimate RDP remote-session replies,\u201d researchers noted.\n\nTo mitigate the use of RDP to amplify DDoS attacks and their related impact, researchers made a number of suggestions to Windows systems administrators. First and foremost they should deploy Windows RDP servers behind VPN concentrators to prevent them from being abused to amplify DDoS attacks, they said.\n\n\u201cNetwork operators should perform reconnaissance to identify abusable Windows RDP servers on their networks and/or the networks of their downstream customers,\u201d Dobbins and Bjarnason advised. 
\u201cIt is strongly recommended that RDP servers should be accessible only via VPN services in order to shield them from abuse.\u201d\n\nIf this mitigation is not possible, however, they \u201cstrongly recommended\u201d that at the very least, system administrators disable RDP via UDP port 3389 \u201cas an interim measure,\u201d they said.\n\nInternet access network traffic from internal organizational personnel should be deconflated from internet traffic to/from public-facing internet properties and served via separate upstream internet transit links.\n\nAt the same time, network operators should implement Best Current Practices (BCPs) for all relevant network infrastructure, architecture and operations, including \u201csituationally specific network-access policies that only permit internet traffic via required IP protocols and ports, researchers said.\n\nInternet-access network traffic from internal organizational personnel also should be deconflated from internet traffic to/from public-facing internet properties and served via separate upstream internet transit links, they added.\n\n**Download our exclusive **[**FREE Threatpost Insider eBook**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=FEATURE&utm_medium=FEATURE&utm_campaign=Nov_eBook>) _**Healthcare Security Woes Balloon in a Covid-Era World**_**, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. 
Get the whole story and **[**DOWNLOAD the eBook now**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook>)** \u2013 on us!**\n", "published": "2021-01-22T12:45:42", "modified": "2021-01-22T12:45:42", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://threatpost.com/threat-actors-can-exploit-windows-rdp-servers-to-amplify-ddos-attacks/163248/", "reporter": "Elizabeth Montalbano", "references": ["https://www.netscout.com/blog/asert/microsoft-remote-desktop-protocol-rdp-reflectionamplification", "https://threatpost.com/2020-reader-survey/161168/", "https://threatpost.com/ddos-attacks-cresting-pandemic/158211/", "https://threatpost.com/ddos-attacks-skyrocket-pandemic/159301/", "https://threatpost.com/linux-attack-freakout-malware/163137/", "https://threatpost.com/fbi-ddos-for-hire/140280/", "https://threatpost.com/law-enforcement-targets-users-of-ddos-for-hire-services/122465/", "https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=FEATURE&utm_medium=FEATURE&utm_campaign=Nov_eBook", "https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook"], "cvelist": ["CVE-2021-1257"], "lastseen": "2021-01-25T21:37:06", "viewCount": 167, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-1257"]}, {"type": "cisco", "idList": ["CISCO-SA-DNAC-CSRF-DC83CMCV"]}, {"type": "threatpost", "idList": ["THREATPOST:B2E59AD3F86FBC694619A8305DE20D3F", "THREATPOST:780FB57E292B3DD12FB990B4047AD469", "THREATPOST:BF4F0F3E3CEFCA14433C331F5D6493E2", "THREATPOST:7A1B0064EDE52909EB28393920C0EEA3", "THREATPOST:9ADEC71C063C7D96C17BBC40B54B9892", "THREATPOST:1A417E12B47411AE1C9B3C390AD7AEBE", "THREATPOST:2AA90910580F5C16939DCCD02048FED2", "THREATPOST:E6C79654DBBC30F1FC83DB9A786761AA", "THREATPOST:B6ADA96794F5920C56D057B5A4460A4F", 
"THREATPOST:E51BA9B40A1BAECBAC5DBBB428617531"]}], "modified": "2021-01-25T21:37:06", "rev": 2}, "score": {"value": 5.9, "vector": "NONE", "modified": "2021-01-25T21:37:06", "rev": 2}, "vulnersScore": 5.9}}
{"cve": [{"lastseen": "2021-02-02T07:55:04", "description": "A vulnerability in the web-based management interface of Cisco DNA Center Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to manipulate an authenticated user into executing malicious actions without their awareness or consent. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a web-based management user to follow a specially crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the device with the privileges of the authenticated user. These actions include modifying the device configuration, disconnecting the user's session, and executing Command Runner commands.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-20T20:15:00", "title": "CVE-2021-1257", "type": "cve", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1257"], "modified": "2021-01-27T16:28:00", "cpe": [], 
"id": "CVE-2021-1257", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1257", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "cisco": [{"lastseen": "2021-01-25T14:28:41", "bulletinFamily": "software", "cvelist": ["CVE-2021-1257"], "description": "A vulnerability in the web-based management interface of Cisco DNA Center Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to manipulate an authenticated user into executing malicious actions without their awareness or consent.\n\nThe vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a web-based management user to follow a specially crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the device with the privileges of the authenticated user. These actions include modifying the device configuration, disconnecting the user's session, and executing Command Runner commands.\n\nCisco has released software updates that address this vulnerability. 
There are no workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-csrf-dC83cMcV [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-csrf-dC83cMcV\"]", "modified": "2021-01-25T14:01:28", "published": "2021-01-20T16:00:00", "id": "CISCO-SA-DNAC-CSRF-DC83CMCV", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-csrf-dC83cMcV", "type": "cisco", "title": "Cisco DNA Center Cross-Site Request Forgery Vulnerability", "cvss": {"score": 7.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L"}}], "threatpost": [{"lastseen": "2021-01-25T21:34:49", "bulletinFamily": "info", "cvelist": ["CVE-2021-1257"], "description": "Three malicious software packages have been published to npm, a code repository for JavaScript developers to share and reuse code blocks. The packages represent a supply-chain threat given that they may be used as building blocks in various web applications; any applications corrupted by the code can steal tokens and other information from Discord users, researchers said.\n\nDiscord is designed for creating communities on the web, called \u201cservers,\u201d either as standalone forums or as part of another website. Users communicate with voice calls, video calls, text messaging, media and files. Discord \u201cbots\u201d are central to its function; these are AIs that can be programmed to moderate discussion forums, welcome and guide new members, police rule-breakers and perform community outreach. They\u2019re also used to add features to the server, such as music, games, polls, prizes and more.\n\nDiscord tokens are used inside bot code to send commands back and forth to the Discord API, which in turn controls bot actions. 
If a Discord token is stolen, it would allow an attacker to hack the server.\n\n[](<https://threatpost.com/2020-reader-survey/161168/>)\n\nAs of Friday, the packages (named an0n-chat-lib, discord-fix and sonatype, all published by \u201cscp173-deleted\u201d) were still available for download. They make use of brandjacking and typosquatting to lure developers into thinking they\u2019re legitimate. There is also \u201cclear evidence that the malware campaign was using a Discord bot to generate fake download counts for the packages to make them appear more popular to potential users,\u201d according to researchers at Sonatype.\n\nThe authors are the same operators behind the CursedGrabber Discord malware, the researchers said, and the packages share DNA with that threat.\n\nThe CursedGrabber Discord malware family, discovered in November, targets Windows hosts. It contains two .exe files which are invoked and executed via \u2018postinstall\u2019 scripts from the manifest file, \u2018package.json\u2019. One of the .exe files scans user profiles from multiple web browsers along with Discord leveldb files, steals Discord tokens, steals credit-card information, and sends user data via a webhook to the attacker. 
The second unpacks additional code with multiple capabilities, including privilege escalation, keylogging, taking screenshots, planting backdoors, accessing webcams and so on.\n\nIn the case of the three npm packages, these \u201ccontain variations of Discord token-stealing code from the Discord malware discovered by Sonatype [on numerous occasions](<https://threatpost.com/rubygems-packages-bitcoin-stealing-malware/162360/>),\u201d said Sonatype security researcher Ax Sharma, in a Friday [blog posting](<https://blog.sonatype.com/cursedgrabber-strikes-again-sonatype-spots-new-malware-campaign-against-software-supply-chains?&web_view=true>).\n\n## **Open-Source Software Repository Malware**\n\nUploading malicious packages to code repositories is an increasingly common tactic used by malware operators. In December for instance, RubyGems, an open-source package repository and manager for the Ruby web programming language, [had to take](<https://threatpost.com/rubygems-packages-bitcoin-stealing-malware/162360/>) two of its software packages offline after they were found to be laced with malware.\n\nThe gems contained malware that ran itself persistently on infected Windows machines and replaced any Bitcoin or cryptocurrency wallet address it found on the user\u2019s clipboard with the attacker\u2019s. 
So, if a user of a corrupted web app built using the gems were to copy-paste a Bitcoin recipient wallet address somewhere on their system, the address would be replaced with that of the attacker.\n\n\u201cWe have repeatedly seen\u2026open-source malware striking [GitHub](<https://blog.sonatype.com/gitpaste-12>), [npm](<https://blog.sonatype.com/discord.dll-successor-to-npm-fallguys->) and [RubyGems](<https://blog.sonatype.com/nexus-intelligence-insights-protect-your-bitcoins-from-700-malicious-rubygems-with-sonatype-2020-0196>), attackers can exploit trust within the open-source community to deliver pretty much anything malicious, from sophisticated spying trojans like [njRAT](<https://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware>), to\u2026[CursedGrabber](<https://blog.sonatype.com/npm-malware-xpc.js>),\u201d Sharma told Threatpost.\n\nThe latest findings reiterate that software supply-chain attacks will only become more common and underscore how crucial it is for organizations that protect against such attacks and continuously improve their strategies against them, according to Sonatype.\n\n**Download our exclusive **[**FREE Threatpost Insider eBook**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=FEATURE&utm_medium=FEATURE&utm_campaign=Nov_eBook>) _**Healthcare Security Woes Balloon in a Covid-Era World**_**, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. 
Get the whole story and **[**DOWNLOAD the eBook now**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook>)** \u2013 on us!**\n", "modified": "2021-01-22T18:35:24", "published": "2021-01-22T18:35:24", "id": "THREATPOST:2AA90910580F5C16939DCCD02048FED2", "href": "https://threatpost.com/discord-stealing-malware-npm-packages/163265/", "type": "threatpost", "title": "Discord-Stealing Malware Invades npm Packages", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-01-26T20:38:57", "bulletinFamily": "info", "cvelist": ["CVE-2021-1257"], "description": "UPDATE\n\nSonicWall is investigating \u201cprobable\u201d zero-day flaws in its remote access security products that have been targeted by \u201chighly-sophisticated\u201d attackers. The company says it is investigating the attack and will update customers within 24 hours.\n\nThe security company said it is currently investigating its Secure Mobile Access (SMA) 100 series hardware for potential vulnerabilities linked to a reported cyberattack. SMA 100 is a gateway for small- and medium-sized businesses that lets authorized users access resources remotely. SMA 100 also gives system administrators visibility into remote devices that are connecting to the corporate network \u2013 and grants endpoints access based on corporate policies.\n\n\u201cRecently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products,\u201d according to SonicWall, which [first alerted the public of the attack on Friday evening](<https://www.sonicwall.com/support/product-notification/urgent-security-notice-netextender-vpn-client-10-x-sma-100-series-vulnerability-updated-jan-23-2021/210122173415410/>). 
\n[](<https://threatpost.com/newsletter-sign/>) \nSonicWall said current SMA 100 series customers may continue to use NetExtender for remote access with the SMA 100 series, as it has determined that this use case is not susceptible to exploitation. NetExtender is SonicWall\u2019s VPN client for Windows and Linux, and allows customers to connect to SMA 100 for secure access to their company\u2019s network.\n\nSonicWall said that at this time, it is \u201ccritical\u201d that organizations with active SMA 100 series appliances enable two-factor authentication (2FA). More information [for doing so can be found here](<https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-time-based-one-time-password-totp-in-sma-100-series/180818071301745/>).\n\nOrganizations that utilize SMA 100 series products should also consider enabling geo-IP/botnet filtering and creating a policy to block web traffic from countries that don\u2019t need to access their applications; configuring end point control to verify user devices before establishing a connection; and restricting access to the portal by enabling scheduled logins/logoffs, SonicWall recommends.\n\nNot affected by the hack are SonicWall\u2019s lineup of firewall products, the company\u2019s SMA 1000 series, SonicWall SonicWave access points (APs) and the NetExtender VPN client. Initially, in its Friday disclosure SonicWall had identified the NetExtender 10.X VPN client as potentially being targeted by attackers \u2013 however, the company said that has now been ruled out.\n\n\u201c[NetExtender] may be used with all SonicWall products,\u201d according to the company. \u201cNo action is required from customers or partners.\u201d\n\nFurther information about the cyberattack itself is not available at this time; when asked by Threatpost for further comment a SonicWall spokesperson said the only information it will currently divulge is within its security alert. 
On Monday, SonicWall [said on Twitter](<https://twitter.com/SonicWall/status/1353729425683214337>) said that it will provide another update on the attack \u201cwithin 24 hours\u201d and is \u201ccommitted to transparency during our ongoing investigations.\u201d\n\n> There will be another update within 24 hours. We are committed to transparency during our ongoing investigations.\n> \n> \u2014 SonicWall (@SonicWall) [January 25, 2021](<https://twitter.com/SonicWall/status/1353729425683214337?ref_src=twsrc%5Etfw>)\n\nSonicWall said it has recently tracked a dramatic surge in cyberattacks on governments and businesses, specifically on firms that provide critical infrastructure and security controls to those organizations. The recent cyberattack also comes [during a surge in remote workforces due to the COVID-19 pandemic](<https://threatpost.com/working-from-home-covid-19s-constellation-of-security-challenges/153720/>). The presence of vulnerabilities in remote access products gives attackers the abilities to tap into the increased number of remote employees.\n\nIn October 2020, SonicWall disclosed a critical security bug [in its SonicWall VPN portal](<https://threatpost.com/critical-sonicwall-vpn-bug/160108/>) that can be used to crash the device and prevent users from connecting to corporate resources. It could also open the door to remote code execution (RCE), researchers said. And in 2018, [researchers discovered variants](<https://threatpost.com/mirai-gafgyt-botnets-return-to-target-infamous-apache-struts-sonicwall-flaws/137309/>) of the Mirai and Gafgyt IoT botnets targeting well-known vulnerabilities in SonicWall.\n\n_This article was updated on Jan. 
26 at 12pm ET with further guidance from SonicWall for system administrators._\n", "modified": "2021-01-25T17:04:19", "published": "2021-01-25T17:04:19", "id": "THREATPOST:E51BA9B40A1BAECBAC5DBBB428617531", "href": "https://threatpost.com/sonicwall-breach-zero-days-in-remote-access/163290/", "type": "threatpost", "title": "SonicWall Breach Stems from \u2018Probable\u2019 Zero-Days", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-01-25T21:24:59", "bulletinFamily": "info", "cvelist": ["CVE-2021-1257"], "description": "Two major browsers \u2013Microsoft Edge and Google Chrome \u2013 are rolling out default features, which they say will better help notify users if their password has been compromised as part of a breach or database exposure.\n\nEdge and Chrome\u2019s moves signify a bigger push by browsers to solve the [big \u201cpassword problem\u201d](<https://threatpost.com/troy-hunt-messy-password-problem/145439/>) plaguing the security industry. Over the past two years, major browsers (including [Mozilla Firefox)](<https://threatpost.com/mozilla-announces-firefox-monitor-tool-testing-firefox-61/133087/>) have launched built-in tools for helping users identify passwords that are increasingly wrapped up in data breaches \u2013 and easily change them.\n\n## Microsoft Password Monitor\n\nMicrosoft [on Thursday](<https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnote-stable-channel>) said that its next version of Edge (version 88.0.705.50) will generate alerts if a user password is found in an online leak. The tool, called Password Monitor, will check users\u2019 passwords against a data repository of known, breached credentials. 
If the passwords saved to the browser matches those on a list of leaked credentials, Password Monitor will send users alerts and prompt them to update their password.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cTo ensure security and privacy, user passwords are hashed and encrypted when they\u2019re checked against the database of leaked credentials,\u201d said Microsoft.\n\nIn addition, Microsoft\u2019s newest Edge version will include a built-in \u201cstrong password generator,\u201d which it hopes will promote strong passwords for internet users who are signing up for a new account, or changing an existing password.\n\nSecurity experts applauded the new measures. \u201cBy having the password management feature in the browsers look for compromised credentials, it allows the potential victim to change the password in other places before it impacts them,\u201d Erich Kron, security awareness advocate at KnowBe4 told Threatpost. \u201cHopefully, it will also demonstrate to the individual the importance of not reusing passwords across multiple services.\u201d\n\n## Google Chrome\u2019s Latest Password Protections\n\nMeanwhile, [Google this week announced](<https://security.googleblog.com/2021/01/new-year-new-password-protections-in.html>) it will introducing new features that will consolidate its password protections \u2013 and make them for seamless for users \u2013 in Chrome 88 over the coming weeks. 
Chrome 88 will give allow users to launch a simple check to identify any weak passwords and \u201ctake action easily.\u201d By navigating to the top of their browser and clicking on passwords and \u201cCheck Passwords,\u201d users are able to easily check whether all of their passwords have been compromised in a breach \u2013 and on the same page edit their passwords to choose safer alternatives if need be.\n\nChrome [already alerts users if their passwords have been compromised](<https://threatpost.com/google-adds-password-checkup-feature-to-chrome-browser/148838/>) and prompts them to update \u2013 However, the idea here is to give users the ability to update multiple usernames and passwords easily all in one place.\n\n\u201cThat\u2019s why starting in Chrome 88, you can manage all of your passwords even faster and easier in Chrome Settings on desktop and iOS (Chrome\u2019s Android app will be getting this feature soon, too),\u201d said Google.\n\nChrome also provided an update on its existing password protection tools, including Safety Check, launched in 2020, which tells Chrome users if passwords they\u2019ve asked the browser to remember have been compromised. Google said as a result of Safety Check it has seen a 37 percent reduction in compromised credentials stored in Chrome.\n\n## Password Health Continues to Fail\n\nWith data breaches continuing to hit companies, attackers are accessing credentials across the board. However, compromised data isn\u2019t leading to actionable changes by consumers \u2013 in fact [a 2020 survey found that half of respondents](<https://threatpost.com/threatlist-people-know-reusing-passwords-is-dumb-but-still-do-it/155996/>) hadn\u2019t changed their password in the last year \u2013 even after they heard [about a data breach](<https://threatpost.com/healthcare-giant-magellan-ransomware-data-breach/155699/>) in the news. 
This “password problem” has challenged the security industry for years, with companies grappling with issues like poor password hygiene, password reuse and easy-to-guess passwords. Making matters worse, passwords are appearing left and right online as part of major data breaches – yet victims aren’t changing their passwords across the various platforms they use. The [Collection #1](<https://threatpost.com/773m-credentials-dark-web/140972/>) data dump in 2019, for instance, which included 773 million credentials, and the subsequent [Collection #2-5 dumps](<https://threatpost.com/collection-1-data-dump-hacker-identified/141447/>) show exactly how many passwords are available on the Dark Web and underground forums.

“Password compromise is a huge ongoing issue leading to everything from data breaches to ransomware or other malware infections,” Kron said. “This is in large part due to the practice of credential stuffing. This is where cybercriminals take known usernames and passwords from previous breaches and attempt to use them on other services. Knowing that people tend to reuse passwords across multiple services, they know the odds of success are worth the effort.”

Lamar Bailey, senior director of security research with Tripwire, said that passwords are “the Achilles heel of cybersecurity.”

“The vast majority of breaches start with stolen, weak or reused passwords,” Bailey said. “Our brains can’t keep up with a long list of passwords that map to all of the various sites, assets and services we access on a given day. Third-party password vaults… have become the de facto standard to solve this problem.
With the latest update, Chrome and Edge will be competing with these third-party products by offering some of the same features.”

**Download our exclusive **[**FREE Threatpost Insider eBook**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=FEATURE&utm_medium=FEATURE&utm_campaign=Nov_eBook>) _**Healthcare Security Woes Balloon in a Covid-Era World**_**, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and **[**DOWNLOAD the eBook now**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook>)** – on us!**

Microsoft Edge, Google Chrome Roll Out Password Protection Tools – https://threatpost.com/microsoft-edge-google-chrome-roll-out-password-protection-tools/163272/
Published 2021-01-22T21:57:10 Modified 2021-01-22T21:57:10 ID THREATPOST:B2E59AD3F86FBC694619A8305DE20D3F Type threatpost CVSS 0.0 (NONE)

Cisco DNA Center Bug Opens Enterprises to Remote Attack
Last seen 2021-01-25T19:51:58
CVEs: CVE-2021-1144, CVE-2021-1257, CVE-2021-1264, CVE-2021-1299, CVE-2021-1300
Description

A cross-site request forgery (CSRF) vulnerability in the Cisco Digital Network Architecture (DNA) Center could open enterprise users to remote attack and takeover.

The flaw, tracked as CVE-2021-1257, exists in the web-based management interface of the Cisco DNA Center, which is a centralized network-management and orchestration platform for Cisco DNA. It carries a CVSS vulnerability-severity score of 7.1, making it high-severity.

Cisco DNA is the networking giant’s software-defined approach for aligning campus, branch, WAN and remote-worker elements of enterprise networks.
The DNA Center allows admins to provision and configure all network devices, and it uses artificial intelligence (AI) and machine learning (ML) to proactively monitor, troubleshoot and optimize networks. It also integrates with third-party systems. In short, the DNA Center allows deep reach and visibility into an organization’s network, all from one point of entry.

The web-based management interface used for accessing the Cisco DNA Center has insufficient CSRF protections in software versions prior to 2.1.1.0. The patch issued today addresses the problem.

CSRF is an attack that forces an end user to execute unwanted actions on a web application in which the user is currently authenticated: the victim’s browser automatically attaches the session cookie to a request that the attacker’s page triggers, so the application cannot distinguish the forged request from a legitimate one unless it checks something the attacker cannot supply. Thus, the bug could allow an unauthenticated, remote attacker to “conduct an attack to manipulate an authenticated user into executing malicious actions without their awareness or consent,” according to [Cisco’s advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-csrf-dC83cMcV>), issued on Monday.

An attacker could exploit the vulnerability by socially engineering a web-based management user into following a specially crafted link, say via a phishing email or chat. If the user follows the link while logged in, the attacker can then perform arbitrary actions on the device with the privileges of the authenticated user.

These actions include modifying the device configuration, disconnecting the user’s session and executing Command Runner commands, Cisco noted.

This vulnerability is fixed in Cisco DNA Center Software releases 2.1.1.0, 2.1.2.0, 2.1.2.3 and 2.1.2.4, and later. Cisco credited Benoit Malaboeuf and Dylan Garnaud from Orange for reporting the vulnerability.

## More 2021 Cisco Security Bugs

This is just the latest concerning security vulnerability for Cisco this year.
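To make the CSRF mechanics described in the advisory above concrete, here is an added example in Python (not Cisco’s code; the advisory says only that the interface lacked sufficient CSRF protection and nothing about how DNA Center is implemented). It puts a request handler that authorizes a state-changing action on the session cookie alone beside one hardened with the two standard checks: an `Origin` header that must match the management UI’s own origin, and a per-session synchronizer token that a page on another origin cannot read. The `Request` and `Session` types, the in-memory session store, the `run_command` action, the `cmd`/`csrf_token` form fields and the origin `https://dnac.example` are all constructed for the example.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field

# Assumed origin of the management UI; anything else is cross-site.
ALLOWED_ORIGIN = "https://dnac.example"


@dataclass
class Request:
    """Minimal model of what the server sees. The browser attaches cookies
    automatically to any request, which is exactly what CSRF abuses."""
    method: str
    cookies: dict[str, str]
    headers: dict[str, str]
    form: dict[str, str]


@dataclass
class Session:
    user: str
    # Synchronizer token: random, per session, embedded in the UI's own forms,
    # and (by the same-origin policy) unreadable from a page on another origin.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


SESSIONS: dict[str, Session] = {}  # constructed in-memory store: sid -> Session


def login(user: str) -> str:
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = Session(user)
    return sid


def _session_from(req: Request) -> Session | None:
    return SESSIONS.get(req.cookies.get("sid", ""))


def run_command_vulnerable(req: Request) -> str:
    """Authorizes on the session cookie alone: a forged cross-site POST that the
    victim's browser sends while logged in is indistinguishable from a real one."""
    sess = _session_from(req)
    if req.method != "POST" or sess is None:
        return "401 unauthenticated"
    return f"200 ran {req.form.get('cmd', '')!r} as {sess.user}"


def run_command_hardened(req: Request) -> str:
    """Same action with CSRF defenses: origin check plus synchronizer token."""
    sess = _session_from(req)
    if req.method != "POST" or sess is None:
        return "401 unauthenticated"
    # 1. Browsers send Origin on cross-site POSTs; a mismatch is a forgery.
    #    A missing header is tolerated only because the token check is authoritative.
    origin = req.headers.get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return "403 cross-site origin rejected"
    # 2. Token must be present and equal to the session's token; constant-time
    #    compare so an attacker cannot learn it byte by byte via timing.
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, sess.csrf_token):
        return "403 missing or invalid CSRF token"
    return f"200 ran {req.form.get('cmd', '')!r} as {sess.user}"


def demo() -> tuple[str, str, str]:
    """Victim is logged in; an attacker page auto-submits a POST to the device."""
    sid = login("netadmin")
    forged = Request(
        method="POST",
        cookies={"sid": sid},                            # attached by the browser
        headers={"Origin": "https://attacker.example"},  # set by the browser, not the attacker
        form={"cmd": "attacker-chosen command"},         # no token: the attacker cannot read it
    )
    legit = Request(
        method="POST",
        cookies={"sid": sid},
        headers={"Origin": ALLOWED_ORIGIN},
        form={"cmd": "show running-config", "csrf_token": SESSIONS[sid].csrf_token},
    )
    return (
        run_command_vulnerable(forged),  # 200: the forgery succeeds
        run_command_hardened(forged),    # 403: rejected
        run_command_hardened(legit),     # 200: the real UI still works
    )


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The token is the load-bearing control: `Origin` is set by the browser and cannot be forged from a web page, but older clients and some proxies omit it, so the hardened handler treats its absence as "fall through to the token" rather than "allow". Setting the session cookie with `SameSite=Lax` or `Strict` adds a third, browser-enforced layer for the same attack.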
Last week, [it warned of multiple, critical vulnerabilities](<https://threatpost.com/critical-cisco-sd-wan-bugs-rce-attacks/163204/>) in its SD-WAN solutions and DNA Center, among others.

One critical-severity flaw (CVE-2021-1299) exists in the web-based management interface of Cisco SD-WAN vManage software. The bug (which ranks 9.9 out of 10 on the CVSS scale) could allow an authenticated, remote attacker to gain root-level access to an affected system and execute arbitrary commands as the root user.

A second critical flaw, CVE-2021-1300, which ranks 9.8 out of 10 on the CVSS scale, could allow an attacker to execute arbitrary code on the underlying operating system with root privileges.

And a critical-severity flaw was found in the Command Runner tool of Cisco DNA Center (CVE-2021-1264), which ranks 9.6 out of 10 on the CVSS scale. A successful exploit could allow the attacker to execute arbitrary CLI commands on devices managed by Cisco DNA Center, according to Cisco.

Earlier in January, Cisco [fixed high-severity flaws](<https://threatpost.com/cisco-flaw-cmx-software-retailers/163027/>) tied to 67 CVEs overall, including ones found in its AnyConnect Secure Mobility Client and in its RV110W, RV130, RV130W and RV215W small-business routers.

The most serious flaw (CVE-2021-1144) afflicted Cisco Connected Mobile Experiences (CMX), a software solution used by retailers to provide business insights or on-site customer-experience analytics. The solution uses the Cisco wireless infrastructure to collect a treasure trove of data from the retailer’s Wi-Fi network, including real-time customer-location tracking.
The high-severity issue (8.8 out of 10 on the CVSS vulnerability-severity scale) could allow an authenticated attacker to impersonate any user on the system.

Cisco DNA Center Bug Opens Enterprises to Remote Attack – https://threatpost.com/cisco-dna-center-bug-remote-attack/163302/
Published 2021-01-25T17:53:51 Modified 2021-01-25T17:53:51 ID THREATPOST:7A1B0064EDE52909EB28393920C0EEA3 Type threatpost CVSS 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)