Weekly Threat Report - 30th August 2019
Popular VPNs targeted by password stealing hackers
Hackers are actively attempting to steal passwords by taking advantage of servers that have failed to patch two virtual private network (VPN) products.
Users of Fortigate SSL VPN and Pulse Secure are being warned that hackers are attempting to steal passwords, as well as encryption keys and other sensitive data.
Researchers at the Black Hat security conference in Las Vegas explained that the vulnerabilities could be taken advantage of by sending unpatched servers web requests that contain a special sequence of characters.
Other vulnerabilities found could also allow attackers to remotely execute malicious code and change passwords.
Users of these VPN products should look to install patches for the products as soon as possible. The Fortigate update was issued in Maywhilst the Pulse Secure update was made available back in April.
However, organisations patching their products are being told that updating to the latest version could cause service disruptions such as downtime of the VPN.
The NCSC always recommends patching products, devices and software with the latest security updates. Patching is not a magic bullet, but not doing so is the quickest way to undermine your own security.
Apple release a patch to fix jailbreak flaw
Apple has released an update (12.4.1) to fix a jailbreaking vulnerability – one which had previously been fixed back in iOS 12.3.
Jailbreaking allows the user to take more control over their device so, with an iPhone, it could be possible to install apps and access functionality which are otherwise not approved by Apple.
However, jailbreaking an iPhone device can open devices up to further security risks and expose users to malicious apps because you would be undercutting the security setup put in place by Apple to protect users.
The vulnerability, which was fixed in iOS 12.3 but accidently reintroduced in iOS 12.4, made it easier to jailbreak updated Apple devices, including the iPhone XS, XS Max, and XR or the 2019 iPad Mini and iPad Air, if it ran iOS 12.4, iOS 12.2 or earlier.
Users of Apple devices should now ensure they have updated to iOS 12.4.1.
Apple has published a security note about the update, which includes recognition for the researcher that flagged the vulnerability, and users should also keep track of Apple’s latest security updates.
National Cyber Security Centre Weekly Threat Reports