Cybersecurity Weekly: Microsoft customer support records exposed and GE Healthcare devices vulnerabilities

Breaches

• Five improperly configured Elasticsearch servers resulted in the exposure of 250 million Microsoft customer support records for several weeks late last year. The exposure was due to misconfigured security rules that were implemented on December 5, 2019. Microsoft was notified of the problem on December 29 and had fixed the problem by December 31. All five servers stored the same information.
• A hacker has published a list of credentials for more than 515,000 servers, home routers, and other Internet of Things (IoT) devices online on a popular hacking forum in what’s being touted as the biggest leak of Telnet passwords to date.
• German car rental company Buchbinder exposed the personal information of over 3.1 million customers including federal ministry employees, diplomats, and celebrities, all of it stored within a ten terabytes MSSQL backup database left unsecured on the Internet. The German company runs a worldwide network of over 5000 car rental stations directed by partners and franchise holders, with clients from more than 100 countries.

Vulnerabilities

• A collection of six cybersecurity vulnerabilities in a range of GE Healthcare devices for hospitals has been discovered. Dubbed “MDhex” by the researcherswho discovered them, the bugs would allow attackers to disable the devices, harvest personal health information (PHI), change alarm settings and alter device functionality.
• An unpatched remote code-execution vulnerability in Internet Explorer is being actively exploited in the wild. Microsoft is working on a patch. In the meantime, workarounds are available. The bug (CVE-2020-0674) which is listed as critical in severity for IE 11, and moderate for IE 9 and IE 10, exists in the way that the jscript.dll scripting engine handles objects in memory in the browser.
• US-CERT vulnerability summary for the week of January 20, 2020.

Patches & Updates

• Citrix has released patches for versions of its SD-WAN WANOP products that are vulnerable to a critical flaw that was disclosed in December. Citrix released patches for some vulnerable versions of its Application Delivery Controller (ADC) and Gateway products earlier this week. Fixes for the rest of the vulnerable version are scheduled to be released on Friday, January 24.
• Cisco informed customers that it has patched a vulnerability that allowed unauthorized users to join password-protected Webex meetings. The vulnerability, tracked as CVE-2020-3142 and classified as high severity, affected Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites, releases earlier than 39.11.5 and 40.1.3. However, the fixes apply only to the sites and users are not required to update their mobile or desktop Webex Meetings applications.
• Honeywell’s Maxpro VMS and NVR, network video recorders and video management systems deployed in commercial, manufacturing and energy facilities around the world, sport critical vulnerabilities that may allow attackers to take control of them. Both vulnerabilities have been deemed to be critical by the ICS-CERT, as they can be exploited remotely without authentication by low-skilled attackers. Honeywell has released patches for the vulnerabilities but recommend upgrading MAXPRO VMS and NVR to versions R560 and 5.6 before applying the patch.