Weekly cyber-facts in review 19/09/21 - Aiuken
3 | Weekly cyber-facts in review

Infrastructure

Citrix releases updates for its virtualizer (Xen Server). The vulnerabilities allow a potential attacker to take control of the affected asset.

Cisco releases patches for IOS XR correcting 4 vulnerabilities of high severity (which can lead to memory exhaustion on the systems, obtaining and loading files, and elevating privileges).

Citrix releases patches for ShareFile. The released patch prevents remote exploitation of the product, preventing a potential adversary from taking control of it.

Applications

SAP releases 17 security notes and updates another 2. The most serious vulnerability consists of the absence of authorization controls in Java NetWeaver Application Server (middleware in SAP solutions). The second most serious vulnerability fixed allows SQL injection in the Near Zero Downtime Mapping Table Framework, which affects SAP HANA, LT Replication Server, Test Data Migration Server, Landscape Transformation and LTRS for S/4HANA.

Adobe Acrobat Reader, XMP Toolkit SDK, Photoshop, Premiere Elements, FrameMaker, InDesign, Adobe Digital Editions, and ColdFusion receive updates for 59 bugs. 36 of the fixed vulnerabilities are classified as critical. Adobe Acrobat receives fixes for 26 vulnerabilities (13 critical).

OT

Siemens fixes or updates 46 vulnerabilities, including critical ones in the Desigo CC building management, Cerberus, Apogee and Talon products, Industrial Edge App and SIPROTEC 5. These vulnerabilities allow remote code execution.

Schneider Electric fixes 7 vulnerabilities affecting StruxureWare Data Center Expert products (2 critical vulnerabilities), EcoStruxure Control Expert, EcoStruxure Process Expert and SCADAPack RemoteConnect.
Issues to keep in mind
A band aid for a bullet hole

Microsoft releases security updates. Microsoft patches 86 vulnerabilities in Azure, Edge (Android, Chromium, and iOS), Office, SharePoint Server, Windows, Windows DNS, and Windows Subsystem for Linux products. The zero-day in MSHTML recently reported to Microsoft (CVE-2021-40444) is resolved. The vulnerabilities CVE-2021-36958, CVE-2021-38667, CVE-2021-38671 and CVE-2021-40447 are patched in the print spooler. A fix for remote code execution on guest machines in Azure infrastructure, vulnerability CVE-2021-38647 in Open Management Infrastructure, is released. Windows WLAN AutoConfig CVE-2021-36965, allowing RCE, is also patched. Finally, the vulnerability CVE-2021-36968 is corrected, consisting of an elevation of privileges in Windows DNS. At least the vulnerabilities in the spooler and the one associated with the remote content rendering engine MSHTML are being exploited. Although the patches make Windows systems a bit more secure, the holes are far from being closed, and the precautions we have been giving throughout the summer should be considered.

Microsoft's OMI patch

Vulnerabilities in OMI (Open Management Infrastructure), called OMIGOD, are patched in September by Microsoft. These vulnerabilities allow elevating privileges or remote code execution. OMI is an orchestration tool for Linux, equivalent to Windows Management Instrumentation (available for Windows environments). An attacker, using the OMI console (omicli), can make unauthenticated requests on the infrastructure to execute commands at the root level. The vulnerabilities would allow taking control of Linux virtual machines on Azure infrastructure. We believe that, given the ease of exploitation of the vulnerabilities, they will begin to be exploited shortly.
Ransomware in Review
REvil ransomware is back in the cyberthreat landscape

REvil ransomware operators have reactivated their leak site and reappeared on hacker forums, returning to the cyberthreat landscape after a 2-month break (driven by the attention that Kaseya's supply chain attack drew onto them).

Medical technology giant Olympus has been hit by BlackMatter ransomware

The leading medical technology company Olympus suffered, on September 8th, an attack which affected its sales and manufacturing areas in the EMEA geographic region. The attack was orchestrated by the threat group behind BlackMatter ransomware.

Law firm suffers a ransomware attack and reports the incident to the High Court

A London law firm suffers a ransomware attack and requests a court order from the High Court to report the fact. The High Court ruled in the firm's favour by default, as the criminals had "not engaged with the proceedings and have not filed an Acknowledgement of Service or Defence." The ruling prohibits the criminals from publishing the stolen data, although it doesn't really make much sense against these types of criminals.
Malware in Review
Zloader is capable of disabling MS Defender antivirus

In a newly spotted Zloader campaign, the malware is capable of disabling Microsoft Defender antivirus to evade detection. Its entry vector has changed from spam and phishing campaigns to TeamViewer Google ads published through Google AdWords, which redirect victims to fake download sites.

SOVA, an Android banking trojan

SOVA is a banking trojan which was identified for the first time in August 2021, and it is still in development. Following the roadmap its authors have announced on hacking forums, this banking trojan could be the most sophisticated to date, with DDoS, man-in-the-middle and ransomware functionalities.

Vermilion Strike, a new Linux Cobalt Strike beacon

Vermilion Strike has been identified in ongoing cyberattacks against entities from different sectors worldwide as a hacker-made Linux Cobalt Strike beacon. It has been developed in the same configuration format as the official Windows beacon and can speak with all Cobalt Strike servers.
Identified new Mirai variant dubbed Meris

Researchers have identified a new Mirai botnet variant dubbed Meris. Meris has broken a DDoS record, reaching 21.8 million requests per second in a massive attack against Yandex. Meris uses MikroTik devices as hosts, but it seems that no new vulnerabilities have been spotted since 2018, which means the infected devices were compromised by exploiting that flaw.

Malicious Linux binaries for WSL

Malicious Linux binaries created for the Windows Subsystem for Linux (WSL) have been identified, so it is believed that attackers are testing the use of WSL to install malware on Windows. The identified files are primarily based on Python 3 and are packaged as an ELF executable for Debian using PyInstaller. Of these, only one IP has been identified publicly, through which more data has been obtained. The malicious files have the payload built in or fetch it from a remote server, and then inject the malware using Windows API calls, although other variants have been observed that use standard Python libraries, and others are PowerShell-based.
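The packaging described above (a Python 3 payload bundled into an ELF with PyInstaller) leaves a recognisable footprint that a defender can triage for. The helper below is an added example, not code from the original newsletter: it checks a file image for the ELF magic and for the PyInstaller archive cookie, whose `!8sIIii64s` layout is assumed here; the sample images are constructed.

```python
import struct

# PyInstaller embeds a CArchive in the executable; the archive ends with a
# fixed-size "cookie" that starts with this magic. Assumed cookie layout
# ("!8sIIii64s"): magic, package length, TOC offset, TOC length,
# raw Python version field, Python shared-library name.
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"
ELF_MAGIC = b"\x7fELF"


def triage(image: bytes) -> dict:
    """Classify a file image: is it ELF, and does it carry a PyInstaller archive?"""
    result = {"elf": image.startswith(ELF_MAGIC), "pyinstaller": False,
              "pylib": None, "pyvers_raw": None}
    pos = image.rfind(PYI_MAGIC)  # the cookie sits at the end of the archive
    if pos == -1 or pos + struct.calcsize(COOKIE_FMT) > len(image):
        return result
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(
        COOKIE_FMT, image, pos)
    if toc_off + toc_len > pkg_len:  # TOC outside the package: not a sane cookie
        return result
    result["pyinstaller"] = True
    result["pylib"] = pylib.rstrip(b"\x00").decode(errors="replace")
    result["pyvers_raw"] = pyvers
    return result


def _fake_pyinstaller_elf() -> bytes:
    """Constructed sample: a 64-byte ELF-like header, 32 bytes of filler,
    a 16-byte placeholder TOC and a well-formed PyInstaller cookie."""
    toc = b"\x00" * 16
    pkg_len = 32 + len(toc) + struct.calcsize(COOKIE_FMT)
    cookie = struct.pack(COOKIE_FMT, PYI_MAGIC, pkg_len, 32, len(toc), 309,
                         b"libpython3.9.so.1.0")
    return ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57 + b"\x00" * 32 + toc + cookie


SUSPECT_ELF = _fake_pyinstaller_elf()
# Constructed benign image: ELF-like header only, no embedded archive.
BENIGN_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61

if __name__ == "__main__":
    for name, img in (("suspect", SUSPECT_ELF), ("benign", BENIGN_ELF)):
        print(name, triage(img))
```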
Exploitation of vulnerabilities in Review
Microsoft zero-day CVE-2021-40444 vulnerability is currently being exploited

Researchers have identified links between ransomware operations conducted by Wizard Spider, in which the Conti or Ryuk ransomware families are launched, and the group they were tracking as DEV-0413, which is currently exploiting the Microsoft zero-day vulnerability CVE-2021-40444. This means the exploitation of this vulnerability could result in a ransomware attack.

APTs exploiting ADSelfService Plus vulnerability

Several APTs have been found to have been actively exploiting vulnerabilities in the Zoho ADSelfService Plus platform since August this year. The vulnerability, registered as CVE-2021-40539, allows an attacker to execute code remotely using the REST API. Details about the vulnerability were made public on September 7, with the recommendation being to upgrade to version 6114 or later. An attacker could exploit the vulnerability to maliciously reset all passwords of a company's corporate accounts, denying access to the company and its employees.
Phishing Campaign in Review
Phishing campaign impersonating CaixaBank

A new phishing campaign has been identified impersonating the bank CaixaBank. In it, the threat actors send an email whose subject indicates that from a specific date the user's account will be deactivated, so they ask the user to access the link provided to confirm their account. The link redirects the victim to a fraudulent website impersonating CaixaBank, in which the attackers steal the credentials the victims enter. They may later commit fraud, among other unlawful actions, with such information.
Wild, Wild Admin
This week a report by Imperva shows the results of a 5-year-long study regarding database security. As we are accustomed to, the outcome seems to be worrisome. The study comprised around 27,000 on-premise databases. It took into account both databases which appeared as standalone appliances on the Internet and databases integrated into applications exposed to the general public. Out of them, 61% were affected by at least one vulnerability, and 46% were affected by serious vulnerabilities. Many of those publicly exposed and vulnerable databases were apparently affected by vulnerabilities several years old.

In addition to such conclusions, the reader may remember that a couple of weeks ago Microsoft released an advisory about Cosmos DB, acknowledging vulnerabilities in its SaaS product and asking customers to change passwords. Prior to this event, a Power Apps data leak was discovered, which consisted of 47 companies leaking data (38 million records) through an API which lacked security. These are the latest examples of a series of events that might make the reader suspect the diligence with which security is handled by database administrators.

So, what to do? One of the first easy answers would be "let's migrate to the cloud". Imperva's report indicates that more and more companies are migrating to "the cloud", but even with that, security is still an obligation for the company. For that reason, companies are obliged to ask cloud providers for certifications and references. At the same time, even in the SaaS model, at some point an administrator has to handle the infrastructure. Policies, procedures and security controls must be implemented to retain secure environments. Such measures include password management and API configuration. When the cloud is not considered, issues such as redundancy and patching play a role in the previously mentioned policies, procedures and security controls.

Forcibly involving the IT team in the patching process and overseeing their progress throughout the year seems to be necessary. In the end, no matter where the data is, control over the infrastructure is always required.
Calle Francisco Tomás y Valiente nº 2 Boadilla del Monte · 28660 Madrid (España) Teléfono:+34 912 909 805 aiuken.com