Weekly cyber-facts in review 22/08/21 - Aiuken
3 | Weekly cyber-facts in review

Voltage Glitching Attack on AMD Chips

Researchers have discovered a voltage glitching (fault injection) attack on AMD chips, specifically targeting SEV (Secure Encrypted Virtualization), a technology present in AMD's EPYC processors that is designed to protect virtual machines (VMs) and the data they store against insider threats with elevated privileges, and which is used in cloud environments. SEV protects data by encrypting VM memory, and the encryption keys are protected by AMD's Secure Processor (SP). An attacker with physical access to the target system can gain access to the memory contents of an SEV-protected VM by launching a voltage fault injection attack against the SP.

New Drupal patches

The Drupal content management system has released several updates as part of its support program. The patches address several vulnerabilities that affect versions 8.9, 9.1 and 9.2. An attacker could use these vulnerabilities to try to take control of the affected systems.

Vulnerability in WordPress SEOPress

A stored cross-site scripting (XSS) vulnerability has been discovered in the SEOPress WordPress plugin. SEOPress is a search engine optimization (SEO) tool that lets site owners manage SEO metadata, social-media cards, Google Ad settings, etc., and is installed on more than 100,000 sites. The vulnerability, tracked as CVE-2021-34641, allows any authenticated user, such as a subscriber, to call the REST route with a valid nonce and update the SEO title and description of any post. Depending on the payload the attacker injects, this could enable various malicious actions, including taking full control of the site.
Vulnerabilities in the GPAC Project library

Cisco Talos has disclosed vulnerabilities tracked as TALOS-2021-1297 (CVE-2021-21834 to CVE-2021-21852), TALOS-2021-1298 (CVE-2021-21859 to CVE-2021-21862) and TALOS-2021-1299 (CVE-2021-21853 to CVE-2021-21858), all of which affect the GPAC Project on Advanced Content library. GPAC is an open-source, cross-platform library that implements the MPEG-4 Systems standard and provides tools for media playback, vector graphics and 3D rendering. The project ships with the MP4Box tool, which lets users encode or decode media containers into multiple supported formats. Attackers can use these vulnerabilities to cause a buffer overflow and therefore memory corruption.
Adobe Plugs Photoshop Security Flaws

Adobe, as part of its support program, has released updates to address vulnerabilities in Photoshop 2020 and 2021. An attacker could exploit the patched vulnerabilities to execute code as a prelude to taking control of the target system. Adobe also published patch notices for Adobe Media Encoder, Adobe Bridge, Adobe Captivate and Adobe XMP Toolkit.

Apple Security Update

Apple has released a security update to address vulnerabilities in iCloud for Windows 12.5. The patched vulnerabilities are identified as CVE-2021-30779 and CVE-2021-30785, whereby processing a maliciously crafted image may lead to arbitrary code execution. By exploiting them, an attacker could take control of an affected system.

Vulnerability in Daemon Tools Pro

A memory corruption vulnerability has been discovered in Disc Soft Ltd.'s Daemon Tools Pro, a professional emulation application that works with disc images and virtual drives and allows users to mount ISO images on Windows systems. The vulnerability is tracked as TALOS-2021-1295 (CVE-2021-21832): if the user opens an adversary-created ISO file, an integer overflow can cause memory corruption in the application.

Mozilla security updates

Mozilla has released security updates to address vulnerabilities in Firefox 91.0.1 and Thunderbird 91.0.1, including CVE-2021-29991, header splitting possible with HTTP/3 responses. These vulnerabilities could be exploited by an attacker to take full control of the affected system.

Chrome update

Google has released a security update for the Chrome web browser to address several identified vulnerabilities. In total, the update includes 9 security fixes, including 7 vulnerabilities reported by third parties (CVE-2021-30598, CVE-2021-30599, CVE-2021-30600, CVE-2021-30601, CVE-2021-30602, CVE-2021-30603, CVE-2021-30604). The most severe are CVE-2021-30598 and CVE-2021-30599, two type confusion issues in the V8 JavaScript engine.
Vulnerability in Autodesk

A vulnerability affecting the Autodesk licensing service has been discovered. It is tracked as CVE-2021-27032 (Autodesk Licensing Service: Local Privilege Escalation) with a CVSS score of 7.8 and was found during a client penetration test. Autodesk is a world leader in 3D design and development software, whose products are present in many fields, such as architecture, engineering, construction and design.

BadAlloc Vulnerability

CISA has issued an alert warning of the need to apply the mitigations provided by BlackBerry QNX to reduce the impact of a BadAlloc vulnerability. Specifically, BlackBerry's QNX Real Time Operating System (RTOS) is affected by this vulnerability, which is tracked as CVE-2021-22156. BadAlloc is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries. This vulnerability could be exploited by an attacker to cause a denial of service or execute code on the affected devices, taking control of the system.

Server Name Identification (SNI) flaw

Cisco warns of a vulnerability, CVE-2021-34749, in Server Name Identification (SNI) request filtering that affects multiple products (3000 Series Industrial Security Appliances (ISAs), FTD Software and WSA Software) and all open-source Snort project releases earlier than 2.9.18. Other products are currently being investigated to determine whether they are affected. A successful exploit could allow the attacker to carry out command-and-control communication with a compromised host and perform data exfiltration.
Issues to keep in mind
ThroughTek's Kalay cloud platform

The privacy and security of millions of end users of ThroughTek's Kalay cloud platform are at potential risk: a critical vulnerability tracked as CVE-2021-28372 has been identified in a core component of the Kalay cloud platform, which is used by millions of IoT devices (notably CCTV cameras and domestic surveillance devices) from many vendors. Exploitation of this vulnerability would allow an attacker to eavesdrop on audio and video data and/or take complete remote control of the affected device; the only thing the attacker needs is the Kalay unique identifier (UID) of the targeted user.
Ransomware in Review
Insurer Tokio Marine suffers a ransomware attack

Tokio Marine Holdings, a multinational insurance holding company based in Japan, has confirmed that its Singapore branch, Tokio Marine Insurance Singapore (TMIS), has suffered a ransomware attack. At the moment it is unknown when and how the attack occurred; a third party is investigating in order to analyze the systems and evaluate the impact of the attack. As soon as the company detected the attack, it isolated the network and informed government agencies.

National Treasury of Brazil suffers a ransomware attack

The Brazilian Ministry of Economy has confirmed that the National Treasury suffered a ransomware attack last weekend that hit some of its computing systems. The incident is being investigated with the help of the federal police; it is known that the attackers did not damage the structuring systems of the National Treasury Secretariat, such as the Integrated Financial Administration System (SIAFI) and those related to public debt. The Brazilian government also issued a joint statement with the Brazilian Stock Exchange on Monday regarding the incident.
Hive ransomware gang attacks Memorial Health System

Memorial Health System, a network of three hospitals in Ohio and West Virginia, was apparently attacked last weekend (August 13th to 15th) by the Hive ransomware gang. As a consequence, it suffered disruptions of clinical and financial operations.

Another ransomware gang is exploiting PrintNightmare vulnerabilities to compromise Windows servers

Once again, as last week, evidence has been identified that another ransomware gang, dubbed Vice Society, is exploiting PrintNightmare vulnerabilities to launch its ransomware. We are confident more ransomware gangs are exploiting PrintNightmare vulnerabilities to launch their ransomware families.
Phishing Campaigns in Review
New phishing campaign impersonating FINRA

The US Financial Industry Regulatory Authority (FINRA), a non-profit organization supervised by the Securities and Exchange Commission (SEC) and authorized by the US government to regulate all publicly active securities firms and exchange markets, has warned US brokerage firms and brokers of an ongoing phishing campaign impersonating the organization. A very similar campaign was already identified last June, although in this case the attackers are using at least three different domains, specifically finrar-reporting[.]org, finpro-finrar[.]org and gateway2-finra[.]org. Takedown of the domains identified as malicious has been requested, but it cannot be ruled out that more are in use.

Morse code in phishing campaigns

After tracking a phishing campaign for more than a year, researchers observed that the attackers changed their obfuscation and encryption mechanisms every 37 days on average, with the aim of making the campaigns harder to detect. In addition, the attackers moved from plaintext HTML code to multiple encoding techniques, including old and unusual encoding methods such as Morse code, to hide the attack segments. In short, attackers will continue to improve or reuse tactics in order to improve both their evasion and their effectiveness.
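As a defensive illustration of the Morse-code obfuscation described above, the following added Python example (not from the original newsletter or the research it summarizes) scans an HTML attachment for runs of Morse code and decodes them, so an analyst or mail filter can see what the encoded segment hides; the sample HTML is constructed for this example.

```python
import re

# International Morse code table (letters and digits).
MORSE_TABLE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}

# A run of at least MIN_SYMBOLS Morse symbols separated by whitespace,
# optionally using "/" as the word separator (the usual text convention).
MIN_SYMBOLS = 6
MORSE_RUN = re.compile(
    r"[.\-]{1,5}(?:\s+(?:/\s+)?[.\-]{1,5}){%d,}" % (MIN_SYMBOLS - 1))

# Constructed sample: an HTML attachment whose script keeps a string as
# Morse code instead of plaintext (made up for this example).
SAMPLE_HTML = """<html><body><!-- invoice -->
<script>
var p = "..-. .. -. .- -. -.-. . / .--. .- ... ... .-- --- .-. -..";
</script></body></html>"""

def decode_morse(run: str) -> str:
    """Decode one Morse run; unknown symbols become '?', '/' splits words."""
    words = re.split(r"\s*/\s*", run.strip())
    return " ".join(
        "".join(MORSE_TABLE.get(sym, "?") for sym in word.split())
        for word in words)

def find_hidden_morse(text: str, min_ratio: float = 0.8) -> list:
    """Return (raw_run, decoded) for each Morse run in `text` that decodes
    cleanly: at least `min_ratio` of its symbols are valid Morse and the
    result uses three or more distinct characters (drops '- - - -' noise)."""
    hits = []
    for match in MORSE_RUN.finditer(text):
        raw = match.group(0)
        decoded = decode_morse(raw)
        chars = decoded.replace(" ", "")
        valid = 1 - chars.count("?") / len(chars)
        if valid >= min_ratio and len(set(chars)) >= 3:
            hits.append((raw, decoded))
    return hits

if __name__ == "__main__":
    for raw, decoded in find_hidden_morse(SAMPLE_HTML):
        print(f"Morse run found: {raw!r} -> {decoded!r}")
```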
Data Breaches in Review
T-Mobile is investigating an alleged data breach

T-Mobile is investigating a possible data breach after a threat actor claimed to have stolen a database containing the information of 100 million of the company's customers. T-Mobile is currently investigating the incident in order to confirm or deny both the attack and the theft of the information. The data allegedly stolen includes names, dates of birth, driver's license numbers, IMEIs, security PINs and social security numbers, among others. At the moment the entry vector used by the attackers is unknown, although they have posted a screenshot of an SSH connection to a production server running Oracle and also claim to have compromised the production, staging and development servers.

Chase Bank accidentally leaked customer information

Chase Bank has accidentally leaked customer information to other customers due to a technical error in its website and online banking application. JPMorgan Chase Bank is a financial services company based in New York City with $120 billion in annual revenue and over 250,000 employees worldwide. The issue is believed to have occurred between May 24 and July 14, 2021, and caused the personal data of the bank's customers to be leaked, including statements, transaction lists, names and account numbers. Chase Bank has so far found no evidence indicating that the information was misused.
Threat Groups in Review
AdLoad malware slips through Apple's XProtect antivirus

AdLoad, a trojan targeting macOS systems, is executed to deploy various malicious payloads, including adware and Potentially Unwanted Applications (PUAs). While investigating this campaign, researchers realized that macOS's XProtect antivirus did not protect devices from AdLoad.

Pakistan-linked threat group compromises WordPress sites to distribute RAT

A Pakistan-linked threat group, tracked as Aggah, is actively conducting a cyberespionage campaign targeting manufacturing companies in Taiwan and South Korea. The entry vector is a spear-phishing campaign that leads victims to compromised WordPress sites, which deliver the Warzone RAT.

Indra threat group has been linked to recent cyberattacks against Iran

July's attacks against Iran's transport ministry and national train system have been attributed to the Indra threat group, which presumably conducted the attacks using a wiper malware dubbed Meteor. Indra is an Iranian group that identifies itself as a regime opposition group and has previously attacked different targets in Syria.
Other Incidents in Review
Colonial Pipeline is warning the victims of the cyberattack it suffered in May

The largest fuel pipeline in the United States, Colonial Pipeline, is sending notification letters to individuals affected by the data breach resulting from the DarkSide ransomware attack that hit its network in May. The attack forced the company to shut down temporarily. It was already known after the attack that some confidential information had been stolen; now, having learned that personal information of users was affected, the company is notifying the people concerned.

Exploits for vulnerabilities affecting Internet Explorer are being leveraged by the InkySquid APT group

It has been identified that the North Korea-linked APT group InkySquid is exploiting two vulnerabilities affecting Internet Explorer to launch watering hole attacks against very specific targets and collect intelligence.
INFRA:HALT vulnerabilities' impact
Major industrial control system vendors have issued security advisories regarding INFRA:HALT vulnerabilities' impact

Recently, researchers found 14 vulnerabilities in NicheStack, a TCP/IP stack used by many OT vendors. These vulnerabilities were reported to HCC Embedded, which released patches in May 2021. This week several major ICS vendors have released security advisories regarding the impact of these vulnerabilities on their products. Among them, we would like to highlight Schneider Electric, Siemens, Rockwell Automation and Phoenix Contact. The impacted products are Schneider Electric's Lexium motion control drives; Siemens' SENTRON low-voltage products; Rockwell Automation's 20-COMM-ER EtherNet/IP and 1715-AENTR EtherNet/IP adapters, ArmorStart distributed motor controllers, AADvance safety controllers and AADvance Eurocard controllers; and Phoenix Contact's ILC1x0, ILC1x1 and AXC 1050 industrial controllers and CHARX programmable charging controller. All of these are exposed to DoS attacks and PLC corruption.
Calle Francisco Tomás y Valiente nº 2 Boadilla del Monte · 28660 Madrid (España) Teléfono:+34 912 909 805 aiuken.com