Weekly cyber-facts in review 29/08/21 - Aiuken
Microsoft
38 million records exposed using Microsoft PowerApps. 47 companies, including Microsoft, US airlines, Ford, JB Hunt, as well as several civil administrations in the US, failed to configure the OData API, which requires authentication to be enabled. PowerApps is a Microsoft SOA-like application that allows individuals with no coding experience to develop applications.
On the other hand, a new critical vulnerability has been observed in Cosmos DB, a NoSQL database manager marketed by Microsoft in SaaS format. Using a number of exploited vulnerabilities in the Jupyter Notebook file format, it is possible to recover the credentials of Cosmos DB, Jupyter Notebook Compute, and Jupyter Notebook Storage. Microsoft indicates that it has resolved the configuration error, but as a precaution it is recommended to regenerate the primary keys of Cosmos DB.

Atlassian
Atlassian releases patches for Confluence. The patched vulnerability consists of the possibility of executing Java code by a user with least privileges or by unauthenticated users using the Object-Graph Navigation Language (OGNL). We do not know if the vulnerabilities are being exploited.

Infrastructure
VMware releases patches for several of its products. All the patched vulnerabilities have their origin in an authentication failure in the vRealize Operations Manager API, allowing an attacker to add or remove nodes in an infrastructure, read any type of log, perform SSRF, modify user information or take control of their accounts.
Synology publishes an advisory on the impact on its products of vulnerabilities in OpenSSL (by issuing data in ASN1 and SM2 format, an attacker could remotely execute code, leak information or cause denial of service conditions). They affect its DSM 7.0, DSM 6.2, DSM UC, SkyNAS, VS960HD, SRM 1.2, VPN Plus Server, and VPN Server products.
Issues to keep in mind
AppUnContained
This week Google has disclosed a vulnerability in AppContainer, a virtualization service for applications in Microsoft's environment. The vulnerability leverages a weak default configuration in Windows Filtering Platform. Such a configuration would allow certain types of executables to reach TCP sockets and, as a consequence, elevate privileges.

Realtek SDK
The Realtek SDK for the RTL8xxx chips is under exploitation. The exploited vulnerabilities affect the RTL8xxx SDK. The RTL8xxx chip is used by 65 manufacturers of routers, IP cameras, IP repeaters and residential gateways (Asus, Belkin, D-Link, Huawei, LG, Logitech, Netgear, ZTE or Zyxel). Due to the type of systems it affects, the impact is not limited to logical environments, but extends to physical environments too. An attacker could use the vulnerabilities to take control of the affected systems. Botnets have been observed exploiting the vulnerabilities.

OpenSSL
Patches released for a high severity vulnerability in OpenSSL. The vulnerability affects SM2 decryption. This means that an attacker who presents information formatted in SM2 to be decrypted can cause a buffer overflow in the application that tries to proceed with the decryption process. Such an overflow can cause unpredictable behavior in the application or lead to denial of service (DoS) conditions. An attacker could exploit the vulnerability to leak sensitive information or cause a system crash. Since OpenSSL is an integrated component in multiple applications and projects, we believe that eventually the vulnerability will be exploited.
Ransomware in Review
LockFile ransomware targets MS Exchange servers
The LockFile ransomware has been identified exploiting the ProxyShell vulnerabilities affecting Microsoft Exchange servers, specifically CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. The attackers use them to compromise and access vulnerable MS Exchange servers, then plant web shells with which they load and execute other programs, proceeding to infect the systems and encrypt the data with their ransomware.

LockFile ransomware exploits PetitPotam vulnerability
It has been observed that attackers are exploiting the vulnerability known as PetitPotam (CVE-2021-36942) to deploy the LockFile ransomware. PetitPotam is a method by which attackers carry out an NTLM (NT LAN Manager) relay attack that allows them to take over the domain controller or other Windows servers. Regarding the vulnerability, it is recommended to use NETSH filters (netsh is a Windows command-line utility that allows administrators to configure network interfaces, add filters and modify the firewall settings of Windows hosts) in order to block the PetitPotam attack vector, since there is currently no full patch from Microsoft.

Emails requesting the installation of DemonWare
Researchers have uncovered a campaign of emails sent by Nigerian threat actors asking employees of an organization to deploy the DemonWare ransomware in exchange for a $1 million reward in bitcoin. The emails also include a way to contact the attacker, so that the employee can accept and be sent the links to the executable file with which to infect the systems. The attackers appear to be related to the DemonWare ransomware group, also known as Black Kingdom or DEMON, whose latest attacks targeted the ProxyLogon vulnerabilities of Microsoft Exchange.
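As an added illustration of the NETSH mitigation recommended above (example code, not from the newsletter): the RPC filter below blocks the MS-EFSR (EFSRPC) interface that PetitPotam abuses to coerce authentication from a domain controller. The two interface UUIDs are the published MS-EFSR identifiers and the use of an elevated PowerShell prompt on a domain controller are my assumptions, not values taken from the page.

```powershell
# Added example: block inbound MS-EFSR (EFSRPC) calls with netsh RPC filters.
# Assumptions: run from an elevated PowerShell prompt on the domain controller;
# the UUIDs are the published MS-EFSR interface identifiers (not from the page).
$efsrpcInterfaces = @(
    'c681d488-d850-11d0-8c52-00c04fd90f7e',   # MS-EFSR, reached via \pipe\lsarpc / \pipe\efsrpc
    'df1941c5-fe89-4e79-bf10-463657acf44d'    # second MS-EFSR interface UUID
)

foreach ($uuid in $efsrpcInterfaces) {
    # Start a new user-mode (layer=um) filter rule whose action is to block the call
    netsh rpc filter add rule layer=um actiontype=block
    # Match only calls to this interface UUID, so other RPC services are unaffected
    netsh rpc filter add condition field=if_uuid matchtype=equal data=$uuid
    # Commit the rule and its condition as an active filter
    netsh rpc filter add filter
}

# Verify that both filters are now installed (each lists its if_uuid condition)
netsh rpc filter show filter
```

Blocking EFSRPC also prevents legitimate remote EFS operations against the host, so validate on a test domain controller before rolling it out.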
Threat Groups in Review
FBI releases details about the OnePercent group
The FBI has published details about the activities of the OnePercent group, a criminal group involved in ransomware attacks against organizations in the U.S. since November 2020, using phishing emails as the initial access vector. They send emails containing malicious attachments, specifically Microsoft Office documents with malicious macros. Once the user opens the document, the IcedID banking Trojan is deployed, which then installs Cobalt Strike and moves laterally using PowerShell. Finally, they use several tools, including Rclone, Mimikatz, SharpKatz, BetterSafetyKatz and SharpSploit, for data exfiltration and to encrypt data with ransomware (usually Sodinokibi).

SparklingGoblin APT group
The group behind the SideWalk or ScrambleCross backdoor is known as SparklingGoblin or Earth Baku, an advanced persistent threat (APT) group. It was first discovered in May 2020 while tracking the Winnti Group APT, known since 2013, by identifying artifacts of this group in the different samples. Although the two are believed to be related, some differences were identified, so it was named as a new group, SparklingGoblin.
Backdoor in Review
New SideWalk backdoor
A new backdoor called SideWalk or ScrambleCross has been identified, attributed to the group known as SparklingGoblin or Earth Baku. It has been used in attacks against the academic sector in Macau, Hong Kong and Taiwan and against the education sector in Canada, among others, although in general it has been seen in attacks against Windows systems in companies in Asia and North America. This is a modular backdoor that can dynamically load additional modules sent from its command-and-control server, uses Google Docs as a dead drop resolver, and uses Cloudflare as a C&C server. It can also be installed in different ways: by injecting a SQL script into the Microsoft SQL Server of a system, through the Microsoft Exchange Server ProxyLogon vulnerability (CVE-2021-26855), through an attachment in a malicious email, etc.
Phishing Campaign in Review
Phishing campaign impersonating UPS
The attackers used an XSS (cross-site scripting) vulnerability on the official UPS website to modify the page so that it looked like a legitimate download site. Specifically, they distributed a malicious document ("Invoice") through a remote Cloudflare worker, making it appear to be downloaded directly from the official website. To achieve this, the attacker includes in the email a tracking number that is actually a link to the UPS website carrying an exploit for the XSS vulnerability, which injects malicious JavaScript into the browser when the page is opened. The aim of this campaign is the theft of data, with the infection of devices as the means to that end.
Data Breaches in Review
Ford bug exposed customer and employee data
A bug on Ford Motor Company's website allowed access to sensitive systems and the retrieval of proprietary data, such as customer databases, employee records, internal tickets, etc. The error was due to a misconfigured instance of the Pega Infinity customer engagement system running on Ford servers; in particular, it was caused by an information exposure vulnerability in misconfigured instances of the customer management system (CVE-2021-27653). The exposed data ranged from account numbers, names and personal information to search history and profiles of users in the organization, among other sensitive data.

SAC Wireless suffers a data breach
As a result of an attack with the Conti ransomware, Nokia's U.S.-based subsidiary, SAC Wireless, has suffered a data breach. The company helps its customers design, build and upgrade their phone networks, including 5G, 4G LTE, small cell and FirstNet, and holds data primarily from U.S. customers, although it may hold data from users in other countries. The attackers gained access to the systems, uploaded the files to their cloud storage and then deployed the ransomware, encrypting the files on the systems. The stolen data includes names, dates of birth, contact information, identification documents, medical history, etc.

AT&T data breach
AT&T, one of the largest phone providers in the United States and North America, has suffered a data breach. It became known in mid-July 2021 and is believed to have occurred after one of the company's suppliers was attacked. The group allegedly responsible for the leak is ShinyHunters, with the attack affecting the Americas region.
War On-premise
Once a major change in politics, economics or culture happens, a plethora of minor changes happens at the same time in other aspects. During the last two weeks the USA has been dismantling its positions in Afghanistan, triggering a geopolitical change in the region, and possibly in the rest of the Asian continent. With stakes in the region, China, Russia, Pakistan and India are contesting their direct influence, and other countries moved by indirect interests may take a position on the friction point. The link among state affairs, the military and intelligence renders itself obvious. At the same time, with the appearance of cases like NSO Group with the Pegasus spyware, and the recent attributions made by the USA for the attacks against Microsoft infrastructure at the beginning of the year (SolarWinds), the relationship between intelligence agencies and intelligence operations has started to become proven and explicit too.

Without any intention to discuss the political complexities of this situation, Aiuken Cybersecurity's intelligence unit is worried about the expected surge in spyware after the departure of the US from Afghanistan, and about the security of its clients in relation to it. During the last three years, Aiuken Cybersecurity has observed an increased usage of malware in war zones. Most of this malware was classified under the category of spyware, and much of it was intended for mobile devices. Some of it was served in the form of phishing kits, but the most dangerous families were deployed by abusing zero-days. Zero-days are linked to the need for research, and such research is the most worrisome aspect for entities alien to any given conflict.

The biggest threat for most individuals and companies is organized criminals. Among the latest and greatest examples are ransomware (with its flamboyant Ransomware as a Service business model) and spyware (with its equivalent, Access as a Service). Phishing, fake landing pages and poisoned content are delivered in industrial quantities, and in such a competitive environment the strongest gets the most. That is why organised criminals tend to copy and reuse code. When APT innovation meets the desire of criminals to be more effective, the result can be monstrous. This is how, it is believed, the trendiest commercial spyware families were born. If the Afghan conflict reactivates, more dangerous spyware is expected to emerge.
Calle Francisco Tomás y Valiente nº 2, Boadilla del Monte · 28660 Madrid (España) · Phone: +34 912 909 805 · aiuken.com