Cyber Pulse: Edition 165 | 26 November 2021

Authorities urge admins to urgently patch Microsoft email systems

Cyber authorities across the US, UK, and Australia have called for administrators to immediately patch a quartet of vulnerabilities – CVE-2021-34473, 2020-12812, 2019-5591 and 2018-13379. Rather than going after a certain sector of the economy, the authorities said the attackers were simply focused on exploiting the vulnerabilities where possible and, following operation, they then tried to turn that initial access into data exfiltration, a ransomware attack, or extortion. Using the Fortinet and Exchange holes for access, the attackers would then add tasks to the Windows Task Scheduler and create new accounts on domain controllers and other systems to look like existing accounts to maintain access. The next step was to turn on BitLocker, leave a ransom note, and get the data out via FTP.

Meanwhile researchers from TrendMicro have observed cybercriminals targeting Microsoft email conversations of users. The attackers behind this campaign are believed to be TR, a threat actor known for spreading emails laden with malicious attachments that drops IcedID, Qbot, Cobalt Strike and SquirrelWaffle. Upon infection, the attackers use these compromised Exchange servers for simple social engineering tricks, convincing the recipients into opening malicious attachments sent with the emails.

Attackers would reply to a company's internal emails in reply-chain attacks and add links to malicious documents. The emails originate from the internal network and seem to be a continuation of a previous discussion that happened between two employees. Hackers curate malicious emails on the organisation’s network and thus bypass the email gateways, and further increase the element of trust of the reader that the emails are legitimate. The attachments in these emails are laden with standard malicious Microsoft Excel templates that urge the recipients to Enable Content option to view a protected file. Although Microsoft has already fixed ProxyLogon in March and ProxyShell in April and May, there are still possibilities of unpatched servers being exposed to the internet. Therefore, organisations should apply the latest patches for the vulnerabilities as soon as possible.

Web hosting giant GoDaddy 1.2millon customer data breach

GoDaddy has reported a data breach and warns that data on 1.2 million customers may have been accessed. In a filing with the Securities and Exchange Commission, GoDaddy detected unauthorised access to its systems where it hosts and manages its customers, noting that an unauthorised person used a compromised password to get access to GoDaddy’s systems around 6 September. GoDaddy said it discovered the breach last week on 17 November. It’s not clear if the compromised password was protected with two-factor authentication.

The filing said that the breach affects 1.2 million active and inactive managed WordPress users, who had their email addresses and customer numbers exposed. GoDaddy said this exposure could put users at greater risk of phishing attacks. The web host also said that the original WordPress admin password created when WordPress was first installed, which could be used to access a customer’s WordPress server, was also exposed. The company said that active customers had their sFTP credentials (for file transfers), and the usernames and passwords for their WordPress databases, which store all the user’s content, exposed in the breach. In some cases, the customer’s SSL (HTTPS) private key was exposed, which if abused could allow an attacker to impersonate a customer’s website or services. GoDaddy said it’s reset customer WordPress passwords and private keys and is in the process of issuing new SSL certificates.

Over 9 million Android phones running malware apps from Huawei's AppGallery

At least 9.3 million Android devices have been infected by a new class of malware that disguises itself as dozens of arcade, shooter, and strategy games on Huawei's AppGallery marketplace to steal device information and victims' mobile phone numbers. The mobile campaign was disclosed by researchers from Doctor Web, who classified the trojan as Android.Cynos.7.origin, owing to the fact that the malware is a modified version of the Cynos malware. Of the total 190 rogue games identified, some were designed to target Russian-speaking users, while others were aimed at Chinese or international audiences. Once installed, the apps prompted the victims for permission to make and manage phone calls, using the access to harvest their phone numbers along with other device information such as geolocation, mobile network parameters, and system metadata.

"At first glance, a mobile phone number leak may seem like an insignificant problem. Yet in reality, it can seriously harm users, especially given the fact that children are the games' main target audience," Doctor Web researchers said.

While the malware-laced apps have since been purged from the app stores, users who have installed the apps on their devices will have to manually remove them to prevent further exploitation.

Apple sues NSO group for spying on iPhone users

Apple has sued NSO Group and its parent company Q Cyber Technologies in a US federal court, holding it accountable for illegally targeting users with its Pegasus surveillance tool. In addition, the lawsuit seeks to permanently prevent the company from breaking into any Apple software, services or devices. The iPhone maker, separately, also revealed its plans to notify targets of state-sponsored spyware attacks and has committed $10 million, as well as any monetary damages won as part of the lawsuit, to cybersurveillance research groups and advocates.

To that end, the company intends to display a "Threat Notification" after the targeted users sign into appleid.apple[.]com, alongside sending an email and iMessage notification to the email addresses and phone numbers associated with the users' Apple IDs. Typically installed by leveraging zero-click exploits that infect targeted devices without any user interaction, Pegasus is engineered as an invasive military-grade spyware that's capable of exfiltrating sensitive personal and geolocation information and stealthily activating the phones' cameras and microphones. The lawsuit also mirrors a similar action taken by Meta (formerly Facebook) in October 2019, when it took the company to court for exploiting a bug in its WhatsApp messaging app.

Cisco firewall’s weakness discovered

A flaw – CVE-2021-34704 – was detected by Positive Technologies researcher Nikita Abramov in October in the firewalls of Cisco ASA (Adaptive Security Appliance) and Cisco FTD (Firepower Threat Defence). If the vulnerability is exploited, the organisation's firewall will be weakened, leaving it more vulnerable to attack, and employees who are working remotely would be blocked from accessing their organisation’s internal network. According to Abramov, an attacker does not require elevated privileges or special access to exploit the flaw. All it takes is the formation of a simple request, in which one of the parts is of a different size than that expected by the device. Further parsing of the request will trigger a buffer overflow/overrun as the amount of data in the buffer exceeds its storage capacity. The impacted system will then shut down abruptly and restart.

An assessment of the flaw determined it to be of high severity with a CVSSv3.0 score of 8.6. A fix for the flaw has been created and users are advised to follow the manufacturer’s recommendations outlined in its security advisory and install updates as soon as possible. 

Microsoft local privilege escalation zero day vulnerability

Security researcher Abdelhamid Naceri has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that can be exploited by threat actors to achieve admin privileges in Windows 10, Windows 11, and Windows Server and carry out multiple malicious activities. Naceri published a working proof-of-concept exploit for the new zero-day on GitHub. He discovered the zero-day flaw while analysing a security patch released by Microsoft as part of the Patch Tuesday in November for another Windows Installer elevation of privilege vulnerability, tracked as CVE-2021-41379, that the researcher reported to Microsoft. The expert was also able to bypass the patch issued by Microsoft. While working on the CVE-2021-41379 patch bypass, the expert has created 2 MSI packages to trigger a unique behaviour in Windows installer service, one of them is the CVE-2021-41379 bypass.