//Week in review - 16 Apr 2021

AusCERT Week in Review for 16th April 2021


We hope everyone’s had a good week and were able to get through all of April 2021’s Patch Tuesday fixes. On that note, be sure to review our highlighted security bulletins below, in particular ASB-2021.0062 – these were newly announced this week and are not the previous ProxyLogon vulnerabilities.

Thank you to those who tuned in to the joint AusCERT (UQ) & Duo Security webinar which took place yesterday during which our Director, Dr. David Stockdale, discussed the focus on securing remote access as a key step in the zero-trust journey.

Members – a FINAL reminder that all nominated Primary and Organisation contact person(s) would have received details regarding your organisation’s member token(s), part of your AusCERT membership perks which allows you to attend our annual conference for free or as a partially subsidised delegate. Please make sure you utilise the token(s) by midnight on Sunday 18 April, this is your last chance to claim the token(s). Conference registrations can be completed via our website here.

Ramadan Kareem to folks of the Muslim faith; until next week, have a good weekend everyone!

GitLab Critical Security Release: 13.10.3, 13.9.6, and 13.8.8
Date: 2021-04-14
Author: GitLab

Today we are releasing versions 13.10.3, 13.9.6, and 13.8.8 for GitLab Community Edition and Enterprise Edition. These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.
We have requested a CVE ID and will update this blog post when it is assigned.

Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild
Date: 2021-04-13
Author: Securelist

While analyzing the CVE-2021-1732 exploit originally discovered by the DBAPPSecurity Threat Intelligence Center and used by the BITTER APT group, we discovered another zero-day exploit we believe is linked to the same actor. We reported this new exploit to Microsoft in February and after confirmation that it is indeed a zero-day, it received the designation CVE-2021-28310. Microsoft released a patch to this vulnerability as a part of its April security updates.
We believe this exploit is used in the wild, potentially by several threat actors. It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access. Unfortunately, we weren’t able to capture a full chain, so we don’t know if the exploit is used with another browser zero-day, or coupled with known, patched vulnerabilities.

CISA gives federal agencies until Friday to patch Exchange servers
Date: 2021-04-13
Author: Bleeping Computer

The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to install newly released Microsoft Exchange security updates by Friday.
Today, Microsoft released security updates for four Microsoft Exchange vulnerabilities discovered by the NSA.
These Exchange vulnerabilities are capable of remote code execution, with two vulnerabilities not requiring attackers to authenticate first.
While none of the vulnerabilities are known to be used in attacks, CISA believes that threat actors will reverse-engineer the patches to create working exploits due to their severity and public disclosure.

LinkedIn denies 500 million user data breach
Date: 2021-04-11
Author: The Record

LinkedIn has formally denied a rumor that it suffered a devastating security breach that exposed the account details of more than 500 million of its registered users.
Rumors of a breach appeared last week after a threat actor claimed to have been in possession of a large trove of LinkedIn user data and proceeded to leak a sample of two million user records as proof.
But in a message published last week, LinkedIn said it investigated the breach and concluded that the hacker’s data only included public information that was scraped off LinkedIn’s website and which users consciously made public on their profiles.

100,000 Google Sites Used to Install SolarMarket RAT
Date: 2021-04-14
Author: Threatpost

Hackers are using search-engine optimization tactics to lure business users to more than 100,000 malicious Google Sites that seem legitimate, but instead install a remote access trojan (RAT), used to gain a foothold on a network and later infect systems with ransomware, credential-stealers, banking trojans and other malware.
eSentire’s Threat Response Unit discovered legions of unique, malicious web pages that contain popular business terms/particular keywords, including business-form related keywords like template, invoice, receipt, questionnaire and resume, researchers observed, in a report published Wednesday.

ESB-2021.1219 – Adobe Bridge: Multiple vulnerabilities

Adobe has released a security update for Adobe Bridge addressing critical and important vulnerabilities that could lead to arbitrary code execution.

ASB-2021.0062 – ALERT Microsoft Exchange Server Products: Execute arbitrary code/commands – Remote/unauthenticated

Microsoft has released patches to fix four more security vulnerabilities for MS Exchange Server.

ASB-2021.0063 – Microsoft Office Products & Services and Web App Products:

Microsoft released updates to plug various security holes in its Windows Operating Systems and other products.

ESB-2021.1285 – ALERT GitLab Products: Multiple vulnerabilities

Gitlab released newer versions to address critical remote code execution vulnerability.

ESB-2021.1287 – Google Chrome: Multiple vulnerabilities

Google released Chrome 90.0.4430.72 which contains a number of security fixes and improvements.

Stay safe, stay patched and have a good weekend!

The AusCERT team