//Week in review - 20 Aug 2021

AusCERT Week in Review for 20th August 2021


Yesterday the ACSC issued an alert about cybercriminals targeting the Microsoft Exchange ProxyShell exploit chain. Patches were issued for these vulnerabilities in April and May 2021 so a timely reminder to stay on top of patch updates.

Our Operations Team conducted a Shodan search of the involved CVEs which produced 136 records affecting 42 of our member organisations who had servers exposed to the internet reporting software versions that were potentially vulnerable. These members have all been contacted today to ensure they are protected.

Our latest blog post on Using threat intelligence to produce a cyber defence strategy was published today by our Senior Manager, Mike Holm.

Have a great weekend everyone.

One big ransomware threat just disappeared. Now another one has jumped up to fill the gap
Date: 2021-08-13
Author: ZDNet

The sudden disappearance of one of the most prolific ransomware services has forced crooks to switch to other forms of ransomware, and one in particular has seen a big growth in popularity.
The REvil – also known as Sodinokibi – ransomware gang went dark in July, shortly after finding themselves drawing the attention of the White House following the massive ransomware attack, which affected 1,500 organisations around the world.
It’s still uncertain if REvil has quit for good or if they will return under different branding – but affiliates of the ransomware scheme aren’t waiting to find out; they’re switching to using other brands of ransomware and, according to analysis by cybersecurity researchers at Symantec, LockBit ransomware has become the weapon of choice.

Secret terrorist watchlist with 2 million records exposed online
Date: 2021-08-16
Author: Bleeping Computer

A secret terrorist watchlist with 1.9 million records, including classified “no-fly” records was exposed on the internet.
The list was left accessible on an Elasticsearch cluster that had no password on it.
The 1.9 million-strong recordset contained sensitive information on people, including their names, country citizenship, gender, date of birth, passport details, and no-fly status.

Linux glibc security fix created a nastier Linux bug
Date: 2021-08-16
Author: ZDNet

The GNU C Library (glibc) is essential to Linux. So, when something goes wrong with it, it’s a big deal. When a fix was made in early June for a relatively minor problem, CVE-2021-33574, which could result in application crashes, this was a good thing. Unfortunately, it turned out the fix introduced a new and nastier problem, CVE-2021-38604. It’s always something!
The first problem wasn’t that bad. As Siddhesh Poyarekar, a Red Hat principal software engineer wrote, “In order to mount a minimal attack using this flaw, an attacker needs many pre-requisites to be able to even crash a program using this mq_notify bug.” Still, it needed patching and so it was fixed. Alas, the fix contained an even nastier bug.

Fortinet slams Rapid7 for disclosing vulnerability before end of 90-day window
Date: 2021-08-17
Author: ZDNet

A dispute broke out on Tuesday after cybersecurity company Rapid7 released a report about a vulnerability in a Fortinet product before the company had time to release a patch addressing the issue.
Rapid7 said one of its researchers, William Vu, discovered an OS command injection vulnerability in version 6.3.11 and prior of FortiWeb’s management interface. The vulnerability allows remote, authenticated attackers to execute arbitrary commands on the system through the SAML server configuration page.
Rapid7 said the vulnerability was related to CVE-2021-22123, which was addressed in FG-IR-20-120. The company added that in the absence of a patch, users should “disable the FortiWeb device’s management interface from untrusted networks, which would include the internet.”

Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices
Date: 2021-08-17
Author: Mandiant

Today, Mandiant disclosed a critical risk vulnerability in coordination with the Cybersecurity and Infrastructure Security Agency that affects millions of IoT devices that use the ThroughTek “Kalay” network. This vulnerability, discovered by researchers on Mandiant’s Red Team in late 2020, would enable adversaries to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality. These further attacks could include actions that would allow an adversary to remotely control affected devices.

Reducing the threat of day one exploits
Date: 2021-08-10
Author: APNIC Blog

Cyber hygiene and patching are key measures towards protecting data and systems. However, it’s not always possible or practical to patch when vulnerabilities and associated patches are announced. This problem gives rise to day one exploits.
Day one exploits are responsible for attacks such as the recent Microsoft Exchange attack that compromised hundreds of thousands of organizations. That attack began as a zero-day exploit and was followed by numerous day one exploits once the vulnerabilities were announced. Day one exploits were also used by Iranian threat actors about a year ago to gain access to financial sector networks via published VPN vulnerabilities.

Malicious Ads Target Cryptocurrency Users With Cinobi Banking Trojan
Date: 2021-08-17
Author: The Hacker News

A new social engineering-based malvertising campaign targeting Japan has been found to deliver a malicious application that deploys a banking trojan on compromised Windows machines to steal credentials associated with cryptocurrency accounts.
The application masquerades as an animated porn game, a reward points application, or a video streaming application, Trend Micro researchers Jaromir Horejsi and Joseph C Chen said in an analysis published last week, attributing the operation to a threat actor it tracks as Water Kappa, which was previously found targeting Japanese online banking users with the Cinobi trojan by leveraging exploits in Internet Explorer browser.

ASB-2021.0136.2 – UPDATE ALERT Microsoft Print Spooler: Increased privileges – Existing account

Microsoft’s out-of-band critical update addresses a Windows Print Spooler Elevation of Privilege Vulnerability

ESB-2021.2739 – MozillaFirefox: Multiple vulnerabilities

Mozilla releases an update that fixes 6 vulnerabilities in Firefox

ESB-2021.1489.2 – UPDATED ALERT Real-time Operating Systems (RTOS) products: Multiple vulnerabilities

Initial advisory released on 30 April 2021 updated to include newly disclosed details about vulnerable Blackberry QNX-based products

ESB-2021.2808 – ALERT Small Business RV series routers: Multiple vulnerabilities

A vulnerability in Cisco’s Small Business RV series routers allows Remote Command Execution and Denial of Service

ESB-2021.2777 – Adobe Photoshop: Execute arbitrary code/commands – Existing account

Adobe’s updates for Photoshop for Windows and macOS resolve multiple critical vulnerabilities

ASB-2021.0174 – Microsoft Print Spooler: Execute arbitrary code/commands – Existing account

Microsoft has released an out-of-band update to address a Windows Print Spooler Remote Code Execution Vulnerability

Stay safe, stay patched and have a good weekend!

The AusCERT team