//Week in review - 17 Sep 2021

AusCERT Week in Review for 17th September 2021


Apple issued a series of security updates earlier in the week to patch two critical vulnerabilities that the company says were “actively exploited” in the wild.

Further information is available in this CISA article.

ZDNet reported that Microsoft issued over 60 security fixes of their own with the latest round of patches to resolve issues that impacted a range of products including Azure Sphere, Microsoft Windows DNS, among other software.

Following on from the release of AusCERT’s most recent podcast last week, it has been highlighted in VMware’s latest Global incident Response Threat Report that an increasing number of cyber security professionals experienced “extreme stress or burnout” due to the surging attacks of cyber criminals during the COVID19 pandemic.

Links to the report, along with tools to help identify and assist with such occurrences can be found in the report from ACS Information Age.

Lastly, ARS Technica reported on what has been dubbed an “embarrassing ‘security bulletin’” from Travis CI along with the handling of the vulnerability disclosure process following the potential exposure of the information of over 600,000 users.

Windows MSHTML exploits shared on hacking forums
Date: 2021-09-12
Author: Bleeping Computer

Even though there are no security updates available for the CVE-2021-40444 vulnerability, as it was discovered used in active attacks by EXPMON and Mandiant, Microsoft decided to disclose the vulnerability and provide mitigations to help prevent its exploitation.
These mitigations work by blocking ActiveX controls and Word/RTF document previews in Windows Explorer.
However, researchers have been able to modify the exploit not to use ActiveX, effectively bypassing Microsoft’s mitigations.

Google patches 10th Chrome zero-day exploited in the wild this year
Date: 2021-09-13
Author: Bleeping Computer

Google has released Chrome 93.0.4577.82 for Windows, Mac, and Linux to fix eleven security vulnerabilities, two of them being zero-days exploited in the wild.
“Google is aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild,” the company revealed in the release notes for the new Chrome version.
The update is currently rolling out worldwide in the Stable desktop channel, and Google states it will become available to everyone over the next few days.

Linux Implementation of Cobalt Strike Beacon Targeting Organizations Worldwide
Date: 2021-09-13
Author: The Hacker News

Researchers on Monday took the wraps off a newly discovered Linux and Windows re-implementation of Cobalt Strike Beacon that’s actively set its sights on government, telecommunications, information technology, and financial institutions in the wild.
The as-yet undetected version of the penetration testing tool — codenamed “Vermilion Strike” — marks one of the rare Linux ports, which has been traditionally a Windows-based red team tool heavily repurposed by adversaries to mount an array of targeted attacks. Cobalt Strike bills itself as a “threat emulation software,” with Beacon being the payload engineered to model an advanced actor and duplicate their post-exploitation actions.

Microsoft September 2021 Patch Tuesday: Remote code execution flaws in MSHTML, OMI fixed
Date: 2021-09-14
Author: ZDNet

Microsoft has released over 60 security fixes and updates resolving issues including a remote code execution flaw in MSHTML and other critical bugs.
The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, landed on September 14.
Products impacted by September’s security update include Azure Open Management Infrastructure, Azure Sphere, Office Excel, PowerPoint, Word, and Access; the kernel, Visual Studio, Microsoft Windows DNS, and BitLocker, among other software.

Ransomware crims saying ‘We’ll burn your data if you get a negotiator’ can’t be legally paid off anyway
Date: 2021-09-15
Author: The Register

A couple of ransomware gangs have threatened to start deleting files if targeted companies call in professional negotiators to help lower prices for decryption tools.
Grief Corp is the latest criminal crew to warn its victims with instant data destruction if it suspects a mark has engaged a mediator.

You Can Now Ditch the Password on Your Microsoft Account
Date: 2021-09-15
Author: WIRED

Though a completely passwordless future is still a ways off, you’ll soon be able to take a big step in that direction by nuking the password on your Microsoft account. The company announced today that the password-free features it already offers to corporate customers will now be available to everyone.

Securing Netflix Studios At Scale
Date: 2021-09-14
Author: Netflix TechBlog

In 2017, Netflix Studios was hitting an inflection point from a period of merely rapid growth to the sort of explosive growth that throws “how do we scale?” into every conversation. The vision was to create a “Studio in the Cloud”, with applications supporting every part of the business from pitch to play. The security team was working diligently to support this effort, faced with two apparently contradictory priorities:
1) streamline any security processes so that we could get applications built and deployed to the public internet faster
2) raise the overall security bar so that the accumulated risk of this giant and growing portfolio of newly internet-facing, high-sensitivity assets didn’t exceed its value

ASB-2021.0177.2 – UPDATE ALERT MSHTML: Execute arbitrary code/commands – Remote with user interaction

Microsoft’s Patch Tuesday includes fixes for a remote code execution vulnerability in Windows that is being exploited in the wild

ESB-2021.3099 – ALERT iOS and iPadOS: Execute arbitrary code/commands – Remote with user interaction

Apple releases iOS 14.8 and iPadOS 14.8 to address remote code execution vulnerability in iOS and iPadOS

ESB-2021.3102 – ALERT macOS Catalina: Execute arbitrary code/commands – Remote with user interaction

Apple is aware of a remote code execution vulnerability in macOS Catalina that may have been actively exploited

ESB-2021.3103 – ALERT macOS Catalina and macOS Mojave: Execute arbitrary code/commands – Remote with user interaction

Apple’s most recent security patch for Safari fixes remote code execution vulnerability

ESB-2021.3107 – ALERT Siemens APOGEE and TALON: Multiple vulnerabilities

Unauthenticated root access available thanks to what MITRE calls a ‘classic buffer overflow’. Affects certain building automation systems from Siemens

ASB-2021.0185 – ALERT Microsoft Extended Security Update: Multiple vulnerabilities

Microsoft releases its monthly security patch update to resolve 25 vulnerabilities across Windows and Windows Server

Stay safe, stay patched and have a good weekend!

The AusCERT team