Cybersecurity Week in Review: 04/12/21
Posted by: GuidePoint Security
This week, we highlight recent Microsoft updates, including a significant patch rollout. We also cover newly announced DNS vulnerabilities, along with the patches and recommendations that have been issued for Chrome, Adobe and Zoom. And finally, we take a look at a busy week in malware, including recently discovered threats on web pages, on Google Play and on Linux and Mac operating systems.
Microsoft Update
April update fixes 114 bugs; FBI removed compromised webshells at businesses in at least 8 states; cryptojackers found on Exchange servers, and more.
What You Need to Know
News about Microsoft security surged last week with a large patch roll-out on Patch Tuesday and an announcement that a federal court in Texas gave the FBI permission to copy and remove web shells found on on-premise Exchange servers in organizations in at least eight states. We also learned that in addition to ransomware, cryptojackers are also being hosted on infected Exchange servers. And at least 120 Microsoft Exchange-related exposures have been found among Fortune 500 companies.
Summary
The April 2021 Microsoft “Patch Tuesday” release addressed a total of 114 vulnerabilities, one of the larger Microsoft patch announcements. Nineteen of these bugs are classified as ‘critical’ and another 88 are ranked as ‘important.’ One of the vulnerabilities (CVE-2021-28310) is already being actively exploited by a criminal gang dubbed “BITTER APT.” It is an escalation of privilege (EoP) bug that, when combined with other browser exploits, lets an attacker raise system privileges or escape a sandbox.
In the announcement, Microsoft indicated that over half of these bugs had the potential for exploitation through remote code execution by threat actors. Four of the urgent fixes were reported to Microsoft via the National Security Agency (NSA). In addition to the patches being tied to Exchange vulnerabilities, Microsoft also released patches for its web browser, Microsoft Office, SharePoint Server, Hyper-V, Team Foundation Server and Visual Studio. Additional details on the April patches can be found in the Microsoft Security Update Guide.
The Cybersecurity & Infrastructure Security Agency (CISA) also released two Exchange-related Malware Analysis Reports (MARs) last week. The first, MAR-1033146601.v1, dubbed “China Chopper Webshell,” shows “malicious modifications for the ExternalURL parameter.” The second, MAR-10330097-1.v1, covers the DearCry ransomware, a variant attacking unpatched Exchange servers around the globe. In addition to China Chopper and DearCry, security researchers also announced that threat actors are installing cryptojacking malware on vulnerable Exchange servers.
In related Microsoft Exchange news, a federal court in Texas approved an FBI operation to remove web shells from infected US-based Exchange servers without first notifying the servers’ owners. According to a press release issued by the Department of Justice (DOJ), the FBI carried out the operation by “issuing a command through the web shells to the server, which was designed to cause the server to delete only the web shell.” The press release notes that while the web shells were removed, the FBI did not patch any Microsoft Exchange zero-day vulnerabilities or remove any other malware or threats on the victims’ networks.
And finally, cybersecurity researchers announced last week that as many as 62 Fortune 500 organizations had unpatched Exchange vulnerabilities, with 23 of the organizations having multiple independent systems affected. The industry verticals for the companies were extremely varied, ranging from commercial banks and apparel companies to medical products and utilities.
Next Steps
Security researchers are advising that businesses can locate and download the Microsoft cumulative patch update by searching for the term “2021-04” on the Microsoft Update Catalog site. In addition, the DOJ has told organizations that believe they may have a compromised Microsoft Exchange server to contact their local FBI field office for assistance. Information, tools, patches, and updates on the comprehensive “Hafnium” Exchange attack can be found in the Microsoft announcement.
Additional information on security in the cloud can be found in this related post on Evolution of Security in the Public Cloud. It’s also important to understand how privileged access management (PAM) can help prevent future threats and breaches.
Patch Management
Researchers announce Chrome exploits via Twitter; Critical bugs found in Adobe & Zoom software; DNS vulnerabilities discovered affecting 100 MILLION devices, and more.
What You Need to Know
Microsoft wasn’t the only organization dealing with fixes last week. Security researchers announced via Twitter two vulnerabilities affecting Google Chrome and other browsers. Adobe released patches for its Photoshop and Digital Editions software. Another security team announced a critical zero-day vulnerability in Zoom’s messenger. And researchers disclosed nine vulnerabilities affecting implementations of the Domain Name System (DNS) protocol, which have the potential to affect 100 million devices.
Summary
Critical zero-day vulnerabilities affecting Google Chrome and other Chromium-based browsers, such as Microsoft Edge, Opera, and Brave, were announced by researchers last week. The exploits enable remote code execution in the V8 JavaScript engine that powers these browsers. Researchers believe it is the same flaw demonstrated during the 2021 Pwn2Own hacking contest. Google released patches for these bugs on Tuesday, April 13th.
Researchers also announced newly discovered vulnerabilities in Adobe and Zoom products last week. The critical Zoom zero-day, which chains three vulnerabilities together, specifically affects Zoom Chat and enables threat actors to gain control of remote devices without user interaction: users did not need to click anything for the attack to succeed. Notably, both PCs and Macs are affected by this Zoom bug. Adobe also released security patches to address vulnerabilities in Photoshop, Digital Editions, Bridge, and RoboHelp. Seven of the Adobe bugs were rated as critical, allowing arbitrary code execution or arbitrary file writes.
Significant DNS vulnerabilities affecting at least 100 million devices were disclosed last week by researchers. This group of bugs (referred to collectively as “NAME:WRECK”) could result in denial-of-service (DoS) or remote code execution (RCE) attacks. The types of affected devices include smartphones, aircraft navigation systems, and industrial IoT devices. The vulnerabilities affect the TCP/IP stacks of FreeBSD (version 12.1), IPnet (VxWorks version 6.6), NetX (version 6.0.1) and Nucleus Net (version 4.3). Security researchers highlight government, healthcare, retail, and manufacturing as the sectors most exposed to NAME:WRECK.
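The post does not go into the mechanics of the NAME:WRECK bugs; the research behind that name concerned how the affected stacks parse domain names in DNS messages, where names are made of length-prefixed labels and compression pointers back into the same message. As an added example (not code from the post, the researchers, or any of the named stacks), here is a bounds-checked decoder for that structure in Python, together with constructed messages showing the two classic failure modes a careless decoder falls into: a pointer that loops and a label that runs past the end of the buffer.

```python
# Added example (not from the post or the NAME:WRECK researchers): a bounds-checked
# decoder for domain names in DNS messages, the data structure those stacks parse.
from typing import List, Tuple

MAX_NAME_LEN = 255      # RFC 1035: a full encoded name is at most 255 octets
MAX_POINTER_HOPS = 16   # defensive cap; a legitimate name needs far fewer


class MalformedName(ValueError):
    """Raised when a name cannot be decoded without reading outside the message."""


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode the (possibly compressed) name starting at `offset`.

    Returns (dotted name, offset just after the name in the message).
    Every read is checked against len(msg), compression pointers must point
    strictly backwards, and pointer hops are capped, so a crafted message
    cannot push the decoder out of bounds or into an endless loop.
    """
    labels: List[str] = []
    encoded_len = 0            # octets of the fully expanded name (for the 255 limit)
    pos = offset
    resume_at = None           # where the caller continues after the first pointer
    hops = 0
    while True:
        if pos >= len(msg):
            raise MalformedName("name runs past the end of the message")
        length = msg[pos]
        if length == 0:                       # root label terminates the name
            pos += 1
            encoded_len += 1
            break
        if length & 0xC0 == 0xC0:             # 11xxxxxx: compression pointer
            if pos + 1 >= len(msg):
                raise MalformedName("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= pos:
                raise MalformedName("compression pointer does not point backwards")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise MalformedName("too many compression pointer hops")
            if resume_at is None:
                resume_at = pos + 2
            pos = target
            continue
        if length & 0xC0:                     # 01xxxxxx / 10xxxxxx are reserved
            raise MalformedName("reserved label type")
        # Plain label: length is at most 63 here, so only the buffer bound matters.
        if pos + 1 + length > len(msg):
            raise MalformedName("label runs past the end of the message")
        encoded_len += 1 + length
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if encoded_len > MAX_NAME_LEN:
        raise MalformedName("name longer than 255 octets")
    name = ".".join(labels) + "." if labels else "."
    return name, (resume_at if resume_at is not None else pos)


def is_well_formed(msg: bytes, offset: int) -> bool:
    """True if the name at `offset` decodes cleanly, False if it is malformed."""
    try:
        read_name(msg, offset)
        return True
    except MalformedName:
        return False


# Constructed sample messages (not captured traffic). A zeroed 12-byte header
# stands in for the real one; only the offsets matter for name decoding.
HEADER = bytes(12)
# Well-formed: "example.com" at offset 12, then "www" plus a pointer back to 12.
GOOD_MSG = HEADER + b"\x07example\x03com\x00" + b"\x03www\xc0\x0c"
# A pointer at offset 12 that points to offset 12: loops forever in a naive decoder.
LOOP_MSG = HEADER + b"\xc0\x0c"
# Label claims 5 octets but only 3 follow: a naive decoder reads past the buffer.
TRUNCATED_MSG = HEADER + b"\x05abc"

if __name__ == "__main__":
    print(read_name(GOOD_MSG, 12))          # ('example.com.', 25)
    print(read_name(GOOD_MSG, 25))          # ('www.example.com.', 31)
    print(is_well_formed(LOOP_MSG, 12))     # False
    print(is_well_formed(TRUNCATED_MSG, 12))  # False
```

The backwards-only rule on pointers is what guarantees termination: each hop strictly decreases the position, so no cycle is possible even without the hop cap, which is kept as a belt-and-braces limit. A decoder that follows pointers in any direction, or trusts a label length without comparing it to the remaining buffer, is the kind of code these advisories are about.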
Last, but not least, researchers also announced last week the discovery of multiple “one-click” vulnerabilities across several popular software applications, including Telegram, Nextcloud, VLC, LibreOffice, OpenOffice, Wireshark, Mumble, and Bitcoin/Dogecoin wallets. The one-click bugs stem from insufficient validation of URL input, which can lead to a malicious file being executed when a user clicks a crafted link.
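The one-click bugs above all come down to an application accepting a link from an untrusted party and handing it on with too little checking. As an added example (not code from the post or from any of the affected projects), here is the allow-list check a link handler should apply before a URL reaches the system opener; the sample links, `ALLOWED_SCHEMES` and the `opener` stand-in are constructed for the example.

```python
# Added example (not from the post or any affected project): allow-list validation
# of links received from an untrusted source before they are handed to the OS.
from urllib.parse import urlparse

# Schemes the application is willing to pass to the system URL opener.
# Everything else (file:, smb:, javascript:, custom app handlers) is refused.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample inputs (not taken from the page): links as they might arrive
# in a chat message, a document hyperlink or a project file.
SAMPLE_LINKS = [
    "https://example.org/report.pdf",
    "HTTP://example.org/",
    "file:///tmp/update.exe",
    "  FILE:///C:/Users/Public/note.cmd",
    "smb://untrusted.invalid/share/run.sh",
    "javascript:alert(1)",
    "\\\\untrusted.invalid\\share\\run.exe",
    "http:///no-host",
    "mailto:someone@example.org",
]


def classify_link(url: str) -> str:
    """Return 'allow' or 'reject' for a link supplied by an untrusted party.

    Whitespace is stripped and the scheme compared case-insensitively, so
    "  FILE:" cannot slip past a check that only looks for "file:". A link is
    allowed only if its scheme is on the allow-list and it names a host.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return "reject"
    if not parsed.hostname:
        return "reject"
    return "allow"


def open_link(url: str, opener) -> bool:
    """Hand the link to `opener` only if classify_link allows it.

    `opener` stands in for the platform call (xdg-open, ShellExecute,
    webbrowser.open, ...) so the example runs offline. Returns True if the
    link was passed on, False if it was refused.
    """
    if classify_link(url) != "allow":
        return False
    opener(url.strip())
    return True


def triage(links):
    """Map each link to its verdict; handy for reviewing a batch of inputs."""
    return {link: classify_link(link) for link in links}


if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:6s} {link!r}")
```

The important design choice is that the check is an allow-list on the parsed scheme, not a deny-list of known-bad prefixes: the UNC path, the `javascript:` link and the upper-cased `FILE:` all fail for the same reason, which is that none of them is an `http` or `https` URL with a host.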
Next Steps
GuidePoint Security advises businesses to consider vulnerability management as a service (VMaaS) to help manage the constant onslaught of vulnerabilities and zero-days. Another way to understand and identify vulnerabilities in an enterprise system is through penetration testing. In addition, the following mitigations are recommended for the various vulnerabilities discussed above:
- Because the Zoom zero-day needs to originate from an accepted external contact or be part of the target’s organizational account, Zoom advises to only accept contact requests from known and trusted individuals. Zoom has also released a server-side update to defend against this attack.
- To address the Adobe vulnerabilities, users are advised to check for updates to their Adobe software applications and to enable automatic updates to Adobe products.
- Patches for the DNS bugs are currently available for FreeBSD, Nucleus Net, and NetX.
This Week in Malware
100K web pages flooded with malicious PDFs; Website “Contact Us” forms deliver malware; Android malware in Google Play; and Linux/Mac malware discovered.
What You Need to Know
Threat actors were busy last week on the malware front. Cybercriminals are installing remote access trojans (RATs) via user searches for specific types of PDF business templates, targeting everyday business users. Criminals are also getting creative with the “Contact Us” forms that virtually every business maintains on its website. Two banking trojans, IcedID and QBot, are ramping up activity. A type of malware called BRATA is posing as an Android security scanner tool on the Google Play store. In addition, a new malicious npm package dubbed “web-browserify” is targeting developers on Linux and Mac operating systems.
Summary
There are few business professionals who, at some point, haven’t searched for an invoice, resume, or questionnaire template. Last week security researchers announced that threat actors embedded malicious business templates on at least 100,000 unique web pages that contain popular search terms on such things as template, invoice, receipt, resume, etc. Because the pages contain common search terms, they tend to rank higher on search engines. Once a file is downloaded, a .NET-based RAT is installed. The RAT results in a multistage, obfuscated backdoor capable of stealing passwords, cookies, and form auto-completion data, as well as decrypting the user’s data.
In another malicious web page campaign, cybercriminals are using legitimate website contact forms to deliver the IcedID banking trojan. Microsoft researchers discovered the threat and warned organizations that threat actors are infiltrating websites to gain access to and manipulate the corporate contact form. When an interested party submits the contact form, they receive a malicious email that urges them to download an attachment immediately. In addition, a legitimate Google URL is included which requires the user to enter their Google credentials. Once signed in, a ZIP file containing the IcedID payload is automatically downloaded.
And, on the topic of IcedID, this banking trojan continues to plague businesses, now distributed via Microsoft Excel attachments whose macros deliver its malicious payloads. Researchers believe the increasing circulation of IcedID is an attempt to fill the void left by Emotet. Not to be outdone by IcedID, the QBot banking trojan was also discovered last week to be part of an effort to rotate malicious payloads by switching between different trojans, in this case QBot and IcedID.
Another fake app carrying the BRATA malware posing as an Android Security Scanner has been discovered in the Google Play store. The malware distributes a backdoor capable of gathering sensitive user information.
Researchers also discovered a new malicious package last week that targets Node.js developers using the Linux and Mac operating systems. The malicious component, dubbed web-browserify, was found on the npm registry and tried to pass as legitimate by borrowing the name of ‘browserify’. The real Browserify component is legitimate and used by over 300,000 GitHub repositories. The malicious web-browserify component was discovered only two days after publication and pulled from npm.
Next Steps
Malware can be addressed through a variety of tools and services including cloud security, endpoint security and email security. As workloads increase among already stretched security staff, organizations can also improve cybersecurity and malware protection by using managed security services.
Final Words
Each year, thousands of new vulnerabilities are discovered, and they pose a significant danger to organizations. A 2020 study from Forrester Research suggests that software vulnerabilities and web applications are the most common attack vectors, at 42% and 35% respectively. Other recent studies have found that almost half of all breaches result from a software vulnerability and that at least three-quarters of all applications tested have at least one security flaw, with many applications having multiple flaws.
To add to the dangers, nation-states are increasingly leveraging cyber vulnerabilities to breach and infiltrate government, political, and corporate systems, as we’ve seen in the recent SolarWinds and Microsoft Exchange/Hafnium attacks. A recent study from the University of Surrey found that nation-state cyberattacks are becoming more widespread, with a 100% increase in “significant” nation-state incidents between 2017 and 2020. The report also found evidence that nation-states are ‘stockpiling’ zero-day vulnerabilities for future use. In addition, nation-states are leveraging vulnerabilities found in the supply chain in order to further infiltrate and expand the attack surface.
Staying on top of the patches and protecting an organization from attack can be a challenge for any organization, which is why vulnerability management can significantly benefit an organization’s overall security posture.
By identifying, prioritizing, and remediating vulnerabilities in enterprise assets (including applications, operating systems, devices, and browsers), organizations can protect themselves from threats like ransomware attacks generated by criminal gangs, as well as defend themselves from nation-state attacks designed to harm both the organization and any business connected to it.