Cyber Security Weekly Briefing 1–7 January

Telefónica Tech    7 January, 2022
Cyber Security Weekly Briefing 4 – 7 January

Mail delivery failure on Microsoft Exchange on-premises servers

On 2 January, Microsoft released a workaround for a bug that interrupted email delivery on Microsoft Exchange on-premises servers. The bug is a “year 2022” flaw in the FIP-FS anti-malware scanning engine, a tool that was enabled in 2013 on Exchange servers to protect users from malicious mail. Security researcher Joseph Roosen said the cause was that Microsoft used a signed int32 variable to store the value of the date, a variable with a maximum of 2,147,483,647. The 2022 dates have a minimum value of 2,201,010,001, so they exceed the maximum number that can be stored, causing the scanning engine to fail and preventing mail from being sent. The emergency patch requires user intervention (it is a script that must be executed following certain instructions) and Microsoft warns that the process may take some time. The firm is also working on an update that will automatically solve the problem.

More info: https://techcommunity.microsoft.com/t5/exchange-team-blog/email-stuck-in-exchange-on-premises-transport-queues/ba-p/3049447
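
The overflow described above, as an added example (not Microsoft's code and not part of the original briefing): a checked parse into a signed 32-bit integer rejects the first 2022 value, while a 64-bit parse accepts it. The function names, the late-2021 sample stamp and the wrap helper are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: parse a decimal date stamp as a 64-bit integer.
   Returns 0 on success, -1 if the text is not a complete number. */
int parse_stamp_i64(const char *s, int64_t *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return -1;
    *out = (int64_t)v;
    return 0;
}

/* Same parse, but refuses values a signed int32 cannot hold
   (maximum 2,147,483,647, the limit quoted in the briefing). */
int parse_stamp_i32(const char *s, int32_t *out)
{
    int64_t v;
    if (parse_stamp_i64(s, &v) != 0 || v < INT32_MIN || v > INT32_MAX)
        return -1;
    *out = (int32_t)v;
    return 0;
}

/* What an unchecked narrowing to 32 bits yields on a two's-complement
   platform: the value wraps and becomes negative. */
int64_t wrap_to_i32(int64_t v)
{
    uint32_t low = (uint32_t)v;            /* keep the low 32 bits */
    return low >= 0x80000000u ? (int64_t)low - 4294967296LL : (int64_t)low;
}

int main(void)
{
    /* Constructed samples: a late-2021 stamp and the 2022 minimum from the text. */
    const char *samples[] = { "2112312359", "2201010001" };
    for (int i = 0; i < 2; i++) {
        int32_t v32 = 0;
        int64_t v64 = 0;
        int ok32 = parse_stamp_i32(samples[i], &v32) == 0;
        parse_stamp_i64(samples[i], &v64);
        printf("%s fits int32: %s, unchecked narrowing gives %lld\n",
               samples[i], ok32 ? "yes" : "no", (long long)wrap_to_i32(v64));
    }
    return 0;
}
```

A wrapped value is negative, so any ordering check that compares it with an earlier stamp gives the wrong answer; storing the stamp in 64 bits or rejecting out-of-range input avoids both outcomes.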

Uber security flaw allows emails to be sent from its servers

Security researcher Seif Elsallamy has discovered a vulnerability in Uber’s email system that could allow a threat actor to send emails impersonating the company. The vulnerability is in one of Uber’s email endpoints, which has been publicly exposed and would allow a third party to inject HTML code and send emails pretending to be Uber. The researcher sent the news outlet Bleeping Computer an email from the address noreply@uber.com, which contained a form asking the user to confirm their credit card details, information that would later be sent to a server controlled by Seif Elsallamy. This email did not end up in the spam folder because it came from Uber’s servers. The researcher reported the vulnerability to Uber through HackerOne’s bounty programme, but the report was rejected because exploitation required social engineering. It is not the first time this problem has been detected, as researchers Soufiane el Habti and Shiva Maharaj reported it some time ago. Likewise, the researcher states that, due to the information leak that Uber had in 2016, there are 57 million users at risk who could receive emails pretending to come from Uber. Bleeping Computer has also contacted Uber but has not received a response yet.

Full details: https://www.bleepingcomputer.com/news/security/uber-ignores-vulnerability-that-lets-you-send-any-email-from-ubercom/

Out-of-band update for Windows Server bugs

Microsoft released an out-of-band update yesterday that sought to resolve some bugs reported by Windows Server users. Some users of Windows Server 2019 and 2012 R2 were reportedly encountering problems of excessive slowness or terminals going black. In some cases, there could also be failures when accessing servers via remote desktop. The patch for these versions is not available in Windows Update and will not be installed automatically. Instead, affected users should follow the instructions provided by Microsoft in its release. All other versions of Windows Server are expected to receive similar patches in the coming days.

Learn more: https://docs.microsoft.com/en-us/windows/release-health/windows-message-center#2772

Evasive techniques of Zloader malware

Researchers at Check Point Research have analysed the new evasive techniques of the Zloader banking malware. They attribute the new campaign to the MalSmoke group and indicate that it has been running since November 2021. The infection begins with the installation of Atera software, a legitimate IT remote monitoring and management tool, which is used to gain initial access in a stealthy manner. Besides using a legitimate tool, the actors use malicious DLLs with a valid Microsoft signature to evade detection. To do so, they exploit CVE-2013-3900, a vulnerability known to Microsoft since 2013, whose patch is disabled by default and which allows an attacker to modify signed executables by adding malicious code without invalidating the digital signature.

Full information: https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/

Elephant Beetle: a group with financial motivations

Sygnia’s incident response team has published an article presenting its analysis of Elephant Beetle, a financially motivated group that is attacking multiple companies in the Latin American sector and that Sygnia has been tracking for two years. Also classified as TG2003, this group spends long periods of time analysing its victim, as well as its transfer system, going unnoticed by security systems by imitating legitimate packages and using an arsenal of more than 80 tools of its own. Elephant Beetle’s preferred entry vector is leveraging legitimate Java applications deployed on Linux systems. Sygnia highlights the exploitation of old, unpatched vulnerabilities such as: CVE-2017-1000486 (Primetek PrimeFaces), CVE-2015-7450 (WebSphere), CVE-2010-5326 or EDB-ID-24963 (SAP NetWeaver). Once the victim has been studied, the group creates fraudulent transactions of small amounts that mimic the company’s legitimate movements. Although the attribution is not yet clear, Sygnia explains that its analyses of incidents involving Elephant Beetle found patterns such as the word “ELEPHANTE” and multiple C2s located in Mexico, so the group could have a connection with Spanish-speaking countries, more specifically with Latin America, and Mexico could be the area of origin.

More: https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia- Elephant Beetle_Jan2022.pdf
