New campaign distributing the Anubis banking trojan
Researchers at Lookout have reported a malicious campaign distributing a new version of the Anubis banking trojan hidden inside an Android app that impersonates the French telecommunications company Orange. The operators reportedly target a total of 394 financial apps, including banks, cryptocurrency wallets and virtual payment platforms, with the aim of stealing credentials for these services. Anubis is a banking trojan known since 2016 whose development has never stopped. Once installed on the victim's device, it displays fraudulent login forms over the applications it targets in order to capture the user's credentials, and it also offers other functions such as screen and audio recording, sending and reading SMS, and scanning the device for files of interest to exfiltrate. According to the investigation, the fraudulent Orange app is distributed via malicious websites, direct messages on social networks, smishing and forum posts.
Last Friday, December 10, a 0-day vulnerability in Apache Log4j, identified as CVE-2021-44228 and dubbed Log4Shell, was reported. The vulnerability affects the Apache Log4j 2 Java logging library, an open source library used by applications of companies around the world. Exploiting the flaw allows the execution of malicious code on servers or application clients. The risk of this vulnerability came from the combination of several factors:
- On December 9, the day before the fixed version was published, an exploit for this vulnerability was already available.
- Exploitation is simple.
- Log4j is used worldwide in a great many web applications.
This vulnerability was initially fixed in Log4j 2.15.0. However, a few days later a second vulnerability, CVE-2021-45046, resulting from the incomplete fix for Log4Shell, became known, and Log4j 2.16.0 was released to correct both issues. This second vulnerability was initially cataloged as a denial of service with a CVSSv3 score of 3.7, although in the last few hours its score has been raised to 9.0 and its category changed to remote code execution.
Since the vulnerability was published, numerous exploitation attempts have been observed, including botnets attempting to install cryptominers, as well as its use to distribute ransomware (Khonsari) and the StealthLoader trojan. It is important to note that there is evidence of exploitation as early as December 9, before the exploit was published, while mass exploitation followed its publication.
As for the affected products, a complete list has not yet been established. Over the week, affected products have gradually become known, with the most complete list published by the Nationaal Cyber Security Centrum (NCSC-NL).
More details: https://logging.apache.org/log4j/2.x/security.html
Emotet returns to using Cobalt Strike
Security researchers warned yesterday that, after a brief pause in Emotet's operations last week, the threat actors have once again begun installing Cobalt Strike beacons on Emotet-infected devices. As reported by security researcher Joseph Roosen of the Cryptolaemus research group, Emotet downloads the Cobalt Strike modules directly from its command and control (C2) server and then executes them on infected devices, giving the attackers immediate access to the compromised networks. To do so, the actors use a malicious jQuery file to communicate with the C2 and receive further instructions; since most of the file's code is legitimate, it more easily evades the victim's security controls. Given the increase in Cobalt Strike beacons delivered to already infected computers, companies can expect an increase in security incidents in the coming months.
New exploits for vulnerabilities already fixed by Microsoft
In the last few hours, new exploits have been detected for two vulnerabilities that Microsoft fixed in its November security bulletin: CVE-2021-42287 and CVE-2021-42278. The first, CVE-2021-42287 (CVSSv3 8.8), is a privilege escalation vulnerability in Active Directory Domain Services. According to Microsoft, it affects the Kerberos Privilege Attribute Certificate (PAC) and allows an attacker to impersonate domain controllers. To exploit it, an attacker holding a compromised domain account could have the Key Distribution Center (KDC) create a service ticket (ST) with a higher privilege level than that account; this is achieved by preventing the KDC from identifying which account the higher-privileged ST belongs to. Chained with the second flaw, CVE-2021-42278 (CVSSv3 8.8), also fixed in the November bulletin, it allows attackers to obtain domain administrator rights in any Active Directory environment. The chain is extremely easy to exploit: once a standard domain user account has been compromised, an adversary can escalate from it to domain administrator. An update is available for all supported operating systems. The mitigation is to patch all domain controllers with Microsoft's 14 November 2021 update (KB5008602), which fixes the PAC confusion issue as well as the S4U2self issue introduced by the previous patch (KB5008380). However, some sources note that KB5008602 only applies to Windows Server 2019, so it is recommended to consult Microsoft's guidance for the corresponding updates for other product versions. There is currently no known active exploitation of these flaws, but a post explaining how the problem can be exploited is public, as is a tool on GitHub that scans for and exploits these vulnerabilities.
In addition, discussion is beginning on social networks about the possible combination of these flaws with the critical Log4j vulnerability.
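The way the KDC is "prevented from identifying" the right account in this chain is the sAMAccountName trick: the attacker renames a machine account they control so that it matches a domain controller's name without the trailing `$`, requests a TGT for it, renames it back, and then asks for an S4U2self ticket; when the KDC cannot find the account named in the TGT, it appends `$` and lands on the real DC account. Each rename is visible in the Windows Security log, so while the patches roll out the chain can be hunted for. The following added example is written for this summary (it is not Microsoft's code or the GitHub tool mentioned above) and runs over constructed event records whose field names follow the 4741 (computer account created) and 4781 (account renamed) schemas; the DC hostnames and user names are assumptions.

```python
# Constructed sample of Windows Security events (not real telemetry). Field
# names follow the 4741 and 4781 event schemas; all values are invented.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}  # assumed DC hostnames, written without '$'

CONSTRUCTED_EVENTS = [
    {"EventID": 4741, "TargetUserName": "WS-0042$", "SubjectUserName": "jdoe"},
    {"EventID": 4781, "OldTargetUserName": "WS-0042$", "NewTargetUserName": "DC01", "SubjectUserName": "jdoe"},
    {"EventID": 4781, "OldTargetUserName": "DC01", "NewTargetUserName": "WS-0042$", "SubjectUserName": "jdoe"},
    {"EventID": 4781, "OldTargetUserName": "asmith", "NewTargetUserName": "a.smith", "SubjectUserName": "helpdesk"},
    {"EventID": 4741, "TargetUserName": "LAPTOP-77", "SubjectUserName": "svc_join"},
]


def is_machine_name(name):
    """Computer accounts normally carry a trailing '$' in sAMAccountName."""
    return name.endswith("$")


def event_findings(event, dcs):
    """Return the list of reasons a single event looks like sAMAccountName spoofing."""
    dcs = {d.upper() for d in dcs}
    findings = []
    if event["EventID"] == 4741 and not is_machine_name(event["TargetUserName"]):
        findings.append("computer account created without trailing '$'")
    elif event["EventID"] == 4781:
        old, new = event["OldTargetUserName"], event["NewTargetUserName"]
        if is_machine_name(old) and not is_machine_name(new):
            findings.append("machine account renamed to drop its trailing '$'")
        if not is_machine_name(new) and new.upper() in dcs:
            # The KDC appends '$' when the TGT name is not found, so this
            # name resolves to the real domain controller account.
            findings.append(f"new name collides with domain controller {new.upper()}$")
    return findings


def scan_events(events, dcs):
    """Return (event, findings) for every event with at least one finding."""
    flagged = []
    for event in events:
        findings = event_findings(event, dcs)
        if findings:
            flagged.append((event, findings))
    return flagged


def find_rename_round_trips(events, dcs):
    """Pair a rename X$ -> <DC name> with the later rename <DC name> -> X$ by the same subject.

    The round trip is the signature of the chain: the attacker needs the DC-like
    name only long enough to obtain a TGT, then restores the original name.
    """
    dcs = {d.upper() for d in dcs}
    pending = {}  # (subject, DC name) -> original machine account name
    trips = []
    for event in events:
        if event["EventID"] != 4781:
            continue
        subj = event["SubjectUserName"]
        old, new = event["OldTargetUserName"], event["NewTargetUserName"]
        if is_machine_name(old) and new.upper() in dcs:
            pending[(subj, new.upper())] = old
        elif pending.get((subj, old.upper())) == new:
            trips.append((subj, old.upper(), new))
            del pending[(subj, old.upper())]
    return trips


if __name__ == "__main__":
    for event, findings in scan_events(CONSTRUCTED_EVENTS, DOMAIN_CONTROLLERS):
        print(event["EventID"], event["SubjectUserName"], "; ".join(findings))
    for subj, dc, original in find_rename_round_trips(CONSTRUCTED_EVENTS, DOMAIN_CONTROLLERS):
        print(f"round trip by {subj}: {original} -> {dc} -> {original}")
```

The single-event rules fire on the rename to `DC01` and on the creation of `LAPTOP-77` without a `$`; the round-trip rule ties the rename to `DC01` and the rename back together under the same subject, which is the stronger signal. In a real deployment the DC set comes from the directory rather than a constant, and the rename events must be read from every domain controller, since a rename is logged only where it was processed.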
Vulnerabilities in Lenovo devices
Security researchers at NCC Group have discovered two new vulnerabilities in the IMController component present on multiple Lenovo devices, including Yoga and ThinkPad laptops, affecting all versions of Lenovo System Interface Foundation prior to 1.1.20.3. Lenovo System Interface Foundation is a service that runs with SYSTEM privileges and allows Lenovo devices to communicate with universal applications, providing the user with functions such as system optimisation and driver updates, among others; if it is disabled, Lenovo applications no longer function properly. The newly identified vulnerabilities (CVE-2021-3922 and CVE-2021-3969, CVSSv3 7.1) could allow a local user to execute commands with administrator privileges. The first is a race condition that lets an attacker connect to the named pipe of an IMController child process, and the second is a TOCTOU (time-of-check to time-of-use) flaw which, if exploited, allows privilege escalation on the vulnerable device. NCC Group reported both bugs to Lenovo last October, and Lenovo issued updates on 14 December that fix them, so it is recommended to update IMController to version 1.1.20.3.