Cyber Security Weekly Briefing 15–21 January

Telefónica Tech    21 January, 2022

Cyber-attack campaign against Ukrainian targets

The Microsoft Threat Intelligence Center team has been analysing the succession of cyberattacks against Ukrainian organisations since 13 January, which have affected at least 15 government institutions, including the Ministry of Foreign Affairs and Defence. According to investigators, this number could soon increase. As for the campaign itself, Microsoft warns that a new malware family called “WhisperGate” was used: malicious software disguised as ransomware whose purpose is to destroy and delete data on the victim’s device. “WhisperGate” is said to consist of two executables: “stage1.exe”, which overwrites the Master Boot Record on the hard disk to display a ransom note, whose characteristics indicate that it is fake ransomware that provides no decryption key, and “stage2.exe”, which runs simultaneously and downloads malware that destroys data by overwriting files with static data. Journalist Kim Zetter has indicated that the entry vector used by the malicious actors would have been the exploitation of CVE-2021-32648 (CVSSv3 9.1) in October CMS. In addition, according to Ukrainian cybersecurity agencies, the actors exploited the Log4Shell vulnerability, and DDoS attacks against their infrastructure have also been reported. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a statement warning organisations about potential critical threats following the recent cyberattacks targeting public and private entities in Ukraine. Microsoft has indicated that it has not been possible to attribute the attacks to any specific threat actor, which is why it is tracking this activity as DEV-0586. It should be noted that, as indicated by the Ukrainian authorities, given the escalation of tensions between the Ukrainian and Russian governments, this campaign of attacks is considered to be aimed at sowing chaos in Ukraine on behalf of Russia.


Flaw in Safari could reveal user data

Security researchers at FingerprintJS have revealed a serious flaw in Safari 15’s implementation of the IndexedDB API that could allow any website to track a user’s activity on the Internet, potentially revealing the user’s identity. IndexedDB is a browser API designed to store significant amounts of client-side data and is subject to the same-origin policy, a security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from another. The researchers have discovered that in Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API violates the same-origin policy. As a result, every time a website interacts with a database, a new, empty database with the same name is created in all other active frames, tabs and windows within the same browser session, so other websites can see this information. FingerprintJS has created a proof of concept that can be tested from Safari 15 or later on a Mac, iPhone or iPad. FingerprintJS also notes that it reported the bug to Apple on 28 November, but it has not yet been resolved.


Microsoft releases emergency updates for Windows

Following the discovery of a number of issues caused by the Windows updates issued with January’s Patch Tuesday security bulletin, Microsoft has released out-of-band (OOB) updates and emergency fixes for some versions of Windows 10 and Windows Server. Reports from system administrators indicate that, after deploying Microsoft’s latest patches, L2TP VPN connections fail, domain controllers reboot spontaneously, Hyper-V no longer starts on Windows servers and there are problems accessing Windows Resilient File System (ReFS) volumes. The fixes cover a wide range of versions of Windows Server 2022, 2012 and 2008 as well as Windows 7, 10 and 11. According to Microsoft, all updates are available for download from the Microsoft Update Catalog, and some of them can also be installed directly via Windows Update as optional updates. If it is not possible to deploy them, it is recommended to remove updates KB5009624, KB5009557, KB5009555, KB5009566 and KB5009543, although it should be noted that this also removes the valid fixes for the latest vulnerabilities patched by Microsoft.
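As an added example (not part of the briefing or of Microsoft’s guidance), the following PowerShell reports which of the five KBs named above are present on a host and prints the matching rollback command, so an administrator can decide whether to apply the OOB fix or roll back. The function name `Get-ProblemUpdateStatus` is a hypothetical helper; the KB identifiers are those listed in the briefing.

```powershell
# KBs the briefing says to remove if the out-of-band fix cannot be deployed.
$ProblemKbs = 'KB5009624','KB5009557','KB5009555','KB5009566','KB5009543'

# Hypothetical helper: returns one object per KB with an Installed flag.
# Get-HotFix reads Win32_QuickFixEngineering, which can miss some packages;
# cross-check with "DISM /Online /Get-Packages" if a KB is unexpectedly absent.
function Get-ProblemUpdateStatus {
    param([string[]]$KbIds = $ProblemKbs)
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($kb in $KbIds) {
        $hit = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        [pscustomobject]@{
            KB          = $kb
            Installed   = ($installed -contains $kb)
            InstalledOn = if ($hit) { $hit.InstalledOn } else { $null }
        }
    }
}

# Run in an elevated PowerShell session.
$status = Get-ProblemUpdateStatus
$status | Format-Table -AutoSize

# Rollback is a last resort: the same package carries January's security fixes.
# wusa.exe takes the numeric KB id; /norestart lets you schedule the reboot.
foreach ($entry in ($status | Where-Object { $_.Installed })) {
    $num = $entry.KB -replace '^KB', ''
    Write-Host "Present: $($entry.KB) (installed $($entry.InstalledOn))"
    Write-Host "  rollback: wusa.exe /uninstall /kb:$num /quiet /norestart"
}
```

The script only prints the `wusa.exe` command rather than executing it, so the removal remains an explicit, reviewed step.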


Cisco security flaw allows attackers to gain root privileges

Cisco has released Cisco Redundancy Configuration (RCM) version 21.25.4 for StarOS software, which fixes several security flaws. The most prominent vulnerability is identified as CVE-2022-20649 (CVSSv3 9.0), a critical flaw that allows unauthenticated attackers to execute remote code with root privileges on devices running vulnerable software. The root cause of the vulnerability is that debug mode has been improperly enabled for certain specific services. To exploit the vulnerability, attackers do not need to be authenticated, but they do need network access to the devices, so they would first have to perform detailed reconnaissance to discover which services are vulnerable. There is currently no evidence that the vulnerability is being exploited. Cisco has also patched a medium-severity information disclosure vulnerability, CVE-2022-20648 (CVSSv3 5.3).


Google fixes bugs in Chrome

Google has published a security advisory fixing 26 vulnerabilities affecting its Chrome browser. A critical vulnerability stands out among the flaws. It has been assigned the identifier CVE-2022-0289 and was discovered on 5 January by the researcher Sergei Glazunov. This vulnerability resides in Google’s Safe Browsing service, which is responsible for alerting users that they are accessing a website that could carry an associated risk. If exploited, this vulnerability could allow remote code execution. Most of the remaining vulnerabilities fixed have been classified as high severity, with only five rated medium risk. Google recommends updating to version 97.0.4692.99, which fixes these flaws.
