Apache vulnerabilities actively exploited
Earlier this week, Apache fixed an actively exploited 0-day (CVE-2021-41773) affecting Apache HTTP Server. However, on Thursday we learned that the patch released in version 2.4.50 was incomplete: a remote threat actor can still use the path traversal flaw to map URLs to files outside the web server's document root via Alias-like directives, and remote code execution is also possible if CGI scripts are enabled for those aliased paths. This new vulnerability, tracked as CVE-2021-42013, affects versions 2.4.49 and 2.4.50 and is also being actively exploited. Apache released a fix for it in version 2.4.51. CISA has also issued an alert urging organisations to apply the patches as soon as possible, as mass scans attempting to exploit these flaws are being observed.
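The traversal requests behind these two CVEs reach the server as percent-encoded path segments, and the lesson of the incomplete 2.4.50 patch is that a detector which normalises only one layer of encoding can be bypassed by a second layer. The following access-log check is an added example written for this digest; it is not code from the article, from Apache or from CISA. It decodes each request path repeatedly until it stops changing, then flags any request whose decoded path contains a ".." segment, so it catches the encoding variants without having to enumerate them. The log lines, the addresses and the assumption that "/cgi-bin/" is a ScriptAlias on the monitored host are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format; illustrative only,
# not taken from the article or from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Oct/2021:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [07/Oct/2021:10:01:15 +0000] "GET /cgi-bin/.%2e/.%2e/etc/hosts HTTP/1.1" 200 220
203.0.113.9 - - [07/Oct/2021:10:01:20 +0000] "GET /icons/.%%32%65/.%%32%65/etc/hosts HTTP/1.1" 403 199
203.0.113.9 - - [07/Oct/2021:10:01:22 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 403 199
198.51.100.3 - - [07/Oct/2021:10:02:00 +0000] "GET /docs/..%2Fprivate/notes.txt HTTP/1.1" 404 196
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)

# Assumption: these URL prefixes are served by ScriptAlias (CGI) on the
# monitored host. Adjust to the server's own configuration.
CGI_PREFIXES = ("/cgi-bin/",)


def fully_decode(path: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing.

    One decode pass turns ".%%32%65" into ".%2e" and stops there; a second
    pass yields "..". Bounding the rounds keeps hostile input from looping.
    """
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path: str) -> bool:
    """True if the fully decoded path contains a '..' segment."""
    decoded = fully_decode(path).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def scan_log(text: str) -> list:
    """Return one finding per request whose decoded path escapes its base."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess at the format
        path = m.group("target").split("?", 1)[0]
        if not is_traversal(path):
            continue
        status = int(m.group("status"))
        findings.append({
            "ip": m.group("ip"),
            "method": m.group("method"),
            "path": path,
            "decoded": fully_decode(path),
            "status": status,
            # Traversal under a CGI alias is the code-execution case; a 2xx
            # reply to any traversal means the server answered it and the
            # host must be treated as exposed until patched to 2.4.51.
            "severity": "high" if path.lower().startswith(CGI_PREFIXES) else "medium",
            "answered": 200 <= status < 300,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:14} {f['method']:4} "
              f"{f['path']} -> {f['decoded']} [{f['status']}]")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. Legitimate clients almost never send an encoded ".." segment, so the false-positive rate is low, and because the check works on the decoded result rather than on specific byte patterns it also covers mixed-case and deeper-nested encodings. It is a detection aid, not a substitute for upgrading to 2.4.51.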
Vulnerability in Azure AD enables brute force attacks
Security researchers at Secureworks have published the discovery of a new vulnerability in Microsoft Azure. This flaw, which has not yet been fixed by Microsoft, could allow threat actors to perform brute force attacks against Azure Active Directory without being detected, as no login events would be generated on the victim company’s tenant. The flaw resides in Azure’s Seamless Single Sign-On (SSO) feature, which allows users to automatically log in without having to enter credentials. However, the exploitation of this flaw is not just limited to organisations using Seamless SSO. Microsoft has told researchers that Seamless SSO features are being enhanced to mitigate the vulnerability. Since the vulnerability became known, some proofs of concept for exploiting the flaw have already been published on GitHub.
Syniverse suffers years of unauthorised access to its systems
Last September, Syniverse reported to the US Securities and Exchange Commission that in May of this year it had discovered a security incident affecting its EDT transfer environment, involving unauthorised access to internal databases on several occasions since 2016. The company itself indicated that the incident did not affect its operations and that there was no attempt at extortion. The media outlet Motherboard has published an article attempting to evaluate the real scope of these events, highlighting that Syniverse provides services to more than 300 companies in the telecommunications sector, such as AT&T, Verizon and T-Mobile. The article adds that a former employee of the company reportedly stated that the affected systems contained access to metadata on call logs, personal data, phone numbers and locations, as well as SMS text message content. According to security researcher Karsten Nohl, Syniverse has access to the communications of billions of people around the world, so this would be a serious breach of users' privacy. However, Motherboard also reported that Syniverse declined to comment on specific questions about the actual extent of the breach.
950GB of data extracted from an Agent Tesla C2
Resecurity researchers, working with ISPs in the European Union, the Middle East and North America, reportedly managed to exfiltrate 950GB of data from a Command & Control (C2) server of the Agent Tesla RAT, which has been active since late 2014 and is known for stealing sensitive information through malspam campaigns. Analysis of the data turned up user credentials and confidential files, among other things, allowing the researchers to establish patterns in how threat actors use Agent Tesla. These patterns include the geographical distribution of the victims, with the United States, Canada, Italy, Spain, Chile and Egypt among the most affected regions, as well as the sectors most affected by this RAT, including finance, retail and government. According to various security researchers who have been monitoring this malware, Agent Tesla will continue to be a threat to Windows environments, especially since the new version of the RAT has been observed attacking Microsoft's AMSI (Antimalware Scan Interface) to avoid detection and prolong infections.
TangleBot – New Android Malware
Security researchers at Proofpoint have discovered a new malware family for Android mobile devices, which they have named TangleBot and which currently targets users in the United States and Canada. The malware is distributed via smishing campaigns posing as COVID-19 regulations or notices about possible power outages. The SMS messages prompt victims to click on a link that claims an Adobe Flash update is required and invites them to download the supposed update. What is actually installed is TangleBot, a malware that gives attackers full control of the device, allowing them to monitor and record user activity, activate a keylogger to intercept every typed password, or record audio and video using the device's microphone and camera without the user's knowledge. In addition to its spying and keylogging capabilities, the malware can block and make calls, which could allow premium-rate services to be enabled.