Reacharound: possible resurgence of the triple threat Trickbot-Emotet-Ransomware
Last January, an international action coordinated by Europol and Eurojust led to the dismantling of the Emotet infrastructure, a malware widely used in the early stages of the ransomware infection chain. According to security researchers, these events contributed to the shutdown of several high-profile ransomware-as-a-service (RaaS) operations. However, since last week researchers such as GData and AdvIntel have reported a resurgence of the threat, indicating that operators of the Conti ransomware have allegedly convinced the former Emotet operator to rebuild its infrastructure. These actions were allegedly carried out through a campaign named “Reacharound”, characterised by the infection of devices with TrickBot, which carried an Emotet payload. AdvIntel researchers estimate that the return of this threat will have a significant impact on ransomware operations for three reasons: the high sophistication of Emotet’s capabilities, the promotion of crime-as-a-service in this area, and the return of the classic TrickBot-Emotet-Ransomware triple threat.
PoC published for a vulnerability in Microsoft Exchange
Security researcher @testanull has published a working proof of concept (PoC) for the vulnerability identified as CVE-2021-4231, with a CVSS score of 8.8, affecting Microsoft Exchange, which Microsoft fixed in its November security bulletin. The vulnerability is said to affect on-premises Exchange Server 2016 and 2019 and could allow an authenticated attacker to execute arbitrary code remotely. Microsoft reports that it has occasionally detected exploitation of this vulnerability in targeted attacks, and therefore recommends applying the fix. It should be noted that this would not be the first time in 2021 that vulnerabilities in Microsoft Exchange have been exploited to carry out attacks, as the exploitation attempts against ProxyLogon and ProxyShell are well known. It is recommended to use the Exchange diagnostic program to check whether systems have been affected by these vulnerabilities.
New Windows 0-day with public exploit
Security researcher Abdelhamid Naceri has made public an exploit for a new 0-day in Windows that would allow an attacker to gain administrator privileges and affects all versions of Windows, including Windows 10, Windows 11 and Windows Server 2022. Naceri managed to bypass the patch that Microsoft included in its November monthly bulletin for a privilege escalation vulnerability in Windows Installer (CVE-2021-41379), which he himself had reported to Microsoft. Following this new finding, he identified a new 0-day, for which he has now decided to publish the exploit (InstallerFileTakeOver) on his GitHub account. With this publication, Naceri intends to join the discontent already expressed by other researchers towards Microsoft over what they claim is a continuous degradation of the bounties paid for reported vulnerabilities. Microsoft is expected to patch the new bug in its next bulletin; given the complexity of the vulnerability, the researcher recommends waiting for the official fix. Cisco Talos security researchers have reportedly already detected malware samples attempting to exploit the new 0-day. They indicate that the exploitation attempts observed are part of low-volume attacks, which could be tests to fine-tune the exploits and can therefore be understood as a possible preliminary step before larger-scale campaigns.
Security breach at GoDaddy
Domain registrar GoDaddy has disclosed a security incident detected on November 17th, in which an unauthorised third party allegedly gained access to the company’s Managed WordPress hosting environment using a compromised password. The investigation, which is still ongoing, has determined that the attacker had access to customer information from the 6th of September of this year until the time of detection, when the intruder was blocked and expelled from the system. The exposed information includes the email addresses and customer numbers of 1.2 million active and inactive Managed WordPress users, the WordPress administrator password set at the time of provisioning, the sFTP and database usernames and passwords of active users, and the private keys of SSL certificates for certain active users. The company is contacting the customers affected by this breach. It is worth noting that GoDaddy also suffered a data breach in May of last year.
Vulnerabilities in MediaTek allow spying on Android devices
Semiconductor company MediaTek has fixed several security flaws that could have allowed attackers to eavesdrop on phone calls on Android devices, execute commands or escalate privileges. MediaTek’s SoCs (System on a Chip) are embedded in around 37% of the world’s smartphones and IoT devices, including devices from brands such as Xiaomi, Realme and Vivo, among others. Three of these vulnerabilities (CVE-2021-0661, CVE-2021-0662 and CVE-2021-0663), all with a CVSS score of 6.7, are due to incorrect bounds checking and were fixed in MediaTek’s security bulletin last October. The fourth vulnerability has been assigned the identifier CVE-2021-0673 but has not yet been fixed; the company will publish more details about the flaw, as well as its fix, in the next security bulletin, due in December.