Cyber Security Weekly Briefing 23-29 October

Telefónica Tech, 29 October 2021

Google fixes two 0-days in Chrome browser

Google has released Chrome update 95.0.4638.69 for Windows, Mac and Linux, which fixes 7 vulnerabilities, two of them 0-days. The two 0-days are CVE-2021-38000, rated high severity and described as insufficient validation of untrusted input in Intents, and CVE-2021-38003, also rated high severity and described as an inappropriate implementation in V8. Google states that exploits for both vulnerabilities exist in the wild but has not released further details for the moment. Since both flaws were reported by researchers from Google TAG and Project Zero, it is likely that the details will appear in future reports from those teams.

New activity from Russian actor Nobelium

Microsoft's Threat Intelligence team has detected new activity associated with the Nobelium group, which the US government has attributed to the Russian Foreign Intelligence Service (SVR) and blamed for the 2020 SolarWinds supply chain attack. The new campaign has been running since May 2021 and is focused mainly on the United States and Europe. It follows a similar strategy to previous campaigns but targets a different link in the supply chain: this time, Nobelium has attempted to reach the downstream customers of multiple Cloud Service Providers (CSPs), Managed Service Providers (MSPs) and other organisations that provide IT services to businesses. Notably, the group has been observed chaining access through four different providers to reach a single end target, illustrating the range of techniques this actor uses to abuse the trust relationships between companies. Microsoft estimates that around 140 cloud and managed service providers have been targeted, and that at least 14 have been compromised since May 2021.

Squirrelwaffle: new malware distributed in malspam campaigns

Researchers at Cisco Talos have warned of a new malware family, first observed in September 2021, called Squirrelwaffle. It is distributed through malspam campaigns and, in the most recent ones, is used to infect systems with Qakbot and Cobalt Strike. The malware gives attackers an initial foothold on a system and its network environment from which to pursue further compromise. As seen with threats such as Emotet, the campaign leverages stolen email threads and replies within them in the language of the original conversation, so the lure matches the victim's locale. The malicious emails contain hyperlinks to ZIP files hosted on web servers; the archives contain malicious .doc or .xls documents that, if opened, run code to retrieve the malware. The documents also use a DocuSign-themed lure to convince the victim to enable macros. Squirrelwaffle ships with an IP blocklist of security firms in an attempt to evade detection and analysis. Finally, the researchers note that this malware could be a successor to Emotet and warn that campaigns may escalate over time as the botnet grows.
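The delivery chain described above (an emailed link to a ZIP that carries a macro-laden .doc or .xls) can be triaged automatically at a mail gateway or by an analyst before anyone opens the document. The following Python helper is an added example, not code from the Talos report or from this briefing: it unpacks a downloaded ZIP, flags legacy OLE2 Office documents (the .doc/.xls lures named above), detects a VBA project inside OOXML packages, and treats a VBA project hidden behind a macro-free extension such as .docx as an especially strong signal. The sample archives and file names are constructed inline and contain no real malware.

```python
import io
import os
import zipfile

# File types the briefing names as lures (legacy binary Office formats) and the
# OOXML variants that can or cannot legitimately carry VBA macros.
LEGACY_OFFICE = {".doc", ".xls"}
MACRO_OOXML = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
MACRO_FREE_OOXML = {".docx", ".xlsx", ".pptx"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of legacy .doc/.xls files


def inspect_member(name, data):
    """Return indicator strings for one file extracted from the outer ZIP."""
    indicators = []
    ext = os.path.splitext(name)[1].lower()
    if ext in LEGACY_OFFICE:
        if data.startswith(OLE2_MAGIC):
            # Macros in OLE2 files live in VBA streams; confirming them needs an
            # OLE parser (e.g. oletools), so the legacy format itself is the flag.
            indicators.append(f"{name}: legacy OLE2 Office document, macro-capable")
        else:
            indicators.append(f"{name}: Office extension but not an OLE2 file")
    elif ext in MACRO_OOXML | MACRO_FREE_OOXML:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as doc:
                parts = {p.lower() for p in doc.namelist()}
        except zipfile.BadZipFile:
            indicators.append(f"{name}: Office extension but not an OOXML package")
            return indicators
        # OOXML stores macros as a vbaProject.bin part inside the package.
        has_vba = any(p.endswith("vbaproject.bin") for p in parts)
        if has_vba and ext in MACRO_FREE_OOXML:
            indicators.append(f"{name}: VBA project hidden behind a macro-free extension")
        elif has_vba:
            indicators.append(f"{name}: contains VBA project (vbaProject.bin)")
    return indicators


def triage_zip(blob):
    """Inspect a ZIP fetched from a mailed link; return a verdict and indicators."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as outer:
            members = [(i.filename, outer.read(i)) for i in outer.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return {"verdict": "not-a-zip", "indicators": []}
    indicators = []
    for name, data in members:
        indicators.extend(inspect_member(name, data))
    return {"verdict": "suspicious" if indicators else "clean", "indicators": indicators}


def _build_zip(entries):
    """Pack {name: bytes} into an in-memory ZIP (used only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (not real malware): a minimal OOXML package with and
# without a VBA project, and a blob carrying the OLE2 header.
_OOXML_BASE = {"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<document/>"}
SAMPLE_MACRO_PACKAGE = _build_zip({**_OOXML_BASE, "word/vbaProject.bin": b"\x00" * 64})
SAMPLE_CLEAN_PACKAGE = _build_zip(_OOXML_BASE)
SAMPLE_LEGACY_DOC = OLE2_MAGIC + b"\x00" * 504

# Outer archives as a victim would download them from the link in the email
# (file names are invented for the example).
MALICIOUS_ZIP = _build_zip({"Invoice_0221.doc": SAMPLE_LEGACY_DOC,
                            "Agreement_to_sign.xlsm": SAMPLE_MACRO_PACKAGE})
DISGUISED_ZIP = _build_zip({"Report.docx": SAMPLE_MACRO_PACKAGE})
CLEAN_ZIP = _build_zip({"Report.docx": SAMPLE_CLEAN_PACKAGE})

if __name__ == "__main__":
    for label, blob in [("malicious", MALICIOUS_ZIP), ("disguised", DISGUISED_ZIP), ("clean", CLEAN_ZIP)]:
        print(label, triage_zip(blob))
```

A verdict of "suspicious" is a triage signal, not proof of infection: legacy .doc/.xls files are flagged because their macro content cannot be ruled out without an OLE parser, so they should be routed to a sandbox or to a tool such as olevba rather than blocked blindly.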

Vulnerabilities in Diebold Nixdorf ATMs

Researchers at Positive Technologies have discovered vulnerabilities in Wincor Cineo ATMs, a Diebold Nixdorf product, fitted with RM3 and CMD-V5 dispensers. Two vulnerabilities with a CVSSv3.0 score of 6.8 were reported. Exploitation could allow unauthorised cash withdrawals: with access to the USB port of the dispenser controller, an attacker could install an outdated or modified firmware version to bypass the encryption and make the ATM dispense cash. The first vulnerability, CVE-2018-9099, affects all versions of the CMD-V5 dispenser firmware; the second, CVE-2018-9100, affects all versions of the RM3/CRS dispenser firmware. The attack consists of three steps: connecting a device to the ATM, loading outdated and vulnerable firmware, and exploiting the security flaws to gain access to the cassettes inside the safe. The researchers urge banks to request the latest firmware version from the ATM manufacturer to fix the vulnerabilities.

0-day vulnerability in Windows

Security researcher Abdelhamid Naceri has disclosed details of a 0-day elevation of privilege vulnerability that affects all versions of Windows, including Windows 10, Windows 11 and Windows Server 2022. The researcher had previously reported the flaw to Microsoft, which tracked it as CVE-2021-34484 and released a fix in August. After examining that fix, Naceri found that the patch was incomplete and published a new proof-of-concept exploit that bypasses it on GitHub. However, because the exploit requires the attacker to know a user's username and password, it is likely to be less useful in widespread attacks than other elevation of privilege vulnerabilities.
