Cyber Security Weekly Briefing 25 September – 1 October

ElevenPaths    1 October, 2021
Cyber Security Weekly Briefing 25 September - 1 October

​​​Let’s Encrypt root certificate expires (DST Root CA X3)

A few days ago, Scott Helme, founder of Security Headers, highlighted the 30 September as the date when Let’s Encrypt’s root certificate, DST Root CA X3, would expire. As of 4:01 p.m. EDT yesterday 30 September, as the existing root certificate expired on multiple websites, all devices and browsers that had not been updated (and for which the certificate was therefore no longer supported) began to experience problems with connections being seen as untrusted. In his article, Helme provided a list of clients that only trusted the expiring certificate and would therefore experience problems after expiry: “OpenSSL <= 1.0.2, Windows < XP SP3, macOS < 10.12. 1, iOS < 10 (iPhone 5 is the lowest model that can get to iOS 10), Android < 7.1.1 (but >= 2.3.6 will work if served ISRG Root X1 cross-sign), Mozilla Firefox < 50, Ubuntu < 16.04, Debian < 8, Java 8 < 8u141, Java 7 < 7u151, NSS < 3.26 and Amazon FireOS (Silk Browser)”. To avoid this problem, Let’s Encrypt has a new root certificate, ISRG Root X1. On the other hand, it is also worth noting that, until yesterday, the firm used a cross identification system that made DST Root CA X3 compatible with the most recent and extended version of ISRG Root X1, however, with the expiration of the first one, this practice is put to an end. Following the expiry and despite warnings, Helme has reportedly confirmed problems, at least for firms such as Palo Alto, Bluecoat, Cisco Umbrella, Catchpoint, Guardian Firewall, Monday.com, PFsense, Google Cloud Monitoring, Azure Application Gateway, OVH, Auth0, Shopify, Xero, QuickBooks, Fortinet, Heroku, Rocket League, InstaPage, Ledger, Netlify and Cloudflare Pages.

All the details: https://www.zdnet.com/article/fortinet-shopify-others-report-issues-after-root-ca-certificate-from-lets-encrypt-expires/

​Chrome fixes new 0-days actively exploited

On 24th September Google released an urgent update for its Chrome browser for Windows, Mac and Linux that fixes a 0-day. According to Google, there are already reports of its active exploitation on the web by threat actors, although details on the alleged incidents have not been made public. The flaw, identified as CVE-2021-37973 (no CVSSv3 score for the moment), resides in Google’s new navigation system for Chrome called “Portals” and is a “use after free” flaw (use of previously freed memory) that, after successful exploitation in vulnerable Chrome versions, would allow the execution of arbitrary code. Google has already released a new version of Chrome 94.0.4606.61 that fixes the issue and, according to their own release, [it[ “will be deployed in the coming days/weeks”.

Only a few days later, on 30th September, Google released another urgent update to its Chrome browser for Windows, Mac and Linux, fixing two new 0-days for which no specific details have yet been released, and which remain reserved until mass deployment of the patch. These vulnerabilities, which according to Google are being actively exploited, have been identified as: CVE-2021-37975, a use-after-release memory usage flaw in the V8 JavaScript engine and WebAssembly (use-after-free), which would allow program crashing and arbitrary code execution and CVE-2021-37976, which causes an information leak in the browser’s kernel. Google has already released a new version of Chrome 94.0.4606.71 that fixes the problem, with plans for users to deploy it in the coming days. It should be noted that so far this year, Google has been forced to patch up to 14 0-day vulnerabilities, so it is recommended to keep the application updated in its latest versions.

More info: https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html

​​Good practice guidance for VPN selection and hardening

The National Security Agency (NSA) and the US Cybersecurity and Infrastructure Security Agency (CISA) have jointly created and published a document entitled Selecting and Hardening Remote Access VPN Solutions. The main purpose of the document is to assist organizations in choosing a VPN solution that follows current standards, as well as defining best practices for using strong authentication credentials, agility in patching vulnerabilities, and implementing processes to secure and monitor access to and from the VPN. The publication of this guide follows numerous attacks against government and defense institutions in several countries this year by threat actors, mainly backed by governments, and different ransomware groups that have exploited known vulnerabilities in widely used VPN services such as Fortinet, Pulse Secure or Cisco. The document is now publicly available at the following link and, as the NSA itself states in its press release, “The publication of the guidance is part of its mission to help protect the departments of defense and homeland security“.

Learn more: https://us-cert.cisa.gov/ncas/current-activity/2021/09/28/cisa-and-nsa-release-guidance-selecting-and-hardening-vpns

​​GriftHorse malware for Android devices subscribes to paid services

Security researchers at Zimperium have discovered a new trojan, distributed on a large scale since November 2020, that subscribes victims to premium SMS services. It has so far infected more than 10 million Android devices in more than 70 countries. The malware is distributed via legitimate-looking apps that look like tools, personalization or entertainment software, uploaded to the official Google Play Store and third-party shops. The malware is developed with the Apache Cordova framework, making it cross-platform and allowing it to deploy updates without the need for user interaction. Afterwards, the application repeatedly displays alerts with pretexted prizes to redirect the victim to a website in their language where, by entering their phone number, they are subscribed to a premium SMS service with a monthly cost of more than €30. It is worth noting that the malware uses several techniques to avoid detection: it avoids encoding URLs, does not reuse domains, filters content based on the geolocation of the IP address and avoids checking the dynamic analysis of the communication. Researchers estimate that the trojan’s authors make a monthly profit of between 1.2 and 3.5 million euros.

Info: https://blog.zimperium.com/grifthorse-android-trojan-steals-millions-from-over-10-million-victims-globally/

Leave a Reply

Your email address will not be published.