HAFNIUM attacks Microsoft Exchange servers with 0-day exploits
Microsoft has detected the use of multiple 0-day exploits to carry out targeted attacks against on-premises versions of Microsoft Exchange Server (2013, 2016 and 2019); Exchange Online is not affected by these vulnerabilities. The exploited vulnerabilities are the following: CVE-2021-26855 (CVSS v3 9.1) and CVE-2021-26857 / 26858 / 27065 (CVSS v3 7.8). The flaws were fixed yesterday by Microsoft in an emergency security update. In the attacks observed by Microsoft and the security firm Volexity, the HAFNIUM group, believed to be supported by the Chinese state, exploited these vulnerabilities to gain access to Exchange servers and their mail accounts and to install malware for persistence. After exploiting these vulnerabilities, HAFNIUM operators reportedly deployed web shells on the compromised servers to steal data, upload or download files and execute commands.
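Because the post-exploitation step described above leaves new or altered server-side script files on the Exchange web root, one practical check a defender can run after patching is a file-integrity comparison against a known-good baseline. The following is an added example (not code from the advisory, Microsoft or Volexity); the directory layout, file names and contents are constructed for the demonstration, and the set of script suffixes to watch is an assumption for a typical Exchange/IIS deployment.

```python
"""Hunt for unexpected server-side script files under an Exchange/IIS web root
by comparing against a SHA-256 baseline taken on a clean system.
Added example: paths and file contents below are constructed, not real indicators."""
import hashlib
import tempfile
from pathlib import Path

# Assumption: these suffixes cover the script types IIS executes for Exchange;
# a dropped web shell would normally arrive as one of them.
SCRIPT_SUFFIXES = {".aspx", ".asmx", ".ashx"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every script file (path relative to root) to its SHA-256 digest."""
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def diff_against_baseline(root: Path, baseline: dict) -> dict:
    """Report script files that are new, modified or missing versus the baseline.
    'new' is the most interesting bucket for web-shell hunting; 'modified' catches
    a legitimate page that has been tampered with; 'missing' flags cleanup."""
    current = build_baseline(root)
    return {
        "new": sorted(set(current) - set(baseline)),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: baseline a clean web root, then simulate one dropped
    file and one altered file and return what the comparison reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Assumed layout loosely modelled on an Exchange web root (constructed).
        (root / "owa" / "auth").mkdir(parents=True)
        (root / "ecp").mkdir()
        (root / "owa" / "auth" / "logon.aspx").write_text("<!-- legitimate page -->")
        (root / "ecp" / "default.aspx").write_text("<!-- legitimate page -->")
        baseline = build_baseline(root)

        # Simulated post-compromise changes (constructed for the example).
        (root / "owa" / "auth" / "unexpected.aspx").write_text("<!-- unknown file -->")
        (root / "ecp" / "default.aspx").write_text("<!-- content changed -->")
        return diff_against_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken immediately after installing the security update (or from a clean reference install of the same build), stored off-host, and the comparison is rerun on a schedule; anything in the "new" bucket that was not introduced by a known update deserves a timeline review of the IIS logs around its creation time.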
Google fixes second 0-day in Chrome this year
Yesterday, 2nd March, Google released Chrome version 89.0.4389.72 for Windows, Mac and Linux, which will be rolled out progressively to the user base over the next few days. This update includes fixes for 47 security flaws in total, one of which is a high-risk 0-day, an object lifecycle issue in Chrome's audio component. The vulnerability was reported in mid-February by a Microsoft team and has been assigned the identifier CVE-2021-21166. Although Google has indicated that an exploit for this vulnerability exists, for the time being, and as is usual for Google, no further details have been provided on its exploitation in order to protect the user base. The patching of this new vulnerability in Chrome comes after Google fixed another 0-day vulnerability in February that could be exploited by attackers to execute arbitrary code on systems running previous versions of Chrome. Such vulnerabilities have been exploited in a number of attacks, including the campaign against cybersecurity researchers in late January.
Supply chain compromise update: new artefacts
Microsoft has discovered new malware families on the systems of victims of the SolarWinds compromise and has named the sophisticated group behind the attack Nobelium. GoldMax, Sibot and GoldFinder are the three new variants detected, which were used by Nobelium in the second phase of deployment, after using Teardrop to move laterally. Although they were observed between August and September, they are believed to have been deployed on compromised SolarWinds customers' systems as early as June 2020. Microsoft states that these new variants were used to maintain persistence and perform very specific, targeted actions after the initial compromise, evading detection even during incident response. Additionally, FireEye has published information about a new backdoor deployed in the second phase of the compromise of an organisation attacked by the SolarWinds actors. This new malware has been named Sunshuttle and is also reportedly associated with the UNC2452 group (Nobelium, SolarStorm, StellarParticle or Dark Halo). Although Microsoft and FireEye have not linked these families, they appear to be the same malware, as they share functionality and C2 infrastructure.
Supermicro and Pulse Secure release TrickBoot updates
Supermicro and Pulse Secure have issued warnings that their motherboards are vulnerable to the UEFI firmware infection module of the TrickBot malware, known as "TrickBoot". This firmware vulnerability was discovered last year by Advanced Intelligence and Eclypsium. A device is vulnerable when UEFI firmware write protection is disabled or misconfigured, which gives the malware the ability to read, modify and even erase the firmware itself. This would expose the computer to malicious activities such as device bricking, circumvention of operating system security controls or forced reboots, even after a complete reinstallation of the operating system. Malicious code implanted in the firmware (a bootkit) is invisible to any security solution running within the operating system, because it is loaded early in the device's boot sequence. Supermicro has announced that its X10 UP motherboards are vulnerable to this attack and has released the critical BIOS 3.4 update to enable write protection. Pulse Secure has also released a BIOS update for devices running Pulse Connect Secure or Pulse Policy Secure, for the same reason.