Cyber Security Weekly Briefing 27 November – 3 December

Telefónica Tech    3 December, 2021

Apple and Google fined 20 million for using user data

The Italian Competition and Market Authority (AGCM) has fined Google and Apple 10 million euros each for the way they collect and process user data for commercial purposes. The Authority found that both companies committed two consumer-protection infringements. First, Google and Apple omit important information both when an account/ID is created and while users use their services, since neither clearly indicates how the data will be used. Second, the Authority describes the companies’ data collection practices as “aggressive”. During account creation, Google pre-selects the user’s acceptance of the use of data for commercial purposes, so no explicit confirmation by the user is required. As for Apple, the Authority ruled that the way consent to the processing of data for commercial purposes is obtained constrains the user’s choice, since users who do not relinquish control over the data they provide are limited in their use of Apple’s services. Both companies have reportedly expressed their disagreement with the charges and their intention to appeal the sanction.


Attempted Exploits of Vulnerability CVE-2021-40438 Detected

Cisco has issued an advisory reporting the detection of attempts to exploit a recently patched vulnerability in Apache HTTP servers. The server-side request forgery (SSRF) vulnerability, identified as CVE-2021-40438 and with a CVSS score of 9.0, can be exploited against servers with the “mod_proxy” module enabled. The vulnerability was fixed in September with the release of version 2.4.49, but several proof-of-concept exploits have been published since then. In addition to Cisco’s security alert, the German Federal Office for Information Security (BSI) has also issued a security advisory after detecting an attack in which the vulnerability was exploited to obtain the hash values of user credentials.
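A quick exposure check for the Apache item above, added here as an illustration and not part of the briefing: a host is treated as affected only when mod_proxy is loaded and the running httpd is older than 2.4.49, the version the briefing names as the fix. The `httpd -v` and `httpd -M` outputs embedded below are constructed samples.

```python
"""Exposure check for CVE-2021-40438 (Apache httpd mod_proxy SSRF).

Assumption (not from the briefing): the fixed version is 2.4.49 and the
vulnerable code path only matters when proxy_module is loaded.
"""
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (2, 4, 49)  # release that fixed CVE-2021-40438

# Constructed sample output, as `httpd -v` and `httpd -M` would print it.
SAMPLE_V = "Server version: Apache/2.4.41 (Ubuntu)\nServer built:   2021-10-14T16:24:43\n"
SAMPLE_M = ("Loaded Modules:\n core_module (static)\n proxy_module (shared)\n"
            " proxy_http_module (shared)\n")


def parse_version(httpd_v_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `httpd -v` output; None if absent."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    return tuple(int(x) for x in m.groups()) if m else None


def mod_proxy_loaded(httpd_m_output: str) -> bool:
    """True if `httpd -M` lists proxy_module itself (static or shared).

    proxy_http_module etc. do not count: the SSRF lives in mod_proxy.
    """
    return re.search(r"^\s*proxy_module\s+\((shared|static)\)",
                     httpd_m_output, re.MULTILINE) is not None


def is_exposed(httpd_v_output: str, httpd_m_output: str) -> bool:
    """Exposed only when the version is pre-fix AND mod_proxy is active.

    Tuple comparison avoids the string-compare trap where "2.4.9" > "2.4.49".
    """
    version = parse_version(httpd_v_output)
    if version is None:
        raise ValueError("could not parse Apache version from `httpd -v` output")
    return version < FIXED_VERSION and mod_proxy_loaded(httpd_m_output)


def check_local_host(binary: str = "httpd") -> bool:
    """Run the real binary on this host (e.g. binary='apache2ctl' on Debian)."""
    v_out = subprocess.run([binary, "-v"], capture_output=True, text=True).stdout
    m_out = subprocess.run([binary, "-M"], capture_output=True, text=True).stdout
    return is_exposed(v_out, m_out)


if __name__ == "__main__":
    print("sample host exposed:", is_exposed(SAMPLE_V, SAMPLE_M))
```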


Old vulnerabilities affect HP printer models

Researchers at F-Secure have discovered several vulnerabilities affecting at least 150 multifunction printer models manufactured by Hewlett Packard. The vulnerabilities, listed as CVE-2021-39237 and CVE-2021-39238, date back to at least 2013, so they could have affected a large number of users over a long period of time. The first, with a CVSS score of 7.1, concerns two exposed physical ports that grant full access to the device, and its exploitation could lead to an information leak. The second has a CVSS score of 9.3 and, if exploited, would give malicious actors remote code execution. The researchers also described several ways in which these vulnerabilities could be exploited, including printing from USB, social engineering the user into printing a malicious document, printing from another device under the attacker’s control, and cross-site printing, among others. HP issued firmware updates for these two most critical vulnerabilities on 1 November, and each CVE links to the products it affects; the company has also published a security best-practice guide for printers.


Emotet spread via malicious Adobe Windows App Installer packages

The reactivated Emotet malware has been detected being distributed through malicious packages for App Installer, a built-in feature of Windows 10 and Windows 11. The malicious actors behind this malware aim to infect systems by getting victims to run a Windows App Installer package disguised as Adobe PDF software. The new campaign starts with stolen email reply chains, so the message appears as a reply to an existing conversation and carries a URL that supposedly leads to a PDF related to the current thread. The link spoofs a Google Drive page showing a PDF preview button, which is actually a URL that attempts to open an application installation file hosted on Microsoft Azure. The same method was previously seen distributing the BazarLoader malware, which likewise installed malicious packages hosted on Microsoft Azure. Techniques like this have allowed Emotet to resurface and run large-scale phishing campaigns that subsequently install TrickBot and Qbot and lead to ransomware attacks.


ManageEngine ServiceDesk Plus flaw actively exploited

Researchers at Palo Alto Networks’ Unit 42 have published a report showing that an APT is exploiting a critical vulnerability in Zoho’s ManageEngine ServiceDesk Plus, listed as CVE-2021-44077 with a CVSS score of 9.8. Last September, CISA warned that a malicious actor was exploiting CVE-2021-40539, also CVSS 9.8, in Zoho’s ManageEngine ADSelfService Plus. In November, Palo Alto warned of a second, more sophisticated campaign using the same flaw, which it named TiltedTemple. Palo Alto has now found that the same APT that was exploiting CVE-2021-40539 in previous months has possibly extended its operations and is also exploiting CVE-2021-44077. Exploiting this flaw could allow an unauthenticated remote user to upload malicious executables and webshells, which could in turn be used to steal administrator credentials, move laterally, and more. Attribution remains unclear for the moment: Palo Alto points to the Chinese group APT27 (TG-3390) in both cases, while Microsoft’s Threat Intelligence team indicates that the September attacks were carried out by DEV-0322.

