Cyber Security Weekly Briefing 29 January – 4 February

Telefónica Tech    4 February, 2022

Exploits that allow privilege elevation in Windows published

Security researchers have made public several exploits that leverage a known elevation of privilege vulnerability that affects all versions of Windows 10. The exploits specifically rely on vulnerability CVE-2022-21882 – 7.0 CVSSv3 which, in combination with a bypass of CVE-2021-1732 – 7.8 CVSSv3 (both already patched by Microsoft), could allow a threat actor to easily elevate its privileges to spread laterally within the network, create new users or execute high privilege commands. According to Microsoft, the vulnerability was discovered by a private researcher who shared a technical analysis of the vulnerability shortly after the official Windows updates were released. In addition, several investigations have already confirmed the full functionality of the published exploits. It is worth noting that Microsoft’s last fixes, in January, resulted in multiple severe bugs in key system services that were subsequently fixed with extraordinary released patches (OOBs), which may have led system administrators to wait for the next fixes in February, so it is estimated that as of today, there may be many devices vulnerable to these new exploits.

More info: https://www.bleepingcomputer.com/news/microsoft/windows-vulnerability-with-new-public-exploits-lets-you-become-admin/

Critical vulnerability in Samba

Samba has released security updates to address three vulnerabilities that, if successfully exploited, could allow remote attackers to execute arbitrary code with the highest privileges on affected installations. Among the security flaws is the following one listed as CVE-2021-44142 with a CVSSv3 9.0, which was reported by Orange Tsai of DEVCORE and affects all versions of Samba prior to 4.13.17. It is specifically an out-of-bounds read/write vulnerability in the “vfs_fruit” VFS module that provides support for Apple’s SMB clients. It should be noted that to exploit this vulnerability it is required write access to a file’s extended attributes in a Samba network folder. According to the CERT Coordination Centre (CERT/CC), the list of platforms affected by this vulnerability includes Red Hat, SUSE Linux and Ubuntu. Administrators can fix the flaw by installing versions 4.13.17, 4.14.12 and 4.15.5 or by applying the security patches released by the vendor. Samba has also provided mitigation measures for administrators who cannot immediately install the latest versions by removing the “fruit” lines from “vfs objects” in the Samba configuration files. Finally, there are two other bugs of lower criticality (CVE-2021-44141 CVSSv3 4.2 and CVE-2022-0336 CVSSv3 3.1).

All the details:https://www.samba.org/samba/history/security.html

Campaign targeting senior executives via malicious OAuth applications

Researchers at Proofpoint have analysed a new campaign, active since January, which they have named OiVaVoii due to the use of malicious OAuth applications. This campaign uses compromised Office 365 tenants and a sophisticated combination of lures such as malicious OAuth applications and spear phishing. Malicious actors can take control of corporate accounts through these techniques, increasing the risk of these activities leading to data leaks, lateral moves, brand abuse, ongoing phishing campaigns or malware distribution. The targets of this campaign would be high-level executives, including CEOs, Managing Directors and Board members. Microsoft has blocked four of the fraudulent applications used, although new ones have been created, and Proofpoint notes that these activities are still ongoing. Potentially impacted companies should revoke permissions, remove the applications, delete any malicious mailbox rules added by the malicious actors and review any downloaded files.

All info: https://www.proofpoint.com/us/blog/cloud-security/oivavoii-active-malicious-hybrid-cloud-threats-campaign

​”UPnProxy”: thousands of routers vulnerable to UPnP attacks

Researchers at Akamai have detected a malicious campaign called “Eternal Silence” that abuses the Universal Plug and Play (UPnP) protocol in order to use thousands of routers as proxies, thus hiding the real location of the malicious actors. UPnP is present in almost all current routers allowing automatic port forwarding for access to different services and/or software, which makes it easy for a potential attacker to add UPnP port forwarding entries through a device’s exposed WAN connection. In particular, analysts point out that the attacks attempt to expose TCP ports 139 and 445 on devices connected to the targeted router to subsequently exploit already known vulnerabilities such as EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) on unpatched Windows and Linux systems, respectively. This attack technique has been referred to by Akamai as “UPnProxy” and, according to its research, of the more than 3 million UPnP routers scanned online, 277,000 would be vulnerable to UPnProxy and more than 45,000 have already been infected. Additionally, Akamai highlights that these techniques are almost unnoticeable to victims, so it recommends auditing NAT table entries and, if a compromise is detected, rebooting or updating the device’s firmware.

Discover more: https://www.akamai.com/content/dam/site/en/documents/research-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf

0-day vulnerability in Zimbra

Researchers at Volexity have discovered a 0-day vulnerability in the Zimbra collaborative email platform that is being actively exploited online against government organisations and media outlets in Europe. According to the published report, the exploitation campaign started last December with the sending of phishing emails with malicious links under the lure of interview requests or invitations to charity auctions. When clicking on the malicious link, the attackers’ infrastructure redirects the victim to a page hosted on the target organisation’s Zimbra webmail host with a specific URI format that, if the user is logged in, exploits an XSS (cross-site scripting) vulnerability allowing the execution of arbitrary JavaScript code in the context of the logged-in Zimbra session, as well as leaking cookies to gain persistent mailbox access, forward phishing to other users or downloading malware from trusted websites. Volexity attributes this exploit campaign to a threat actor called “TEMP_Heretic”, unknown to date and whose origin could be Chinese. Additionally, the research confirms that the most recent versions of Zimbra (8.8.15 P29 and P30) are vulnerable, although tests conducted on version 9.0.0 indicate that it is likely to be unaffected, so it is recommended to upgrade if possible.

All the details: https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/

Leave a Reply

Your email address will not be published.