Cyber Security Weekly Briefing 30 January – 5 February

Chrome will reject Camerfirma’s certificates

Google plans to ban and remove Chrome’s support for digital certificates issued by the certification authority (CA) Camerfirma, a Spanish company that is widely deployed in different public administrations of all kinds, including the Tax Agency. The restriction will come into force with the launch of Chrome 90, scheduled for mid-April this year. With the new version of the browser, all websites that use TLS certificates issued by Camerfirma to secure their HTTPS traffic will display an error and will not load in Chrome. The decision to ban Camerfirma’s certificates was announced after the company took more than six weeks to explain a series of 26 incidents related to its certificate issuing process. So far, the other major browser suppliers (Apple, Microsoft and Mozilla) have not indicated taking similar action but are expected to do so in the coming weeks.

More details: https://www.zdnet.com/article/google-bans-another-misbehaving-ca-from-chrome/

Google and Qualcomm patch critical Android vulnerabilities

The February security newsletter issued by Google fixes, among others, two vulnerabilities considered to be of critical severity. Both bugs, CVE-2021-0325 and CVE-2021-0326, allow remote execution of arbitrary code (RCE) within the context of a privileged process by sending a specially crafted packet or broadcast. The same newsletter also includes references to several vulnerabilities in Qualcomm components, reported by Qualcomm in its own security newsletter. Three of them are of critical severity: CVE-2020-11272, affecting the WLAN component with a CVSS score of 9.8 out of 10; CVE-2020-11163 and CVE-2020-11170 affecting proprietary software components present in the operating system. All of them have been fixed and no evidence of active exploitation is available.

More information: https://source.android.com/security/bulletin/2021-02-01

Google fixes a 0-day in Chrome

Yesterday, 4 February, Google released the 88.0.4324.150 version of Chrome for Windows, Mac and Linux, which will be progressively implemented in the user base over the next few days. This new update follows the recent release of version 88.0.4324.146, which fixed six other vulnerabilities in the same browser (CVE-2021-21142/21147). This time the new version is released to fix a 0-day, identified as CVE-2021-21148, reported on 24 January by researcher Mattias Buelens. The bug involves a stack overflow in the v8 JavaScript engine, and can be exploited by attackers to execute arbitrary code on systems running previous versions of Chrome. In its publication, Google confirms the existence of functional exploits for this vulnerability. Zdnet points out the coincidence between the report of the vulnerability on 24 January and the publication, days after the findings by Google on 25 January and by Microsoft on 28 January of a campaign of attacks against security researchers. Within the two articles, the firms mention the exploitation of 0-day vulnerabilities in browsers to execute malware on the researchers’ systems. Google has not confirmed this speculation, as it has not confirmed that the vulnerability fixed in this new version (CVE-2021-21148) is the one used in the attacks.

All the information: https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html

SonicWall fixes an actively exploited 0-day vulnerability

SonicWall has released an update that fixes a 0-day vulnerability in the SMA 100 series firmware. On 22 January, the company reported that it was the victim of a coordinated attack against its internal systems through the possible exploitation of 0-day vulnerabilities. The internal investigation identified the flaw in the Secure Mobile Access (SMA) product, version 10x, and recommended that clients should enable multi-factor authentication on affected devices as a mitigation measure. On 31 January, NCC Group informed SonicWall of details of the identified vulnerability, listed as CVE-2021-20016, which could allow an unauthenticated attacker to remotely exploit the vulnerability via an SQL query that would provide the username password and other session-related data. At this time, no detail about the actor behind the attacks against SonicWall has yet been identified.

More details: https://www.sonicwall.com/support/product-notification/urgent-patch-available-for-sma-100-series-10-x-firmware-zero-day-vulnerability-updated-feb-3-2-p-m-cst/210122173415410/

CacheFlow – Malicious Chrome and Edge extensions steal and manipulate user data

Security researchers at Avast have published a new blog post with more details on the threat known as CacheFlow, which was unveiled last December 2020 by researchers at CZ.NIC and which has been active since at least October 2017. In the new article, Avast describes a campaign involving a wide network of malicious extensions for Chrome and Edge browsers, with more than three million installations in total. The CacheFlow attack is carried out in several steps, starting when a user downloads one of the extensions. A few days after installation, a new payload is downloaded from a covert channel, which eventually downloads the CacheFlow payload. At this point, every time the browser is launched, CacheFlow tries to steal information from the user’s Google account, injects malicious code into all new tabs opened and hijacks users’ clicks to modify search results. According to Avast’s research, the  most affected countries by the attack are Brazil, Ukraine and France, although downloads of these extensions from Spain have also been detected.

More information: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/