Vulnerabilities in DNS-as-a-Service
Researchers Shir Tamari and Ami Luttwak, from the security firm Wiz, revealed at the Black Hat security conference multiple vulnerabilities that could affect DNS-as-a-Service (DNSaaS) providers. They claimed that one of them had been successfully tested and exploited in at least three cloud suppliers such as AWS, Route53 and Google Cloud Platform. They also pointed out that all DNSaaS providers could be vulnerable. The flaw exists because most DNS suppliers do not blacklist their own DNS servers within their backends. The researchers confirmed that, if exploited, a threat actor could exfiltrate sensitive information from corporate networks, such as internal and external IP addresses and NTLM or Kerberos tickets, and could even map the company. Wiz says they were able to collect information from more than 15,000 organizations in 14 hours, suggesting that the risk is high. For their part, Amazon and Google have issued updates that would solve this flaw, with Google telling The Record Media that they have found no related malicious activity.
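As an added illustration (not code from Wiz or from any provider), the sketch below shows the kind of check the paragraph says was missing: refusing a customer zone whose name collides with the provider's own name servers. The host names and function names are hypothetical, and it assumes the check runs when a customer asks to register a zone.

```python
# Added example: provider-side blocklist for customer zone names.
# All host names are constructed placeholders under example.net.

PROVIDER_NAMESERVERS = {
    "ns-101.dnsaas.example.net",
    "ns-202.dnsaas.example.net",
}


def normalize(name: str) -> str:
    """Lower-case, drop the trailing root dot and IDNA-encode the name."""
    name = name.strip().rstrip(".").lower()
    if not name:
        raise ValueError("empty DNS name")
    # Raises UnicodeError (a ValueError) on empty or over-long labels.
    return name.encode("idna").decode("ascii")


def _within(child: str, parent: str) -> bool:
    """True if child equals parent or sits below it on a label boundary."""
    return child == parent or child.endswith("." + parent)


def is_reserved(zone: str, reserved=frozenset(PROVIDER_NAMESERVERS)) -> bool:
    """True if the zone equals, contains or sits under a provider name server.

    Checking both directions is deliberately conservative: a zone that is a
    parent of a name server host name would also be authoritative for it.
    """
    z = normalize(zone)
    return any(
        _within(z, ns) or _within(ns, z) for ns in map(normalize, reserved)
    )


def validate_zone_request(zone: str) -> str:
    """Return the normalized zone name, or refuse a reserved one."""
    if is_reserved(zone):
        raise PermissionError(f"zone {zone!r} collides with provider name servers")
    return normalize(zone)


if __name__ == "__main__":
    for candidate in ("NS-101.DNSaaS.Example.NET.", "customer.example.org"):
        print(candidate, "->", "rejected" if is_reserved(candidate) else "accepted")
```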
Malicious campaigns using Prometheus TDS for malware distribution
Researchers from Group-IB have published an analysis of two malicious campaigns that use the clandestine Prometheus Traffic Direction System (TDS) service to distribute different malware families such as BazarLoader, IcedID, QBot, SocGholish, Hancitor and Buer Loader. The Cyber Kill Chain of an infection in which the Prometheus TDS service has been used is multi-phase. First, the victim receives a malicious email that can carry one of three different elements: an HTML file, a link to a webshell or a Google Docs document, all of which end up redirecting the victim to malicious websites controlled by Prometheus. After the victim accesses the malicious URL, the second phase begins, which aims to download the Prometheus Backdoor, a tool responsible for collecting user data such as IP, User Agent or referer, among others. Once the data is collected, it is sent to the panel managed by Prometheus TDS and, after it has been analysed, the victim is either redirected to a new URL or sent a malicious Word, Excel, ZIP or RAR file that will download one of the malware families mentioned above. The researchers have identified two different active campaigns, one targeting the Belgian population and the other targeting companies, universities and governmental organisations in the United States.
More information: https://blog.group-ib.com/prometheus-tds
StealthWorker botnet brute-force attacks against Synology devices
Synology’s incident response team has detected an increase in the volume of brute-force attacks against its devices. Researchers believe the attacks originate from the botnet known as StealthWorker, which was identified by Malwarebytes in a brute-force campaign in February 2019. These attacks use a variety of already-infected devices to launch brute-force attacks in which the most common administration credentials are tested on other devices. If successful, the threat actor would gain access to the system to install malware that could include encryption capabilities (ransomware). According to the data collected, the affected systems could in turn be used in attacks on other Linux-based devices, including Synology NAS (Network-Attached Storage) devices. The firm strongly recommends that customers review their systems to modify weak credentials, enable automatic locking and account protection, and have MFA (Multi-Factor Authentication) in place if possible.
Microsoft’s monthly bulletin
Microsoft has published its August security bulletin which includes fixes for 44 vulnerabilities, seven of them critical. Within the set of vulnerabilities, the firm has fixed three new 0-days, one of which is already being actively exploited:
- CVE-2021-36948: Privilege escalation vulnerability in the Windows Update Medic system, for which active exploitation has been detected.
- CVE-2021-36942: Spoofing vulnerability in Windows LSA.
- CVE-2021-36936: Remote code execution vulnerability in Windows Print Spooler.
It is also important to mention that Microsoft has patched important vulnerabilities that have appeared over the last few weeks, including the following:
- PrintNightmare CVE-2021-34527: While the remote code execution part was patched, the local escalation of privilege component CVE-2021-34481 was not. This component could be exploited via the Point and Print function to install malicious print drivers.
- PetitPotam CVE-2021-36942: The vector that made it possible to exploit the security flaw has been corrected, so that a domain controller can no longer be forced to authenticate against another server.
Finally, it is also worth noting the update for vulnerability CVE-2020-0765 in Remote Desktop Connection Manager (RDCMan), an application whose use Microsoft advised against in March 2020 but which was brought back to life this June with the release of version 2.8. In the August bulletin, Microsoft announces a new vulnerability in the application and recommends upgrading to version 2.82.
More information: https://msrc.microsoft.com/update-guide/releaseNote/2021-Aug
LockBit announces Accenture data breach
The Ransomware-as-a-Service group LockBit announced yesterday on its dark web portal the publication of a series of data related to the company Accenture, which may have been stolen during a ransomware attack on the company. According to a report by Cyberscoop, the multinational company managed to detect the incident on July 30th and, as a result, the breached servers were isolated, the threat was mitigated, and the affected systems were restored by means of backups. This would mean that, currently, the level of risk of possible infection is practically non-existent for systems that communicate directly with Accenture’s networks. The firm also acknowledges that the attackers would have had access to documents that refer to a small number of clients and to work materials that the firm had prepared for its clients, but that in no case are these documents highly confidential. As to the leaks from LockBit operators, the group published on Wednesday a first leak that was deleted shortly afterwards, and immediately postponed the date and time of publication of new information. A day later they provided evidence of the breach of Accenture’s systems and again restarted the countdown on their portal, announcing a third date for August 13 at 10:43 p.m. (Spanish time).
More information: https://www.cyberscoop.com/accenture-ransomware-lockbit/