Cyber Security Weekly Briefing 31 October – 6 November

ElevenPaths    6 November, 2020

Apple fixes 3 0-day vulnerabilities

Apple, with the release of iOS 14.2, has fixed three 0-day vulnerabilities that are reportedly being actively exploited and that affect iPhone, iPad and iPod devices. The bugs were reported to Apple by Google Project Zero's security researchers, who are also credited with discovering the recently reported 0-day vulnerabilities in Chrome and Windows.

  • CVE-2020-27930: a remote code execution (RCE) bug caused by a memory corruption flaw when the FontParser library processes a maliciously crafted font.
  • CVE-2020-27932: a kernel privilege escalation vulnerability that would allow a malicious application to execute arbitrary code with kernel privileges.
  • CVE-2020-27950: a kernel memory initialization flaw that would allow a malicious application to read kernel memory.

It is recommended to upgrade to iOS 14.2 as soon as possible.

Cyberattacks on the industrial sector through remote management systems

In 2018, Kaspersky reported on a phishing campaign aimed at industrial sector entities, especially in manufacturing, whose purpose was to spread malware. Between summer 2019 and this autumn they have detected a new wave of the campaign with improved attack techniques. As a pretext, the phishing emails carry documents detailing equipment configurations, industrial processes and similar material, all stolen from the victim company itself or from one of its partners. The distributed malware lets the attackers use remote administration tools while hiding their use from the user, and even repurpose them as C2, as in the case of the cloud web interface of the RMS platform. The use of spyware and Mimikatz for credential theft and lateral movement to other systems on the network has also been observed. The ultimate goal is still financial gain.

Active exploitation of the 0-day vulnerability in Windows not yet corrected

Google has disclosed a Windows 0-day vulnerability (CVE-2020-17087), not yet patched, which was used as part of an exploit chain that also includes a Google Chrome 0-day (CVE-2020-15999), already patched in version 86.0.4240.111. The Chrome 0-day allowed attackers to run malicious code inside Chrome, while the Windows 0-day provides a sandbox escape that lets threat actors leave Chrome's secure container and run code on the underlying operating system. The Google Project Zero team notified Microsoft and gave the company seven days to patch the bug before disclosing the vulnerability details and a proof-of-concept exploit. According to Google's report, the 0-day is a bug in the Windows kernel that can be exploited to elevate an attacker's code to additional privileges, and it affects all Windows versions from Windows 7 to the most recent Windows 10 release. A patch is expected on November 10, the date of Microsoft's next Patch Tuesday.

Windows virtual machines new RegretLocker ransomware target

The new ransomware called RegretLocker, discovered in October by MalwareHunterTeam researchers, has the peculiarity of not using a ransom note and of using email for communications instead of a web page on Tor. When encrypting files, RegretLocker appends the extension .mouse to the names of the encrypted files. Although apparently simple, this ransomware has advanced features that are uncommon in its malware family: it is able to encrypt Windows virtual machines and to close open files so that they can be encrypted. Ransomware that encrypts files on a computer does not usually encrypt very large files such as virtual machine disks, since that slows down the entire encryption process. RegretLocker, however, uses the Windows Virtual Storage API functions OpenVirtualDisk, AttachVirtualDisk and GetVirtualDiskPhysicalPath to encrypt virtual machines. It also uses the Windows Restart Manager API to terminate Windows processes or services that keep a file open during encryption.
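The two traits described above (mass renames to the .mouse extension and a process that also touches virtual disk files) can be correlated per process in endpoint file-activity telemetry. The following Python is an added example from the editor, not code from the briefing or from the researchers it cites; the event format, the sample events and the rename threshold are constructed assumptions.

```python
import re
from collections import defaultdict

RANSOM_EXT = ".mouse"                             # extension reported for RegretLocker
VDISK_EXTS = (".vhd", ".vhdx", ".avhdx", ".vmdk")  # virtual disk files worth watching
RENAME_THRESHOLD = 2                              # assumed tuning value, not from the briefing

# Assumed line format for exported file-activity events (hypothetical, EDR/Sysmon-like).
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) action=(?P<action>\w+) "
    r"path=(?P<path>.+?)(?: -> (?P<newpath>.+))?$"
)

# Constructed sample events for illustration only.
SAMPLE_EVENTS = r"""
2020-11-02T10:01:03Z pid=4120 proc=regret.exe action=rename path=C:\Users\ann\Docs\q3.xlsx -> C:\Users\ann\Docs\q3.xlsx.mouse
2020-11-02T10:01:04Z pid=4120 proc=regret.exe action=rename path=C:\Users\ann\Docs\plan.docx -> C:\Users\ann\Docs\plan.docx.mouse
2020-11-02T10:01:05Z pid=4120 proc=regret.exe action=open path=C:\VMs\build-server.vhdx
2020-11-02T10:01:06Z pid=4120 proc=regret.exe action=rename path=C:\VMs\build-server.vhdx -> C:\VMs\build-server.vhdx.mouse
2020-11-02T10:02:00Z pid=800 proc=explorer.exe action=rename path=C:\Users\ann\Docs\old.txt -> C:\Users\ann\Docs\older.txt
2020-11-02T10:03:00Z pid=2210 proc=vmconnect.exe action=open path=C:\VMs\test.vhd
"""

def parse_events(text):
    """Parse event lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(EVENT_RE.match, text.strip().splitlines()) if m]

def analyse(text, threshold=RENAME_THRESHOLD):
    """Per pid: count renames to .mouse and distinct virtual disk files touched."""
    stats = defaultdict(lambda: {"proc": None, "mouse_renames": 0, "vdisk_paths": set()})
    for ev in parse_events(text):
        s = stats[ev["pid"]]
        s["proc"] = ev["proc"]
        new = ev["newpath"]
        if ev["action"] == "rename" and new and new.lower().endswith(RANSOM_EXT):
            s["mouse_renames"] += 1
        for p in (ev["path"], new):                 # the source of a rename still counts
            if p and p.lower().endswith(VDISK_EXTS):
                s["vdisk_paths"].add(p.lower())
    findings = {}
    for pid, s in stats.items():
        flagged = s["mouse_renames"] >= threshold
        findings[pid] = {"proc": s["proc"], "mouse_renames": s["mouse_renames"],
                         "vdisk_files_touched": len(s["vdisk_paths"]), "flagged": flagged,
                         "vm_aware": flagged and bool(s["vdisk_paths"])}
    return findings

if __name__ == "__main__":
    for pid, f in analyse(SAMPLE_EVENTS).items():
        print(pid, f)
```

In the sample, only pid 4120 crosses the rename threshold and also touched a .vhdx, so it is the one reported as a VM-aware encryptor; vmconnect.exe opening a .vhd on its own is not flagged.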

Data on 34 million stolen users from 17 companies for sale

According to the specialist technology outlet BleepingComputer, a malicious actor has put up for sale 34 million user records, claiming that they come from data breaches at 17 different companies. The seller created a thread on a hacker forum on October 28th detailing the type of information exposed in each of the databases, which includes email addresses, passwords in various formats, usernames, phone numbers, dates of birth, addresses and other sensitive data. The affected companies span a wide range of sectors and geographical locations. None of them had reported a recent breach, and only two have done so after being contacted by the article's authors: Singapore's online supermarket RedMart and Thailand's review site Wongnai.
