Critical vulnerability in Zoho ADSelfService Plus
Zoho has issued a security advisory warning of a critical vulnerability in ADSelfService Plus, its enterprise password and login management software. The vulnerability is an authentication bypass affecting REST API URLs in ADSelfService Plus, which would allow a threat actor to achieve remote code execution (RCE). Although it has been assigned the identifier CVE-2021-40539, the vulnerability has not yet been given a CVSSv3 score. However, several sources rate it as critical. In addition, both Zoho itself and the US Cybersecurity and Infrastructure Security Agency (CISA) have confirmed that the vulnerability exists. CISA has confirmed that there is evidence of active exploitation of this flaw in the wild, so it is recommended to apply as soon as possible the updates already released by Zoho, which fix the problem in all versions of ADSelfService Plus prior to 6114.
New Windows 0-day actively exploited
Microsoft has published a security advisory revealing details of a new remote code execution vulnerability in Microsoft MSHTML, the component that handles the rendering of web documents in the now obsolete Internet Explorer (IE) browser but also in Office products. This flaw, tracked as CVE-2021-40444 with a CVSSv3 score of 8.8, is being exploited by threat actors in targeted attacks that deliver a specially crafted document requiring user interaction.
For the time being there is no patch, but a mitigation is available: disabling the installation of new ActiveX controls in IE. It should also be noted that, according to Microsoft, the attack is blocked if Office's default "Protected View" setting is kept. Security researchers claim to have located malicious Word documents used in attacks, obtaining more information about the exploitation and confirming that the flaw is more serious than initially thought. It has also been found that the Protected View that Office applies by default to files downloaded from the internet (those carrying the Mark of the Web, MotW) is not triggered if, for example, the malicious document is contained in a zip or ISO file or is an RTF document. At this point it is unclear whether Microsoft will release an official patch on Tuesday 14 September to address this vulnerability, so it is strongly recommended to apply the described mitigation measures and not to open attachments that do not come from a trusted source.
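The following PowerShell script is an added example for this bulletin; it is not code from the original text or from Microsoft. It audits, read-only, the three defensive points discussed above on a Windows host: whether Microsoft's published mitigation for CVE-2021-40444 (URLACTION values 1001 and 1004 set to 3, "disable", for Internet zones 0 to 3 under the machine-wide policy key) is in place, whether Word's Protected View for internet files, attachments and unsafe locations is still enabled, and whether documents in a folder actually carry the Mark of the Web (the Zone.Identifier alternate data stream). The Office 16.0 registry hive, the Downloads folder and the file extensions scanned are assumptions for the example.

```powershell
# Added example (not from the original bulletin): audit-only checks for the CVE-2021-40444
# mitigation state. Run in an elevated PowerShell session on the workstation being checked.
# Assumptions: Office 16.0 registry layout (Microsoft 365 / 2016 / 2019), Downloads folder.

# 1. Microsoft's mitigation disables installation of new ActiveX controls in IE by setting
#    URLACTION 1001 (download signed ActiveX) and 1004 (download unsigned ActiveX) to 3 in
#    every zone under the machine-wide policy key. An absent key means the mitigation is off.
$zonesKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
function Test-ActiveXMitigation {
    $ok = $true
    foreach ($zone in 0..3) {
        $props = Get-ItemProperty -Path (Join-Path $zonesKey $zone) -ErrorAction SilentlyContinue
        foreach ($v in '1001', '1004') {
            if (-not $props -or $props.$v -ne 3) {
                Write-Warning "Zone ${zone}: value $v is not 3 (ActiveX installation not disabled)"
                $ok = $false
            }
        }
    }
    return $ok
}

# 2. Protected View must stay on: each of these values set to 1 disables one of its triggers.
function Test-ProtectedView {
    $pv = 'HKCU:\Software\Microsoft\Office\16.0\Word\Security\ProtectedView'
    $p = Get-ItemProperty -Path $pv -ErrorAction SilentlyContinue
    $disabled = @('DisableInternetFilesInPV', 'DisableAttachmentsInPV', 'DisableUnsafeLocationsInPV') |
        Where-Object { $p -and $p.$_ -eq 1 }
    if ($disabled) { Write-Warning "Protected View disabled for: $($disabled -join ', ')" }
    return (-not $disabled)
}

# 3. The Mark of the Web is the Zone.Identifier ADS. A document without it (for example one
#    extracted from an ISO) opens outside Protected View, which is the bypass noted above.
#    Returns the ZoneId (3 = Internet) or $null when the file carries no mark.
function Get-MotWZone {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $content = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
        $line = $content | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
        return $null
    } catch {
        return $null   # no stream present: no Mark of the Web
    }
}

"ActiveX mitigation applied : $(Test-ActiveXMitigation)"
"Protected View intact      : $(Test-ProtectedView)"
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Include *.doc, *.docx, *.rtf -Recurse -File |
    ForEach-Object {
        $zone = Get-MotWZone -Path $_.FullName
        $label = if ($null -eq $zone) { 'none (would open without Protected View)' } else { "$zone" }
        '{0,-50} MotW zone: {1}' -f $_.Name, $label
    }
```

The script only reads registry values and file streams; applying the ActiveX mitigation itself is done by importing the .reg file from Microsoft's advisory. A document reported with "MotW zone: none" is the case the bulletin warns about, since Office has no basis for opening it in Protected View.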
0-day in Ghostscript allows servers to be compromised
Vietnamese security researcher Nguyen The Duc published a proof-of-concept (PoC) last Sunday for an unpatched 0-day vulnerability in Ghostscript. This exploit, published on GitHub and confirmed to work by several researchers, poses a risk to all servers using this component. Ghostscript is a small library that allows applications to process PDF documents and PostScript-based files. Although it is most commonly used in desktop software, it is also widely used on servers, where it is bundled with image conversion and file upload processing tools such as ImageMagick. The published proof-of-concept targets this second scenario, allowing a potential attacker to upload an altered SVG file that bypasses image processing and executes malicious code on the system. It is worth noting that this 0-day was discovered last year by researcher Emil Lerner; however, it was not made public until last month, when it was presented at a security conference.
ProxyShell exploit to deploy Conti ransomware
New research by Sophos has revealed that the operators of the Conti ransomware have added to their arsenal the exploitation of recent vulnerabilities in Microsoft Exchange that form the exploit chain known as ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). While this technique was already used as an access vector by the LockFile ransomware just a few weeks ago, the Conti intrusions show an improvement in tradecraft that allows a network to be completely compromised in just five days. Within one minute of successfully exploiting ProxyShell the attackers had a remote web shell, within four hours they had obtained domain administrator credentials, and within 48 hours they had exfiltrated 1 TB of sensitive data. In total, over the course of a single intrusion, up to seven backdoors (web shells, Cobalt Strike and commercial tools such as Atera and Splashtop) were observed being used to maintain access to the compromised environment.