Cyber Security Weekly Briefing 9-15 October

Telefónica Tech    15 October, 2021
Cyber Security Weekly Briefing 9-15 October

​​Microsoft Security Bulletin

Microsoft has published its security bulletin for the month of October in which it has fixed a total of 81 bugs in its software, including 4 0-day vulnerabilities. Out of the 81 bugs, 3 have been categorised as critical severity. The first 0-day, categorised as CVE-2021-40449 and with a CVSS of 7.8, is an elevation of privilege flaw that, according to Kaspersky researchers, has been exploited to carry out attacks in campaigns against IT companies, military and diplomatic entities. The second 0-day (CVE-2021-40469 and CVSS of 7.2) is a remote code execution vulnerability in Windows DNS Server. The third (CVE-2021-41335 and CVSS of 7.8) is an elevation of privilege bug in the Windows kernel. The last one, classified as CVE-2021-41338 and with CVSS of 5.5, is a security evasion vulnerability in Windows AppContainer Firewall. On the other hand, the 3 fixed critical severity bugs correspond to remote code execution vulnerabilities, two of them in Windows Hyper-V (CVE-2021-38672 and CVE-2021-40461) and the remaining one (CVE-2021-40486) in Microsoft Word. It is recommended to apply the security updates as soon as possible.

More info: https://msrc.microsoft.com/update-guide/releaseNote/2021-Oct

​​​​Vulnerability in OpenSea NFT platforms allows cryptocurrency wallets to be stolen

Check Point researchers have detected that malicious actors could empty cryptocurrency wallets through malicious NFT platforms on OpenSea, one of the largest digital marketplaces for buying and selling crypto assets. This platform, active since 2018, has a total of 24 million NFT (non-fungible tokens), reaching a volume of up to $3.4 billion in August 2021 alone. The attack method used consists of creating an NFT in which the threat actor includes a malicious payload and then distributes it to victims. Several users reported that their wallets were emptied after receiving supposed gifts on the OpenSea marketplace, a marketing tactic known as “airdropping” used to promote new virtual assets. CheckPoint identified that the platform allows the uploading of files with multiple extensions (JPG, PNG, GIF, SVG, MP4, WEBM, MP3, WAV, OGG, GLB, GLTF), so they ran a test to reproduce the attack scenario, uploading an SVG with a malicious payload used to get the wallets of potential victims emptied. The reported bugs have now been fixed.

All the details: https://research.checkpoint.com/2021/check-point-research-prevents-theft-of-crypto-wallets-on-opensea-the-worlds-largest-nft-marketplace/

​​Cyber-attacks against water treatment systems

The US Cybersecurity and Infrastructure Agency (CISA) has issued a new alert concerning cyber-attacks against drinking water and wastewater processing facilities. The activity observed includes attempts to compromise the integrity of systems through unauthorised access by both known and unknown threat actors. The advisory also points to known weaknesses in entities in this sector such as their susceptibility to spear-phishing attacks, the exploitation of outdated and unsupported software and control systems, as well as the exploitation of remote access systems. Over the course of 2021, there have been several relevant incidents that would fit into this scheme, such as the identification in August of ransomware samples belonging to the Ghost and ZuCaNo families in the SCADA systems of plants in California, Nevada and Maine. Similarly, it is worth recalling the incident that occurred in February at a water treatment plant in Florida where a threat actor managed to modify the volumes of chemicals poured into drinking water tanks.

Learn more: https://us-cert.cisa.gov/ncas/alerts/aa21-287a

​Google warnings for government-backed attacks increase by 33%

Google’s Threat Analysis Group (TAG) team has published information on the number of warnings generated by its “Security warnings for suspected state-sponsored attacks” alert system launched in 2012. In the course of 2021, the system sent more than 50,000 warnings to users, an increase of 33% compared to the same period in 2020. According to Google, this service monitors more than 270 attacker groups in 50 different countries, generating warnings when it detects phishing attempts, malware distribution or brute force attacks originating from the infrastructure of government-backed threat actors known as Privateers. During 2021, Google highlights two threat actors that stand out above the rest, based on the impact of their campaigns targeting activists, journalists, government officials or workers in national security structures, identified as APT28 o “Fancy Bear” with the support of Russia and APT35 or “Charming Kitten”, an Iranian threat actor active since at least 2014. In addition, the publication points out that receiving such an alert means that the account is considered a “target” and does not necessarily mean that it has been compromised, so users are encouraged to sign up for this service or otherwise enable two-factor authentication on their accounts.

All the info: https://blog.google/threat-analysis-group/countering-threats-iran/

​​​​TrickBot Gang duplicates and diversifies infection efforts

IBM researchers have tracked the activity of the ITG23 group, also known as the TrickBot Gang and Wizard Spider, after observing an increase in the expansion of distribution channels used to infect organisations and businesses with Trickbot and BazarLoader, samples used to orchestrate targeted ransomware and extortion attacks. IBM’s analysis suggests that this increase may have contributed to the spike in Conti ransomware activity reported by CISA last September.  Researchers have also associated ITG23 with two groups affiliated with malware distribution, Hive0106 (also known as TA551) and Hive0107. These are characterised by attacks aimed at infecting corporate networks with malware, using techniques such as email thread hijacking, the use of fake customer support response forms, as well as the use of undeground call centres employed in BazarCall campaigns. These TTPs are reportedly leading to an increase in infection attempts by these groups.

More: https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/

Leave a Reply

Your email address will not be published. Required fields are marked *