Cyber Security Weekly Briefing April 10-16

ElevenPaths, 16 April 2021

0-days in Chrome and Edge

Security researcher Rajvardhan Agarwal has discovered a 0-day vulnerability in the current versions of Google Chrome and Microsoft Edge, which he has made public via his Twitter and GitHub profiles. According to The Record, the exploit code stems from a vulnerability that was used during last week’s Pwn2Own hacking event. While the details of the vulnerability were never published, Agarwal reportedly located it in Chromium’s V8 JavaScript engine by reviewing the source code for patches. Chromium developers have presumably already fixed the flaw, but the fix is not yet part of the official updates for browsers such as Google Chrome and Microsoft Edge, which remain vulnerable.

A few days later, the security researcher known on Twitter as @frust93717815 announced a new 0-day vulnerability in Chromium-based browsers, publishing a PoC on his GitHub profile. This new vulnerability affects both Chrome and Edge and, like the one published earlier this week, could allow remote code execution; the PoC demonstrates this by opening the Windows Notepad application. While this vulnerability is not able to escape the Chromium sandbox, and is therefore not harmful on its own, a threat actor that manages to disable Chrome’s sandboxing argument (either by chaining it with other vulnerabilities or by deceiving the user) could exploit it. Bleeping Computer has verified that the exploit is functional in the latest versions of Google Chrome (89.0.4389.128, released just a few days ago) and Microsoft Edge (89.0.774.76).

Both vulnerabilities have been patched in Google Chrome 90.0.4430.72 and Microsoft Edge 89.0.774.77.
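A defender's follow-up to the two items above: the check below flags browser installs that predate the fixed builds named in the briefing, and also flags Chromium processes launched with `--no-sandbox`, the switch that removes the mitigation that kept the second 0-day from being directly harmful. This is an added example, not code from the briefing or from the researchers it cites; the host inventory it runs over is constructed.

```python
# Added example (not from the briefing): flag browser installs still exposed to the two
# Chromium 0-days described above. Fixed versions are those given in the briefing.
from typing import Dict, List, Tuple

# First builds that carry the fix, as stated in the briefing.
FIXED_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "chrome": (90, 0, 4430, 72),
    "edge": (89, 0, 774, 77),
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a four-part Chromium version such as '89.0.4389.128' into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chromium version string: {version!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(browser: str, version: str) -> bool:
    """True when the installed build predates the first fixed release for that browser."""
    return parse_version(version) < FIXED_VERSIONS[browser]

def sandbox_disabled(cmdline: str) -> bool:
    """Chromium's --no-sandbox switch disables the renderer sandbox; treat it as a finding."""
    return "--no-sandbox" in cmdline.split()

def assess(inventory: List[Dict[str, str]]) -> List[str]:
    """Return one finding per host condition: unpatched build, or sandbox switched off."""
    findings: List[str] = []
    for host in inventory:
        name, browser, version, cmd = host["host"], host["browser"], host["version"], host["cmdline"]
        if is_vulnerable(browser, version):
            fixed = ".".join(map(str, FIXED_VERSIONS[browser]))
            findings.append(f"{name}: {browser} {version} predates fixed build {fixed}")
        if sandbox_disabled(cmd):
            findings.append(f"{name}: {browser} launched with --no-sandbox")
    return findings

# Constructed inventory; the version numbers are the ones the briefing names.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "browser": "chrome", "version": "89.0.4389.128", "cmdline": "chrome.exe"},
    {"host": "ws-02", "browser": "edge", "version": "89.0.774.76", "cmdline": "msedge.exe --no-sandbox"},
    {"host": "ws-03", "browser": "chrome", "version": "90.0.4430.72", "cmdline": "chrome.exe"},
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_INVENTORY):
        print(finding)
```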

More info:

Microsoft security newsletter

Microsoft has published its monthly security newsletter for April, in which it has fixed more than 100 vulnerabilities. Among the updates there are patches for new flaws in the 2013-2019 versions of Exchange Server (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483), all of them of high criticality and two of which would allow a potential attacker to execute remote code without the need for authentication. Regarding these vulnerabilities, the US Cybersecurity and Infrastructure Security Agency (CISA) has urged all federal agencies to install the updates by Friday. A vulnerability in Desktop Window Manager, CVE-2021-28310, of medium criticality, has also been fixed; it is being actively exploited by several threat actors to escalate privileges on vulnerable systems. Finally, it is also worth mentioning several RCE vulnerabilities affecting Microsoft Office: CVE-2021-28454, CVE-2021-28451 (Excel), CVE-2021-28453 (Word) and CVE-2021-28449. Other patched products include Edge, Azure, SharePoint, Hyper-V, Team Foundation and Visual Studio.

All the details: https://msrc-blog.microsoft.com/2021/04/13/april-2021-update-tuesday-packages-now-available/

Adobe fixes multiple critical vulnerabilities

Adobe has patched several vulnerabilities affecting four of its products: Adobe Photoshop, Adobe Digital Editions, Adobe Bridge and RoboHelp. There are a total of ten vulnerabilities, including two critical flaws listed as CVE-2021-28548 and CVE-2021-28549 affecting Adobe Photoshop, one critical flaw (CVE-2021-21100) in Adobe Digital Editions, six vulnerabilities, including four critical (CVE-2021-21093, CVE-2021-21092, CVE-2021-21094, CVE-2021-21095) that impact Adobe Bridge and, finally, a high-risk flaw reportedly affecting RoboHelp. Adobe warns its clients to update vulnerable versions as soon as possible.

Learn more: https://helpx.adobe.com/security.html

IcedID distribution campaigns

Microsoft researchers have recently detected a campaign to distribute the IcedID malware via legitimate contact forms on web pages. Attackers are reportedly using automation to fill out the contact forms, and the resulting submissions reach the victims as emails that look trustworthy at first glance. The message uses social engineering to push the victim into accessing an embedded link, relying on urgent language and legal threats over false copyright claims for images or other material supposedly used on their website. The link redirects to a Google login where the victim enters their credentials, which automatically initiates the download of the malicious file containing IcedID. Meanwhile, Uptycs researchers and analyst Ali Aqeel have also detected the distribution of IcedID via malicious Microsoft documents, mainly Excel and Word. It is worth remembering that IcedID is a banking trojan that steals victims’ financial information and is also capable of acting as a gateway to infected systems for other malware; it is thought to be one of the access vectors for the RansomEXX ransomware, which recently counted the Castelló City Council among its victims.

More details: https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/
