Privilege escalation vulnerability in Windows Defender
SentinelLabs researcher Kasif Dekel has discovered a vulnerability in Windows Defender that may have been present for more than twelve years. The flaw, tracked as CVE-2021-24092 with a CVSS score of 7.8, allows a local, authenticated attacker with low privileges to escalate privileges on a vulnerable system, and the complexity of exploitation is rated low; it is a local privilege escalation, not a remote or unauthenticated attack. The bug resides in BTR.sys, the driver that Defender uses to remove files and other resources during malware remediation, and is present in every version of Windows Defender since 2009. Microsoft fixed it in the 9 February (2021) security update release. Microsoft reports that no exploitation in the wild has been detected; the fix is delivered through Defender's regular engine updates, so systems running the latest Defender version are no longer affected.
France links Russian group Sandworm to attacks on web hosting providers
The French National Cybersecurity Agency (ANSSI) has published a report linking the Russian group Sandworm to a series of intrusions between 2017 and 2020 against French organisations, web hosting providers in particular. The campaign compromised Internet-exposed servers running Centreon, an IT monitoring platform. It is not yet known whether initial access was obtained through a supply-chain compromise or by exploiting specific vulnerabilities in the software. After the initial compromise, the threat actor deployed the Exaramel backdoor and the P.A.S. web shell (also known as Fobushell) on the affected networks, and routed command-and-control traffic through public and private VPN anonymisation services. ANSSI has published indicators of compromise for this threat in MISP JSON format, together with YARA and Snort detection rules.
More details: https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-005/
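Indicators published in MISP JSON format carry a `to_ids` flag per attribute that says whether the value is safe to alert on, and attributes can sit directly under the event or inside MISP objects. The following Python is an added example, not ANSSI's tooling or indicators: it loads a constructed MISP event (placeholder values from documentation address ranges and a fake hash), keeps only `to_ids` attributes, and sweeps constructed web server log lines and file hashes for them. Thresholds, log layout and the names `load_indicators`, `sweep_access_log` and `sweep_hashes` are this example's own.

```python
"""Consume a MISP JSON event and sweep logs and file hashes for its indicators."""
import json
import re
from typing import Dict, Iterable, List, Set

# Constructed sample event in MISP's JSON export layout. Every value is a
# placeholder (RFC 5737 / RFC 2606 documentation ranges, a fake hash); these
# are NOT ANSSI's indicators.
SAMPLE_MISP_EVENT = json.dumps({
    "Event": {
        "info": "constructed example event",
        "Attribute": [
            {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True,
             "comment": "constructed: relay used for C2"},
            {"type": "ip-dst", "value": "198.51.100.7", "to_ids": False,
             "comment": "constructed: context only, not for alerting"},
            {"type": "domain", "value": "Updates.Example.NET", "to_ids": True},
        ],
        "Object": [
            {"name": "file", "Attribute": [
                {"type": "sha256", "value": "ab" * 32, "to_ids": True},
                {"type": "filename", "value": "cache.php", "to_ids": False},
            ]},
        ],
    }
})

# Constructed Apache combined-format access log lines (not real traffic).
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [10/Feb/2021:08:13:01 +0100] "POST /cache.php HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Feb/2021:08:14:22 +0100] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Feb/2021:08:15:05 +0100] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Feb/2021:08:16:40 +0100] "GET /a.php HTTP/1.1" 302 0 "http://updates.example.net/p" "Mozilla/5.0"',
    "garbage line that does not parse",
]
# Constructed: an upper-case copy of the IOC hash and one clean hash.
SAMPLE_FILE_HASHES = ["AB" * 32, "cd" * 32]

LOG_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def load_indicators(misp_json: str, ids_only: bool = True) -> Dict[str, Set[str]]:
    """Group attribute values by MISP type, lower-cased for case-insensitive
    matching. Attributes live under Event.Attribute and inside each
    Event.Object[*].Attribute. With ids_only, attributes whose to_ids flag is
    false (context, not detection material) are dropped."""
    event = json.loads(misp_json)["Event"]
    attrs = list(event.get("Attribute", []))
    for obj in event.get("Object", []):
        attrs.extend(obj.get("Attribute", []))
    out: Dict[str, Set[str]] = {}
    for a in attrs:
        if ids_only and not a.get("to_ids", False):
            continue
        out.setdefault(a["type"], set()).add(a["value"].lower())
    return out


def sweep_access_log(lines: Iterable[str], ind: Dict[str, Set[str]]) -> List[dict]:
    """Match client IPs against every IP-type indicator (direction in a report
    reflects the reporter's vantage point, not ours) and look for indicator
    domains anywhere in the line (request, referer). Unparseable lines are
    skipped rather than aborting the sweep."""
    ips = ind.get("ip-src", set()) | ind.get("ip-dst", set())
    names = ind.get("domain", set()) | ind.get("hostname", set())
    hits: List[dict] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["ip"] in ips:
            hits.append({"line": line, "type": "ip", "value": m["ip"]})
        low = line.lower()
        for name in names:
            if name in low:
                hits.append({"line": line, "type": "domain", "value": name})
    return hits


def sweep_hashes(hashes: Iterable[str], ind: Dict[str, Set[str]]) -> List[str]:
    """Return the input hashes that match an md5/sha1/sha256 indicator."""
    known: Set[str] = set()
    for t in ("md5", "sha1", "sha256"):
        known |= ind.get(t, set())
    return [h for h in hashes if h.lower() in known]


if __name__ == "__main__":
    ind = load_indicators(SAMPLE_MISP_EVENT)
    for hit in sweep_access_log(SAMPLE_ACCESS_LOG, ind):
        print(f"{hit['type']:7} {hit['value']:22} {hit['line'][:60]}")
    print("hash hits:", sweep_hashes(SAMPLE_FILE_HASHES, ind))
```

The `to_ids` filter matters in practice: a feed often includes infrastructure that is shared or historical, and alerting on it produces noise, so only attributes the publisher marked for IDS use are loaded by default. Pass `ids_only=False` when you want the full context set for a manual investigation.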
QNAP fixes a vulnerability in Surveillance Station
QNAP has fixed a stack-based buffer overflow vulnerability affecting NAS devices running a vulnerable version of its Surveillance Station software. The flaw, tracked as CVE-2020-2501, has been rated critical by the manufacturer. It allows attackers to execute arbitrary code on the device and could also be used to disrupt security services or anti-virus solutions running on it. QNAP has patched the vulnerability in updated Surveillance Station releases for both 64-bit and 32-bit operating systems; the fixed version number for each NAS architecture is listed in the advisory.
More details: https://www.qnap.com/en/security-advisory/qsa-21-07
RIPE NCC suffers credential stuffing attack
The RIPE Network Coordination Centre (RIPE NCC), the Regional Internet Registry for Europe, the Middle East and parts of Central Asia, has issued a statement saying that it was the target of a credential stuffing attack against RIPE NCC Access, its single sign-on (SSO) service, which gives access to multiple applications and services with one set of credentials. In a credential stuffing attack the adversary replays username and password pairs leaked from other breaches, typically one attempt per account across a large number of accounts, betting on password reuse. RIPE NCC reports that, despite some service disruption, the attack was successfully mitigated and that an initial investigation found no compromised accounts. The investigation is still ongoing, and any account holders found to be affected will be notified individually. RIPE NCC asks users to enable two-factor authentication to improve the security of their accounts.
All the information: https://www.ripe.net/publications/news/announcements/attack-on-ripe-ncc-access
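Credential stuffing against an SSO has a distinctive shape in the authentication log: one source cycles through many different accounts with roughly one attempt each, unlike a brute-force attack that hammers one account. The Python below is an added example, not RIPE NCC's detection logic or data: it builds constructed SSO auth log lines (one stuffing source, one brute-force source, one legitimate user), flags sources whose failures, distinct users and attempts-per-user ratio inside a sliding window match the stuffing pattern, and lists the accounts that nevertheless logged in successfully from a flagged source, which is the set an operator would notify individually. The line layout, thresholds and the names `build_sample_log`, `parse` and `detect_stuffing` are assumptions of this example.

```python
"""Flag credential-stuffing sources in SSO authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Assumed log line layout for this example: "<ISO-8601 ts> <src_ip> <user> <OK|FAIL>"
Event = Tuple[datetime, str, str, str]


def build_sample_log() -> List[str]:
    """Constructed data (not RIPE NCC's logs): 203.0.113.5 tries 30 accounts
    once each and gets into one; 192.0.2.77 brute-forces 'admin' 30 times;
    198.51.100.20 is a real user who mistypes twice before succeeding."""
    t0 = datetime(2021, 2, 17, 8, 0, 0)
    lines: List[str] = []
    for i in range(30):
        result = "OK" if i == 7 else "FAIL"
        lines.append(f"{(t0 + timedelta(seconds=4 * i)).isoformat()} 203.0.113.5 user{i:02d} {result}")
    for i in range(30):
        lines.append(f"{(t0 + timedelta(seconds=3 * i)).isoformat()} 192.0.2.77 admin FAIL")
    lines += [
        f"{(t0 + timedelta(minutes=1)).isoformat()} 198.51.100.20 bob FAIL",
        f"{(t0 + timedelta(minutes=1, seconds=20)).isoformat()} 198.51.100.20 bob FAIL",
        f"{(t0 + timedelta(minutes=1, seconds=45)).isoformat()} 198.51.100.20 bob OK",
    ]
    return lines


def parse(line: str) -> Event:
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_stuffing(lines: Iterable[str],
                    window: timedelta = timedelta(minutes=5),
                    min_failures: int = 10,
                    min_users: int = 10,
                    max_attempts_per_user: float = 2.0) -> Dict[str, dict]:
    """Per source IP, slide a time window over its events; flag the IP when one
    window holds at least min_failures failed logins spread over at least
    min_users distinct accounts with few attempts per account (stuffing), as
    opposed to many attempts against one account (brute force). Thresholds are
    assumptions to tune per environment."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(map(parse, lines), key=lambda e: e[0]):
        by_ip[ev[1]].append(ev)
    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            failures = sum(1 for e in win if e[3] == "FAIL")
            users = {e[2] for e in win}
            if (failures >= min_failures and len(users) >= min_users
                    and len(win) / len(users) <= max_attempts_per_user):
                flagged[ip] = {
                    "attempts": len(evs),
                    "distinct_users": len({e[2] for e in evs}),
                    "window_start": evs[start][0].isoformat(),
                    # every account that logged in from this source, across the
                    # whole log: candidates for notification and password reset
                    "successes": sorted({e[2] for e in evs if e[3] == "OK"}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(build_sample_log()).items():
        print(ip, info)
```

The attempts-per-user ratio is what keeps the brute-force source out of the result: it fails 30 times in the window but against a single account, so it should go to a lockout or rate-limit rule instead. The successful logins recorded for a flagged source are the accounts to contact individually and to reset, which is also why a second factor blunts this attack: a replayed leaked password alone no longer completes the login.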