Attack against SonicWall by exploiting a possible 0-day in its VPN appliances
Firewall manufacturer SonicWall has issued a security alert warning that it has detected a sophisticated attack against its systems that could have been carried out through the exploitation of a 0-day in some of its remote access products. The products affected are versions 10.x of its VPN client NetExtender and versions 10.x of its Secure Mobile Access (SMA) devices. The firm recommends enabling multi-factor authentication (MFA) on potentially affected devices and restricting SSL-VPN connections to SMA devices to known IP addresses only via whitelist. The manufacturer has not provided details on the vulnerabilities, but according to Bleeping Computer, they appear to be preauthentication vulnerabilities that could be exploited remotely on publicly accessible devices. They also claim that on Wednesday 20 January, they were contacted by a threat actor claiming to have information about a 0-day vulnerability in a well-known firewall manufacturer.
More information: https://www.sonicwall.com/support/product-notification/urgent-security-notice-netextender-vpn-client-10-x-sma-100-series-vulnerability-updated-jan-23-2021/210122173415410/
Campaign against security researchers
Google’s Threat Analysis Group has identified a campaign, initiated a few months ago, targeting security and vulnerability researchers, and possibly carried out by a malicious group supported by the North Korean government. This group created a network of interactions to build credibility, creating a vulnerability research blog and several Twitter profiles that allowed them to share their own posts and communicate with victims. After initial communications via social networks (Twitter, Telegram, LinkedIn, email, Keybase and Discord), industry experts were asked if they wanted to collaborate with them on vulnerability research, providing them with a Visual Studio project that supposedly contained the source code to exploit the vulnerability and an additional DLL, this last one being a personalized malware that, when executed, communicates with the Command & Control domains that the cybercriminal group controls. The compromise of systems with backdoors has also been detected after accessing a link posted on Twitter that would lead to an alleged article that would be in the research blog.
Just a few days after the announcement made by Google, Microsoft published a new update, reporting that the campaign continues to be active. Microsoft, which has named the malicious actor ZINC, associated with North Korea, has also added new technical details. Targets include pentesters, offensive security researchers, and security and technology employees. ZINC uses a number of techniques including gaining credibility on social networks by sharing specialised content, the use of malicious websites to launch watering hole attacks that exploit browser vulnerabilities, and the submission of malicious Visual Studio projects. In this last case, the submitted projects include pre-built binaries, including “Browse.vc.db” which includes a malicious DLL detected by Microsoft as the Comebacker malware.
More details: https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
Extraordinary Apple newsletter fixes several actively exploited 0-days
Apple has published an extraordinary security newsletter in which it fixes three 0-day vulnerabilities, one in Kernel (CVE-2021-1782) and two in WebKit (CVE-2021-1871 and CVE-2021-1870), which are being exploited on a massive scale. At this stage, the company has not disclosed whether the exploits are indiscriminate or targeted, but they require user interaction in order to be exploited. The exploitation chain is complete, as the exploit is first deployed in the victim’s browser (WebKit), and then the kernel is exploited. These vulnerabilities are affecting both iOS and iPadOS, so it is recommended to update devices to version 14.4.
All the information: https://support.apple.com/en-us/HT212146
Vulnerability in sudo allows root permissions
Security researchers at Qualys have discovered and published details of a heap overflow vulnerability in Sudo, which would allow local users to gain root permissions on a vulnerable system. According to the researchers, this flaw (CVE-2021-3156) has existed since 2011. Likewise, Qualys has developed exploits to test this vulnerability, managing to obtain root permissions on Linux distributions: Ubuntu 20.04, Debian 10 and Fedora 33, although they believe that still other operating systems and distributions could also be vulnerable. The vulnerability has been fixed in Sudo version 1.9.5p2.
More information: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Emotet: dismantled after global police operation
A joint operation between authorities in the United States, United Kingdom, France, Lithuania, Canada, the Netherlands, Germany and Ukraine, coordinated by Europol and Eurojust, has resulted in the dismantling of the Emotet malware. Since its appearance as a banking Trojan in 2014, this malware has evolved into one of the most important botnets, being used by cybercriminals as a gateway into affected systems to spread other infections. In fact, as we reported in this newsletter, its activity has intensified in several campaigns in the last month, with the latest campaign reported just a week ago. According to the information provided, this week law enforcement and judicial authorities gained access to control the infrastructure and dismantled it from the inside; it is known that this infrastructure involved hundreds of servers around the world. In addition, information available for mitigation has been distributed to all CERTs to notify and clean up affected systems.
So far it is known that the German police forces (BKA) have replaced the C2 servers with their own servers in order to distribute a mitigation file to the affected systems, which will prevent Emotet administrators from communicating with the affected systems again, and will distribute a module created for its uninstallation, which seems to be scheduled for 25 April. It has also been reported that two operators of the malware have been arrested in Ukraine and that police in the Netherlands have recovered data stolen from Emotet victims. Despite all these actions, there is still a high risk that Emotet will be back in operation (not in a short term, but after several months), since not all the perpetrators have been arrested, as stated by Cofense researchers.
More details: https://www.europol.europa.eu/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action