Cyber Security Weekly Briefing June 12-18

ElevenPaths    18 June, 2021

0-day vulnerability in Chrome, the seventh so far this year

Yesterday, June 17, Google released version 91.0.4472.114 of Chrome for Windows, Mac and Linux, resolving a 0-day vulnerability tracked as CVE-2021-30554. Exploitation of this flaw could lead to arbitrary code execution on systems running unpatched versions of Chrome. Google has not disclosed any further details about the security issue until most users have updated their browsers. According to Kaspersky researchers, 0-day vulnerabilities of this kind have recently been exploited by the PuzzleMaker threat actor to break out of the browser's confines and install malware on Windows systems. Additionally, the update addresses three other serious browser vulnerabilities, affecting the Sharing, WebAudio and TabGroups components of Chrome, which have been identified as CVE-2021-30555, CVE-2021-30556 and CVE-2021-30557.

https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html

0-day vulnerabilities in Apple

Apple has issued security updates to address two 0-day vulnerabilities affecting its iOS 12 mobile operating system. The fixed flaws, listed as CVE-2021-30761 and CVE-2021-30762, stem from issues in the WebKit browser engine and could allow an attacker to execute arbitrary code when specially crafted malicious web content is processed. The firm warns that these vulnerabilities are being actively exploited. The security update also addresses a memory corruption issue in the ASN.1 decoder, listed as CVE-2021-30737, which could allow remote code execution. The devices affected by these flaws are the iPhone 5s, iPhone 6s, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3 and iPod touch (6th generation), all of which are patched in iOS version 12.5.4.

https://support.apple.com/en-us/HT212548

Microsoft stops a high-impact BEC operation

The Microsoft 365 Defender research team, together with the Microsoft Threat Intelligence Centre (MSTIC), has discovered and disrupted the infrastructure of a large-scale BEC operation. Their analysis shows that the threat actors used various cloud-hosted web services to compromise email inboxes and add forwarding rules from different IPs, introducing time delays between actions in order to go undetected by security systems. To gain initial access to a victim's account they used credentials obtained through social engineering: phishing emails carrying an HTML attachment with embedded JavaScript that impersonated a Microsoft login page. Once a user's credentials were compromised, the actors accessed the mailbox and added forwarding rules keyed on terms such as "invoice", "payment" or "statement", which gave them access to financial information as well as a persistent channel for exfiltrating it. They also allegedly created rules to delete the mails that had been forwarded to their infrastructure, making detection of their operations harder.

https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/
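The forwarding-rule pattern described above is something a defender can hunt for in mailbox audit logs. The following is an added example, not code from Microsoft's report: it scores constructed records shaped like Exchange Online unified-audit-log entries (Operation plus a list of Name/Value parameters) for the three traits the briefing names, namely forwarding to an external address, matching finance keywords, and deleting the forwarded copy. The internal mail domain and the sample records are assumptions.

```python
"""Flag suspicious inbox-rule creations in constructed Exchange audit records."""

# Keywords the briefing says the actors matched on; extend per environment.
FINANCE_WORDS = {"invoice", "payment", "statement"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Constructed records mimicking the shape of Exchange Online unified-audit-log
# entries (Operation plus a Parameters list of Name/Value pairs); not real data.
SAMPLE_RECORDS = [
    {"UserId": "alice@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment"},
                    {"Name": "ForwardTo", "Value": "collector@attacker-mail.test"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "bob@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Team updates"},
                    {"Name": "From", "Value": "hr@example.com"},
                    {"Name": "MoveToFolder", "Value": "HR"}]},
    {"UserId": "carol@example.com", "Operation": "Set-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "RedirectTo", "Value": "carol.home@personal-mail.test"}]},
]

def _params(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def _external(address):
    return not address.strip().lower().endswith("@" + INTERNAL_DOMAIN)

def score_rule(record):
    """Return (score, reasons) for one inbox-rule audit record; 0 means benign."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return 0, []
    p = _params(record)
    reasons = []
    if any(_external(p[k]) for k in FORWARD_PARAMS if k in p):
        reasons.append("forwards to external address")
    words = {w.strip().lower() for k, v in p.items()
             if "ContainsWords" in k for w in v.split(";")}
    if words & FINANCE_WORDS:
        reasons.append("matches finance keywords")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes forwarded mail")
    return len(reasons), reasons

def suspicious_rules(records, threshold=2):
    """Return (user, score, reasons) for records scoring at or above threshold."""
    hits = [(r["UserId"], *score_rule(r)) for r in records]
    return [h for h in hits if h[1] >= threshold]
```

With the default threshold only the rule combining external forwarding, finance keywords and deletion is reported; lowering it to 1 also surfaces plain external redirects such as carol's, which are worth reviewing but produce more noise.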

New malware evasion technique

Security researchers at Elastic have published a new executable image tampering technique, called "Process Ghosting", which could be used by attackers to evade protections and stealthily execute malicious code on Windows. With this technique, a threat actor could place a malware component on the victim computer's disk in a way that makes it difficult to detect. The evasion takes advantage of the time lag between the creation of a process and the moment the device's security systems are notified of it, giving attackers a window in which to avoid detection. The Process Ghosting flow begins by creating a file and putting it into a "delete-pending" state, which prevents other access to and reading of the file; the malicious code is then written to it, an image is created from the file on disk, and the file is finally deleted. The next step is to create a process from that image with the relevant environment variables and start a thread to execute it. The attack succeeds because the callbacks to security systems, such as antivirus, are made when the thread is created, at which point they try to read an already deleted file, thereby bypassing the checks.

https://www.elastic.co/es/blog/process-ghosting-a-new-executable-image-tampering-attack

Attack on CCTV provider’s supply chain

FireEye's Mandiant team has published an investigation into a new supply chain attack. The attackers in this incident have been identified as UNC2465, a group affiliated with the DarkSide ransomware. They breached a legitimate website of a closed-circuit television (CCTV) camera vendor and deployed a trojan inside a security camera PVR installer that users downloaded to configure and control their security devices. Installing the trojanised software also triggered the download of the Smokedham or Beacon trojans, among others. The researchers did not detect the Darkside ransomware on the victims' networks, mainly because the intrusion took place between 18 May and early June, by which time Darkside had already announced it was ceasing activity after the Colonial Pipeline attack.

https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html

Critical vulnerability in ThroughTek supply chain

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a critical software supply chain flaw affecting ThroughTek’s software development kit (SDK). Successful exploitation of this vulnerability could allow unauthorised access to sensitive information, such as audio/video streams from security cameras. The flaw, listed as CVE-2021-32934 and with a CVSS score of 9.1, affects ThroughTek P2P products with versions 3.1.5 and earlier, as well as versions with the nossl tag and various firmware configurations.

https://us-cert.cisa.gov/ics/advisories/icsa-21-166-01