Microsoft’s monthly bulletin
Microsoft has released its June security bulletin, which fixes 50 vulnerabilities, including remote code execution (RCE) flaws, denial of service issues, privilege escalation and memory corruption issues. Five of the fixed vulnerabilities would allow remote code execution: CVE-2021-33742 (0-day that was in active exploitation), CVE-2021-31963, CVE-2021-31967, CVE-2021-31959, CVE-2021-31985.
Also noteworthy among the security updates are patches for seven 0-days, six of which were being actively exploited:
- CVE-2021-33742 (CVSS 7.5): remote code execution vulnerability in the Windows MSHTML platform.
- CVE-2021-33739 (CVSS 8.4): Microsoft DWM core library privilege escalation vulnerability.
- CVE-2021-31199 and CVE-2021-31201 (CVSS 5.2): Microsoft enhanced cryptographic provider privilege escalation vulnerabilities.
- CVE-2021-31955 (CVSS 5.5): Windows kernel information disclosure vulnerability.
- CVE-2021-31956 (CVSS 7.8): Windows NTFS privilege escalation vulnerability.
- CVE-2021-31968 (CVSS 7.5): Denial of Service vulnerability in Windows Remote Desktop Services. This is the only fixed 0-day for which there is no evidence of exploitation.
More info: https://msrc.microsoft.com/update-guide/en-us
New PuzzleMaker campaign uses 0-days string in Chrome and Windows 10
Researchers have discovered a new group called PuzzleMaker, which would be using a 0-days string in Google Chrome and Windows 10 in attacks that are highly targeted against companies around the world. The campaign has been active since mid-April, when the first victims’ systems were compromised. The 0-days exploit chain deployed in this activity exploits a remote code execution vulnerability in Google Chrome V8 Javascript to gain access to the system. The attackers then used a privilege escalation exploit to compromise the latest versions of Windows 10, exploiting a vulnerability in the Windows kernel (CVE-2021-31955) and another privilege escalation flaw in the Windows NTFS (CVE-2021-31956), both of which have already been patched. After using the Chrome and Windows exploits to gain an access point to the victim’s system, PuzzleMaker deploys and executes four additional malware modules from a remote server. First, a stager is deployed to notify that the exploit was successful, as well as to deploy and execute a more complex dropper, which in turn installs two executables, which pretend to be legitimate Windows operating system files; the second of these is a remote shell and can be considered the main payload of these attacks. No similarities have been identified between the malware used and any known malware.
Chrome Bulletin – New 0-day actively exploited
Google has published its monthly bulletin for the month of June in which several security flaws have been fixed in its Chrome browser for Windows, Mac and Linux. Among these flaws is a new high-severity 0-day, identified as CVE-2021-30551, which, according to the company itself, is being actively exploited. Meanwhile, Google employee Shane Huntley has published a tweet in which he confirms that this exploit is being used by the same group that has been linked to the exploitation of the 0-day CVE-2021-33742 in the Edge browser fixed by Microsoft this week. This new 0-day is derived from a type-confusion error in its V8 open-source engine and allows a remote attacker, via a specially designed website, to trick the user into accessing it and thus exploit this flaw and execute arbitrary code on the victim’s system. In addition, the new bulletin also highlights a critical use-after-free vulnerability in the BFCache optimisation system (CVE-2021-30544).
Learn more: https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html
New groups exploit old SonicWall VPN vulnerabilities
CrowdStrike’s incident response team has found out that ransomware operators are exploiting an old vulnerability in SonicWall VPN (CVE-2019-7481 CVSS 7.5) that affects Secure Remote Access SRA 4600 devices in a number of incidents. The ability to exploit this vulnerability against SRA devices has not been previously reported, and it would be affecting versions prior to 10.x, although it was officially published that only versions prior to 9.0.0.3 were affected, since the latest versions of the Secure Mobile Access (SMA) firmware no longer mitigate this CVE for SRA devices. Likewise, in February 2021, SonicWall’s PSIRT broke down a new 0-day (CVE-2021-20016 CVSS 9.8) affecting its SMA 100 appliances that required updates to versions later than 10.x. Regarding this vulnerability, SonicWall did not mention whether it affected older SRA VPN appliances that were still in production environments, as they are considered to be beyond their useful life. This CrowdStrike analysis has focused on the 2019 vulnerability as there are public proofs of concept for it and they claim that they do not want to provide information that could be used by attackers, as the 2021 vulnerability has no public PoCs at this time.
Full info: https://www.crowdstrike.com/blog/how-ecrime-groups-leverage-sonicwall-vulnerability-cve-2019-7481/
Siloscape: the first malware targeting Windows containers
PaloAlto researcher Daniel Prizmant has detailed the first malware campaign targeting Windows containers. In July 2020 a technique for escaping Windows containers in Kubernetes and accessing the container cluster was made public, although Microsoft did not initially recognise it as a vulnerability as they argued that containers should not be used as a security measure, they eventually had to acknowledge the flaw by allowing it to escape from a container to the host without administrator permissions (CVE-2021-24096). The new malware called “Siloscape” aims to exploit Kubernetes via Windows containers, implanting a backdoor into misconfigured Kubernetes clusters to run malicious containers with cryptocurrency mining functionality or exfiltrate information from applications running in the cluster. The initial attack vectors in the containers have been mainly web vulnerabilities such as CVE-2020-14882, vulnerable PHP applications, SQL injections, or vulnerable Redis services.
More details: https://unit42.paloaltonetworks.com/siloscape/
