Windows HTTP protocol stack vulnerability also affects WinRM
Security researchers have found that the vulnerability in the Windows HTTP protocol stack (http.sys, the kernel driver that parses incoming HTTP requests for the IIS web server), tracked as CVE-2021-31166 (CVSS 9.8), can also be used to attack systems that expose the WinRM (Windows Remote Management) service, because WinRM listens through the same http.sys driver. Successful exploitation would let an unauthenticated remote attacker execute arbitrary code. The flaw affects only Windows 10 and Windows Server versions 2004 and 20H2. Note that while WinRM is disabled by default on Windows 10, it is enabled by default on Windows Server, which considerably widens the exposed surface. No public proof of concept for code execution exists, but researchers have published one that crashes the target (denial of service) with a single packet, so unpatched hosts that expose port 5985 or 5986 should be treated as at risk.
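As an added example (not part of the original briefing, and not code from the researchers cited), the following PowerShell triage script checks whether a Windows host is in the exposed population described above: a 2004/20H2 build, the May 2021 cumulative update missing, and WinRM listening through http.sys. The KB number is the May 11, 2021 cumulative update for builds 19041/19042 as published by Microsoft; confirm it against the current advisory before relying on it. It performs no exploitation and only reads local configuration.

```powershell
# Added triage example for CVE-2021-31166 exposure via WinRM (not from the original page).
# Run in an elevated PowerShell session; netsh and winrm.cmd output is only reported, not parsed strictly.

function Test-HttpSysWinRMExposure {
    # Only builds 19041 (Windows 10 / Server 2004) and 19042 (20H2) ship the vulnerable http.sys.
    $build = [System.Environment]::OSVersion.Version.Build
    $buildAffected = @(19041, 19042) -contains $build

    # KB5003173 is the May 2021 cumulative update that fixes CVE-2021-31166 on those builds
    # (assumption to verify against Microsoft's advisory; later cumulatives supersede it).
    $mayUpdate = Get-HotFix -Id 'KB5003173' -ErrorAction SilentlyContinue
    $patched = [bool]$mayUpdate

    # WinRM service state: enabled by default on Windows Server, disabled on Windows 10.
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $winrmRunning = ($null -ne $winrm) -and ($winrm.Status -eq 'Running')

    # Anything listening on the WinRM ports is reached through http.sys's request parser.
    $winrmPorts = Get-NetTCPConnection -State Listen -LocalPort 5985, 5986 -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalPort -Unique

    # URL reservations show which prefixes http.sys will accept; WinRM registers +:5985/wsman/ and +:5986/wsman/.
    $wsmanAcls = (netsh http show urlacl) | Where-Object { $_ -match 'wsman' }

    # Configured WinRM listeners (empty when the service is disabled or no listener was created).
    $listeners = if ($winrmRunning) { & winrm.cmd enumerate winrm/config/listener 2>$null } else { @() }

    [PSCustomObject]@{
        Build               = $build
        BuildAffected       = $buildAffected
        MayUpdateInstalled  = $patched
        WinRMRunning        = $winrmRunning
        ListeningPorts      = @($winrmPorts)
        WsmanUrlAcls        = @($wsmanAcls | ForEach-Object { $_.Trim() })
        ListenerConfig      = @($listeners)
        # Exposed = vulnerable build, fix not seen, and http.sys actually serving WinRM.
        Exposed             = $buildAffected -and (-not $patched) -and $winrmRunning -and (@($winrmPorts).Count -gt 0)
    }
}

$result = Test-HttpSysWinRMExposure
$result | Format-List

if ($result.Exposed) {
    Write-Warning "Host is on an affected build with WinRM reachable through http.sys; install the May 2021 cumulative update or restrict 5985/5986."
}
```

Because later monthly cumulative updates supersede KB5003173, a host that is patched but shows MayUpdateInstalled as False should be checked by build revision (Get-ComputerInfo OsBuildNumber plus the UBR value under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion) rather than treated as exposed outright.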
0-day vulnerability at Apple
Apple has published a security bulletin fixing several security flaws, including a 0-day vulnerability affecting its macOS desktop operating system. The 0-day, discovered by the security firm Jamf and catalogued as CVE-2021-30713, is a bypass of the macOS TCC (Transparency, Consent, and Control) framework, which governs app access to protected resources such as the screen, camera and microphone, and has been exploited for at least a year by the group that operates the XCSSET malware. To distribute the sample, the XCSSET operators hid the malicious code in Xcode projects on GitHub, disguised as legitimate Apple scripts, so that the payload could circumvent TCC's consent prompts. Another vulnerability, discovered by the ZecOps research team and identified as CVE-2021-30741, has also been fixed; it affects iOS and involves the processing of maliciously crafted content. Apple recommends updating the affected systems to the latest versions to address these security problems.
All the details: https://support.apple.com/en-us/HT201222
Update: new espionage campaign exploiting Pulse Secure vulnerabilities
On 20 April, FireEye researchers published the discovery and analysis of an espionage campaign exploiting vulnerabilities in Pulse Secure VPN devices, attributed to suspected Chinese threat actors. A month later, the researchers have continued to build on those findings. FireEye's FLARE reverse engineering team has identified four new malware families linked to UNC2630, specifically designed to manipulate Pulse Secure devices, named BLOODMINE, BLOODBANK, CLEANPULSE and RAPIDPULSE. In addition, CISA has updated its alert with new threat actor TTPs, IoCs and revised mitigation measures. Ivanti's security incident response team has released a new version of its integrity checker tool for verifying the integrity of Pulse Connect Secure installations.
Malvertising campaign using AnyDesk software
CrowdStrike's Falcon Complete team has published an analysis of a malvertising campaign that uses the AnyDesk remote desktop software as a lure. The operators reportedly used Google's advertising platform to impersonate the legitimate AnyDesk website, with their ads appearing in search results above those for the genuine software. Through the fake website, users downloaded a trojanized AnyDesk installer that had been modified to include malicious functionality. The researchers estimate that around 40% of the clicks on these malicious Google ads resulted in installations of the trojanized AnyDesk binary, and that in 20% of those installations the threat actors went on to interact directly with the victims' computers, assigning tasks or executing commands by hand.