Cybersecurity Weekly Briefing November 7-13

Links between Vatet, PyXie and Defray777

Researchers from Palo Alto Networks have investigated the families of malware and operational methodologies used by a threat agent that has managed to go unnoticed while compromising entities in the health, education, technology and institutional sectors. The group, active since 2018 and driven by financial motivations, would be responsible for the creation of Vatet, a loader that allows the execution of payloads such as PyXie RAT and Cobalt Strike. In some intrusions, a previous step can be observed through the use of typical banking Trojans such as IcedID or Trickbot as an entry point, to subsequently download Vatet and its payloads in order to carry out recognition and information exfiltration tasks before running ransomware Defray777 in memory. The researchers estimate that this group is responsible for the creation and maintenance of Vatet, PyXie and Defray777.

Microsoft Security Newsletter

Microsoft has published its monthly update newsletter, known as Patch Tuesday, in which the company has fixed 112 vulnerabilities in several of its products. 17 vulnerabilities have been classified as critical, 12 of which are related to CER flaws. Among the vulnerabilities published by the Redmond company, the CVE-2020-17087 (CVSS 7.8) stands out: local vulnerability of scalation of privileges in the Windows kernel, which was already discovered by Google Project Zero and actively exploited. Likewise, the critical vulnerabilityCVE-2020-17051 (CVSS 9.8) allows remote execution of code found in the Windows network file system (NFS). The Automox research team warns that, in the coming days, they expect an increase in the scanning of 2049 ports, as a result of this vulnerability. Finally, they highlight the vulnerabilities CVE-2020-17052 (CVSS 7.5) and CVE-2020-17053 (CVSS 7.5), which affect memory corruption that could lead to the remote execution of code found in Microsoft’s Scripting Engine and Internet Explorer.

Two new 0-day in Chrome

Yesterday, Google published the correction of two new 0-day vulnerabilities in its Chrome browser that would be actively exploited. The first of these (CVE-2020-16013) is due to an incorrect implementation of its JavaScript V8 engine. The second one (CVE-2020-16017) is a use-after-free memory corruption bug in the Site Isolation security component. Google indicates that they have evidence of the existence of exploits for these vulnerabilities. With the release of this new browser version (86.0.4240.198), Google has corrected five 0-day bugs in less than three weeks.

Distribution of malware through fake Microsoft Teams updates

According to Bleeping Computer, Microsoft is allegedly alerting its users through a private note about a campaign of fake Microsoft Teams updates carried out by ransomware operators. In this campaign, threat agents are reportedly exploiting malicious advertisements so that, when searching for the Teams application in search engines, the main results lead to a domain under the control of the attacker. By accessing the malicious link, the payload would be downloaded hidden under a legitimate Teams update. According to Microsoft, in most cases, the initial payload was the infostealer Predator the Thief, which allows the exfiltration of sensitive information from the victim. However, Bladabindi and ZLoader malware have also been detected, as well as Cobalt Strike to perform lateral movement on the infected network and subsequently launch the ransomware.

New malware against hostelry sector

ESET researchers have discovered a new modular backdoor, called ModPipe, which targets point-of-sale (POS) management software with the aim of stealing sensitive information stored on these devices. This backdoor affects the RES 3700 POS systems from Oracle MICROS, a software used in many restaurants, bars and other hospitality establishments worldwide. The malware consists of a dropper through which a loader is installed to gain persistence. The next step is to implement the main module in charge of establishing communications with other downloadable modules that would allow, among other actions, deciphering and stealing passwords from the databases, obtaining the running processes or scanning IP addresses.