Weekly cyber-facts in review
14/03/21
Vulnerabilities In Review
This month, Microsoft has fixed 82 flaws and 2 zero-days in its Patch Tuesday. 10 of them are classified as critical and the rest are classified as important. Among them are updates for Microsoft Exchange servers, which are being targeted by at least 10 APT groups from all around the world (and which we will return to later in this report).
Microsoft March 2021 Patch Tuesday
SAP's March 2021 Security Patch Day updates include 9 new security notes. Two of those refer to two critical vulnerabilities affecting the company's NetWeaver Application Server and Manufacturing Integration and Intelligence products. Exploitation of these vulnerabilities allows attackers to access SAP databases and tamper with records, move laterally to other servers, inject malware, and modify network configuration to potentially compromise internal networks.
SAP Security Patch Day – March 2021
Microsoft, as part of its March patch cycle, has also released new cumulative updates for all supported versions of Windows 10, tracked as KB5000808 and KB5000802. After administrators installed these updates, an error was displayed and Windows 10 crashed when printing. To solve this error, users must uninstall both updates.
Windows 10 Cumulative Updates
Multiple Cisco products are affected by a vulnerability in the Ethernet Frame Decoder of the Snort detection engine that could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition. Exploitation of this vulnerability allows an attacker to exhaust disk space on the affected device, which could result in administrators being unable to log in to the device or the device being unable to boot up correctly.
Multiple Cisco products with the Snort Ethernet Frame Decoder are vulnerable to DoS
F5 Networks has alerted its customers to patch as soon as possible four critical vulnerabilities affecting most BIG-IP and BIG-IQ software versions. Exploitation of those could lead to full system compromise, including interception of controller application traffic and lateral movement to the internal network.
F5 Networks has patched critical vulnerabilities affecting most BIG-IP and BIG-IQ software versions
QNAP has addressed a critical security vulnerability in the Surveillance Station app that allows attackers to execute malicious code remotely on network-attached storage (NAS) devices running the vulnerable software. The critical vulnerability is already fixed in versions 5.1.5.4.3 and 5.1.5.3.3.
QNAP patches critical vulnerability in Surveillance Station NAS app
On Tuesday, Adobe released patches for critical code execution vulnerabilities affecting its Connect, Creative Cloud, and Framemaker products.
Available patches for Adobe Connect, Adobe Creative Cloud and Adobe Framemaker
Issues to keep in mind
VMware releases fix for severe View Planner RCE vulnerability
VMware has addressed a high-severity unauthenticated RCE vulnerability affecting VMware View Planner, allowing attackers to abuse servers running unpatched software for remote code execution.
It is known that multiple attackers are scanning for vulnerable VMware servers and that thousands of unpatched vCenter servers are reachable over the Internet. That is why VMware is warning its customers to patch as soon as possible.
Unpatched flaws in Netgear
A total of 15 vulnerabilities have been identified in ProSAFE Plus JGS516PE and GS116Ev2 business switches from Netgear. The most important of these bugs is rated as critical and allows an unauthorized user to execute remote code.
These vulnerabilities could lead to attackers taking full control of the systems.
Serious vulnerabilities in Schneider Electric Power Meters
Two critical vulnerabilities have been identified in PowerLogic ION and PM series smart meters. These could be exploited remotely by an unauthorized attacker, allowing them to cause the targeted meter to reboot and possibly even to execute arbitrary code.
Users of the affected Schneider Electric products should apply the patches and mitigations to prevent potential attacks, particularly since information about the flaws has been made public.
Phishing in Review (1/2)
Phishing campaign using fake compliance audit alerts
The US Financial Industry Regulatory Authority (FINRA) has issued a regulatory notice warning US brokerage firms and brokers of an ongoing phishing campaign using fake compliance audit alerts to harvest information. The messages are being sent from finra-online[.]com, a recently registered web domain spoofing a legitimate FINRA website.
It has been discovered that the TA800 threat group is distributing the NimzaLoader malware through spear-phishing. The malware is written in the Nim language and is believed to be a variant of BazaLoader, malware previously used by the group.
TA800 group is distributing malware via spear-phishing
Google reCAPTCHA Phishing
Microsoft users are being targeted with thousands of phishing emails with the aim of stealing their Office 365 credentials. The attackers add a fake Google reCAPTCHA system and top-level domain landing pages that include the logos of the victims' companies to appear legitimate.
Domains used in COVID-19 vaccine phishing
The U.S. Department of Justice has seized several domains that have been used by attackers in COVID-19 vaccine-related phishing attacks. The latest domain impersonates an official site of a biotechnology company involved in the development of the COVID-19 vaccine.
Phishing in Review (2/2)
Phishing campaign impersonating BBVA
A malicious campaign of emails that attempt to infect victims' devices with malware has been detected. Threat actors impersonate the BBVA bank in order to simulate the payment of a transfer in favor of the victim, related to invoices.
Phishing campaign impersonating Ibercaja
In this campaign attackers send fraudulent emails with the subject "New PSD2 standard", in which they claim that, to comply with the European PSD2 security regulation, the recipient's next access to Ibercaja must be done by filling in their data. The aim of this campaign is to steal clients' credentials.
Phishing campaign impersonating Santander Bank
A phishing campaign has been detected in which Banco Santander is impersonated in order to steal customers' credentials. The message tells victims that if they do not verify their personal data their account will be deleted, so when they access the link provided, they are redirected to a fake website of the bank where their credentials are stolen.
Ransomware in Review
The State Public Employment Service (SEPE) has suffered an attack with the Ryuk ransomware. This attack has led to delays in managing thousands of appointments throughout Spain. The measures that have been implemented are the communication of the incident to CCN-CERT and McAfee, the shutdown of all communications interfaces in the routers of all centers in order to isolate the network, and the isolation of all central service VLANs.
SEPE has suffered a ransomware attack
New extortion techniques used by REvil operators
The operators of the REvil ransomware contacted professionals in February to include new extortion techniques. Attackers now not only threaten their victims with posting the files they steal from them, but they also appear to be executing DDoS attacks and VoIP calls.
It has been discovered that the DearCry ransomware is being installed on Microsoft Exchange servers using the recent ProxyLogon vulnerabilities that compromised Microsoft Exchange servers in early March 2021.
Threat actors install the DearCry ransomware on Microsoft Exchange servers
Malware in Review
A new backdoor called Sunshuttle or GoldMax, which is associated with the SolarWinds attack, has been identified. It has been attributed to the threat group UNC2452, and was first identified on March 4, targeting entities in the US, although it has global impact potential.
New backdoor identified
New variant of Gafgyt botnet
A new variant of the Gafgyt botnet, called Gafgyt_tor, has been identified. It targets vulnerable IoT devices and D-Link devices and uses Tor for its communications. The botnet was first identified in 2014 and the threat group behind it is unknown. The entry vectors exploited by Gafgyt are weak Telnet passwords and vulnerabilities (especially CVE-2019-16920 in D-Link devices and the Citrix CVE-2019-19781).
Data Leaks in Review
Passenger and customer data from numerous airlines has been affected by a data breach suffered by SITA, an international telecommunications company. Airlines that have confirmed that they have been affected are Lufthansa, Air New Zealand, Singapore Airlines, SAS, Cathay Pacific, Jeju Air, Malaysia Airlines and Finnair, although Japan Airlines is believed to have also been affected.
SITA has suffered a data breach
Breach exposes Verkada security cameras
Hackers claim to have gained unauthorized access to the live feeds of 150,000 security cameras after a breach at the Silicon Valley start-up Verkada. The group behind this attack calls itself Advanced Persistent Threat 69420, and it claims to have access to the security cameras of the Florida hospital Halifax Health and the Tesla factory in Shanghai, among others.
The US bank Flagstar has disclosed a data breach after the Clop ransomware gang hacked its Accellion file transfer server in January. Accellion informed Flagstar of the impact the hack had on the bank on January 22, 2021. On March 8, after Flagstar confirmed the data breach, the threat group behind Clop released screenshots of the data stolen from Flagstar.
Flagstar Bank has confirmed a data breach
Other cases
After Microsoft reported that the vulnerabilities were being actively exploited by a Chinese APT group named Hafnium, it said that several other threat actors are also exploiting the four critical Exchange flaws. These groups include APT27, Bronze Butler and Calypso, among others.
More groups abusing the ProxyLogon flaws
Office 365 gets protection against malicious XLM macros
Microsoft has added extra protection to identify malicious activity even when it is hidden behind heavy obfuscation, and to detect and block malware abusing Office VBA macros and the code regularly used to deploy malware payloads via Office document macros. It does this by expanding the runtime defense provided by Office 365's integration with the Antimalware Scan Interface (AMSI) to include Excel 4.0 (XLM) macro scanning.
Malicious activity against Microsoft Exchange Servers
On March 2nd, Microsoft warned about the exploitation of four vulnerabilities tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 affecting MS Exchange Servers.
Those vulnerabilities, now dubbed ProxyLogon, allow threat actors to perform remote code execution on publicly exposed MS Exchange servers that use Outlook on the Web (OWA).
Details about these worldwide abused vulnerabilities.
The malicious activity was first attributed to a highly sophisticated group of hackers called Hafnium. This group appears to be of Chinese origin, and it is believed to be sponsored by its government.
Now, at least 10 different APT groups are targeting these MS Exchange Server vulnerabilities, which grant them full access to the server, and the motivation appears to be espionage. It is believed that at least 250,000 MS Exchange Servers have been impacted globally.
In response, Microsoft has released several advisories to mitigate these vulnerabilities. Among them are security updates, alternative mitigations intended only for cases in which organizations are unable to apply the updates, and two scripts to check whether systems have been compromised.
What to do?
Aiuken Cybersecurity has provided its clients with all the details and advisories published by different organizations regarding this issue.
MICROSOFT EXCHANGE SERVERS
Calle Francisco Tomás y Valiente nº 2
Boadilla del Monte · 28660 Madrid (Spain)
Telephone: +34 912 909 805
aiuken.com