
The Week That Was - 2021, Week 4


The Week That Was - Week 3, 2021

1. SolarWinds Hack Update

Quick Recap: Attackers gained access to SolarWinds’ network and were able to insert malicious code into its Orion IT monitoring platform. About 18,000 SolarWinds customers received this trojanized version of Orion, which gave the attackers a backdoor into their systems. This impacted customers globally. Those affected included the U.S. Treasury, Commerce, and Homeland Security Departments. The investigation has pointed to the Cozy Bear campaign, which is attributed to Russian state-backed hackers.

What’s new:

  • The SolarWinds attackers used 7-Zip code to hide a Cobalt Strike loader. They used Raindrop to deliver a Cobalt Strike beacon to select victims that had already been trojanized through the SolarWinds Orion update.

  • Malwarebytes insists that the attackers only got access to its O365 environment and that its tools are safe.

As of now there are four pieces of malware identified in the SolarWinds attack. They are:

  1. Sunspot

  2. Sunburst (Solorigate)

  3. Teardrop, a post-exploitation tool

  4. Raindrop, the newly uncovered malware that is similar to Teardrop

2. New vulnerabilities that allow snooping have been found in Signal, Facebook and Google chat apps

Google Project Zero found multiple logic bugs in the Signal, Google Duo, Facebook Messenger, JioChat and Mocha messaging apps. All of these apps have been patched, so users should update ASAP.

"I investigated the signalling state machines of seven video conferencing applications and found five vulnerabilities that could allow a caller device to force a callee device to transmit audio or video data," Silvanovich, a security researcher from Google Project Zero, explained.

3. “FreakOut” Malware turning Linux devices into a botnet

FreakOut malware is infecting Linux devices that have not been patched for:

  • CVE-2020-28188 - unauthenticated Remote Command Execution (RCE) in TerraMaster TOS (TerraMaster is a white-label vendor for many network-attached and direct-attached storage products).

  • CVE-2021-3007 - deserialization bug in Zend Framework leading to Remote Code Execution (RCE). Zend Framework is used by many web applications.

  • CVE-2020-7961 - deserialization bug in Liferay Portal (versions < 7.2.1) leading to Remote Code Execution (RCE). Liferay is an open-source enterprise portal used by many web portals and HR sites.

Patches are available - patch immediately.

The threat actor is using the compromised systems to attack the finance, government and healthcare sectors in North America and Europe.

4. Oracle January CPU contains 329 security patches

Oracle’s January CPU contains 329 security patches, some of which address vulnerabilities that are being actively exploited in the wild, including:

  • CVE-2020-14750 - a vulnerability in WebLogic Server that allows RCE.

  • 47 unauthenticated RCE vulnerabilities in Fusion Middleware

  • 41 unauthenticated RCE vulnerabilities in Financial Services applications

  • 20 unauthenticated RCE vulnerabilities in Virtualization

Unauthenticated remote code execution is a critical vulnerability class and should be patched immediately.

5. Windows RDP servers used for DDoS amplification

Cybercriminals have been abusing exposed Windows RDP servers to perform Distributed Denial of Service (DDoS) attacks against their targets. Attacks have ranged between 20 and 750 Gbps of traffic. Windows RDP services were able to provide an 85:1 amplification rate. In contrast, the IoT devices abused in the Mirai botnet, which took down a quarter of the internet a couple of years ago, were only able to provide a 10:1 amplification factor.
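The amplification factor quoted above is simply response bytes divided by request bytes per reflector. The following is an added example, not code from the original post, that computes that ratio from constructed flow records and flags servers whose UDP/3389 traffic looks like reflection abuse; the flow-record layout, the assumption that the abused service is RDP over UDP on port 3389, and the 20:1 threshold are all assumptions.

```python
"""Flag hosts whose UDP/3389 (RDP) traffic shows the response/request
byte ratio of a DDoS reflector.  Added example, not from the original
post; flow-record format and the thresholds below are assumptions."""
from collections import defaultdict

# Constructed flow records: one UDP exchange each, as a collector might
# export them (bytes the server received vs. bytes it sent back).
SAMPLE_FLOWS = [
    {"server": "203.0.113.10", "dst_port": 3389, "proto": "udp",
     "peer": "198.51.100.7", "req_bytes": 20, "resp_bytes": 1700},
    {"server": "203.0.113.10", "dst_port": 3389, "proto": "udp",
     "peer": "198.51.100.7", "req_bytes": 20, "resp_bytes": 1700},
    {"server": "203.0.113.10", "dst_port": 3389, "proto": "udp",
     "peer": "192.0.2.44", "req_bytes": 1200, "resp_bytes": 900},
    {"server": "203.0.113.11", "dst_port": 3389, "proto": "tcp",
     "peer": "192.0.2.50", "req_bytes": 5000, "resp_bytes": 4800},
]

def amplification_by_peer(flows, port=3389, proto="udp"):
    """Return {(server, peer): bandwidth amplification factor}, i.e. bytes
    sent back divided by bytes received, for flows to `port`/`proto`."""
    received = defaultdict(int)
    sent = defaultdict(int)
    for f in flows:
        if f["proto"] != proto or f["dst_port"] != port:
            continue
        key = (f["server"], f["peer"])
        received[key] += f["req_bytes"]
        sent[key] += f["resp_bytes"]
    return {k: sent[k] / received[k] for k in received if received[k]}

def suspected_reflectors(flows, baf_threshold=20.0):
    """List (server, peer, baf) where the ratio matches reflection abuse:
    tiny requests from a spoofed source, large replies toward the real
    victim (`peer`).  The threshold is an assumption, not a standard."""
    hits = []
    for (server, peer), baf in amplification_by_peer(flows).items():
        if baf >= baf_threshold:
            hits.append((server, peer, round(baf, 1)))
    return sorted(hits)

if __name__ == "__main__":
    for server, peer, baf in suspected_reflectors(SAMPLE_FLOWS):
        print(f"{server} is reflecting {baf}:1 toward {peer}; "
              "block UDP/3389 at the edge or disable RDP over UDP")
```

The constructed data reproduces the 85:1 ratio from the post for one peer while a normal interactive session stays below 1:1.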


6. Microsoft’s “ZeroLogon” patch enables Enforcement Mode by default

The ZeroLogon vulnerability allows unauthenticated attackers to log on to domain controllers and gain full admin privileges. Microsoft has warned IT security admins that, starting with its Feb. 9, 2021 security update, it will enable Domain Controller (DC) enforcement mode by default as a means of addressing a critical remote code execution vulnerability affecting the Netlogon protocol.

This move will break non-compliant and legacy devices that still need the exception.

Pay particular attention when applying the patch and look for mitigation controls.

More details are in the MSRC blog post.
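Before the Feb. 9 update lands, the practical question is which machine accounts still rely on vulnerable Netlogon secure channels. The following is an added example, not code from the original post or from Microsoft, that triages a constructed export of a DC's System log by the Netlogon event IDs Microsoft documents for this purpose (5827/5828 denied, 5829 allowed during the deployment phase, 5830/5831 allowed by group policy); the CSV layout is an assumption.

```python
"""Triage Netlogon events before the Feb 9, 2021 update turns on Domain
Controller enforcement mode.  Added example, not from the original post;
the CSV layout is an assumption, the event IDs are Microsoft's documented
Netlogon IDs (5827-5831) for vulnerable secure-channel connections."""
import csv
from io import StringIO

# Constructed export of a DC's System log (e.g. from Get-WinEvent) with
# the machine account name already pulled out of the event message.
SAMPLE_CSV = """TimeCreated,Id,Account
2021-01-25T08:01:12,5829,OLD-NAS01$
2021-01-25T08:03:40,5829,OLD-NAS01$
2021-01-25T08:05:02,5829,PRINTSRV$
2021-01-25T08:09:17,5830,PRINTSRV$
2021-01-25T08:11:55,5827,LEGACY-PBX$
2021-01-25T08:12:30,5831,corp.example$
"""

# What each Netlogon event means once enforcement mode is on.
ALLOWED_NOW_DENIED_LATER = {"5829"}         # allowed only in deployment phase
DENIED_ALREADY = {"5827", "5828"}           # already rejected as vulnerable
ALLOWED_BY_GROUP_POLICY = {"5830", "5831"}  # explicit exception in place

def triage_netlogon_events(csv_text):
    """Return which accounts will break under enforcement, which are
    already being denied, and which have a documented policy exception."""
    will_break, denied, excepted = set(), set(), set()
    for row in csv.DictReader(StringIO(csv_text)):
        if row["Id"] in ALLOWED_BY_GROUP_POLICY:
            excepted.add(row["Account"])
        elif row["Id"] in ALLOWED_NOW_DENIED_LATER:
            will_break.add(row["Account"])
        elif row["Id"] in DENIED_ALREADY:
            denied.add(row["Account"])
    # An account covered by the "allow vulnerable connections" group policy
    # keeps working after Feb 9, so it is not counted as a breakage.
    will_break -= excepted
    return {"will_break": sorted(will_break),
            "already_denied": sorted(denied),
            "policy_exception": sorted(excepted)}

if __name__ == "__main__":
    for category, accounts in triage_netlogon_events(SAMPLE_CSV).items():
        print(f"{category}: {', '.join(accounts) or '-'}")
```

Accounts in `will_break` are the ones to fix (patch the device) or to add to the group policy exception before enforcement mode is switched on.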

7. DNSpooq vulnerabilities in the Dnsmasq tool used by millions of devices expose them to DNS cache poisoning

Seven serious DNS-related vulnerabilities, collectively known as DNSpooq, have been discovered in Dnsmasq. Dnsmasq is a widely used open-source tool that provides DNS, DHCP and router advertisement on small office and home routers, of which there are millions worldwide. Though patches are available, it could take a very long time for vendors and providers to update these devices, so they could remain vulnerable for a very long period.

Sophos has published an advisory informing customers that the vulnerabilities only appear to impact its Sophos Remote Ethernet Device (RED) appliance.

Cisco has released a long list of products impacted by the security flaws and says it’s working on developing patches. The networking giant noted that none of its products are affected by the memory corruption bugs that can lead to remote code execution and DoS attacks.

Siemens, on the other hand, says its SCALANCE and RUGGEDCOM industrial devices are impacted only by the three security holes that can be exploited for DNS cache poisoning. The German industrial giant is working on patches and, in the meantime, it has shared some workarounds and mitigations.

The OpenWrt Project, the developer of the popular Linux operating system for embedded devices, also issued an advisory, telling users that OpenWrt versions 19.07.0 through 19.07.5 are affected. Fixes will be included in the upcoming 19.07.6 release.

Red Hat says the vulnerabilities impact Red Hat Enterprise Linux 8 (non-default configuration), as well as Enterprise Linux 6, 7 and 8. Red Hat OpenStack Platform 10 and 13, and Red Hat Virtualization 4.3 and 4.4 may also be affected.

Ubuntu and SUSE have also released their own advisories urging customers to patch immediately.

8. Cisco patches critical unauthenticated RCE bugs

Releases of Cisco SD-WAN Software vulnerable to pre-auth RCE attacks designed to exploit CVE-2021-1300 include:

  • IOS XE SD-WAN Software

  • SD-WAN vBond Orchestrator Software

  • SD-WAN vEdge Cloud Routers

  • SD-WAN vEdge Routers

  • SD-WAN vManage Software

  • SD-WAN vSmart Controller Software

No active exploitation has been reported to date, but customers are advised to patch immediately.

Kiran Vangaveti