Cyber Security News December 2021

This posting is here to collect cyber security news in December 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

435 Comments

  1. Tomi Engdahl says:

    Really stupid “smart contract” bug let hackers steal $31 million in digital coin https://arstechnica.com/information-technology/2021/12/hackers-drain-31-million-from-cryptocurrency-service-monox-finance/
    Blockchain startup MonoX Finance said on Wednesday that a hacker stole $31 million by exploiting a bug in software the service uses to draft smart contracts. The company uses a decentralized finance protocol known as MonoX that lets users trade digital currency tokens without some of the requirements of traditional exchanges.

    Reply
  2. Tomi Engdahl says:

    Colorado energy company loses 25 years of data after cyberattack while still rebuilding network
    https://www.zdnet.com/article/colorado-energy-company-loses-25-years-of-data-after-cyberattack-still-rebuilding-network/#ftag=RSSbaffb68
    Colorado’s Delta-Montrose Electric Association (DMEA) is still struggling to recover from a devastating cyberattack last month that took down 90% of its internal systems and caused 25 years of historical data to be lost. The energy company hired cybersecurity experts to investigate the incident, but they are still having issues recovering nearly a month later.

    Reply
  3. Tomi Engdahl says:

    Microsoft Exchange servers hacked to deploy BlackByte ransomware https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-blackbyte-ransomware/
    The BlackByte ransomware gang is now breaching corporate networks by exploiting Microsoft Exchange servers using the ProxyShell vulnerabilities. Detailed report:
    https://redcanary.com/blog/blackbyte-ransomware/

    Reply
  4. Tomi Engdahl says:

    Malicious Excel XLL add-ins push RedLine password-stealing malware https://www.bleepingcomputer.com/news/security/malicious-excel-xll-add-ins-push-redline-password-stealing-malware/
    Cybercriminals are spamming website contact forms and discussion forums to distribute Excel XLL files that download and install the RedLine password and information-stealing malware. RedLine is an information-stealing Trojan that steals cookies, user names and passwords, and credit cards stored in web browsers, as well as FTP credentials and files from an infected device. In addition to stealing data, RedLine can execute commands, download and run further malware, and create screenshots of the active Windows screen. All of this data is collected and sent back to the attackers to be sold on criminal marketplaces or used for other malicious and fraudulent activity.

    Reply
  5. Tomi Engdahl says:

    Convincing Microsoft phishing uses fake Office 365 spam alerts https://www.bleepingcomputer.com/news/security/convincing-microsoft-phishing-uses-fake-office-365-spam-alerts/
    A persuasive and ongoing series of phishing attacks is using fake Office 365 notifications asking the recipients to review blocked spam messages, with the end goal of stealing their Microsoft credentials.
    What makes these phishing emails especially convincing is the use of quarantine[at]messaging.microsoft.com to send them to potential targets and the display name matching the recipients’ domains.

    Reply
  6. Tomi Engdahl says:

    OnePlus Nord 2 has a vulnerability that grants root shell access within minutes on a locked bootloader, without a data wipe https://www.xda-developers.com/oneplus-nord-2-vulnerability-root-shell/
    OnePlus might have cemented its name among the major Android OEMs, but its phones are no stranger to security flaws. This time, the company has left a rather interesting (read: worrying) vulnerability unpatched on the OnePlus Nord 2 since its release. Although exploiting the loophole requires physical access to the device, the attacker can effectively gain an unrestricted root shell before the user can even enter their credentials. Notably, the newly released Pac-Man edition of the Nord 2 is affected as well.

    Reply
  7. Tomi Engdahl says:

    Apple AirTags being used by thieves to track high-end cars to steal
    https://arstechnica.com/cars/2021/12/apple-airtags-being-used-by-thieves-to-track-high-end-cars-to-steal/
    When Apple debuted its new AirTag tracker earlier this year, part of our review focused on the privacy implications of the device. We called the device “a rare privacy misstep from Apple.” This week, Canadian police announced that car thieves have been using AirTags to track vehicles they want to steal.

    Setting app permissions in iOS 15
    https://www.kaspersky.com/blog/ios-15-permissions-guide/43041/
    With each version of iOS, we’ve seen developers try to protect user data better. However, the core principle remains unchanged: You, the user, get to decide what information to share with which apps. With that in mind, we’ve put together an in-depth review of app permissions in iOS 15 to help you decide which requests to allow and which to deny.

    Reply
  8. Tomi Engdahl says:

    France warns of Nobelium cyberspies attacking French orgs https://www.bleepingcomputer.com/news/security/france-warns-of-nobelium-cyberspies-attacking-french-orgs/
    The French national cyber-security agency ANSSI said today that the Russian-backed Nobelium hacking group behind last year’s SolarWinds hack has been targeting French organizations since February 2021.
    While ANSSI (short for Agence Nationale de la Sécurité des Systèmes d’Information) has not determined how Nobelium compromised email accounts belonging to French orgs, it added that the hackers used them to deliver malicious emails targeting foreign institutions. The ANSSI report: https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/

    Reply
  9. Tomi Engdahl says:

    Russian hacking group uses new stealthy Ceeloader malware https://www.bleepingcomputer.com/news/security/russian-hacking-group-uses-new-stealthy-ceeloader-malware/
    The Nobelium hacking group continues to breach government and enterprise networks worldwide by targeting their cloud and managed service providers and using a new custom “Ceeloader” malware. Nobelium is Microsoft’s name for the threat actor behind last year’s SolarWinds supply-chain attack that led to the compromise of several US federal agencies. This group is believed to be the hacking division of the Russian Foreign Intelligence Service (SVR), commonly known as APT29, The Dukes, or Cozy Bear. The Mandiant report:
    https://www.mandiant.com/resources/russian-targeting-gov-business

    Reply
  10. Tomi Engdahl says:

    NICKEL targeting government organizations across Latin America and Europe https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/
    The Microsoft Threat Intelligence Center (MSTIC) has observed NICKEL, a China-based threat actor, targeting governments, diplomatic entities, and non-governmental organizations (NGOs) across Central and South America, the Caribbean, Europe, and North America. MSTIC has been tracking NICKEL since 2016 and observed some common activity with other actors known in the security community as APT15, APT25, and KeChang. Today, the Microsoft Digital Crimes Unit (DCU) announced the successful seizure of a set of NICKEL-operated websites and disruption of their ongoing attacks targeting organizations in 29 countries, following a court order from the U.S. District Court for the Eastern District of Virginia granting Microsoft the authority to seize these sites.

    Reply
  11. Tomi Engdahl says:

    Hundreds of SPAR stores shut down, switch to cash after cyberattack https://www.bleepingcomputer.com/news/security/hundreds-of-spar-stores-shut-down-switch-to-cash-after-cyberattack/
    Approximately 330 SPAR shops in North East England face severe operational problems following a weekend cyberattack, forcing many stores to close or switch to cash-only payments. SPAR is an international supermarket franchise that operates 13,320 stores in 48 countries, but the recent security incident only affected stores in the northern part of England.

    Reply
  12. Tomi Engdahl says:

    Magecart Groups Abuse Google Tag Manager https://geminiadvisory.io/magecart-google-tag-manager/
    Gemini analysts continue to identify Magecart campaigns that target numerous e-commerce sites worldwide. Since February 4, 2021, analysts have observed 316 e-commerce sites infected with trojanized Google Tag Manager (GTM) containers. This technique capitalizes on the ability to place JavaScript within the GTM container. Gemini has observed two variants that abuse GTM containers: one that embeds the malicious e-skimmer script in the container and another that uses the container to download the actual e-skimmer script from a separate dual-use domain. The abuse of this legitimate Google service is concerning because it provides threat actors free infrastructure upon which they can host their scripts, while also granting enhanced capability to avoid detection. The Magecart actors behind these attacks have posted at least 88,000 payment card records from these attacks to the dark web markets.

    Reply
  13. Tomi Engdahl says:

    Misconfigured Kafdrop Puts Companies’ Apache Kafka Completely Exposed https://spectralops.io/blog/misconfigured-kafdrop-puts-companies-apache-kafka-completely-exposed/
    This research refers to exposed data of organizations or individuals as a result of misconfigured infrastructure, not caused by the Kafdrop project itself. Highly committed to the open-source movement and sworn contributors ourselves, we appreciate the importance of open source.
    This article aims to shed light on a misconfiguration that puts companies at risk and offers an immediate mitigation.

    Reply
  14. Tomi Engdahl says:

    Mirai-based Botnet – Moobot Targets Hikvision Vulnerability https://www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability
    Last September 18th, a threat researcher released a write-up about a remote code execution vulnerability that affects various products from Hikvision, one of the largest video surveillance brands in the world.
    Hikvision is a CVE CNA and quickly assigned the CVE number, CVE-2021-36260, and released a patch for the vulnerability on the same day as the threat researcher’s disclosure. During our analysis, we observed numerous payloads attempting to leverage this vulnerability to probe the status of devices or extract sensitive data from victims. One payload in particular caught our attention. It tries to drop a downloader that exhibits infection behavior and that also executes Moobot, which is a DDoS botnet based on Mirai. In this blog we explain how an attacker delivers this payload through the Hikvision vulnerability, along with details of the botnet.

    Reply
  15. Tomi Engdahl says:

    uBlock, I exfiltrate: exploiting ad blockers with CSS https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css
    Ad blockers like uBlock Origin are extremely popular, and typically have access to every page a user visits. Behind the scenes, they’re powered by community-provided filter lists – CSS selectors that dictate which elements to block. These lists are not entirely trusted, so they’re constrained to prevent malicious rules from stealing user data. In this post, we’ll show you how we were able to bypass these restrictions in uBlock Origin, use a novel CSS-based exploitation technique to extract data from scripts and attributes, and even steal passwords from Microsoft Edge. All vulnerabilities discussed in this post have been reported to uBlock Origin and patched.

    Reply
  16. Tomi Engdahl says:

    Are You Guilty of These 8 Network-Security Bad Practices?
    https://threatpost.com/bad-practices-network-security/176798/
    The ongoing explosion of ransomware events and breaches (many of which the public never hears about) is elevating network security to a top corporate priority. Employees are constantly reminded to change their passwords frequently, watch out for phishing attacks and comply with strict security policies. But companies are also failing to address the everyday practices and mindsets that undermine traditional safeguards and increase the risk of a breach.

    Reply
  17. Tomi Engdahl says:

    Zoho Confirms New Zero-Day, Ships Exploit Detector
    https://www.securityweek.com/zoho-confirms-new-zero-day-ships-exploit-detector

    The security problems at enterprise software provider Zoho continue to multiply with confirmation of a new critical authentication bypass vulnerability — the third in four months — being exploited in the wild by advanced threat actors.

    The Indian multinational firm, which sells a wide range of productivity and collaboration apps to businesses, confirmed the new zero-day exploitation over the weekend and released an exploit detection tool to help defenders spot signs of compromise.

    The new security vulnerability — CVE-2021-44515 — was identified in Zoho’s ManageEngine Desktop Central, an IT and network management tool that Zoho says is used by more than 40,000 global companies.

    “As we are noticing indications of exploitation of this vulnerability, we strongly advise customers to update their installations to the latest build as soon as possible,” according to Zoho’s latest red-alarm warning.

    Zoho said the newest CVE-2021-44515 flaw affects customers of the Professional and Enterprise editions of ServiceDesk Plus who use the Desktop Central agent for asset discovery, and warned of the risk of remote code execution attacks.

    Reply
  18. Tomi Engdahl says:

    FBI Warns of Cuba Ransomware Attacks on Critical Infrastructure
    https://www.securityweek.com/fbi-warns-cuba-ransomware-attacks-critical-infrastructure

    The Federal Bureau of Investigation (FBI) has issued a warning over Cuba ransomware attacks targeting critical infrastructure.

    As of November 2021, the gang behind Cuba ransomware managed to compromise at least 49 entities in the government, healthcare, financial, information technology, and manufacturing sectors.

    To help organizations better defend against this threat, the FBI has released indicators of compromise (IoCs) associated with Cuba ransomware, along with details on the tactics, techniques and procedures (TTPs) employed by the gang, and a series of recommended mitigations.

    Distributed through Hancitor, the Cuba file-encrypting ransomware first emerged in late 2019 and is known for appending the “.cuba” extension to the encrypted files.

    To date, the cybercriminals behind this operation have demanded at least $74 million in ransom, and might have received over $43.9 million in payments from their victims, the FBI says.

    Reply
  19. Tomi Engdahl says:

    Hackers Steal $150 Million Worth of Cryptocurrency From BitMart
    https://www.securityweek.com/hackers-steal-150-million-worth-cryptocurrency-bitmart

    Cryptocurrency trading platform BitMart on Sunday announced that it has suspended withdrawals after discovering a cybersecurity incident that resulted in the theft of roughly $150 million worth of assets.

    The platform claims that only the Ethereum (ETH) and Binance Smart Chain (BSC) hot wallets were impacted, and notes that the two wallets were compromised using stolen private keys.

    “In response to this incident, BitMart has completed initial security checks and identified affected assets. This security breach was mainly caused by a stolen private key that had two of our hot wallets compromised,” BitMart founder and CEO Sheldon Xia said.

    Reply
  20. Tomi Engdahl says:

    Cyberattack Causes Significant Disruption at Colorado Electric Utility
    https://www.securityweek.com/cyberattack-causes-significant-disruption-colorado-electric-utility

    An electric utility in Colorado has disclosed an apparent ransomware attack that resulted in significant disruption and damage.

    The Delta-Montrose Electric Association (DMEA) is a member-owned and locally controlled rural electric cooperative that serves more than 34,000 customers in Colorado’s Montrose, Delta, and Gunnison counties. It is part of Touchstone Energy Cooperatives, a cooperative federation that has over 750 members across the United States.

    DMEA last week revealed that it had discovered a breach of its internal network on November 7. The hacker attack resulted in disruption to phone, email, billing, and customer account systems, as well as documents, spreadsheets, and forms getting “corrupted.”

    DMEA’s CEO told local news outlets that the cyberattack led to 90% of internal controls and systems becoming corrupted, broken or disabled, and claimed that a majority of historical data dating back more than 20 years was lost.

    DMEA said its power grid and fiber network — the company also provides internet services — were not affected by the incident.

    The utility is still working on restoring affected services so it has told customers that all penalty fees and disconnections for non-payment will be suspended until the end of January 2022.

    https://www.dmea.com/network-updates
    On November 7, 2021, DMEA was the victim of a malicious cyber-attack. As a result, our internal network services are not fully functional. This is impacting our ability to provide support services such as payment processing, billing, SmartHub access, and account changes. Please note, we have suspended our disconnect process and all penalty fees through January 31, 2022. This page is here to support you, answer questions, and keep you updated about the incident.

    Reply
  21. Tomi Engdahl says:

    Web Browsers Vulnerable to 14 New Types of XS-Leak Attacks
    https://www.securityweek.com/web-browsers-vulnerable-14-new-types-xs-leak-attacks

    Researchers from two universities in Germany have developed a tool that can be used to check web browsers for cross-site leaks, and they claim to have identified 14 new attack classes.

    Cross-site leaks, also known as XS-Leaks, are a type of browser side-channel attack that can allow a malicious website to infer and collect potentially sensitive user information from other sites by bypassing security mechanisms such as same-origin policy.

    Same-origin policy is designed to restrict how a document, script or media file loaded by one origin can interact with a resource from another origin. However, over the years, researchers have identified many methods that can be used to bypass this security mechanism.

    https://xsleaks.dev/

    Reply
  22. Tomi Engdahl says:

    A Major Outage At AWS Has Caused Chaos At Amazon’s Own Operations, Highlighting Cloud Computing Risks
    https://www.forbes.com/sites/martingiles/2021/12/07/aws-outage-caused-chaos-at-amazon-underlining-cloud-computing-risks/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Valerie&sh=255584616834

    A lengthy outage at Amazon Web Services (AWS), the cloud computing arm of Amazon, caused chaos on Tuesday for millions of users and companies along the U.S. East Coast. The mega glitch affected access to a wide range of services, including shows on Netflix and Disney+, web services from airlines such as Delta and Southwest, and payments businesses such as Venmo.

    Many of Amazon’s own offerings, including the Ring smart doorbell service, its Alexa virtual assistant and its Amazon Music Service, were also affected by the outage. It also interrupted Amazon’s delivery operations, with drivers reportedly unable to access information via apps.

    The company blamed the issues on “the impairment of several network devices.” While AWS said it had “executed a mitigation” that was producing “a significant recovery in the region,”

    Cloud concentration
    The episode underscores just how dependent businesses have become on the tech giants that deliver third-party cloud computing services. The pandemic has accelerated the move to the public cloud as companies sought to rapidly and efficiently digitize operations and to tap into a wide range of services, from AI algorithms to quantum computers. Earlier this year, Gartner forecast a 21% jump in worldwide end-user spending on public cloud services to more than $330 billion. That has juiced revenues for brands such as AWS, Microsoft’s Azure and Google Cloud that already dominate in the U.S. and many other markets worldwide.

    The question is whether they can maintain quality while ramping up to meet demand. In a bid to win more business, AWS and its rivals are racing one another to create more offerings, which in turn is making the management of the infrastructure to support them more complex.

    “As feature functionality explodes, they are having to manage it all and you can’t do it manually,” says Doug Madory of Kentik, a company that provides data and analytics on IT networks to businesses. “You have to automate it and it’s very hard to anticipate every possible failure.”

    One challenge the cloud giants face is to stay on top of interdependencies that could trigger systems to fail simultaneously.

    In October, Facebook and its other major services, including Messenger and WhatsApp, went down for over six hours

    At the time, Facebook noted that part of the reason tackling the outage took so long was that some of the software tools it needed to treat the problem were unavailable because of the outage, which also shut down automated access to some of its data centers. Engineers were forced to drive to some locations to get them back online.

    In its statement this morning, AWS noted that the incident had affected some of its “monitoring and incident tooling”, which it said had affected its ability to provide updates. Cloud experts say that cloud companies face a conundrum here. Running such tools on separate networks run by other companies could avoid this headache, but this would also increase the risk that hackers could penetrate those networks and use the tools to compromise core cloud operations.

    Amazon’s outage also raises another issue. Cloud providers run data centers in multiple regions around the world. Companies can pay to run workloads in different regions, so if one goes down another can act as a backup. But AWS’s US-East-1 region is especially popular given the concentration of businesses on the U.S. East Coast, so any glitches affecting it have substantial impact.

    CIOs may need to think about paying up for rollover plans, if they aren’t doing so already. They may also want to spread risk across multiple clouds and consider other contingency plans.

    Reply
  23. Tomi Engdahl says:

    Amazon Web Services went down and took a bunch of the internet with it
    https://techcrunch.com/2021/12/07/amazon-web-services-went-down-and-took-a-bunch-of-the-internet-with-it/?tpcc=tcplusfacebook

    Users are reporting a widespread outage at Amazon Web Services, bringing down websites and backend services for organizations including the Associated Press, Disney+ and Vice. Details about the outage are scarce.

    The AWS status page reported increased error rates for its Management Console on Tuesday morning.

    “We are experiencing API and console issues in the US-EAST-1 Region,” the page said. “We have identified root cause and we are actively working towards recovery. This issue is affecting the global console landing page, which is also hosted in US-EAST-1.”

    Reply
  24. Tomi Engdahl says:

    Richard Lawler / The Verge:
    Amazon resolves the underlying issues that caused an AWS outage that started around 10:45am ET and is “working towards recovery of any impaired services” — Amazon says “many services have already recovered” — Problems with some Amazon Web Services cloud servers …

    An Amazon server outage caused problems for Alexa, Ring, Disney Plus, and deliveries
    Amazon says “many services have already recovered”
    https://www.theverge.com/2021/12/7/22822332/amazon-server-aws-down-disney-plus-ring-outage?scrolla=5eb6d68b7fedc32c19ef33b4

    Lauren Kaori Gurley / VICE:
    The AWS outage took down Amazon’s Flex and Dolphin apps for logistics and time tracking, halting some deliveries — There’s a mix of frustration and joy from workers as AWS outages cause chaos with Amazon’s delivery infrastructure during its busy season. — Websites and online services …

    AWS Outage Grinds Amazon Warehouses and Deliveries to a Halt
    https://www.vice.com/en/article/qjbkbm/aws-outage-throws-amazon-into-chaos

    There’s a mix of frustration and joy from workers as AWS outages cause chaos with Amazon’s delivery infrastructure during its busy season.

    Reply
  25. Tomi Engdahl says:

    Windows 10 Drive-By RCE Triggered by Default URI Handler https://threatpost.com/windows-10-rce-url-handler/176830/
    According to a report posted Tuesday by Positive Security, the vulnerability is triggered by an argument injection, which is a type of attack that involves tampering with a page’s input parameters. It can enable attackers to see or to modify data via the user interface that they normally can’t get at. The researchers have been going back and forth with Microsoft about this for months, having initially disclosed the weakness to Microsoft in March. Microsoft closed Positive Security’s initial report the very next day, based on what Positive Security called Microsoft’s “erroneous” belief that the exploit relies on social engineering. Positive Security’s report:
    https://positive.security/blog/ms-officecmd-rce

    Reply
  26. Tomi Engdahl says:

    An Amazon server outage is causing problems for Alexa, Ring, Disney Plus, and deliveries https://www.theverge.com/2021/12/7/22822332/amazon-server-aws-down-disney-plus-ring-outage
    Problems with some Amazon Web Services cloud servers are causing slow loading or failures for significant chunks of the internet. Amazon’s widespread network of data centers powers many of the things you interact with online, including this website, so as we’ve seen in previous AWS outage incidents, any problem has massive rippling effects. While some affected services that rely on AWS have been restored, the internet is still a bit slower and more unsteady than usual. The most important apps impacted by the outage might be the ones that Amazon employees use.

    Reply
  27. Tomi Engdahl says:

    Nordic Choice Hotels hit by Conti ransomware, no ransom demand yet https://www.bleepingcomputer.com/news/security/nordic-choice-hotels-hit-by-conti-ransomware-no-ransom-demand-yet/
    Nordic Choice Hotels has now confirmed a cyber attack on its systems from the Conti ransomware group. The incident primarily impacts the hotel’s guest reservation and room key card systems. Although there is no indication of passwords or payment information being affected, information pertaining to guest bookings was potentially leaked. The Scandinavian hotel chain, with its brands Comfort, Quality, and Clarion, employs over 16,000 staff members and has 200 properties across Scandinavia, Finland, and the Baltics.

    Reply
  28. Tomi Engdahl says:

    QNAP warns of new crypto-miner targeting its NAS devices
    https://therecord.media/qnap-warns-of-new-crypto-miner-targeting-its-nas-devices/
    Taiwanese hardware vendor QNAP has released a new security advisory today warning users that a new strain of crypto-mining malware is targeting its network-attached storage (NAS) devices. The company did not share any information on how the devices were being compromised but said that once the malware got a foothold on infected systems, it would create a process named [oom_reaper] that would take up around 50% of the CPU’s total usage.

    Reply
  29. Tomi Engdahl says:

    New Cerber ransomware targets Confluence and GitLab servers
    https://www.bleepingcomputer.com/news/security/new-cerber-ransomware-targets-confluence-and-gitlab-servers/
    Cerber ransomware is back, as a new ransomware family adopts the old name and targets Atlassian Confluence and GitLab servers using remote code execution vulnerabilities. Starting last month, a ransomware called Cerber once again reared its ugly head, as it began infecting victims worldwide with both a Windows and Linux encryptor.

    Reply
  30. Tomi Engdahl says:

    Google disrupts Glupteba botnet, files lawsuit against two Russians
    https://therecord.media/google-disrupts-glupteba-malware-botnet-files-lawsuit-against-two-russians/
    Google has announced today that it has disrupted the operations of the Glupteba botnet and has filed a lawsuit against two Russian nationals it believes have created and helped run the malware for the past few years. The company said it removed around 63 million Google Docs files used by the Glupteba gang to distribute its malware to unsuspecting victims, along with 1,183 Google accounts, 908 cloud projects, and 870 Google Ads accounts used by the gang to create and host parts of their botnet.

    Reply
  31. Tomi Engdahl says:

    Israeli govt pledges greater oversight of cyber-exports after NSO tools hacked US officials
    https://www.zdnet.com/article/israeli-govt-pledges-greater-oversight-of-cyber-exports-after-nso-tools-used-to-spy-on-us-officials/
    The Israeli government’s Defense Exports Control Agency sent out a notice late on Monday indicating it would be enforcing stricter rules governing the export of offensive cyber tools. The Jerusalem Post reported on Monday that the agency published a revised version of its “Final Customer Declaration”, which countries will have to sign before they can get access to powerful spyware technology like the NSO Group’s Pegasus. The declaration says countries will not use the tools to attack government critics or “political speech” and will only use it to prevent terrorism and “serious crimes.” Any country that ignores the declaration will lose access to cyber-tools, according to the document.

    Reply
  32. Tomi Engdahl says:

    Flaws in Tonga’s top-level domain left Google, Amazon, Tether web services vulnerable to takeover
    https://portswigger.net/daily-swig/flaws-in-tongas-top-level-domain-left-google-amazon-tether-web-services-vulnerable-to-takeover
    Attackers could have modified the nameservers of any domain under Tonga’s country code top-level domain (ccTLD) due to a vulnerability in the TLD registrar’s website, security researchers have revealed.
    Fortunately, malicious exploitation was averted because the Tonga Network Information Center (Tonic) was “very responsive” in fixing the bug in under 24 hours after web security firm Palisade alerted them on October 8, 2021, a Palisade blog post reveals.

    Reply
  33. Tomi Engdahl says:

    Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/
    In a July 2019 blog post about DoppelPaymer, Crowdstrike Intelligence reported that ProcessHacker was being hijacked to kill a list of targeted processes and gain access, delivering a “critical hit.”
    Although the blog is now a couple of years old, the hijacking technique is interesting enough to dig into its implementation.

    Reply
  34. Tomi Engdahl says:

    USB Over Ethernet | Multiple Vulnerabilities in AWS and Other Major Cloud Services
    https://www.sentinelone.com/labs/usb-over-ethernet-multiple-privilege-escalation-vulnerabilities-in-aws-and-other-major-cloud-services/
    SentinelLabs has discovered a number of high severity flaws in driver software affecting numerous cloud services. These vulnerabilities allow attackers to escalate privileges enabling them to disable security products, overwrite system components, corrupt the operating system, or perform malicious operations unimpeded.

    Reply
  35. Tomi Engdahl says:

    Microsoft Seizes Domains Used by China-Linked APT ‘Nickel’
    https://www.securityweek.com/microsoft-seizes-domains-used-china-linked-apt-nickel

    Microsoft says it has seized control of domains that China-linked threat actor Nickel has been employing in malicious attacks targeting organizations in the United States and worldwide.

    Reply
  36. Tomi Engdahl says:

    Firefox 95 Rolls Out With New ‘RLBox’ Isolation Feature
    https://www.securityweek.com/firefox-95-rolls-out-new-isolation-feature-rlbox

    Mozilla on Monday released Firefox 95 to the stable channel with a new isolation feature in tow, designed to keep untrusted code at bay and better protect users from web attacks that attempt to escape the sandbox.

    Dubbed RLBox, the new sandboxing technology has been developed in collaboration with academics at the University of California San Diego and the University of Texas and is meant to complement existing protections by isolating subcomponents.

    To keep users protected from web attacks, browsers run sites in sandboxed processes, but adversaries attempt to chain flaws to escape the sandbox and compromise the victim device.

    With RLBox, third-party libraries prone to attacks are also isolated from the rest of the browser, in a fine-grained software sandbox. Thus, in addition to isolating websites in their own processes, the browser attempts to protect from potentially buggy subcomponents.

    RLBox, which is a standalone project that relies on WebAssembly for isolating potentially problematic code, is now rolling out to all Firefox users with support for isolating the Graphite, Hunspell, Ogg, Expat and Woff2 modules.

    https://plsyssec.github.io/rlbox_sandboxing_api/sphinx/

    Reply
  37. Tomi Engdahl says:

    Google Patches Serious Use-After-Free Vulnerabilities in Chrome
    https://www.securityweek.com/google-patches-serious-use-after-free-vulnerabilities-chrome

    Google on Monday announced the rollout of a new security update for Chrome, to address 20 vulnerabilities in the browser, including 16 reported by external researchers.

    Of these 16 security errors, 15 are rated high severity. Nearly half of them are use-after-free bugs affecting various components of the browser.

    The most severe of these issues affects the web apps component. Tracked as CVE-2021-4052, it was reported by Wei Yuan of MoyunSec VLab, who received a $15,000 bug bounty payout for the finding.

    Next in line is CVE-2021-4053, a security hole in Chrome’s UI component, which earned the reporting researcher $10,000.

    The latest Chrome update also addresses an incorrect security UI in autofill (CVE-2021-4054) and a heap buffer overflow in extensions (CVE-2021-4055), for which Google awarded the reporting researchers $5,000 and $1,000 bug bounty rewards, respectively.

    Reply
  38. Tomi Engdahl says:

    Three Hundred Spar Convenience Stores in UK Affected by Cyber Incident
    https://www.securityweek.com/three-hundred-spar-convenience-stores-uk-affected-cyber-incident

    Three hundred Spar convenience stores in the north of England have been affected by a cyberattack against wholesaler James Hall and Co. James Hall supplies produce to the stores, but also operates the IT and till systems.

    The primary effect on the stores has been to prevent any payment card processing. Although some stores are remaining open for cash trade only, the majority have been forced to close.

    Spar is one of the world’s largest retailers. It was founded in The Netherlands in 1932 and operates more than 13,000 franchise stores in nearly 50 countries. It has more than 2,500 stores in the UK, employing some 40,000 people.

    At this stage, little is known about the cyberattack. The effect became known on Sunday, December 5, 2021, when one of the franchises tweeted, “Unfortunately due to a total IT outage affecting all our stores we have had to remain closed all day Sunday with no time set to be back online – our apologies for the massive inconvenience to all our customers and store teams.”

    Spar referred SecurityWeek to James Hall for further information on the attack. At the time of writing, James Hall has not responded to any of our telephone calls, and its website is either down or has been taken offline.

    Although no information about the attack has yet been disclosed, a ransomware attack is possible – retail in the run-up to Christmas is a tempting target. “With the demand supermarkets experience over the holiday season, if they are hit by a ransomware attack, they are naturally desperate to recover as quickly as possible. It is, therefore, a big red target for many threat-actors who know that any ransom demand could be paid almost immediately,” comments Brooks Wallace, VP EMEA at Deep Instinct.

    Reply
  39. Tomi Engdahl says:

    SolarWinds Hackers Use New Malware in Recent Attacks
    https://www.securityweek.com/solarwinds-hackers-use-new-malware-attacks-serve-russian-interests

    The threat group believed to be responsible for the attack on IT management company SolarWinds has developed new malware as it continues to target organizations that possess data relevant to Russian interests.

    One year has passed since the discovery of the breach at SolarWinds and — despite their activities being analyzed and exposed by cybersecurity companies and researchers — the threat actor that launched the attack continues to target governments and private businesses, with their main goal apparently being the theft of data that could be useful to the Russian government.

    Reply
  40. Tomi Engdahl says:

    AWS Outage Grinds Amazon Warehouses and Deliveries to a Halt
    There’s a mix of frustration and joy from workers as AWS outages cause chaos with Amazon’s delivery infrastructure during its busy season.
    https://www.vice.com/en/article/qjbkbm/aws-outage-throws-amazon-into-chaos

    Reply
  41. Tomi Engdahl says:

    Jamie Tarabay / Bloomberg:
    Google sues two Russians it claims help run a botnet that has infected 1M+ devices and uses command-and-control server addresses stored on Bitcoin’s blockchain — Complaint says the two created a sophisticated ‘botnet’ — Glupteba sells stolen logins, credit cards, Google says
    https://www.bloomberg.com/news/articles/2021-12-07/google-sues-two-russians-for-alleged-organized-crime-scheme

    Reply
  42. Tomi Engdahl says:

    Bill Toulas / BleepingComputer:
    Researchers discover 27 vulnerabilities in the Eltima SDK, a library used by numerous cloud providers including AWS to remotely mount a local USB device

    27 flaws in USB-over-network SDK affect millions of cloud users
    https://www.bleepingcomputer.com/news/security/27-flaws-in-usb-over-network-sdk-affect-millions-of-cloud-users/

    Researchers have discovered 27 vulnerabilities in Eltima SDK, a library used by numerous cloud providers to remotely mount a local USB device.

    Due to the pandemic and the rising trend of working from home, organizations have begun to rely heavily on cloud-based services. This necessity also increased cloud providers utilizing Eltima’s SDK that allow employees to mount local USB mass storage devices for use on their cloud-based virtual desktops.


    However, as cloud desktop providers, including Amazon Workspaces, rely on tools like Eltima, SentinelOne warned that millions of users worldwide have become exposed to the discovered vulnerabilities.

    The implications of exploiting the flaws are significant as they could allow remote threat actors to gain elevated access on a cloud desktop to run code in kernel mode.

    “These vulnerabilities allow attackers to escalate privileges enabling them to disable security products, overwrite system components, corrupt the operating system, or perform malicious operations unimpeded,” explained a new report by Sentinel Labs.

    USB Over Ethernet | Multiple Vulnerabilities in AWS and Other Major Cloud Services
    https://www.sentinelone.com/labs/usb-over-ethernet-multiple-privilege-escalation-vulnerabilities-in-aws-and-other-major-cloud-services/

    Reply
  43. Tomi Engdahl says:

    Google Issues Warning For 2 Billion Chrome Users
    https://www.forbes.com/sites/gordonkelly/2021/12/08/google-chrome-warning-new-hacks-security-attacks-upgrade-chrome-now/?sh=2d08bff94e60&utm_source=ForbesMainFacebook&utm_medium=social&utm_campaign=socialflowForbesMainFB

    Chrome has been under attack from all sides this year and now multiple new hacks have been discovered in Google’s popular browser.

    Google confirmed the news in a new blog post, where it revealed 20 new vulnerabilities have been found, 15 of which it classifies as ‘High’ level threats. Linux, macOS and Windows users are all affected and need to take immediate action. Google’s report brings the total number of successful Chrome hacks to 45 in the last three weeks.

    Sticking to protocol, Google is restricting information about these new threats in order to buy time for Chrome users to upgrade. Consequently, the only information we have about the 15 new High level threats is as follows:

    High – CVE-2021-4052: Use after free in web apps. Reported by Wei Yuan of MoyunSec VLab on 2021-11-07
    High – CVE-2021-4053: Use after free in UI. Reported by Rox on 2021-11-08
    High – CVE-2021-4054: Incorrect security UI in autofill. Reported by Alesandro Ortiz on 2021-08-13 (bug 1239760, $5000 bounty)
    High – CVE-2021-4055: Heap buffer overflow in extensions. Reported by Chen Rong on 2021-11-03
    High – CVE-2021-4056: Type Confusion in loader. Reported by @__R0ng of 360 Alpha Lab on 2021-10-18
    High – CVE-2021-4057: Use after free in file API. Reported by Sergei Glazunov of Google Project Zero on 2021-10-21
    High – CVE-2021-4058: Heap buffer overflow in ANGLE. Reported by Abraruddin Khan and Omair on 2021-11-06
    High – CVE-2021-4059: Insufficient data validation in loader. Reported by Luan Herrera (@lbherrera_) on 2021-11-17
    High – CVE-2021-4061: Type Confusion in V8. Reported by Paolo Severini on 2021-11-18
    High – CVE-2021-4062: Heap buffer overflow in BFCache. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-11-22
    High – CVE-2021-4063: Use after free in developer tools. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-11-23
    High – CVE-2021-4064: Use after free in screen capture. Reported by @ginggilBesel on 2021-11-23
    High – CVE-2021-4065: Use after free in autofill. Reported by 5n1p3r0010 on 2021-11-25
    High – CVE-2021-4066: Integer underflow in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2021-11-29
    High – CVE-2021-4067: Use after free in window manager. Reported by @ginggilBesel on 2021-11-29

    These hacks continue to follow a familiar pattern with ‘Use-After-Free’ (UAF) exploits comprising the majority of attacks. Chrome was compromised approximately 30x by UAF attacks from September to November and now another seven can already be added to December. UAF vulnerabilities are memory exploits created when a program fails to clear the pointer to the memory after it is freed.

    Stable Channel Update for Desktop
    https://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html

    The Stable channel has been updated to 96.0.4664.93 for Windows, Mac and Linux which will roll out over the coming days/weeks. Extended stable channel has also been updated to 96.0.4664.93 for Windows and Mac which will roll out over the coming days/weeks.

    Reply
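    An added example in C, not code from the Forbes piece or the Chrome advisory: it models the use-after-free (UAF) pattern those advisories describe (memory released while a pointer to it is still held and later dereferenced) beside two defensive patterns, clearing the pointer at the point of release and reference counting so the object outlives every holder. The Widget type and widget_* functions are made up for the illustration.

```c
/* Added example, not from the article. Models the UAF pattern the Chrome
 * advisories describe and two defences against it. Names are hypothetical. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    int  refcount;
    char name[32];
} Widget;

Widget *widget_new(const char *name) {
    Widget *w = calloc(1, sizeof *w);
    if (!w) return NULL;
    w->refcount = 1;                      /* creator holds the first reference */
    strncpy(w->name, name, sizeof w->name - 1);
    return w;
}

void widget_retain(Widget *w) { if (w) w->refcount++; }

/* Release through a pointer-to-pointer so the caller's variable is cleared:
 * a later accidental use becomes a NULL dereference (a crash) instead of a
 * silent read of heap memory that may already have been reused. */
void widget_release(Widget **pw) {
    if (!pw || !*pw) return;
    if (--(*pw)->refcount == 0) free(*pw);
    *pw = NULL;
}

/* Vulnerable pattern (shown only as a comment, never executed): two raw
 * copies of one pointer. Freeing via `a` leaves `b` dangling, and reading
 * b->name afterwards is the use-after-free.
 *
 *     Widget *a = widget_new("x"); Widget *b = a;
 *     free(a);
 *     use(b->name);   // use after free
 */

/* Defence 1: releasing clears the caller's pointer. Returns 1 on success. */
int demo_release_clears(void) {
    Widget *w = widget_new("menu");
    if (!w) return 0;
    widget_release(&w);
    return w == NULL;
}

/* Defence 2: every holder retains, so the object is freed only when the last
 * holder releases. Returns 1 when `b` still sees a live object after `a`
 * has released, and the final release clears `b` as well. */
int demo_refcounted(void) {
    Widget *a = widget_new("toolbar");
    if (!a) return 0;
    Widget *b = a;
    widget_retain(b);                     /* second holder takes its own ref */
    widget_release(&a);                   /* a == NULL; object survives */
    int alive = (a == NULL && b != NULL && b->refcount == 1 &&
                 strcmp(b->name, "toolbar") == 0);
    widget_release(&b);                   /* last holder: memory actually freed */
    return alive && b == NULL;
}
```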
  44. Tomi Engdahl says:

    Scam calls increasingly come from a spoofed number: this is how Elisa and Traficom are rooting out scams
    https://www.tivi.fi/uutiset/tv/31f2dc55-c825-4b0a-bee3-c17fd2899325
    The Finnish Transport and Communications Agency Traficom is preparing measures to prevent caller number spoofing, which has become common in scam calls. The measures are being sought together with the telecom operators active in Finland.
    The goal is to hamper and prevent the activities of international criminals.

    Reply
  45. Tomi Engdahl says:

    Tor’s main site blocked in Russia as censorship widens https://www.bleepingcomputer.com/news/security/tor-s-main-site-blocked-in-russia-as-censorship-widens/
    The Tor Project’s main website, torproject.org, is actively blocked by Russia’s largest internet service providers, and sources from the country claim that the government is getting ready to conduct an extensive block of the project. Russia’s censorship of Tor’s site started on December 1, 2021, but many initially disregarded it by suggesting it was merely a side effect of experimentation with the Runet, Russia’s sovereign internet project. However, as it now seems to be the case, Russia is undergoing a coordinated action against Tor, orchestrated by Roskomnadzor, the Federal Service for Supervision of Communications, Information Technology and Mass Media.

    Reply
  46. Tomi Engdahl says:

    SSRF vulnerability patched in Jamf Pro mobile security platform https://portswigger.net/daily-swig/ssrf-vulnerability-patched-in-jamf-pro-mobile-security-platform
    A vulnerability in Jamf Pro, a popular mobile device management (MDM) platform for Apple devices, allowed attackers to stage server-side request forgery (SSRF) attacks on the application’s servers, security researchers at Assetnote have found.

    Reply
  47. Tomi Engdahl says:

    Windows URI Handling Flaw Leads to Drive-by Code Execution
    https://www.securityweek.com/windows-uri-handling-flaw-leads-drive-code-execution

    A pair of German security researchers have publicly documented the discovery of a drive-by code execution vulnerability in Windows 10 and criticized Microsoft for botching its response to the still-unfixed security problem.

    The security defect is an argument injection in the Windows 10/11 default handler for ‘ms-officecmd:’ URIs and was successfully chained with mitigation bypasses to launch single-click browser-based exploits on Microsoft’s flagship operating system.

    According to a technical paper published this week, Microsoft silently patched the issue after five months of receiving the vulnerability data (the company has not issued a CVE identifier) but Redmond’s patch “failed to properly address the underlying argument injection.”

    The researchers claim the underlying argument injection weakness is currently still present on Windows 11, the newest version of the operating system.

    From the research paper:

    “Code execution is triggered by a malicious website which performs a Javascript redirect to a crafted ms-officecmd: URI (a scheme used by the Microsoft Office UWP app to launch other Office desktop applications). We exploit an argument injection vulnerability in the URI handler and bypass a security measure in Electron to inject an arbitrary OS command via the --gpu-launcher parameter of the Microsoft Teams Electron app.”

    In addition to exploitation via booby-trapped websites, the researchers warn that hackers could launch these code execution attacks via desktop applications that perform unsafe URL handling.

    Windows 10 RCE: The exploit is in the link
    https://positive.security/blog/ms-officecmd-rce

    TL;DR

    We discovered a drive-by code execution vulnerability on Windows 10 via IE11/Edge Legacy and MS Teams, triggered by an argument injection in the Windows 10/11 default handler for ms-officecmd: URIs
    Exploitation through other browsers requires the victim to accept an inconspicuous confirmation dialog. Alternatively, a malicious URI could be delivered via a desktop application performing unsafe URL handling
    Microsoft Bug Bounty Program’s (MSRC) response was poor: Initially, they misjudged and dismissed the issue entirely. After our appeal, the issue was classified as “Critical, RCE”, but only 10% of the bounty advertised for its classification was awarded ($5k vs $50k). The patch they came up with after 5 months failed to properly address the underlying argument injection (which is currently also still present on Windows 11)
    Our research journey was straightforward: We decided to find a code execution vulnerability in a default Windows 10 URI handler, and succeeded within two weeks. Considering the amount of URI handlers Windows ships with, it seems very likely that others are vulnerable too

    Exploitation/Demo

    Code execution is triggered by a malicious website which performs a Javascript redirect to a crafted ms-officecmd: URI (a scheme used by the Microsoft Office UWP app to launch other Office desktop applications). We exploit an argument injection vulnerability in the URI handler and bypass a security measure in Electron to inject an arbitrary OS command via the --gpu-launcher parameter of the Microsoft Teams Electron app.

    Reply
