Cyber security news January 2022

This posting is here to collect cyber security news in January 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

439 Comments

  1. Tomi Engdahl says:

    MoonBounce: the dark side of UEFI firmware
    https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
    At the end of 2021, we were made aware of a UEFI firmware-level compromise through logs from our Firmware Scanner, which has been integrated into Kaspersky products since the beginning of 2019.
    Further analysis has shown that a single component within the inspected firmware’s image was modified by attackers in a way that allowed them to intercept the original execution flow of the machine’s boot sequence and introduce a sophisticated infection chain. Also:
    https://www.bleepingcomputer.com/news/security/new-moonbounce-uefi-malware-used-by-apt41-in-targeted-attacks/

    Reply
  2. Tomi Engdahl says:

    FBI links Diavol ransomware to the TrickBot cybercrime group
    https://www.bleepingcomputer.com/news/security/fbi-links-diavol-ransomware-to-the-trickbot-cybercrime-group/
    The FBI has formally linked the Diavol ransomware operation to the TrickBot Group, the malware developers behind the notorious TrickBot banking trojan.

    Reply
  3. Tomi Engdahl says:

    US sanctions former Ukrainian official for helping Russian cyberspies https://www.bleepingcomputer.com/news/security/us-sanctions-former-ukrainian-official-for-helping-russian-cyberspies/
    The U.S. Treasury Department announced today sanctions against Volodymyr Oliynyk, a former Ukrainian official, for collecting and sharing info on critical Ukrainian infrastructure with Russia’s Federal Security Service (FSB).

    Reply
  4. Tomi Engdahl says:

    WordPress plugin flaw puts users of 20,000 sites at phishing risk https://www.bleepingcomputer.com/news/security/wordpress-plugin-flaw-puts-users-of-20-000-sites-at-phishing-risk/
    The WordPress WP HTML Mail plugin, installed in over 20,000 sites, is vulnerable to a high-severity flaw that can lead to code injection and the distribution of convincing phishing emails.

    Reply
  5. Tomi Engdahl says:

    Indonesia’s central bank confirms ransomware attack, Conti leaks data https://www.bleepingcomputer.com/news/security/indonesias-central-bank-confirms-ransomware-attack-conti-leaks-data/
    During the incident, the attackers stole “non-critical data” belonging to Bank Indonesia employees before deploying ransomware payloads on over a dozen systems on the bank’s network, as CNN Indonesia reported.

    Reply
  6. Tomi Engdahl says:

    Crypto.com confirms 483 accounts hacked, $34 million withdrawn https://www.bleepingcomputer.com/news/security/cryptocom-confirms-483-accounts-hacked-34-million-withdrawn/
    Crypto.com has confirmed that a multi-million dollar cyber attack led to the compromise of around 400 of its customer accounts. However, the company’s CEO stresses that customer funds are not at risk.

    Reply
  7. Tomi Engdahl says:

    Microsoft: SolarWinds fixes Serv-U bug exploited for Log4j attacks https://www.bleepingcomputer.com/news/microsoft/microsoft-solarwinds-fixes-serv-u-bug-exploited-for-log4j-attacks/
    SolarWinds has patched a new Serv-U vulnerability discovered by Microsoft that threat actors attempted to use to propagate Log4j attacks to internal LDAP servers.

    Reply
  8. Tomi Engdahl says:

    Biden warns of US ‘cyber’ response after Ukraine says computers wiped during attack
    https://www.zdnet.com/article/biden-threatens-cyber-response-after-ukraine-says-computers-wiped-during-attack/#ftag=RSSbaffb68
    US President Joe Biden responded forcefully to reports of a wide-ranging cyberattack on Ukrainian government systems Wednesday afternoon, telling reporters that the US would respond with its own cyberattacks if Russia continues to target Ukraine’s digital infrastructure.

    Reply
  9. Tomi Engdahl says:

    Resurrected jQuery UI Library Haunts Websites, Enterprise Products
    https://www.securityweek.com/resurrected-jquery-ui-library-haunts-some-websites-enterprise-products

    Drupal developers this week informed users about several vulnerabilities discovered in a third-party library that was recently resurrected after it had apparently been discontinued.

    The library in question is jQuery UI, which provides a set of user interface interactions, effects, widgets, and themes built on top of the popular jQuery JavaScript library.

    jQuery is reportedly used by nearly three quarters of the 10 million most popular websites, and at its peak jQuery UI was also used by some of the world’s largest companies.

    A new version of jQuery UI was released in October 2021, but the project was previously believed to have reached end of life as this had been the first new release in five years. The latest release fixes three cross-site scripting (XSS) vulnerabilities that could be exploited for code execution.

    The flaws, classified as medium severity, are tracked as CVE-2021-41182, CVE-2021-41183 and CVE-2021-41184, and they have been patched with the release of jQuery UI 1.13.

    Reply
  10. Tomi Engdahl says:

    WordPress plugin flaw puts users of 20,000 sites at phishing risk
    https://www.bleepingcomputer.com/news/security/wordpress-plugin-flaw-puts-users-of-20-000-sites-at-phishing-risk/
    The WordPress WP HTML Mail plugin, installed in over 20,000 sites, is vulnerable to a high-severity flaw that can lead to code injection and the distribution of convincing phishing emails.
    ‘WP HTML Mail’ is a plugin used for designing custom emails, contact form notifications, and generally tailored messages that online platforms send to their audience.
    The plugin is compatible with WooCommerce, Ninja Forms, BuddyPress, and others. While the number of sites using it isn’t large, many have a large audience, allowing the flaw to affect a significant number of Internet users.

    Reply
  11. Tomi Engdahl says:

    2FA compromise led to $34M Crypto.com hack
    https://techcrunch.com/2022/01/20/2fa-compromise-led-to-34m-crypto-com-hack/?tpcc=tcplusfacebook

    Crypto.com shared new details about a recent hack on its platform last weekend in a statement on its website today, saying 483 of its users were affected and that unauthorized withdrawals of over $15 million worth of ETH, $19 million worth of BTC and $66,200 in “other currencies” occurred. The total losses, worth over $34 million at current cryptocurrency values, are even higher than what analysts had predicted before Crypto.com released its statement.

    The company’s post-mortem comes just one day after CEO Kris Marszalek acknowledged the breach in an interview with Bloomberg TV. His confirmation of the breach came after multiple Crypto.com users alleged their funds had been stolen — complaints that had until then been met with vague responses from the company, referring only to an “incident.” Marszalek did not share details on how the breach occurred during the interview, though he did confirm that Crypto.com had reimbursed all the impacted accounts.

    Today’s statement said Crypto.com detected the suspicious activity on Monday where “transactions were being approved without the 2FA authentication control being inputted by the user.” The site suspended all withdrawals for 14 hours to investigate the issue.

    Crypto.com did not say how the attacker was able to approve transactions without triggering 2FA, which is mandatory for all users.

    The company “revoked all customer 2FA tokens and added additional security hardening measures” before asking customers to log back into the platform and set up their 2FA tokens again, the company says.

    Reply
  12. Tomi Engdahl says:

    Crypto Hacking And Power Outages: Buyers Beware On AWS Cloud https://trib.al/hGed7Xv

    Soon another outage followed the high-profile disruption. And then a third outage rocked AWS users.

    AWS system failures pose more than an inconvenience to users. It can result in customers finding themselves unable to access their own private data and information—and a big and unsuspected bill.

    Insider recently published a report on the “supercharged” incentives for hackers to break into AWS customer accounts and use them to mine cryptocurrencies. The substantial amount of computing that goes into the mining results in unsuspecting customers being hit with bills that are hundreds of times higher than normal. Most of the examples that Insider reviewed were for AWS. They included bombshell $45,000 and $53,000 bills for customers used to paying $150 per month. It noted Google’s report that 86 percent of cloud account breaches were for cryptocurrency mining. Microsoft Azure did not respond.

    This is not to suggest that all cryptocurrency mining on cloud platforms is suspect; however, customers with no relation to cryptocurrency have been hacked by ruthless miners.

    Reporting suggests that AWS customers were inconvenienced with high costs and lock-in and that AWS hacking victims endured inconvenient and drawn-out response and support processes. AWS eventually agreed to waive one massive bill as a “one off exception,” and another customer is still awaiting a resolution nearly two weeks after reporting the charges.

    Reply
  13. Tomi Engdahl says:

    Malware That Can Survive OS Reinstalls Strikes Again, Likely for Cyberespionage
    Antivirus provider Kaspersky discovered the malware, dubbed MoonBounce, on a computer’s UEFI firmware.
    https://uk.pcmag.com/security/138262/malware-that-can-survive-os-reinstalls-strikes-again-likely-for-cyberespionage

    Reply
  14. Tomi Engdahl says:

    Prometheus Hacker Group Uses Traffic Direction System to Deliver Malware Binaries to Targets
    https://gbhackers.com/prometheus-hacker-group/

    Reply
  15. Tomi Engdahl says:

    Red Cross breach could happen to any organization, security community warns
    https://www.scmagazine.com/news/breach/red-cross-breach-could-happen-to-any-organization-security-community-warns

    The security community on Thursday was aghast to learn of the attack by still unknown hackers on the servers of the International Committee of the Red Cross (ICRC).

    The Red Cross reported on Wednesday that hackers breached the data of about 515,000 people, many of whom were vulnerable victims of conflict, migration, and natural disasters. The humanitarian organization said the breach targeted an external contractor in Switzerland that stores data for it.

    According to the Associated Press, while the Red Cross cannot say for sure that its records were stolen, the agency said in a statement: “we feel it is likely — we know they have been inside our system and have had access to our data.”

    While some cybercriminal groups have rules to keep organizations like the Red Cross out of the line of fire, this isn’t a universally adopted position, said Tim Wade, technical director of the CTO Team at Vectra.

    “This attack seems to have little financial gain for the cybercriminals behind it, but we’re increasingly seeing attacks that are just as much about disruption, fear, and discrediting opposing ideologies instead of making money,” Wade said. “Regardless of whether this was targeted or merely opportunistic, it’s clear that every organization faces some level of material cyberthreat today.”

    “No organization, even those that have storied histories of doing good in the world, are safe from a cyberattack,”

    Reply
  16. Tomi Engdahl says:

    Kids won’t stop launching DDoS attacks against their schools
    By Joel Khalili published 1 day ago
    Children as young as nine are using DDoS attacks to take down their school networks
    https://www.techradar.com/news/kids-wont-stop-launching-ddos-attacks-against-their-schools

    The cybercrime unit of the UK National Crime Agency (NCA) is stepping up a program designed to educate children about the ramifications of DDoS attacks.

    According to the report, the volume of such attacks has risen sharply during the pandemic, presumably causing disruption to online learning activities.

    The hope is to divert youngsters away from cybercriminal activity by increasing awareness of the Computer Misuse Act and the consequences of cybercrime.

    “Education is a key pillar in preventing crime and these messages highlight the risks and consequences of committing cyber offences, which can result in a criminal record,” said John Denley, Deputy Director of the NCA’s cybercrime unit.

    Reply
  17. Tomi Engdahl says:

    MoonBounce Malware Hides In Your BIOS Chip, Persists After Drive Formats
    By Mark Tyson published 2 days ago
    It can be installed remotely, too.
    https://www.tomshardware.com/news/moonbounce-malware-hides-in-your-bios-chip-persists-after-drive-formats?utm_source=facebook.com&utm_content=tomsguide&utm_campaign=socialflow&utm_medium=social

    A new type of malware takes a decidedly more stealthy and hard-to-remove path into your OS — it hides in your BIOS chip and thus remains even after you reinstall your OS or format your hard drive.

    Reply
  18. Tomi Engdahl says:

    Log4J: Attackers continue targeting VMware Horizon servers
    VMware has urged customers to apply the latest guidance as a way to resolve vulnerabilities CVE-2021-44228 and CVE-2021-4504.
    https://www.zdnet.com/article/log4j-attackers-continue-targeting-vmware-horizon-servers/

    Reply
  19. Tomi Engdahl says:

    Critical Bugs in Control Web Panel Expose Linux Servers to RCE Attacks
    https://thehackernews.com/2022/01/critical-bugs-in-control-web-panel.html

    Reply
  20. Tomi Engdahl says:

    How a Russian cyberwar in Ukraine could ripple out globally
    Soldiers and tanks may care about national borders. Cyber doesn’t.
    https://www.technologyreview.com/2022/01/21/1043980/how-a-russian-cyberwar-in-ukraine-could-ripple-out-globally/

    Russia has sent more than 100,000 soldiers to the nation’s border with Ukraine, threatening a war unlike anything Europe has seen in decades. Though there hasn’t been any shooting yet, cyber operations are already underway.

    Last week, hackers defaced dozens of government websites in Ukraine, a technically simple but attention-grabbing act that generated global headlines. More quietly, they also placed destructive malware inside Ukrainian government agencies, an operation first discovered by researchers at Microsoft. It’s not clear yet who is responsible, but Russia is the leading suspect.

    But while Ukraine continues to feel the brunt of Russia’s attacks, government and cybersecurity experts are worried that these hacking offensives could spill out globally, threatening Europe, the United States, and beyond.

    The parallels are clear: NotPetya was a Russian cyberattack targeting Ukraine during a time of high tensions.

    “Aggressive cyber operations are tools that can be used before bullets and missiles fly,” says John Hultquist, head of intelligence for the cybersecurity firm Mandiant. “For that exact reason, it’s a tool that can be used against the United States and allies as the situation further deteriorates. Especially if the US and its allies take a more aggressive stance against Russia.”

    Reply
  21. Tomi Engdahl says:

    Log4j: Mirai botnet found targeting ZyXEL networking devices
    A report explained that the Log4j vulnerability is being used to “infect and assist in the proliferation of malware used by the Mirai botnet.”
    https://www.zdnet.com/article/log4j-mirai-ddos-botnet-targeting-zyxel-networking-devices/

    An Akamai researcher has discovered an attempt to use Log4j vulnerabilities in ZyXEL networking devices to “infect and assist in the proliferation of malware used by the Mirai botnet.”

    Reply
  22. Tomi Engdahl says:

    Emotet Now Using Unconventional IP Address Formats to Evade Detection
    https://thehackernews.com/2022/01/emotet-now-using-unconventional-ip.html

    Social engineering campaigns involving the deployment of the Emotet malware botnet have been observed using “unconventional” IP address formats for the first time in a bid to sidestep detection by security solutions.

    This involves the use of hexadecimal and octal representations of the IP address that, when processed by the underlying operating systems, get automatically converted “to the dotted decimal quad representation to initiate the request from the remote servers,” Trend Micro’s Threat Analyst, Ian Kenefick, said in a report Friday.

    Reply
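A defender-side normalizer for the hexadecimal and octal IP forms described in the comment above, as an added C example that is not code from the Trend Micro report. It applies the same inet_aton() rules the operating system uses, so it also covers the decimal-dword and mixed forms that the same conversion accepts; the sample strings are constructed, not indicators from the campaign.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse an IPv4 literal with the same leniency as inet_aton(): one to
 * four '.'-separated parts, each decimal, octal (leading 0) or hex
 * (leading 0x), with the last part filling all remaining bytes.  On
 * success writes the canonical dotted-decimal form to out and returns 1;
 * returns 0 when the text is not an IPv4 literal in any of those forms. */
int normalize_ipv4(const char *text, char *out, size_t outlen)
{
    unsigned long parts[4];
    int n = 0;
    const char *p = text;

    if (text == NULL || out == NULL)
        return 0;
    for (;;) {
        char *end;
        /* Each part must start with a digit or hex letter; this also
         * rejects the leading whitespace and signs strtoul would accept. */
        if (n == 4 || !isxdigit((unsigned char)*p))
            return 0;
        errno = 0;
        parts[n] = strtoul(p, &end, 0);   /* base 0: 0x.. hex, 0.. octal */
        if (errno != 0 || end == p)
            return 0;
        n++;
        p = end;
        if (*p == '\0')
            break;
        if (*p != '.')
            return 0;
        p++;
    }

    /* All parts but the last are single bytes; the last spans the rest. */
    uint32_t addr = 0;
    for (int i = 0; i < n - 1; i++) {
        if (parts[i] > 0xFF)
            return 0;
        addr |= (uint32_t)parts[i] << (24 - 8 * i);
    }
    int rest_bits = 8 * (5 - n);              /* 8, 16, 24 or 32 */
    if (parts[n - 1] > 0xFFFFFFFFUL ||
        (rest_bits < 32 && (parts[n - 1] >> rest_bits) != 0))
        return 0;
    addr |= (uint32_t)parts[n - 1];

    int len = snprintf(out, outlen, "%u.%u.%u.%u",
                       (unsigned)(addr >> 24), (unsigned)((addr >> 16) & 0xFF),
                       (unsigned)((addr >> 8) & 0xFF), (unsigned)(addr & 0xFF));
    return len > 0 && (size_t)len < outlen;
}

/* Detection rule: a host that inet_aton() accepts but whose text differs
 * from the canonical dotted-decimal form is an obfuscated IP literal. */
int is_obfuscated_ipv4(const char *text)
{
    char canon[16];
    return normalize_ipv4(text, canon, sizeof canon) && strcmp(text, canon) != 0;
}

int main(void)
{
    /* Constructed samples, not indicators from any real campaign. */
    const char *samples[] = {
        "0xb907d607",            /* hex dword            */
        "0056.0151.0121.0114",   /* octal parts          */
        "3232235777",            /* decimal dword        */
        "192.168.1.1",           /* plain, not flagged   */
        "256.1.1.1",             /* not an IPv4 literal  */
        "example.com",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char canon[16];
        if (normalize_ipv4(samples[i], canon, sizeof canon))
            printf("%-22s -> %-15s %s\n", samples[i], canon,
                   is_obfuscated_ipv4(samples[i]) ? "OBFUSCATED" : "plain");
        else
            printf("%-22s -> not an IPv4 literal\n", samples[i]);
    }
    return 0;
}
```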
  23. Tomi Engdahl says:

    Linux Servers at Risk of RCE Due to Critical CWP Bugs
    https://threatpost.com/linux-servers-rce-critical-cwp-bugs/177906/

    The two flaws in Control Web Panel – a popular web hosting management software used by 200K+ servers – allow code execution as root on Linux servers.

    Researchers have discovered two critical bugs in Control Web Panel (CWP) – a popular web hosting management software used by 200K+ servers – that could allow for remote code execution (RCE) as root on vulnerable Linux servers.

    CWP, formerly known as CentOS Web Panel, is an open-source Linux control panel software used for creating and managing web hosting environments. The software supports the operating systems CentOS, Rocky Linux, Alma Linux and Oracle Linux.

    Reply
  24. Tomi Engdahl says:

    Pervert software engineer, 32, is jailed for 26 months after hacking into schoolgirl’s webcam and secretly filming her showering and undressing in campaign of voyeurism that saw him spy on more than 30 victims
    https://www.dailymail.co.uk/news/article-10393883/Pervert-software-engineer-32-jailed-26-months-hacking-schoolgirls-webcam.html

    Reply
  25. Tomi Engdahl says:

    Minecraft DDoS Attack Leaves Small European Country Without Internet
    By Mark Tyson published 1 day ago
    You won’t get caught if you hide behind someone.
    https://www.tomshardware.com/news/minecraft-ddos-attack-leaves-small-european-country-without-internet?utm_content=tomsguide&utm_source=facebook.com&utm_medium=social&utm_campaign=socialflow

    Andorra Telecom, the only ISP in the principality of Andorra, suffered repeated distributed denial-of-service (DDoS) attacks during a multi-day Twitch gaming tournament. The DDoS attacks occurred during the scheduled SquidCraft Games tournament in Minecraft, one of the most successful Twitch Rivals tournaments ever broadcast. Eight or more Andorran streamers were eliminated from the Twitch tournament after the second day of attacks due to their repeated disconnects. There is some suspicion that perpetrators planned the DDoS attacks on Andorra Telecom to cheat the Andorrans of their chance to win the $100,000 pot.

    Ordinary Andorran Internet Users Become Collateral Damage in the SquidCraft Games

    Reply
  26. Tomi Engdahl says:

    “Cyber Partisans” struck at Russian troop transports https://www.is.fi/digitoday/tietoturva/art-2000008564395.html

    Hackers say they encrypted Belarusian Railway servers in protest
    https://www.bleepingcomputer.com/news/security/hackers-say-they-encrypted-belarusian-railway-servers-in-protest/

    A group of hackers (known as Belarusian Cyber-Partisans) claim they breached and encrypted servers belonging to the Belarusian Railway, Belarus’s national state-owned railway company.

    They say their attack was prompted by Russia using Belarusian Railway’s rail transport network to move military units and equipment into the country.

    “We encrypted some of BR’s servers, databases and workstations to disrupt its operations. Automation and security systems were NOT affected to avoid emergency situations.”

    The Belarusian Cyber-Partisans hacktivists say they have the encryption keys for the compromised Belarusian Railway servers. They added that they’re also ready to return the systems to normal mode under some conditions.

    They ask for the release of 50 political prisoners in need of medical assistance and want the Russian troops out of Belarus.

    On their Telegram channel, the group also shared screenshots from systems compromised in the incident, showing they had access to internal Belarusian Railway systems, Veeam backup servers, the Windows domain controller, and the backup server that contains tens of terabytes allegedly awaiting destruction.

    One of the snapshots also shows the Belarusian Railway’s online ticket service throwing an error when running an SQL query.

    While Belarusian Railway has not issued an official statement, the company published an ‘Attention passengers!’ alert on its website today warning of ongoing problems with issuing electronic travel documents.

    “For technical reasons, reference web-resources of the Belarusian Railways and services for issuing electronic travel documents are temporarily unavailable. To arrange travel and return electronic travel documents, please contact the ticket office.” the company says.

    The hackers say today’s attack is part of a more extensive campaign they dubbed “Inferno,” “the largest sabotage cyberattacks in the history of Belarus.”

    Reply
  27. Tomi Engdahl says:

    Hacktivists say they hacked Belarus rail system to stop Russian military buildup
    If confirmed, the attack would be one of the first times ransomware has been used this way.
    https://arstechnica.com/information-technology/2022/01/hactivists-say-they-hacked-belarus-rail-system-to-stop-russian-military-buildup/

    Reply
  29. Tomi Engdahl says:

    A bug lurking for 12 years gives attackers root on every major Linux distro
    It’s likely only a matter of time until PwnKit is exploited in the wild.
    https://arstechnica.com/information-technology/2022/01/a-bug-lurking-for-12-years-gives-attackers-root-on-every-major-linux-distro/

    Linux users on Tuesday got a major dose of bad news—a 12-year-old vulnerability in a system tool called Polkit gives attackers unfettered root privileges on machines running any major distribution of the open source operating system.

    Previously called PolicyKit, Polkit manages system-wide privileges in Unix-like OSes. It provides a mechanism for nonprivileged processes to safely interact with privileged processes. It also allows users to execute commands with high privileges by using a component called pkexec, followed by the command.

    Trivial to exploit and 100 percent reliable

    Since 2009, pkexec has contained a memory-corruption vulnerability that people with limited control of a vulnerable machine can exploit to escalate privileges all the way to root. Exploiting the flaw is trivial and, by some accounts, 100 percent reliable. Attackers who already have a toehold on a vulnerable machine can abuse the vulnerability to ensure a malicious payload or command runs with the highest system rights available. PwnKit, as researchers are calling the vulnerability, is also exploitable even if the Polkit daemon itself isn’t running.

    PwnKit was discovered by researchers from security firm Qualys in November and was disclosed on Tuesday after being patched in most Linux distributions.

    Reply
  30. Tomi Engdahl says:

    Let’s Encrypt is revoking lots of SSL certificates in two days
    https://www.bleepingcomputer.com/news/security/lets-encrypt-is-revoking-lots-of-ssl-certificates-in-two-days/

    Let’s Encrypt will begin revoking certain SSL/TLS certificates issued within the last 90 days starting January 28, 2022. The move could impact millions of active Let’s Encrypt certificates.

    As a non-profit certificate authority run by Internet Security Research Group (ISRG), Let’s Encrypt provides X.509 certificates for Transport Layer Security encryption at no cost.

    The certificate authority had to make two changes to how its TLS-ALPN-01 challenge validation works.

    “All active certificates that were issued and validated with the TLS-ALPN-01 challenge before 00:48 UTC on 26 January 2022 when our fix was deployed are considered mis-issued,” explains Let’s Encrypt Site Reliability Engineer (SRE), Jillian.

    To comply with Let’s Encrypt Certificate Policy, which requires the certificate authority to invalidate a Certificate within 5 days under certain conditions, the non-profit will begin revoking certificates at 16:00 UTC on January 28th, 2022.

    “We estimate [less than] 1% of active certificates are affected. Subscribers affected by revocations will receive e-mail notifications if their ACME account contains a valid e-mail address. If you are affected by this revocation and need help renewing your certificate please ask questions in this thread,” further explains the engineer.

    Reply
  31. Tomi Engdahl says:

    Hackers Trying to Prevent War by Disrupting Railway Used by Russian Military
    https://lm.facebook.com/l.php?u=https%3A%2F%2Ffuturism.com%2Fthe-byte%2Fhackers-railway-russian-military&h=AT0DXdYiFGMF29p5T-LbU2sWANo4unxaDyCNRLAFb5fVGLELt8OsC012NIgP4MP8rQlJ1KTdMFVTbAWRdBHiCQWlf-4OAnE1fGNzz5haHilE6wo0ON9yxUjNAEEAhzvgcQ

    Tensions are high between Ukraine and Russia right now — and hacktivists are trying to tip the scales. 

    As the Russian military gathers forces near the Ukrainian border, a hacktivist group known as Cyber Partisans are claiming they’ve hacked a Belarusian railway system to disrupt weaponry buildup, Ars Technica reports. 

    The railway is allegedly used by the Russian military to funnel weapons into a region of Belarus, a key strategic area for Moscow if they want to invade Ukraine. The hacktivist group called on Belarus President Alexander Lukashenko to stop aiding the Russian military. 

    Cyber Partisans appears to have used ransomware to shut down the railway. While the Belarusian government has yet to publicly acknowledge the attack, the railway itself did release a statement to travelers announcing “technical reasons” for delayed travel.

    It’s yet to be confirmed conclusively whether ransomware was used, but one cybersecurity expert told Ars that the images the group used to establish their hack show that ransomware could be used as a “tool for the underdog in what amounts to a revolutionary struggle.”

    Let’s be clear: this is very unlikely to deter Russian forces for long. However, it’s still a very scrappy, cyberpunk way to try and thwart a military takeover of Ukraine — and at least slow down the potential onslaught of World War III. 

    Reply
  32. Tomi Engdahl says:

    Android malware BRATA wipes your device after stealing data
    https://www.bleepingcomputer.com/news/security/android-malware-brata-wipes-your-device-after-stealing-data/

    The Android malware known as BRATA has added new and dangerous features to its latest version, including GPS tracking, the capacity to use multiple communication channels, and a function that performs a factory reset on the device to wipe all traces of malicious activity.

    BRATA was first spotted by Kaspersky back in 2019 as an Android RAT (remote access tool) that mainly targeted Brazilian users.

    In December 2021, a report by Cleafy underscored the emergence of the malware in Europe, where it was seen targeting e-banking users.

    Reply
  33. Tomi Engdahl says:

    12-Year-Old Polkit Flaw Lets Unprivileged Linux Users Gain Root Access
    https://thehackernews.com/2022/01/12-year-old-polkit-flaw-lets.html

    A 12-year-old security vulnerability has been disclosed in a system utility called Polkit that grants attackers root privileges on Linux systems, even as a proof-of-concept (PoC) exploit has emerged in the wild merely hours after technical details of the bug became public.

    Dubbed “PwnKit” by cybersecurity firm Qualys, the weakness impacts a component in polkit called pkexec, a program that’s installed by default on every major Linux distribution such as Ubuntu, Debian, Fedora, and CentOS.

    Polkit (formerly called PolicyKit) is a toolkit for controlling system-wide privileges in Unix-like operating systems, and provides a mechanism for non-privileged processes to communicate with privileged processes.

    “This vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration,” Bharat Jogi, director of vulnerability and threat research at Qualys, said, adding it “has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009.”

    The flaw, which concerns a case of memory corruption and has been assigned the identifier CVE-2021-4034, was reported to Linux vendors on November 18, 2021, following which patches have been issued by Debian, Red Hat, and Ubuntu.

    pkexec, analogous to the sudo command, allows an authorized user to execute commands as another user, doubling as an alternative to sudo. If no username is specified, the command to be executed will be run as the administrative super user, root.

    PwnKit stems from an out-of-bounds write that enables the reintroduction of “unsecure” environment variables into pkexec’s environment. While this vulnerability is not remotely exploitable, an attacker that has already established a foothold on a system via another means can weaponize the flaw to achieve full root privileges.

    Complicating matters is the emergence of a PoC in the wild, which CERT/CC vulnerability analyst Will Dormann called “simple and universal,” making it absolutely vital that the patches are applied as soon as possible to contain potential threats.

    The development marks the second security flaw uncovered in Polkit in as many years. In June 2021, GitHub security researcher Kevin Backhouse revealed details of a seven-year-old privilege escalation vulnerability (CVE-2021-3560) that could be abused to escalate permissions to the root user.

    On top of that, the disclosure also arrives close on the heels of a security flaw affecting the Linux kernel (CVE-2022-0185) that could be exploited by an attacker with access to a system as an unprivileged user to escalate those rights to root and break out of containers in Kubernetes setups.

    RHSB-2022-001 Polkit Privilege Escalation – (CVE-2021-4034)
    https://access.redhat.com/security/vulnerabilities/RHSB-2022-001

    Red Hat is aware of a vulnerability found in pkexec that allows an authenticated user to perform a privilege escalation attack.

    The polkit package is designed to define and handle policies that allow unprivileged processes to communicate with privileged processes on a Linux system. Pkexec, part of polkit, is a tool that allows the user to execute commands as another user according to the polkit policy definitions using the setuid feature. The vulnerability found in pkexec allows an unprivileged local attacker to escalate privileges, bypassing any authentication and policies due to incorrect handling of the process’s argument vector.

    This issue is assigned CVE-2021-4034 rated with a severity impact of Important.

    The following Red Hat product versions are affected. “Affected” means that the vulnerability is present in the product’s code, irrespective of the usage or mitigations, which may address if the product is vulnerable.

    Red Hat Enterprise Linux 6

    Red Hat Enterprise Linux 7

    Red Hat Enterprise Linux 8

    Red Hat Virtualization 4

    Technical summary

    The pkexec program does not properly validate the amount of arguments passed to it. This issue eventually leads to attempts to execute environment variables as commands. When properly exploited, this issue leads pkexec to execute arbitrary code as a privileged user, granting the attacker a local privilege escalation. Refer to CVE-2021-4034 for more details.

    Mitigation

    Red Hat Product Security strongly recommends affected customers update the polkit package once it is available. For customers who cannot update immediately, the issue can be mitigated by executing the following steps:

    1. Install the following required systemtap packages and dependencies: https://access.redhat.com/solutions/5441.

    2. Install polkit debug info:

    debuginfo-install polkit

    3. Create the following systemtap script, and name it pkexec-block.stp:

    probe process("/usr/bin/pkexec").function("main") {
        if (cmdline_arg(1) == "")
            raise(9);
    }

    4. Load the systemtap module into the running kernel:

    stap -g -F -m stap_pkexec_block pkexec-block.stp

    5. Ensure the module is loaded:

    lsmod | grep -i stap_pkexec_block

    stap_pkexec_block 434176 0

    6. Once the polkit package is updated to the version containing the fix, remove the systemtap generated kernel module by running:

    rmmod stap_pkexec_block

    After using the rmmod command, a system reboot isn’t required.

    Note: If the system is rebooted, the module generated by the systemtap needs to be reloaded into the kernel. To do that, navigate to the directory where the mitigation script was created and follow steps 4 and 5.

    Once the mitigation above is performed, pkexec will continue to work as expected for legitimate use cases.

    Note: This mitigation doesn’t work for Secure Boot enabled systems as SystemTap would require an external compiling server to have the ability to sign the generated kernel module with a key enrolled into the Kernel’s keyring.

    https://access.redhat.com/security/cve/CVE-2021-4034

    Reply
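The advisory above (and the Register and SecurityWeek pieces that follow it) describe the bug as pkexec "not properly validating the amount of arguments" and ending up with an out-of-bounds write while locating the program to run. The following is an added illustration, not code from the Red Hat advisory, from polkit, or from Qualys: it models the argument scan on a constructed in-process copy of the argv/envp block the kernel lays out for execve(), so the argc == 0 case can be stepped through without a setuid binary. The functions scan_vulnerable, scan_fixed, build_exec_block, resolve_in_path and env_clobbered, and the sample strings demo_argv and demo_env, are all assumptions made for the example; scan_vulnerable is a simplified model of the described logic, not pkexec's source, and resolve_in_path stands in for a PATH lookup.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local copy helper (avoids relying on strdup being exposed by the compiler mode). */
static char *copy_str(const char *s)
{
    size_t len = strlen(s) + 1;
    char *d = malloc(len);
    if (d == NULL) abort();
    memcpy(d, s, len);
    return d;
}

/*
 * Constructed stand-in for the block the kernel lays out for execve():
 * argv[0..argc-1], NULL, envp[0..envc-1], NULL, all contiguous. Hence
 * argv[argc + 1] is the same memory as envp[0], and with argc == 0 the
 * "first argument" argv[1] is really the first environment string.
 */
static char **build_exec_block(int argc, const char *const *argv,
                               int envc, const char *const *envp)
{
    char **vec = calloc((size_t)argc + 1 + (size_t)envc + 1, sizeof *vec);
    if (vec == NULL) abort();
    for (int i = 0; i < argc; i++) vec[i] = copy_str(argv[i]);
    vec[argc] = NULL;                                   /* argv terminator */
    for (int i = 0; i < envc; i++) vec[argc + 1 + i] = copy_str(envp[i]);
    vec[argc + 1 + envc] = NULL;                        /* envp terminator */
    return vec;
}

/* Stand-in for a PATH lookup (pkexec uses g_find_program_in_path). */
static char *resolve_in_path(const char *name)
{
    size_t len = strlen("/usr/bin/") + strlen(name) + 1;
    char *s = malloc(len);
    if (s == NULL) abort();
    snprintf(s, len, "/usr/bin/%s", name);
    return s;
}

/*
 * Argument scan modelled on the flaw the advisory describes. It assumes argv[1]
 * exists, takes the first non-option as the program to run, and writes the
 * resolved path back into that slot. Returns the slot index used, or -1.
 */
static int scan_vulnerable(int argc, char **argv)
{
    int n;
    for (n = 1; n < argc; n++)
        if (strncmp(argv[n], "--", 2) != 0) break;      /* first non-option */
    char *path = argv[n];                               /* no check that n < argc */
    if (path == NULL) return -1;                        /* plain "pkexec": usage error */
    if (path[0] != '/')
        argv[n] = resolve_in_path(path);                /* lands in envp[0] when argc == 0 */
    return n;
}

/* The same scan with the missing bounds checks in place. */
static int scan_fixed(int argc, char **argv)
{
    int n;
    if (argc < 1) return -1;                            /* refuse an empty argument vector */
    for (n = 1; n < argc; n++)
        if (strncmp(argv[n], "--", 2) != 0) break;
    if (n >= argc) return -1;                           /* no command given */
    if (argv[n][0] != '/')
        argv[n] = resolve_in_path(argv[n]);
    return n;
}

/* Constructed sample inputs for the scenarios below. */
static const char *const demo_argv[] = { "pkexec", "id" };
static const char *const demo_env[]  = { "FOO=bar" };

/*
 * Builds a block with the first argc entries of demo_argv plus one env string,
 * runs scan over it, and returns 1 if envp[0] was overwritten, 0 if intact.
 */
static int env_clobbered(int (*scan)(int, char **), int argc)
{
    char **vec = build_exec_block(argc, demo_argv, 1, demo_env);
    scan(argc, vec);
    return strcmp(vec[argc + 1], "FOO=bar") != 0;
}

int main(void)
{
    /* Normal call: argv[1] == "id" is resolved in place; the environment is untouched. */
    printf("argc=2 vulnerable scan clobbers env: %d\n", env_clobbered(scan_vulnerable, 2));
    /* execve(path, {NULL}, env) gives argc == 0: the vulnerable scan rewrites envp[0]. */
    printf("argc=0 vulnerable scan clobbers env: %d\n", env_clobbered(scan_vulnerable, 0));
    printf("argc=0 fixed scan clobbers env:      %d\n", env_clobbered(scan_fixed, 0));
    return 0;
}
```

Build with `cc -std=c99 -Wall pwnkit_argv.c -o pwnkit_argv` and run it. The model deliberately stops at the out-of-bounds write into the environment; it has no setuid bit and reproduces none of the steps that turn that write into code execution. Note how the condition scan_fixed rejects first (argc < 1) is the same situation the Red Hat SystemTap mitigation detects when cmdline_arg(1) is empty, which is why killing pkexec at main() in that case blocks the bug while leaving ordinary invocations alone.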
  34. Tomi Engdahl says:

    Linux distros haunted by Polkit-geist for 12+ years: Bug grants root access to any user
    What happens when argc is zero and a SUID program doesn’t care? Let’s find out!
    https://www.theregister.com/2022/01/26/pwnkit_vulnerability_linuix/

    Linux vendors on Tuesday issued patches for a memory corruption vulnerability in a component called polkit that allows an unprivileged logged-in user to gain full root access on a system in its default configuration.

    Security vendor Qualys found the flaw and published details in a coordinated disclosure.

    Polkit, previously known as PolicyKit, is a tool for setting up policies governing how unprivileged processes interact with privileged ones. The vulnerability resides within polkit’s pkexec, a SUID-root program that’s installed by default on all major Linux distributions. Designated CVE-2021-4034, the vulnerability has been given a CVSS score of 7.8.

    Reply
  35. Tomi Engdahl says:

    Polkit Vulnerability Provides Root Privileges on Linux Systems
    https://www.securityweek.com/polkit-vulnerability-provides-root-privileges-linux-systems

    Qualys security researchers warn of an easily exploitable privilege escalation vulnerability in polkit’s pkexec, a SUID-root program found in all Linux distributions.

    Formerly PolicyKit, Polkit is a component in Unix-like operating systems used to control system-wide privileges, allowing non-privileged processes to communicate with privileged ones. Polkit’s pkexec command can be used to execute commands with root privileges.

    The security flaw – which is identified as CVE-2021-4034 and named PwnKit – has been around for more than 12 years, being introduced in pkexec in May 2009. Qualys has verified that default installations of CentOS, Debian, Fedora, and Ubuntu are vulnerable and warns that other Linux distributions might be vulnerable as well.

    “Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host,” Qualys notes.

    The root cause of the issue is an out-of-bounds write that is created when pkexec’s main function processes command-line arguments and attempts to locate the program to be executed.

    Reply
  36. Tomi Engdahl says:

    Apple Patches ‘Actively Exploited’ iOS Security Flaw
    https://www.securityweek.com/apple-patches-actively-exploited-ios-security-flaw

    Apple late Wednesday pushed out an urgent iOS update with fixes for 11 documented security flaws and warned that one of the vulnerabilities “may have been actively exploited.”

    In a barebones advisory, Apple acknowledged the zero-day took aim at a memory corruption issue in IOMobileFrameBuffer, an oft-targeted iOS kernel extension.

    The CVE-2022-22587 bug is described simply as a memory corruption issue that allows a malicious application to execute arbitrary code with kernel privileges.

    “Apple is aware of a report that this issue may have been actively exploited,” the company said cryptically. Interestingly, Apple credited three different researchers for reporting the flaw and helping with the patch.

    About the security content of iOS 15.3 and iPadOS 15.3
    https://support.apple.com/en-us/HT213053

    Reply
  37. Tomi Engdahl says:

    Apple Pays Out $100,000 for Webcam, User Account Hacking Exploit
    https://www.securityweek.com/apple-pays-out-100000-user-account-webcam-hacking-exploit

    A security researcher claims to have received a significant bug bounty from Apple for reporting a series of Safari and macOS vulnerabilities that could have been exploited to hijack a user’s online accounts and webcam.

    Reply
