Weekly cyber-facts in review 14/03/21

Oct 01, 2021
Page 1: Weekly cyber-facts in review

Weekly cyber-facts in review

14/03/21

Page 2: Weekly cyber-facts in review

Vulnerabilities In Review

Page 3: Weekly cyber-facts in review

This month, Microsoft has fixed 82 flaws and 2 zero-days in its Patch Tuesday. 10 of them are classified as critical and the rest are classified as important. Among them we can find updates for Microsoft Exchange servers, which are being targeted by at least 10 APT groups from all around the world (and which we will return to later in this report).

Microsoft March 2021 Patch Tuesday

SAP's March 2021 Security Patch Day updates include 9 new security notes. Two of those refer to two critical vulnerabilities affecting the company's NetWeaver Application Server and Manufacturing Integration and Intelligence products. Exploitation of these vulnerabilities allows attackers to access SAP databases and tamper with records, move laterally to other servers, inject malware, and modify network configuration to potentially compromise internal networks.

SAP Security Patch Day – March 2021

Microsoft, as part of its March patch cycle, has also released new cumulative updates for all supported versions of Windows 10, tracked as KB5000808 & KB5000802. After administrators installed these updates, an error was displayed and Windows 10 crashed when printing. To resolve this error, users must uninstall both updates.

Windows 10 Cumulative Updates

Page 4: Weekly cyber-facts in review

Multiple Cisco products are affected by a vulnerability in the Ethernet Frame Decoder of the Snort detection engine that could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition. Exploitation of this vulnerability allows an attacker to exhaust disk space on the affected device, which could result in administrators being unable to log in to the device or the device being unable to boot up correctly.

Multiple Cisco products using the Snort Ethernet Frame Decoder are vulnerable to DoS

F5 Networks has alerted its customers to patch as soon as possible four critical vulnerabilities affecting most BIG-IP and BIG-IQ software versions. Exploitation of those could lead to full system compromise, including interception of controller application traffic and lateral movement to the internal network.

F5 Networks has patched critical vulnerabilities affecting most BIG-IP and BIG-IQ software versions

QNAP has addressed a critical security vulnerability in the Surveillance Station app that allows attackers to execute malicious code remotely on network-attached storage (NAS) devices running the vulnerable software. The critical vulnerability is already fixed in versions 5.1.5.4.3 and 5.1.5.3.3.

QNAP patches critical vulnerability in Surveillance Station NAS app

On Tuesday, Adobe released patches for critical code execution vulnerabilities affecting its Connect, Creative Cloud, and Framemaker products.

Available patches for Adobe Connect, Adobe Creative Cloud and Adobe Framemaker

Page 5: Weekly cyber-facts in review

Issues to keep in mind

Page 6: Weekly cyber-facts in review


VMware releases fix for severe View Planner RCE vulnerability

VMware has addressed a high severity unauthenticated RCE vulnerability affecting VMware View Planner, allowing attackers to abuse servers running unpatched software for remote code execution.

It is known that multiple attackers are scanning for vulnerable VMware servers and that thousands of unpatched vCenter servers are reachable over the Internet. That is why VMware is warning its customers to patch as soon as possible.

Unpatched flaws in Netgear

A total of 15 vulnerabilities have been identified in ProSAFE Plus JGS516PE and GS116Ev2 business switches from Netgear. The most important of these bugs is rated as critical and allows an unauthorized user to execute remote code.

These vulnerabilities could lead to attackers taking full control of systems.

Serious vulnerabilities in Schneider Electric Power Meters

Two critical vulnerabilities have been identified in PowerLogic ION and PM series smart meters. These could be exploited remotely by an unauthorized attacker, allowing them to cause the targeted meter to reboot and possibly even to execute arbitrary code.

Users of the affected Schneider Electric products should apply the patches and mitigations to prevent potential attacks, particularly since information about the flaws has been made public.

Page 7: Weekly cyber-facts in review

Phishing in Review (1/2)

Page 8: Weekly cyber-facts in review

Phishing campaign using fake compliance audit alerts

The US Financial Industry Regulatory Authority (FINRA) has issued a regulatory notice warning US brokerage firms and brokers of an ongoing phishing campaign using fake compliance audit alerts to harvest information. The messages are being sent from finra-online[.]com, a recently registered web domain spoofing a legitimate FINRA website.

It has been discovered that the TA800 threat group is distributing the NimzaLoader malware through spear-phishing. The malware is written in the Nim language and is believed to be a variant of BazaLoader, malware previously used by the group.

TA800 group is distributing malware via spear-phishing

Google reCAPTCHA Phishing

Microsoft users are being targeted with thousands of phishing emails with the aim of stealing their Office 365 credentials. The attackers add a fake Google reCAPTCHA system and top-level domain landing pages that include the logos of victims' companies to appear legitimate.

Domains used in COVID-19 vaccine phishing

The U.S. Department of Justice has seized several domains that have been used by attackers in COVID-19 vaccine-related phishing attacks. The latest domain impersonates an official site of a biotechnology company involved in the development of the COVID-19 vaccine.

Page 9: Weekly cyber-facts in review

Phishing in Review (2/2)

Page 10: Weekly cyber-facts in review

Phishing campaign impersonating BBVA

A malicious email campaign that attempts to infect victims' devices with malware has been detected. Threat actors impersonate the BBVA bank in order to simulate the payment of a transfer in favor of the victim, related to invoices.

Phishing campaign impersonating Ibercaja

In this campaign attackers send fraudulent emails with the subject "New PSD2 standard", in which they claim that, to comply with the European PSD2 security regulation, the recipient's next access to Ibercaja must be done by filling in their data. The aim of this campaign is to steal clients' credentials.

Phishing campaign impersonating Santander Bank

A phishing campaign has been detected in which Banco Santander is impersonated in order to steal customers' credentials. The message tells the victim that if they do not verify their personal data their account will be deleted, so when they access the link provided, they are redirected to a fake website of the bank where their credentials are stolen.

Page 11: Weekly cyber-facts in review

Ransomware in Review

Page 12: Weekly cyber-facts in review

The State Public Employment Service (SEPE) has suffered an attack with the Ryuk ransomware. This attack has led to delays in managing thousands of appointments throughout Spain. The measures that have been implemented are the communication of the incident to CCN-CERT and McAfee, the shutdown of all communications interfaces in the routers of all centers in order to isolate the network, and the isolation of all central service VLANs.

SEPE has suffered a ransomware attack

New extortion techniques used by REvil operators

The operators of the REvil ransomware contacted professionals in February to add new extortion techniques. Attackers now not only threaten their victims with posting the files they steal from them, but they also appear to be executing DDoS attacks and VoIP calls.

It has been discovered that the DearCry ransomware is being installed on Microsoft Exchange servers using the recent ProxyLogon vulnerabilities that compromised Microsoft Exchange servers in early March 2021.

Threat actors install the DearCry ransomware on Microsoft Exchange servers

Page 13: Weekly cyber-facts in review

Malware in Review

Page 14: Weekly cyber-facts in review

A new backdoor called Sunshuttle or GoldMax, which is associated with the SolarWinds attack, has been identified. It has been attributed to the threat group UNC2452, and was first identified on March 4, targeting entities in the United States, although it has global impact potential.

New backdoor identified

New variant of Gafgyt botnet

A new variant of the Gafgyt botnet, called Gafgyt_tor, has been identified; it targets vulnerable IoT devices and D-Link devices using Tor communications. The botnet was first identified in 2014 and the threat group behind it is unknown. The entry vectors exploited by Gafgyt are weak Telnet passwords and vulnerabilities (especially CVE-2019-16920 in D-Link devices and the Citrix CVE-2019-19781).

Page 15: Weekly cyber-facts in review

Data Leaks in Review

Page 16: Weekly cyber-facts in review

Passenger and customer data from numerous airlines has been affected by a data breach suffered by SITA, an international telecommunications company. Airlines that have confirmed that they have been affected are Lufthansa, Air New Zealand, Singapore Airlines, SAS, Cathay Pacific, Jeju Air, Malaysia Airlines and Finnair, although Japan Airlines is believed to have also been affected.

SITA has suffered a data breach

Breach exposes Verkada security cameras

Hackers claim to have gained unauthorized access to live feeds of 150,000 security cameras after a breach at the Silicon Valley start-up Verkada. The group behind this attack was Advanced Persistent Threat 69420, and they claim to have access to security cameras of the Florida hospital Halifax Health and the Tesla factory in Shanghai, among others.

The US bank Flagstar has disclosed a data breach after the Clop ransomware gang hacked their Accellion file transfer server in January. Accellion informed Flagstar of the impact the hacking had on the bank on January 22, 2021. On March 8, after Flagstar confirmed the data breach, the threat group behind Clop released screenshots of the data stolen from Flagstar.

Flagstar bank has confirmed a data breach

Page 17: Weekly cyber-facts in review

Other cases

Page 18: Weekly cyber-facts in review

After Microsoft reported that the vulnerabilities were actively exploited by a Chinese APT group named Hafnium, it said that several other threat actors are also exploiting the four critical Exchange flaws. These groups are APT27, Bronze Butler and Calypso, among others.

More groups abusing the ProxyLogon flaws

Office 365 gets protection against malicious XML macros

Microsoft has added extra protection to identify malicious activity even when it is hidden using heavy obfuscation, and to detect and block malware abusing Office VBA macros and the code regularly used to deploy malware payloads via Office document macros. This is done by expanding the runtime defense provided by Office 365's integration with the Antimalware Scan Interface (AMSI) to include Excel 4.0 (XLM) macro scanning.

Page 19: Weekly cyber-facts in review

Malicious activity against Microsoft Exchange Servers

Page 20: Weekly cyber-facts in review

On March 2nd, Microsoft warned about the exploitation of four vulnerabilities tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 affecting MS Exchange Servers.

Those vulnerabilities, now dubbed ProxyLogon, allow threat actors to perform remote code execution on publicly exposed MS Exchange servers utilizing Outlook on the Web (OWA).

Details about these worldwide abused vulnerabilities.

The malicious activity was first attributed to a highly sophisticated group of hackers called Hafnium. This group appears to be of Chinese origin, and it is believed to be sponsored by its government.

Now, at least 10 different APT groups are targeting these MS Exchange Server vulnerabilities, which grant them full access to the server, and the motivation seems to be espionage. It is believed that at least 250,000 MS Exchange Servers have been impacted globally.

In response, Microsoft has released several advisories to mitigate these vulnerabilities. Among them, we can find security updates, alternative mitigations released only for cases in which organizations are unable to apply the updates, and two scripts to check whether systems have been compromised.

What to do?

Aiuken Cybersecurity has provided its clients with all the details and advisories published by different organizations regarding this issue.

MICROSOFT EXCHANGE SERVERS

Page 21: Weekly cyber-facts in review

Calle Francisco Tomás y Valiente nº 2

Boadilla del Monte · 28660 Madrid (Spain)

Telephone: +34 912 909 805

aiuken.com