Daily NCSC-FI news followup 2021-09-15

Patch now! PrintNightmare over, MSHTML fixed, a new horror appears OMIGOD

blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-printnightmare-over-mshtml-fixed-a-new-horror-appears-omigod/ The September 2021 Patch Tuesday could be remembered as the final patching attempt in the PrintNightmare saga. The August patches were circumvented with ease; so far there is no indication that this one can be bypassed the same way. The total count of fixes for this Patch Tuesday tallies up to 86, including 26 for Microsoft Edge alone. Only a few of these vulnerabilities are listed as zero-days, and two of them are “old friends”. There is a third, less likely to be exploited, and then a whole new set of vulnerabilities nicknamed OMIGOD, for reasons that will become obvious. Azure was the subject of five CVEs, one of them listed as critical. The four that affect the Open Management Infrastructure (OMI) were found by researchers, grouped together and given the nickname OMIGOD. Additional source:

therecord.media/microsoft-fixes-omigod-bugs-in-secret-azure-app/. Additional source:

threatpost.com/microsoft-patch-tuesday-exploited-windows-zero-day/169459/. Additional source:

www.bleepingcomputer.com/news/microsoft/microsoft-fixes-remaining-windows-printnightmare-vulnerabilities/


“Secret” Agent Exposes Azure Customers To Unauthorized Code Execution

www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution Wiz’s research team recently discovered a series of alarming vulnerabilities that highlight the supply chain risk of open source code, particularly for customers of cloud computing services. The source of the problem is a ubiquitous but little-known software agent called Open Management Infrastructure (OMI) that is embedded in many popular Azure services. When customers set up a Linux virtual machine in their cloud, the OMI agent is automatically deployed without their knowledge when they enable certain Azure services. Unless a patch is applied, attackers can easily exploit these four vulnerabilities to escalate to root privileges and remotely execute malicious code (for instance, encrypting files for ransom). We named this quartet of zero-days “OMIGOD” because that was our reaction when we discovered them. We conservatively estimate that thousands of Azure customers and millions of endpoints are affected. In a small sample of Azure tenants we analyzed, over 65% were unknowingly at risk. Today Microsoft issued the following CVEs for OMIGOD and made a patch available to customers during their Patch Tuesday release: CVE-2021-38647, unauthenticated RCE as root (CVSS 9.8); CVE-2021-38648, privilege escalation (CVSS 7.8); CVE-2021-38645, privilege escalation (CVSS 7.8); CVE-2021-38649, privilege escalation (CVSS 7.0).
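A quick triage script for the OMIGOD item above, added here as an example and not taken from the Wiz post or from any Microsoft tooling. It assumes that the fix shipped in OMI 1.6.8.1 (Debian package version 1.6.8-1, which the script normalises to 1.6.8.1) and that OMI listens on TCP 5985, 5986 and 1270 on hosts where the remote management endpoint is enabled; the `ss -ltn` lines fed to it in the usage below are constructed sample output. `omi_installed_version` is the only function that touches the host; the two check functions take their input as arguments or on stdin so they can be exercised against sample data.

```shell
# Added OMIGOD triage helpers (example code, not from the Wiz post).
# Assumption: OMI 1.6.8.1 (package 1.6.8-1) is the first fixed version.
OMI_FIXED_VERSION="1.6.8.1"

# Normalise a package version such as "1.6.8-1" to dotted form "1.6.8.1"
# so the package release is compared as a fourth component.
omi_normalize_version() {
    printf '%s\n' "$1" | tr '-' '.'
}

# Return 0 if the given OMI version is at or above OMI_FIXED_VERSION,
# 1 if it predates the fix. Compares dotted numeric components in awk
# so it works without GNU sort -V.
omi_is_patched() {
    local v
    v=$(omi_normalize_version "$1")
    awk -v a="$v" -v b="$OMI_FIXED_VERSION" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 1
            if (p > q) exit 0
        }
        exit 0
    }'
}

# Print the installed OMI package version (dpkg or rpm hosts); prints
# nothing when the omi package is not installed.
omi_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' omi 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' omi 2>/dev/null
    fi
}

# Read `ss -ltn` output on stdin and report OMI listeners. Ports 5985,
# 5986 and 1270 are the OMI HTTP, HTTPS and legacy listeners. A socket
# bound to loopback cannot be reached from the network, so it is
# reported as local-only rather than exposed.
omi_exposed_listeners() {
    awk '$1 == "LISTEN" && $4 ~ /:(5985|5986|1270)$/ {
        addr = $4; sub(/:[0-9]+$/, "", addr)
        if (addr == "127.0.0.1" || addr == "[::1]") print "local-only " $4
        else print "exposed " $4
    }'
}

# Usage on a real host:
#   v=$(omi_installed_version)
#   [ -n "$v" ] && { omi_is_patched "$v" && echo "omi $v: patched" || echo "omi $v: VULNERABLE"; }
#   ss -ltn | omi_exposed_listeners
```

An unpatched version with an exposed listener is the case the Wiz team describes; an unpatched version with only local-only sockets is still a local privilege escalation problem and should be updated. Note that the version check alone is not enough: OMI is installed by Azure extensions, so confirm the agent is actually upgraded on the host rather than trusting the extension version shown in the portal.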

Attackers Impersonate DoT in Two-Day Phishing Scam

threatpost.com/attackers-impersonate-dot-phishing-scam/169484/ Threat actors impersonated the U.S. Department of Transportation (USDOT) in a two-day phishing campaign that used a combination of tactics, including registering new domains that mimic federal sites so as to appear legitimate and evade security detections. Between Aug. 16 and 18, researchers at e-mail security provider INKY detected 41 phishing emails dangling the lure of bidding for projects funded by the $1 trillion infrastructure package recently passed by Congress, according to a report by INKY’s Roger Kay, vice president of security strategy, published on Wednesday. The campaign targeted companies in industries such as engineering, energy and architecture that would plausibly work with the USDOT. Potential victims receive an initial email telling them that the USDOT is inviting them to submit a bid for a department project by clicking a big blue button with the words “Click Here to Bid.” The emails themselves are sent from a domain, transportationgov[.]net, that was registered through Amazon on Aug. 16, Kay said. The creation date shown by WHOIS suggests the site was set up specifically for this campaign. To anyone familiar with government sites, the domain would look suspicious, since federal sites use a .gov suffix. However, “to someone reading through quickly, the domain name might seem at least somewhere in the ballpark of reality,” Kay observed.

Amid vaccine mandates, fake vaccine certificates become a full blown industry

blog.checkpoint.com/2021/09/14/amid-vaccine-mandates-fake-vaccine-certificates-become-a-full-blown-industry/ Black market for fake vaccine certificates booms. Check Point Research (CPR) continues to monitor the black market in which fake COVID-19 vaccine certificates are sold to anyone willing to pay. The market has expanded globally and now offers certificates for 28 countries, 9 of them new: Austria, Brazil, Latvia, Lithuania, Malta, Portugal, Singapore, Thailand and the UAE. On August 10, CPR saw roughly 1,000 vendors on Telegram; it now sees more than 10,000 vendors claiming to offer fake vaccine certificates, a 10x increase. Prices globally range from US$85 to US$200. Following President Biden’s vaccine mandate announcement, the price of a “registered” CDC vaccine card in the US has risen from US$100 to US$200, and membership of the US-focused Telegram groups has grown from 30,000 to over 300,000.

Hushpuppi – the Instagram influencer and international fraudster

www.bbc.com/news/world-africa-58553109 Ramon Abbas – known to his 2.5 million Instagram followers as Hushpuppi – is considered by the FBI to be one of the world’s most high-profile fraudsters and faces a prison sentence of up to 20 years in the US after pleading guilty to money laundering. The BBC has used newly available court documents to uncover the man behind cyber heists that have cost his victims millions, from his humble beginnings as a “Yahoo Boy” hustler in Nigeria to a so-called “Billionaire Gucci Master” living a life of luxury in Dubai before his arrest last year. The 37-year-old began his career in Oworonshoki, a poor coastal area in the north-east of Lagos, Nigeria’s commercial capital. “Yahoo Boys” are romance scammers who took their name from the first free email available in Nigeria. “They came up with the idea of stealing identities. And then with that identity theft, they went into dating [scams], ” explains Dr Adedeji Oyenuga, a cybercrime expert at Lagos State University. Once a relationship is established via a false identity, romance scammers wheedle money from their online lovers. Like many Yahoo Boys, Abbas broadened his criminal horizons. Many went to Malaysia – and Abbas followed them, ending up in Kuala Lumpur around 2014, then Dubai in 2017.

Microsoft accounts can go passwordless, making “password123” a thing of the past

arstechnica.com/gadgets/2021/09/starting-today-you-can-remove-your-password-from-your-microsoft-account/ Microsoft has been working to make passwordless sign-in for Windows and Microsoft accounts a reality for years now, and today those efforts come to fruition: The Verge reports that starting today, users can completely remove their passwords from their Microsoft accounts and rely on Microsoft Authenticator or another form of verification to sign in on new devices. Microsoft added passwordless login support for work and school accounts back in March, but this is the first time the feature has been offered for regular individual Microsoft accounts. Passwordless accounts improve security by taking passwords out of the equation entirely, so that nobody can get access to your account without whatever you use to verify your identity for two-factor authentication. Even if you protect your Microsoft account with two-factor authentication, an attacker who knows your Microsoft account password can still try that password on other sites to see if you have reused it anywhere. And some forms of two-factor authentication, particularly SMS-based 2FA, have security problems of their own.


US fines former NSA employees who provided hacker-for-hire services to UAE

therecord.media/us-fines-former-nsa-employees-who-provided-hacker-for-hire-services-to-uae/ The US Department of Justice has fined three former NSA employees who worked as hackers-for-hire for a United Arab Emirates cybersecurity company. Marc Baier, 49, Ryan Adams, 34, and Daniel Gericke, 40, broke US export control laws that require companies and individuals to obtain a special license from the State Department’s Directorate of Defense Trade Controls (DDTC) before providing defense-related services to a foreign government. According to court documents [PDF], the three suspects helped the UAE company develop and successfully deploy at least two hacking tools. The three entered into a first-of-its-kind deferred prosecution agreement with the DOJ today, agreeing to pay $750,000, $600,000 and $335,000, respectively, over a three-year term, in order to avoid jail time for their actions.

ELFant in the Room capa v3

www.fireeye.com/blog/threat-research/2021/09/elfant-in-the-room-capa-v3.html Since our initial public release of capa, incident responders and reverse engineers have used the tool to automatically identify capabilities in Windows executables. With our newest code and ruleset updates, capa v3 also identifies capabilities in Executable and Linkable Format (ELF) files, such as those used on Linux and other Unix-like operating systems. This blog post describes the extended analysis and other improvements. You can download capa v3 standalone binaries from the project’s release page and check out the source code on GitHub.

Kali Linux 2021.3 released with new pentest tools, improvements

www.bleepingcomputer.com/news/security/kali-linux-20213-released-with-new-pentest-tools-improvements/ Kali Linux 2021.3 was released yesterday by Offensive Security and includes a new set of tools, improved virtualization support, and a new default OpenSSL configuration that enables legacy protocols and ciphers so that Kali’s tools can talk to outdated targets, widening the attack surface a tester can reach (at the cost of weaker TLS defaults on the Kali host itself). Kali Linux is a Linux distribution designed for cybersecurity professionals and ethical hackers to perform penetration testing and security audits.

Analyzing The ForcedEntry Zero-Click iPhone Exploit Used By Pegasus

www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html Citizen Lab has released a report detailing sophisticated iPhone exploits used against nine Bahraini activists. The activists were reportedly hacked with the NSO Group’s Pegasus spyware using two zero-click iMessage exploits: Kismet, which was identified in 2020, and ForcedEntry, a new one identified in 2021. Zero-click attacks are labeled as sophisticated threats because, unlike typical malware, they do not require user interaction to infect a device. The latter exploit is particularly notable because it bypasses security protections such as BlastDoor, which Apple designed to protect users against zero-click intrusions of exactly this kind. According to Citizen Lab’s report, Kismet was used from July to September 2020 and was launched against devices running at least iOS 13.5.1 and 13.7. It was likely no longer effective after the iOS 14 update in September. Then, in February 2021, the NSO Group started deploying the zero-click exploit that circumvents BlastDoor, which Citizen Lab calls ForcedEntry. Amnesty Tech, a global collective of digital rights advocates and security researchers, also observed zero-click iMessage exploit activity during this period and referred to it as Megalodon.
