Daily NCSC-FI news followup 2021-11-23

New Windows zero-day with public exploit lets you become an admin

www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/ A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server. BleepingComputer has tested the exploit and used it to open to command prompt with SYSTEM privileges from an account with only low-level ‘Standard’ privileges. Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network. The vulnerability affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.

Check your patches public exploit now out for critical Exchange bug

nakedsecurity.sophos.com/2021/11/23/check-your-patches-public-exploit-now-out-for-critical-exchange-bug/ At the start of this month, CVE-2021-42321 was technically an Exchange zero-day flaw. This bug could be exploited for unauthorised remote code execution (RCE) on Microsoft Exchange 2016 and 2019, and was patched in the November 2021 Patch Tuesday updates. Microsoft officially listed the bug with the words “Exploitation Detected”, meaning that someone, somewhere, was already using it to mount cyberttacks. The silver lining, if there is such a thing for any zero-day hole, is that the attacker first needs to be authenticated (logged on, if you like) to the Exchange server.

Invisible implants in source code

www.kaspersky.com/blog/trojan-source/42987/ Researchers from Cambridge describe the Trojan Source method for inserting hidden implants in source code. University of Cambridge experts described a vulnerability they say affects most modern compilers. A novel attack method uses a legitimate feature of development tools whereby the source code displays one thing but compiles something completely different. It happens through the magic of Unicode control characters. Most of the time, control characters do not appear on the screen with the rest of the code (although some editors display them), but they modify the text in some way. This table contains the codes for the Unicode Bidirectional (bidi) Algorithm, for example. In the authors’ work, they used such codes to, for example, move the comment terminator in Python code from the middle of a line to the end. They applied an RLI code to shift just a few characters, leaving the rest unaffected.

Security researchers play peek-a-boo with Conti ransomware server

blog.malwarebytes.com/ransomware/2021/11/security-researchers-play-peek-a-boo-with-conti-ransomware-server/ Conti ransomware is perhaps most well known for its use in the HSE healthcare attacks back in May. More than 80, 000 endpoints were shut down and the health service had to revert to the pen and paper approach. Providers in the US and New Zealand were also affected. Conti is created and distributed by “Wizard Spider”, a group which also created the well-known Ryuk ransomware. Conti, offered to affiliates as Ransomware as a Service, ran wild in the first quarter of 2021. RDP brute forcing, phishing, and hardware / software vulnerabilities are the chosen methods for Conti compromise. Where it gets interesting is that Conti directs victims to Dark Web “support portals” where they talk through the steps to unlocking impacted devices. This is where the current Conti issues have arisen.

Apple sues spyware-maker NSO Group, notifies iOS exploit targets

www.bleepingcomputer.com/news/apple/apple-sues-spyware-maker-nso-group-notifies-ios-exploit-targets/ Apple has filed a lawsuit against Pegasus spyware-maker NSO Group and its parent company for the targeting and spying of Apple users with surveillance tech. The company says the state-sponsored attacks that used NSO’s spyware only targeted “a very small number” of individuals, across multiple platforms, including iOS and Android. The exploits used to deploy NSO Group’s Pegasus spyware were used to hack and compromise the devices of high-profile targets such as government officials, diplomats, activists, dissidents, academics, and journalists worldwide. For instance, NSO’s FORCEDENTRY exploit was used by state-backed attackers to break into Apple devices to install the latest version of Pegasus spyware, as revealed by the Citizen Lab in August. “To prevent further abuse and harm to its users, Apple is also seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices, ” Apple added.. Apple’s release:

www.apple.com/newsroom/2021/11/apple-sues-nso-group-to-curb-the-abuse-of-state-sponsored-spyware/

UK Ministry of Justice secures HVAC systems ‘protected’ by passwordless Wi-Fi after Register tipoff

www.theregister.com/2021/11/23/unsecured_rcj_hvac_wifi_routers/ The Ministry of Justice has secured a set of Wi-Fi access points that potentially gave admin access to industrial control equipment after a tipoff by The Register. Four unsecured wireless networks named “Boiler Pump 1” to “Boiler Pump 4” were freely accessible in the Royal Courts of Justice (RCJ) until The Register told officials what was happening. The networks were all viewable from the ground floor of the Queen’s Building, a 1960s extension to the original neo-Gothic court building. The RCJ houses Britain’s most senior civil courts, including the Court of Appeal. A source told us that connecting to the passwordless access points exposed a login page for what appeared to be an industrial control system developed by Armstrong Fluid Technology. Armstrong’s website hosts PDF copies of equipment manuals complete with default administrator passwords, referred to by Armstrong as “Level 2” access.

Researchers warn of severe risks from Printjack’ printer attacks

www.bleepingcomputer.com/news/security/researchers-warn-of-severe-risks-from-printjack-printer-attacks/ A team of Italian researchers has compiled a set of three attacks called ‘Printjack, ‘ warning users of the significant consequences of over-trusting their printer. The attacks include recruiting the printers in DDoS swarms, imposing a paper DoS state, and performing privacy breaches. As the researchers point out, modern printers are still vulnerable to elementary flaws and lag behind other IoT and electronic devices that are starting to conform with cybersecurity and data privacy requirements. By evaluating the attack potential and the risk levels, the researchers found non-compliance with GDPR requirements and the ISO/IEC 27005:2018 (framework for managing cyber-risks). This lack of in-built security is particularly problematic when considering how omnipresent printers are, being deployed in critical environments, companies, and organizations of all sizes.

You might be interested in …

Daily NCSC-FI news followup 2020-01-26

Teenagers today. Can’t take them anywhere, eh? 18-year-old kid accused of $50m SIM-swap cryptocurrency heist www.theregister.co.uk/2020/01/25/security_roundup/ Also, Cisco, Citrix emit patches, US army advises using Signal Patching the Citrix ADC Bug Doesn’t Mean You Weren’t Hacked www.bleepingcomputer.com/news/security/patching-the-citrix-adc-bug-doesnt-mean-you-werent-hacked/ Citrix on Friday released the final patch for the critical vulnerability tracked as CVE-2019-19781 in its affected appliances. […]

Read More

Daily NCSC-FI news followup 2021-10-27

Free decrypters released for AtomSilo, Babuk, and LockFile ransomware strains therecord.media/free-decrypters-released-for-atomsilo-babuk-and-lockfile-ransomware-strains/ Antivirus maker and cyber-security firm Avast has released today free decryption utilities to recover files that have been encrypted by three ransomware strainsAtomSilo, Babuk, and LockFile. The AtomSilo and LockFile decrypters are being offered as one single download because of the similarities between the […]

Read More

Daily NCSC-FI news followup 2019-07-04

Sodinokibi ransomware is now using a former Windows zero-day www.zdnet.com/article/sodinokibi-ransomware-is-now-using-a-former-windows-zero-day/ A ransomware strain named Sodinokibi (also Sodin or REvil) is using a former Windows zero-day vulnerability to elevate itself to admin access on infected hosts.. see also securelist.com/sodin-ransomware/91473/ Sodin ransomware enters through MSPs www.kaspersky.com/blog/sodin-msp-ransomware/27530/ At the end of March, when we wrote about a GandCrab […]

Read More