Daily NCSC-FI news followup 2022-01-11

Microsoft Patch Tuesday – January 2022

isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+January+2022/28230/ Microsoft fixed 126 different CVEs with this month’s update (this includes the Chromium issues patched in Edge). Six of the issues were publicly disclosed, and nine are rated critical. Noteworthy updates: CVE-2022-21907: This is a remote code execution vulnerability in http.sys. http.sys is part of anything in windows processing HTTP requests (e.g. IIS!). But this vulnerability only affects the HTTP Trailer feature, which is not enabled by default (not sure if there is a good reason to enable it). CVE-2022-21846: Another critical remote code execution vulnerability in Exchange. But this vulnerability is not exploitable across the internet and requires the victim and the attacker to share the same network. CVE-2021-22947: This vulnerability in curl was originally disclosed in September, which is why it is noted as “Publicly Disclosed”. This update fixes several vulnerabilities, not just the listed CVE.

KCodes NetUSB bug exposes millions of routers to RCE attacks

www.bleepingcomputer.com/news/security/kcodes-netusb-bug-exposes-millions-of-routers-to-rce-attacks/ A high-severity remote code execution flaw tracked as CVE-2021-45388 has been discovered in the KCodes NetUSB kernel module, used by millions of router devices from various vendors. Successfully exploiting this flaw would allow a remote threat actor to execute code in the kernel, and although some restrictions apply, the impact is broad and could be severe. The router vendors that use vulnerable NetUSB modules are Netgear, TP-Link, Tenda, EDiMAX, Dlink, and Western Digital. also:

www.sentinelone.com/labs/cve-2021-45608-netusb-rce-flaw-in-millions-of-end-user-routers/

Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure Alert (AA22-011A)

www.cisa.gov/uscert/ncas/alerts/aa22-011a This joint Cybersecurity Advisory (CSA)authored by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA)is part of our continuing cybersecurity mission to warn organizations of cyber threats and help the cybersecurity community reduce the risk presented by these threats. This CSA provides an overview of Russian state-sponsored cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations. This overview is intended to help the cybersecurity community reduce the risk presented by these threats.

APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit

research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/ In this article, we share the details of the latest attacks by APT35 exploiting the Log4j vulnerability and analyze their post-exploitation activities including the new modular PowerShell-based framework dubbed CharmPower, used to establish persistence, gather information, and execute commands.

Night Sky ransomware uses Log4j bug to hack VMware Horizon servers

www.bleepingcomputer.com/news/security/night-sky-ransomware-uses-log4j-bug-to-hack-vmware-horizon-servers/ The Night Sky ransomware gang has started to exploit the critical CVE-2021-44228 vulnerability in the Log4j logging library, also known as Log4Shell, to gain access to VMware Horizon systems. On Monday, Microsoft published a warning about a new campaign from a China-based actor it tracks as DEV-0401 to exploit the Log4Shell vulnerability on VMware Horizon systems exposed on the internet, and deploy Night Sky ransomware. The company adds that the group is known for deploying other ransomware families in the past, such as LockFile, AtomSilo, and Rook. Previous attacks from this actor also exploited security issues in internet-facing systems like Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473 – ProxyShell). It is believed that Night Sky is a continuation of the aforementioned ransomware operations.

Offense will win some battles, but cyber defense will win the war

www.cyberscoop.com/offense-will-win-some-battles-but-cyber-defense-will-win-the-war/ Policymakers and security researchers are now using combative efforts to “impose cost” on hackers. Sanctions, hacking back, infrastructure disruption, indictments and other offensive activities all have a negative impact on cybercriminals. But to have real, long-term impact on these nefarious activities, organizations and governments need to more actively consider the ways that defense can impose costs too: Robust, consistent and well-funded cyber defenses cost adversaries time, effort and the likelihood of success. Defense, and investment in mandatory cybersecurity requirements, is how we will solve the fundamental problems at the heart of the ransomware epidemic.

noPac Exploit: Latest Microsoft AD Flaw May Lead to Total Domain Compromise in Seconds

www.crowdstrike.com/blog/nopac-exploit-latest-microsoft-ad-flaw-may-lead-to-total-domain-compromise/ Microsoft recently published two critical CVEs related to Active Directory (CVE-2021-42278 and CVE-2021-42287), which when combined by a malicious actor could lead to privilege escalation with a direct path to a compromised domain. In mid-December 2021, a public exploit that combined these two Microsoft Active Directory design flaws (referred also as “noPac”) was released. The exploit allowed the escalation of privileges of a regular domain user to domain administrator, which enables a malicious actor to launch multiple attacks such as domain takeover or a ransomware attack. This is a serious concern because this exploit was confirmed by multiple researchers as a low-effort exploit with critical impact. Researchers at Secureworks have demonstrated how to exploit these Active Directory flaws to gain domain privileges in just 16 seconds. Yes, you read it right a compromised domain in a quarter of a minute!

New SysJoker Backdoor Targets Windows, Linux, and macOS

www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ In December 2021, we discovered a new multi-platform backdoor that targets Windows, Mac, and Linux. The Linux and Mac versions are fully undetected in VirusTotal. We named this backdoor SysJoker. SysJoker was first discovered during an active attack on a Linux-based web server of a leading educational institution. After further investigation, we found that SysJoker also has Mach-O and Windows PE versions. Based on Command and Control (C2) domain registration and samples found in VirusTotal, we estimate that the SysJoker attack was initiated during the second half of 2021. Below we provide a technical analysis of this malware together with IoCs and detection and response mitigations.

European Space Agency: Come on, hack our satellite if you think you’re hard enough

www.theregister.com/2022/01/11/ops_sat_hack/ The European Space Agency (ESA) is inviting applications from attackers who fancy having a crack at its OPS-SAT spacecraft. It’s all in the name of ethical hacking, of course. The plan is to improve the resilience and security of space assets by understanding the threats dreamed up by security professionals and members of the public alike.

TellYouThePass Ransomware Analysis Reveals a Modern Reinterpretation Using Golang

www.crowdstrike.com/blog/tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang/ The TellYouThePass ransomware family was recently reported as a post-exploitation malicious payload used in conjunction with a remote code execution vulnerability in Apache Log4j library, dubbed Log4Shell. Previously known TellYouThePass ransomware samples were written in traditional programming languages like Java or.Net., but two new recent samples reported in public repositories have been rewritten and compiled in Golang. Golang’s popularity among malware developers has steadily increased over the past years. It allows them to use the same codebase and compile it for all major operating systems, making cross-platform development work more accessible.

WordPress Vulnerabilities More Than Doubled in 2021 and 77% of Them Are Exploitable

www.riskbasedsecurity.com/2022/1/11/wordpress-vulnerabilities-more-than-doubled-in-2021/ 10, 359 vulnerabilities were reported to affect third-party WordPress plugins at the end of 2021. Of those, 2, 240 vulnerabilities were disclosed last year, which is a 142% increase compared to 2020.

Critical SonicWall NAC Vulnerability Stems from Apache Mods

threatpost.com/sonicwall-nac-vulnerability-apache-mods/177529/ Rapid7 has offered up more details on a SonicWall critical flaw that allows for unauthenticated remote code execution (RCE) on affected devices, noting that it arises from tweaks that the vendor made to the Apache httpd server. The bug (CVE-2021-20038) is one of five vulnerabilities discovered in its series of popular network access control (NAC) system products.

Multiple Node.js vulnerabilities fixed in flurry of new releases

portswigger.net/daily-swig/multiple-node-js-vulnerabilities-fixed-in-flurry-of-new-releases The developers behind Node.js have released new versions of several release lines to address four vulnerabilities in the server-side technology. The security flaws, three of medium severity and one marked as low severity, have been fixed in new versions of the 12.x, 14.x, 16.x, and 17.x branches.

Deepfakes The Good, The Bad, And The Ugly

www.forbes.com/sites/bernardmarr/2022/01/11/deepfakes–the-good-the-bad-and-the-ugly/ The algorithms used to create “deepfakes” as artificial intelligence (AI)-generated imitations are known are widely considered by cyber security experts to be a major challenge society will face in coming years.

FinalSite: No school data stolen in ransomware attack behind site outages

www.bleepingcomputer.com/news/security/finalsite-no-school-data-stolen-in-ransomware-attack-behind-site-outages/ FinalSite announced today the findings of a six-day investigation into last week’s ransomware attack, stating it found no evidence schools’ data accessed or stolen by hackers.

How the Pentagon enlisted ethical hackers amid the Log4j crisis

therecord.media/how-the-pentagon-enlisted-ethical-hackers-amid-the-log4j-crisis/ The Pentagon last month pivoted an ongoing bug bounty program to track down Log4j vulnerabilities on potentially thousands of public-facing military websites, the first time the Defense Department marshaled the ethical hacker community to tackle an emerging digital crisis.

You might be interested in …

Daily NCSC-FI news followup 2020-10-13

Windows Update can be abused to execute malicious programs www.bleepingcomputer.com/news/security/windows-update-can-be-abused-to-execute-malicious-programs/ MDSec researcher David Middlehurst discovered that Windows Update client (wuauclt) can also be used by attackers to execute malicious code on Windows 10 systems. Middlehurst also found a sample using it in the wild. Microsoft October Patch Tuesday fixes 87 bugs, six publicly disclosed www.bleepingcomputer.com/news/security/microsoft-october-patch-tuesday-fixes-87-bugs-six-publicly-disclosed/ […]

Read More

Daily NCSC-FI news followup 2020-08-06

Australia’s 2020 Cyber Security Strategy www.pm.gov.au/media/australias-2020-cyber-security-strategy The Morrison Governments 2020 Cyber Security Strategy outlines how we will keep Australian families and businesses secure online, protect and strengthen the security and resilience of Australias critical infrastructure and ensure law enforcement agencies have the powers and technical capabilities to detect, target, investigate and disrupt cybercrime, including on […]

Read More

Daily NCSC-FI news followup 2021-10-13

How Coinbase Phishers Steal One-Time Passwords krebsonsecurity.com/2021/10/how-coinbase-phishers-steal-one-time-passwords A recent phishing campaign targeting Coinbase users shows thieves are getting smarter about phishing one-time passwords (OTPs) needed to complete the login process. It also shows that phishers are attempting to sign up for new Coinbase accounts by the millions as part of an effort to identify email […]

Read More