Weekly cyber-facts in review 23/05/21 - Aiuken Cybersecurity
Bind
A denial-of-service vulnerability has been disclosed in BIND, a widely deployed DNS server implementation. A DNS request specifically crafted to trigger the bug causes the DNS server process to terminate, so any infrastructure that depends on name resolution from BIND loses service until the process is restarted. An attacker could abuse the flaw to deny DNS service to that infrastructure.

Emerson
Corrective patches have been released for six vulnerabilities in Emerson Xtream systems, sensors used for monitoring gas composition. Three of the vulnerabilities are classified as high severity: missing input validation in file upload, which exposes device credentials; a weak implementation of the cryptographic algorithms that protect stored passwords; and missing file-system controls that allow path traversal. An attacker could chain these vulnerabilities to take control of the affected devices.

Android
Google has patched Android, fixing four zero-days. All four are memory-safety bugs: the first two affect the Qualcomm graphics component, the other two the ARM graphics component. The same bulletin also fixes other critical vulnerabilities in the System component. An attacker could exploit these vulnerabilities to take control of affected devices.
Issues to keep in mind
Scheme Flooding
A new user-tracking technique has been discovered. Most applications installed on mobile devices and computers allow the web browser to interact with them and with the user. This interaction happens through APIs with specific "handlers": custom URL schemes, a special type of URL that the operating system hands to the registered application. The technique enumerates the installed applications that register such handlers. An "attacker" could use it to run an automated check of the applications a user has installed and derive an identifier from the result when the victim visits the "attacker's" website. Because the identifier depends on the installed applications rather than on the browser, the user continues to be tracked even after switching browsers. The list of installed applications is itself sensitive: it can reveal, for example, which messaging, VPN or financial applications a victim uses. No active campaigns are known, but the technique is easy to execute and, according to the researchers, Chrome is the only browser with any countermeasure against this type of "attack". Aiuken Cybersecurity is aware of organizations that present themselves as legitimate and have used flaws of this kind in the way browsers work to track individuals, describing the activity as microtargeting.

Vuln-storm
A proof of concept has been released for CVE-2021-31166. The vulnerability is an input-validation error in the Windows HTTP request listener (HTTP.sys), a kernel component that IIS and several other Windows server applications are built on. It can lead to denial-of-service conditions (Blue Screen of Death) and to remote code execution. Once one device has fallen victim to the attack, it can be leveraged to attack other devices, so entire networks could be compromised. The affected versions are Windows 10 and Windows Server 2004 and 20H2. We recommend patching assets as soon as possible; if you have not started patching yet, begin with the assets mentioned in this communication (Windows 10 and Server 2004 / 20H2).
Phishing Campaigns in Review
Phishing campaigns with fake Pfizer surveys
A new campaign distributing fake surveys that promise a Pfizer gift card has been identified. Its aim is to steal the personal data of those who fill in the survey.

Fake Instagram draws
A new trend has been identified on Instagram. Whenever a celebrity or a brand starts a raffle, new Instagram profiles impersonating the legitimate ones open. Threat actors use these profiles to contact participants, commit fraud, steal their personal data or even demand a small payment.

New phishing campaign impersonating Barceló
Coinciding with the easing of COVID restrictions and with more people scheduling travel, a fake Barceló app has been identified in several marketplaces. The app is capable of stealing the data on the victim's phone.

FBI alerts on spear-phishing campaigns impersonating several banking entities
Threat actors are impersonating financial institutions in an attempt to infect recipients with what appears to be remote access trojan malware. Among its capabilities we would highlight privilege escalation, registry manipulation, a file dropper, code injection, screenshot grabbing and keylogging.

Threat actors capitalize on the shift to cloud-based business services during the pandemic
Attackers sent at least 52 million malicious messages in Q1 2021 that leveraged services such as Office 365, Azure, OneDrive, SharePoint, G Suite and Firebase storage.
Ransomware in Review
AXA and Acer Finance hit by Avaddon ransomware attack
Insurance giant AXA and the France-based financial consultancy Acer Finance suffered security incidents caused by the Avaddon ransomware gang; in AXA's case the victim was its Asian branch. The gang behind both attacks is running an ongoing ransomware campaign, and the entry vector is believed to have been a phishing campaign. The criminals stole at least 3 TB of data from AXA; the amount of information taken from Acer Finance has not been disclosed yet.
Ireland's health service hit by Conti ransomware
Ireland's Health Service Executive (HSE), the country's publicly funded healthcare system, shut down all of its IT systems on Friday after suffering a Conti ransomware attack. The gang claims to have stolen 700 GB of data and demands a ransom of $20 million. The entry vector is believed to have been a phishing campaign.

eCh0raix ransomware is actively targeting QNAP NAS devices
QNAP has warned customers about an actively exploited zero-day in Roon Server and about eCh0raix ransomware attacks targeting its NAS devices.
Spyware in Review
The Bizarro banking Trojan
The Brazilian-origin banking Trojan known as Bizarro has affected more than 70 banking entities and is expanding rapidly across Europe. The group behind the malware is unknown; its impact is global and falls mainly on banks and their customers.

FIN7 distributes a new backdoor
The threat group FIN7 is distributing a backdoor called Lizar, capable of exfiltrating information from Windows systems, which it passes off as an ethical-hacking pentesting tool. Victims include gambling establishments, educational institutions and various companies around the world. The group has been active since 2015 and originally focused on point-of-sale (POS) systems.

New technique used by Magecart groups
Magecart Group 12 is using a new technique based on a PHP web shell skimmer. The technique, used by groups dedicated to Magecart attacks, has been seen on e-commerce websites around the world running Magento 2.

Massive campaign distributing the STRRAT trojan
A massive phishing campaign distributing STRRAT has been identified. STRRAT is a remote access trojan (RAT) capable of stealing victims' data and of faking a ransomware attack. The emails contain an image presented as an attached PDF file; when opened, it connects to a malicious domain to download the trojan.
Other Attacks in Review
Ardagh Group suffers a cyberattack
Ardagh Group, a Luxembourg-based company that is one of the largest producers of glass and metal packaging, has suffered a cyberattack. In response it shut down certain systems and applications, which caused some delays, although operations at its facilities continued safely despite the incident. The company has launched a forensic investigation, is strengthening its security with new protection tools, and is reviewing its overall technology roadmap to ensure effective information-security capabilities.

Monday.com impacted by the attack against Codecov
The Monday.com platform, a remote work-management product used by project teams, marketing teams and whole departments, was affected by the security incident Codecov suffered in January 2021, through which the attackers obtained a copy of Monday.com's source code. The company states there is no evidence that the attackers manipulated the code, that customer data was leaked, or that any of its products were affected, although it does not rule this out entirely.
Rush & Order
As a consequence of the succession of unfortunate incidents, from the campaign against SolarWinds to the cyberattack against Colonial Pipeline, politicians in the US have started taking action to strengthen an insufficient nationwide cybersecurity posture. Some, for example, have begun to push for approval of the once-dismissed Pipeline Security Act, which would require pipeline operators to undergo security audits. The most notable of these efforts, however, was the executive order issued by Joe Biden with the aim of boosting US cyber-defence capabilities. The package consists of mandatory reporting of incidents and threats to the administration by victimized companies; modernization of the IT security infrastructure of public entities; integration of security into the development cycle of software products, at least those bought by the public administration; the establishment of a cybersecurity review board; a mandatory incident-response guide for public administrations; and the deployment of endpoint detection and response across the administration.

As the Aiuken Cybersecurity Intelligence Unit anticipated, Biden's move matches Europe's NIS Directive: the European Union likewise requires companies designated as operators of essential services ("critical operators") to report the incidents they suffer to the competent public bodies (CERTs). What comes next is still unknown. It will depend on whether enough visibility is achieved and on whether the subsequent compulsory measures produce the desired effect. If visibility proves insufficient, further reporting obligations towards the administration can be expected; if the public administration is unable to regulate coherently enough to reduce the frequency and impact of cybersecurity incidents, drastic intervention in how companies govern their data can be expected.

We still have to wait to see the effects of NIS and of the US executive order that mimics it, but now that the attention of politicians has been secured, an overhaul of compliance requirements is foreseeable.
Calle Francisco Tomás y Valiente nº 2 Boadilla del Monte · 28660 Madrid (España) Teléfono:+34 912 909 805 aiuken.com