This posting is here to collect cyber security news in November 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
373 Comments
Tomi Engdahl says:
Unpatched Unauthorized File Read Vulnerability Affects Microsoft Windows OS
https://thehackernews.com/2021/11/unpatched-unauthorized-file-read.html
Unofficial patches have been issued to remediate an improperly patched Windows security vulnerability that could allow information disclosure and local privilege escalation (LPE) on vulnerable systems.
Tracked as CVE-2021-24084 (CVSS score: 5.5), the flaw concerns an information disclosure vulnerability in the Windows Mobile Device Management component that could enable an attacker to gain unauthorized file system access and read arbitrary files.
But as observed by Naceri in June 2021, not only could the patch be bypassed to achieve the same objective, the researcher this month found that the incompletely patched vulnerability could also be exploited to gain administrator privileges and run malicious code on Windows 10 machines running the latest security updates.
However, it’s worth noting that the vulnerability can be exploited to accomplish privilege escalation only under specific circumstances, namely when the system protection feature is enabled on C: Drive and at least one local administrator account is set up on the computer.
Neither Windows Servers nor systems running Windows 11 are affected by the vulnerability, but the following Windows 10 versions are impacted
Tomi Engdahl says:
IKEA email systems hit by ongoing cyberattack https://www.bleepingcomputer.com/news/security/ikea-email-systems-hit-by-ongoing-cyberattack/
IKEA is battling an ongoing cyberattack where threat actors are targeting employees in internal phishing attacks using stolen reply-chain emails. A reply-chain email attack is when threat actors steal legitimate corporate email and then reply to them with links to malicious documents that install malware on recipients’ devices. As the reply-chain emails are legitimate emails from a company and are commonly sent from compromised email accounts and internal servers, recipients’ will trust the email and be more likely to open the malicious documents.
Tomi Engdahl says:
Old scam trick on the move again: the account number in an email gets switched and the scammer takes the money https://www.kauppalehti.fi/uutiset/vanha-huijauskikka-jalleen-liikkeella-tilinumero-sahkopostissa-vaihtuu-ja-huijari-vie-rahat/0f61510e-aafa-4ef3-90c5-f49c83a6bded
A years-old trick is still circulating online and infecting systems. IT entrepreneur Mikko Aaltonen warns on LinkedIn about a piece of malware he has encountered at two of his customers.
It is malware that has infected Outlook and that recognises a bank account number in an outgoing email and replaces it with a different one. In one of the cases Aaltonen mentions, an employee had sent their own account number to the payroll clerk; in the other, the victim was a company engaged in international trade.
Tomi Engdahl says:
Interpol arrests over 1,000 suspects linked to cyber crime https://www.bleepingcomputer.com/news/legal/interpol-arrests-over-1-000-suspects-linked-to-cyber-crime/
Interpol has coordinated the arrest of 1,003 individuals linked to various cyber-crimes such as romance scams, investment frauds, online money laundering, and illegal online gambling. This crackdown results from a four-month action codenamed Operation HAEICHI-II, which took place in twenty countries between June and September 2021.
Tomi Engdahl says:
Hackers are targeting this Microsoft Windows Installer flaw, say security researchers https://www.zdnet.com/article/hackers-are-targeting-this-microsoft-windows-installer-flaw-say-security-researchers/
Flaw can be exploited to give an attacker administrator rights on a compromised system, despite efforts to fix the problem. Hackers have already created malware in a bid to exploit an elevation of privilege vulnerability in Microsoft’s Windows Installer. Microsoft released a patch for CVE-2021-41379, an elevation of privilege flaw in the Windows Installer component for enterprise application deployment. It had an “important” rating and a severity score of just 5.5 out of 10.
It wasn’t actively being exploited at the time, but it is now, according to Cisco’s Talos malware researchers. And Cisco reports that the bug can be exploited even on systems with the November patch to give an attacker administrator-level privileges.
Tomi Engdahl says:
Marine services provider Swire Pacific Offshore hit by ransomware
https://www.bleepingcomputer.com/news/security/marine-services-provider-swire-pacific-offshore-hit-by-ransomware/
Marine services giant Swire Pacific Offshore (SPO) has suffered a Clop ransomware attack that allowed threat actors to steal company data.
Swire Pacific Offshore discovered an unauthorized network infiltration onto its IT systems, resulting in the compromise of some employee data.
Tomi Engdahl says:
New Windows zero-day with public exploit lets you become an admin
https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/
A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server.
BleepingComputer has tested the exploit and used it to open a command prompt with SYSTEM privileges from an account with only low-level ‘Standard’ privileges.
Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network.
The vulnerability affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.
Researcher releases bypass to patched vulnerability
As part of the November 2021 Patch Tuesday, Microsoft fixed a ‘Windows Installer Elevation of Privilege Vulnerability’ vulnerability tracked as CVE-2021-41379.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379
This vulnerability was discovered by security researcher Abdelhamid Naceri, who found a bypass to the patch and a more powerful new zero-day privilege elevation vulnerability after examining Microsoft’s fix.
When BleepingComputer asked Naceri why he publicly disclosed the zero-day vulnerability, we were told he did it out of frustration over Microsoft’s decreasing payouts in their bug bounty program.
“Microsoft bounties has been trashed since April 2020, I really wouldn’t do that if MSFT didn’t take the decision to downgrade those bounties,” explained Naceri.
Naceri is not alone in his concerns about what researchers feel is the reduction in bug bounty awards.
Yesterday, Naceri published a working proof-of-concept exploit for the new zero-day on GitHub, explaining that it works on all supported versions of Windows.
https://github.com/klinix5/InstallerFileTakeOver
Tomi Engdahl says:
North Korean hackers posed as Samsung recruiters to target security researchers
https://therecord.media/north-korean-hackers-posed-as-samsung-recruiters-to-target-security-researchers/
North Korean state-sponsored hackers posed as Samsung recruiters and sent fake job offers to employees at South Korean security companies that sell anti-malware software, Google said this week in the first edition of its new Threat Horizons report. “The emails included a PDF allegedly claiming to be of a job description for a role at Samsung; however, the PDFs were malformed and did not open in a standard PDF reader,” Google said. If targets complained that they couldn’t open the job offer archive, the hackers offered to help by providing them with a link to a “Secure PDF Reader” app users could install.
Tomi Engdahl says:
New Side-Channel Vulnerability in the Linux Kernel Enabling DNS Cache Poisoning
https://www.infoq.com/news/2021/11/linux-dns-vulnerability/
Despite its critical role, DNS has been a fragile part of the security chain. Historically, efficiency was the primary consideration of DNS, leading to the design of a single query and response over UDP, which is still the primary mechanism used today.
While DNS security features are available, including DNSSEC and DNS cookies, they are not widely deployed due to backward compatibility, say the researchers. Instead, the only approach to make DNS more secure has been the randomization of UDP ports, known as ephemeral ports, with the aim of making it harder for an attacker to discover them.
As a result of this, several attacks on DNS have been discovered in the past, including the recent SAD DNS, a variant of DNS cache poisoning that allows an attacker to inject malicious DNS records into a DNS cache, thus redirecting any traffic to their own server and becoming a man-in-the-middle (MITM).
More recently, some of the researchers who first disclosed SAD DNS have uncovered side-channel vulnerabilities that had gone undetected inside the Linux kernel for over a decade. Those vulnerabilities enable the use of ICMP probes to scan UDP ephemeral ports and allowed the researchers to develop new DNS cache poisoning attacks.
Specifically, the research focused on two types of ICMP error messages, ICMP fragment needed (or ICMP packet too big in IPv6) and ICMP redirect. As the researchers show, the Linux kernel processes those messages using shared resources that form side channels. What this means, roughly, is that an attacker can target a specific port where they send ICMP probes.
The newly discovered side channels affect the most popular DNS software, say the researchers, including BIND, Unbound, and dnsmasq running on top of Linux. An estimated 13.85% of open resolvers are affected. Additionally, the researchers show an end-to-end attack against the latest BIND resolver and a home router only taking minutes to succeed.
This novel attack can be prevented by setting proper socket options, e.g. by instructing the OS not to accept the ICMP frag needed messages, which will eliminate the side-channel altogether; by randomizing the kernel shared caching structure itself; and by rejecting ICMP redirects.
As a consequence of the disclosure of this new vulnerability, the Linux kernel has been patched both for IPv4 and IPv6 to randomize the shared kernel structure. Additionally, BIND 9.16.20 sets IP_PMTUDISC_OMIT on IPv6 sockets.
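The first mitigation the article names, instructing the OS not to apply ICMP "fragmentation needed" / "packet too big" information to a socket, is a per-socket option on Linux. The following is an added example written for this page, not code from the InfoQ article, the researchers' paper or BIND: it sets IP_MTU_DISCOVER to IP_PMTUDISC_OMIT on an IPv4 UDP socket (and the IPv6 equivalent, IPV6_MTU_DISCOVER with IPV6_PMTUDISC_OMIT) before the socket is used, then reads the option back to confirm the kernel accepted it. The function names are the example's own; the fallback numeric values for the two OMIT constants are the Linux uapi values and are only used if the glibc headers in use are too old to define them.

```c
/* Added example, not from the article: apply IP_PMTUDISC_OMIT to a UDP socket
 * on Linux for IPv4 and IPv6, and verify the setting by reading it back. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Linux uapi values; defined here only for older glibc headers that lack them. */
#ifndef IP_PMTUDISC_OMIT
#define IP_PMTUDISC_OMIT 5
#endif
#ifndef IPV6_PMTUDISC_OMIT
#define IPV6_PMTUDISC_OMIT 5
#endif

/* Pick the socket level, option name and "omit" value for an address family.
 * Returns 0, or -1 with errno set when the family is neither IPv4 nor IPv6. */
static int pmtud_option(int family, int *level, int *optname, int *omit)
{
    if (family == AF_INET) {
        *level = IPPROTO_IP;   *optname = IP_MTU_DISCOVER;   *omit = IP_PMTUDISC_OMIT;
        return 0;
    }
    if (family == AF_INET6) {
        *level = IPPROTO_IPV6; *optname = IPV6_MTU_DISCOVER; *omit = IPV6_PMTUDISC_OMIT;
        return 0;
    }
    errno = EAFNOSUPPORT;
    return -1;
}

/* Tell the kernel to ignore path-MTU information for this socket, so an
 * incoming "fragmentation needed" / "packet too big" error aimed at it no
 * longer updates the shared state the side channel reads. 0 or -1 (errno set). */
int disable_pmtud_side_channel(int fd, int family)
{
    int level, optname, omit;
    if (pmtud_option(family, &level, &optname, &omit) != 0)
        return -1;
    return setsockopt(fd, level, optname, &omit, sizeof omit);
}

/* Read back the socket's current PMTU discovery mode; returns it or -1 on error. */
int pmtud_mode(int fd, int family)
{
    int level, optname, omit, value = -1;
    socklen_t len = sizeof value;
    if (pmtud_option(family, &level, &optname, &omit) != 0)
        return -1;
    if (getsockopt(fd, level, optname, &value, &len) != 0)
        return -1;
    return value;
}

/* Open a UDP socket, as a resolver would for upstream queries, with the
 * mitigation applied before the socket is ever used. Returns the fd or -1. */
int open_hardened_udp_socket(int family)
{
    int fd = socket(family, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (disable_pmtud_side_channel(fd, family) != 0) {
        int saved = errno;          /* keep the setsockopt error, not close()'s */
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(void)
{
    int families[] = { AF_INET, AF_INET6 };
    for (size_t i = 0; i < 2; i++) {
        int fd = open_hardened_udp_socket(families[i]);
        if (fd < 0) {
            perror("open_hardened_udp_socket");   /* e.g. no IPv6 on this host */
            continue;
        }
        printf("%s socket: PMTU discovery mode = %d (OMIT = %d)\n",
               families[i] == AF_INET ? "IPv4" : "IPv6",
               pmtud_mode(fd, families[i]), IP_PMTUDISC_OMIT);
        close(fd);
    }
    return 0;
}
```

The option is per socket, so every UDP socket the resolver uses for outbound queries needs it, which is why the article's third mitigation, rejecting ICMP redirects, is handled differently: that is a host-wide setting (on Linux the net.ipv4.conf.all.accept_redirects sysctl, set to 0) rather than something an application can do for itself. Reading the value back with getsockopt, as the example does, is the check worth keeping in a deployment: a kernel older than the one that introduced the OMIT mode will reject the setsockopt call, and the hardened socket must then not be used as if it were protected.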
Tomi Engdahl says:
APT37 targets journalists with Chinotto multi-platform malware
https://www.bleepingcomputer.com/news/security/apt37-targets-journalists-with-chinotto-multi-platform-malware/
North Korean state hacking group APT37 targets South Korean journalists, defectors, and human rights activists in watering hole, spear-phishing emails, and smishing attacks delivering malware dubbed Chinotto capable of infecting Windows and Android devices. APT37 (aka Reaper) has been active since at least 2012 and is an advanced persistent threat group (APT) linked to the North Korean government with high confidence by FireEye. Other security companies also track it as ScarCruft (Kaspersky Lab), Group123 (Cisco Talos), or FreeMilk (Palo Alto Networks).
Tomi Engdahl says:
Kaspersky – ScarCruft surveilling North Korean defectors and human rights activists
https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
Technical analysis of ScarCruft activities
Tomi Engdahl says:
Wind turbine maker Vestas confirms recent security incident was ransomware https://www.theregister.com/2021/11/29/wind_turbine_maker_vestas_confirms/
10 days after attack ‘almost all systems’ up and running, refuses to say if ransom was paid. Wind turbine maker Vestas says “almost all” of its IT systems are finally up and running 10 days after a security attack by criminals, confirming that it had indeed fallen victim to ransomware.
Tomi Engdahl says:
Panasonic discloses four-months-long data breach
https://therecord.media/panasonic-discloses-four-months-long-data-breach/
Japanese electronics giant Panasonic has disclosed on Friday a major security breach after an unidentified threat actor had gained access to its internal network. The Osaka-based company said it detected the security breach earlier this month, on November 11. “As the result of an internal investigation, it was determined that some data on a file server had been accessed during the intrusion,” the company said in a short statement published on Friday.
Tomi Engdahl says:
Hackers plant card-stealing malware on website that sells baron and duke titles
https://therecord.media/hackers-plant-card-stealing-malware-on-website-that-sells-baron-and-duke-titles/
A threat actor has hacked the website of the Principality of Sealand, a micronation in the North Sea, and planted malicious code on its web store, which the government is using to sell baron, count, duke, and other nobility titles. Called a “web skimmer”, the malicious code allowed the hackers to collect user and payment card details for anyone who purchased products, such as nobility titles, from the country’s online store.
Tomi Engdahl says:
Dark web market Cannazon shuts down after massive DDoS attack
https://www.bleepingcomputer.com/news/security/dark-web-market-cannazon-shuts-down-after-massive-ddos-attack/
Cannazon, one of the largest dark web marketplaces for buying marijuana products, shut down last week after suffering a debilitating distributed denial of service attack. As the admins explained in a message signed with the market’s PGP key, they are officially retiring and claim not to be pulling an exit scam on their vendors. The admins posted that message on November 23, 2021, and today, Cannazon went offline, allegedly forever.
Tomi Engdahl says:
Zoom finally adds automatic updates to Windows, macOS clients
https://www.bleepingcomputer.com/news/security/zoom-finally-adds-automatic-updates-to-windows-macos-clients/
Zoom has announced today the launch of an automatic update feature designed to streamline the update process for desktop clients. The new feature is currently available only for desktop Zoom clients on Windows and macOS, with the Linux platform not currently supported.
Zoom says that mobile device users can also keep their apps automatically updated through their respective app stores’ built-in automated updaters.
Tomi Engdahl says:
Telegram channel admins who sold fake vaccine cards arrested
https://www.bleepingcomputer.com/news/legal/telegram-channel-admins-who-sold-fake-vaccine-cards-arrested/
The Italian financial crime agency (Guardia di Finanza, GdF) has announced the arrest of several individuals suspected of managing Telegram channels to promote fake vaccine certificates, aka ‘Green Passes.’ The operation was supported by evidence collected by investigators at Group-IB’s high-tech crime unit, who managed to unmask the criminals despite measures to keep their identities hidden.
Tomi Engdahl says:
8-year-old HP printer vulnerability affects 150 printer models
https://www.bleepingcomputer.com/news/security/8-year-old-hp-printer-vulnerability-affects-150-printer-models/
Researchers have discovered several vulnerabilities affecting at least 150 multi-function (print, scan, fax) printers made by Hewlett Packard. Since the flaws discovered by F-Secure security researchers Alexander Bolshev and Timo Hirvonen date back to at least 2013, they’ve likely exposed a large number of users to cyberattacks for a notable amount of time. HP has released fixes for the vulnerabilities in the form of firmware updates for two of the most critical flaws on November 1, 2021.
Tomi Engdahl says:
8-year-old HP printer vulnerability affects 150 printer models
https://www.bleepingcomputer.com/news/security/8-year-old-hp-printer-vulnerability-affects-150-printer-models/
Researchers have discovered several vulnerabilities affecting at least 150 multi-function (print, scan, fax) printers made by Hewlett Packard.
Since the flaws discovered by F-Secure security researchers Alexander Bolshev and Timo Hirvonen date back to at least 2013, they’ve likely exposed a large number of users to cyberattacks for a notable amount of time.
HP has released fixes for the vulnerabilities in the form of firmware updates for two of the most critical flaws on November 1, 2021.
These are CVE-2021-39237 and CVE-2021-39238. For a complete list of the affected products, click on the tracking numbers for the corresponding advisories.
The first one concerns two exposed physical ports that grant full access to the device. Exploiting it requires physical access and could lead to potential information disclosure.
The second one is a buffer overflow vulnerability in the font parser, which is a lot more severe, having a CVSS score of 9.3. Exploiting it gives threat actors a way to achieve remote code execution.
CVE-2021-39238 is also “wormable,” meaning a threat actor could quickly spread from a single printer to an entire network.
As such, organizations must upgrade their printer firmware as soon as possible to avoid large-scale infections that start from this often ignored point of entry.
Tomi Engdahl says:
Hackers all over the world are targeting Tasmania’s emergency services https://blog.malwarebytes.com/hacking-2/2021/11/hack-tasmania/
Emergency services, under which the police, fire, and emergency medical services departments fall, is an infrastructure vital to any country or state. But when those services come under threat from either physical or cyber entities, it’s as good as putting the lives of citizens at risk as well.
Tomi Engdahl says:
DNA testing firm discloses data breach affecting 2.1 million people
https://www.bleepingcomputer.com/news/security/dna-testing-firm-discloses-data-breach-affecting-21-million-people/
DNA Diagnostics Center (DDC), an Ohio-based DNA testing company, has disclosed a hacking incident that affects 2,102,436 persons.
Tomi Engdahl says:
AT&T takes action against DDoS botnet that hijacked VoIP servers
https://therecord.media/att-takes-action-against-ddos-botnet-that-hijacked-voip-servers/
AT&T is investigating and has taken steps to mitigate a botnet that infected more than 5,700 VoIP servers located inside its network, a spokesperson has told The Record earlier today. All the infected devices were EdgeMarc Enterprise Session Border Controllers, a type of Voice-over-IP server designed to balance and reroute internet telephony traffic from smaller enterprise customers to upstream mobile providers. According to Netlab, a network security division of Chinese tech giant Qihoo 360, a threat actor used an old exploit (CVE-2017-6079) to hack into unpatched EdgeMarc servers and install a modular malware strain named EwDoor.
Tomi Engdahl says:
Rights groups petition Israel’s top court over Omicron phone tracking
https://www.reuters.com/world/middle-east/rights-groups-petition-israels-top-court-over-omicron-phone-tracking-2021-11-29/
Rights groups petitioned Israel’s top court on Monday to repeal new COVID-19 measures that authorise the country’s domestic intelligence service to use counter-terrorism phone tracking technology to contain the spread of the Omicron virus variant. Announcing the emergency measures on Saturday, Prime Minister Naftali Bennett said the phone tracking would be used to locate carriers of the new and potentially more contagious variant in order to curb its transmission to others.