The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- New Exchange server vulnerabilities: NSA and Microsoft urge patches.
- FBI takes proactive approach: FBI deletes malicious web shells from compromised Exchange servers.
- Name:Wreck: Over 100 million devices affected by DNS vulnerabilities.
- Contact form trojan: New attack campaign uses contact forms on websites to deliver malware.
- Chrome exploit on Twitter: Researcher publishes proof-of-concept exploit code on Twitter.
- A tale of two breaches: The best and worst of responses – ParkMobile and the others.
New Exchange server vulnerabilities
- Four new vulnerabilities found in Exchange servers. Microsoft and NSA urge patches be applied as soon as possible.
- NSA finds two remote code execution vulnerabilities. CVE-2021-28480 and CVE-2021-28481 could facilitate attack without requiring user interaction.
- The fixes are included in this week’s Patch Tuesday, featuring 114 CVEs affecting Microsoft products.
SO WHAT? Given the current threat actor focus on Exchange servers, clients are advised to patch for these new vulnerabilities as soon as possible.
FBI deletes ProxyLogon web shells from compromised Exchange servers
- FBI executes court-authorised cyber operation. After the barrage of Hafnium-related attacks affecting Microsoft Exchange servers, the FBI was authorised to delete malicious web shells found on compromised servers.
- First public operation of its kind. The FBI managed to remove one early hacking group’s remaining web shells, which could have provided access to US networks.
SO WHAT? While the FBI may have removed the web shells, organisations must still take proactive measures and apply patches to vulnerable systems.
Name:Wreck: serious vulnerabilities in the DNS implementation of four TCP/IP stacks
- Nine vulnerabilities affecting the Domain Name System (DNS) implementation in four major TCP/IP stacks have been disclosed. Globally, over 100 million devices are affected.
- Collectively known as Name:Wreck, the flaws affect the DNS implementation in four major TCP/IP stacks. If exploited, Name:Wreck could allow an attacker to gain control of affected devices, take them offline, and even steal sensitive data.
SO WHAT? If possible, patch affected devices. If not, enforce segmentation controls, configure devices to rely on internal DNS servers where feasible, and monitor external DNS traffic for malicious packets.
New campaign uses customer support to deliver banking trojan
- A new attack uses corporate website contact forms to deliver the IcedID banking trojan. The campaign uses legitimate Google URLs to add credibility to the attack. Analysts suggest the submission process could have been automated by bypassing CAPTCHA protections.
- A battle of the banking trojans is ongoing, with the QBot trojan becoming more prevalent again. The re-emergence of QBot comes as actors rotate payloads once again away from IcedID.
- QBot was recently seen incorporating the EtterSilent malicious document builder service, mentioned in last week’s brief.
SO WHAT? Attackers continue to abuse legitimate infrastructure to make social engineering attacks more believable. Educating employees to be able to identify social engineering is essential.
Chrome zero-day exploit published on Twitter
- Google has released a new Chrome version to fix this vulnerability.
SO WHAT? This highlights the open-source patch gap: threat actors are able to exploit security bugs that are fixed upstream before the patches are rolled out to downstream programs.
Data breach responses and what it means for users
- ParkMobile breach leaves 21 million users’ information on Russian cybercrime forum. License plate numbers, email addresses, and phone numbers were exposed. ParkMobile is investigating and has notified law enforcement.
- Breach or leak? Does it matter? Data of Facebook, LinkedIn, and Clubhouse users was recently exposed online. The platforms say these were ‘data leaks’ due to publicly visible data being scraped. Leak or breach, it has meant user data was published online, leading to accusations of loose interpretation of regulations from some quarters.
SO WHAT? ParkMobile users should change their password and vehicle nicknames. Secure your social media accounts with the highest available privacy settings to limit impacts from breaches…or leaks.