
Cyber Intelligence Briefing: 16 April 2021

Billy Gouveia, Mona Damian 16 April 2021


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.

OVERVIEW


New Exchange server vulnerabilities  

  • Four new vulnerabilities found in Exchange Server. Microsoft and the NSA urge that patches be applied as soon as possible.
  • The NSA reported two of them, CVE-2021-28480 and CVE-2021-28481, both remote code execution flaws exploitable over the network without authentication or user interaction.
  • The fixes are included in this week's Patch Tuesday, which addresses 114 CVEs across Microsoft products.

 SO WHAT?  Given the current threat actor focus on Exchange servers, and because two of these flaws need neither credentials nor a user's click, clients are advised to patch as soon as possible and, until then, to limit which networks can reach the server.


FBI deletes ProxyLogon web shells from compromised Exchange servers 

  • FBI executes court-authorised cyber operation. After the barrage of Hafnium-related attacks on Microsoft Exchange servers, the FBI was authorised to delete malicious web shells found on compromised US servers.
  • First public operation of its kind. The FBI removed the remaining web shells of one early hacking group, shells that could still have provided access to US networks.

 SO WHAT?  The operation removed only the web shells: it did not patch the underlying vulnerabilities or remove any other malware or persistence the attackers may have left behind. Organisations must still patch, and hunt for any remaining signs of compromise on servers that were exposed.
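One proactive measure a defender can take is to hunt for the kind of one-line ASP.NET web shell that was dropped on compromised servers. The following is an added example written for this briefing, not tooling from the FBI, Microsoft or S-RM: it walks a web root, flags server-side pages that contain generic traits of Jscript/C# shells of the China Chopper kind (an eval over a request parameter, a Jscript page directive, process spawning, in-memory assembly loading), and builds a small constructed sample tree so it runs offline. The patterns and the sample file names are the example's own assumptions, not indicators taken from this page.

```python
"""Hunt for one-line ASP.NET web shells under an Exchange server's web roots.

Constructed example for this briefing (not FBI, Microsoft or S-RM code).
On a real server, point scan_tree() at the IIS-served Exchange paths such as
the FrontEnd\\HttpProxy\\owa\\auth and ClientAccess\\owa\\auth directories.
"""
import os
import re
import tempfile
from typing import Dict, List

WEB_EXTENSIONS = (".aspx", ".ashx", ".asmx")

# Generic traits of one-line ASP.NET shells; assumed indicators, not page IOCs.
SHELL_PATTERNS = {
    "eval-of-request-param": re.compile(rb"eval\s*\(\s*Request\.(Item|Form|QueryString)\s*\[", re.I),
    "jscript-page-directive": re.compile(rb'Page\s+Language\s*=\s*"Jscript"', re.I),
    "process-spawn": re.compile(rb"System\.Diagnostics\.Process", re.I),
    "assembly-load": re.compile(rb"System\.Reflection\.Assembly\.Load", re.I),
}


def scan_file(path: str) -> List[str]:
    """Return the names of every pattern found in the first MiB of the file."""
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)   # one-liner shells are tiny; cap reads on huge files
    return [name for name, pat in SHELL_PATTERNS.items() if pat.search(data)]


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Map each suspicious server-side page (path relative to root) to its hits."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fname)
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def build_sample_tree() -> str:
    """Construct a fake OWA tree: one benign page, one stylesheet, one shell."""
    root = tempfile.mkdtemp(prefix="owa-sample-")
    auth = os.path.join(root, "owa", "auth")
    os.makedirs(auth)
    with open(os.path.join(auth, "logon.aspx"), "wb") as fh:   # constructed benign page
        fh.write(b'<%@ Page Language="C#" AutoEventWireup="true" %>\n'
                 b"<html><body>Sign in</body></html>\n")
    with open(os.path.join(auth, "logon.css"), "wb") as fh:    # not a server-side page
        fh.write(b"body { color: #333; }\n")
    with open(os.path.join(auth, "help.aspx"), "wb") as fh:    # constructed one-line shell
        fh.write(b'<%@ Page Language="Jscript"%><%eval(Request.Item["pw"],"unsafe");%>')
    return root


if __name__ == "__main__":
    for page, hits in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{page}: {', '.join(hits)}")
```

Pattern matching is only a first pass: on a real server, also diff the web roots against a known-good install or the file list in the Exchange setup media, and treat any .aspx created after the server's last patch date as worth a manual look, since a shell can be written to avoid every string above.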


Name:Wreck: serious vulnerabilities in the DNS implementations of four TCP/IP stacks

  • Nine vulnerabilities in the Domain Name System (DNS) implementations of four widely used TCP/IP stacks (FreeBSD, IPnet, Nucleus NET and NetX) have been disclosed. Globally, over 100 million devices are estimated to be affected.
  • Collectively named Name:Wreck, the flaws sit mostly in the parsing of compressed domain names in DNS responses. If exploited, they could allow an attacker to take control of a device, knock it offline, or steal sensitive data.

 SO WHAT?  If possible, patch affected devices. If not, enforce segmentation controls, configure devices to rely on internal DNS servers where feasible, and monitor external DNS traffic for malformed packets.
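The bug class behind most of Name:Wreck is the handling of DNS message compression (RFC 1035, section 4.1.4): a pointer label can send a naive parser outside the message or round in a loop. The following is an added example written for this briefing, not code from the Name:Wreck researchers or from any affected stack, of a name decoder that enforces the checks those stacks missed, plus a small filter of the kind the "monitor external DNS traffic" advice above implies. The sample messages are constructed inline, not captured from the wire.

```python
"""Hardened decoding of compressed DNS names (RFC 1035, section 4.1.4).

Constructed example for this briefing; not code from Forescout/JSOF or any
affected TCP/IP stack. The sample messages are built inline, not captured.
"""
import struct
from typing import Tuple

MAX_NAME_OCTETS = 255    # wire-form limit on a name, root label included
MAX_LABEL_OCTETS = 63    # the two high bits of a length byte are reserved for pointers
HEADER_LEN = 12


class MalformedDNS(ValueError):
    """Raised for any message a hardened parser must refuse rather than guess at."""


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode the name at `offset`; return (name, offset just after it).

    Every read is bounds-checked, labels are capped at 63 octets and the whole
    name at 255, and a compression pointer must target an octet *before* the
    start of the label run currently being read. Conforming encoders only ever
    point at a prior occurrence, so this rejects nothing legitimate, and it
    makes pointer chains strictly decrease: loops are refused with no counter.
    """
    labels = []
    octets = 1                 # count the terminating root label up front
    segment_start = offset     # start of the run of labels currently being read
    resume_at = None           # where the caller continues after the first pointer
    pos = offset
    while True:
        if pos >= len(msg):
            raise MalformedDNS(f"name at {offset} runs past end of message")
        length = msg[pos]
        kind = length & 0xC0
        if kind == 0xC0:                                   # 11xxxxxx: pointer
            if pos + 1 >= len(msg):
                raise MalformedDNS(f"truncated pointer at {pos}")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= segment_start:
                raise MalformedDNS(f"pointer at {pos} to {target} does not go backwards")
            if resume_at is None:
                resume_at = pos + 2
            segment_start = pos = target
            continue
        if kind:                                           # 01xxxxxx / 10xxxxxx reserved
            raise MalformedDNS(f"reserved label type 0x{kind:02x} at {pos}")
        if length == 0:                                    # root label ends the name
            break
        if length > MAX_LABEL_OCTETS:
            raise MalformedDNS(f"label of {length} octets at {pos}")
        if pos + 1 + length > len(msg):
            raise MalformedDNS(f"label at {pos} runs past end of message")
        octets += 1 + length
        if octets > MAX_NAME_OCTETS:
            raise MalformedDNS(f"name at {offset} exceeds {MAX_NAME_OCTETS} octets")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels) + ".", (resume_at if resume_at is not None else pos + 1)


def parse_question(msg: bytes) -> Tuple[str, int, int]:
    """Return (qname, qtype, qclass) of the first question; header fields are not validated."""
    if len(msg) < HEADER_LEN:
        raise MalformedDNS("message shorter than the 12-octet header")
    qname, pos = read_name(msg, HEADER_LEN)
    if pos + 4 > len(msg):
        raise MalformedDNS("question truncated after name")
    qtype, qclass = struct.unpack(">HH", msg[pos:pos + 4])
    return qname, qtype, qclass


def is_malformed(msg: bytes) -> bool:
    """True when the message should be dropped, or alerted on, at the network edge."""
    try:
        parse_question(msg)
        return False
    except MalformedDNS:
        return True


# Constructed samples: a zeroed 12-octet header, then a question (QTYPE A, QCLASS IN).
_HDR = bytes(HEADER_LEN)
_QFOOT = b"\x00\x01\x00\x01"
SAMPLE_PLAIN = _HDR + b"\x03www\x07example\x03com\x00" + _QFOOT
# "example.com" written once at offset 12, then "www" + pointer 0xC00C back to it
SAMPLE_COMPRESSED = _HDR + b"\x07example\x03com\x00" + b"\x03www\xc0\x0c" + _QFOOT
# label "a" followed by a pointer to itself: "a.a.a..." forever in a naive parser
SAMPLE_LOOP = _HDR + b"\x01a\xc0\x0c" + _QFOOT
# label claims 3 octets but only two follow
SAMPLE_TRUNCATED = _HDR + b"\x03ww"

if __name__ == "__main__":
    print(parse_question(SAMPLE_PLAIN))
    print(read_name(SAMPLE_COMPRESSED, 25))   # the compressed name follows the first one
    for label, sample in [("loop", SAMPLE_LOOP), ("truncated", SAMPLE_TRUNCATED)]:
        print(label, "malformed" if is_malformed(sample) else "ok")
```

The backwards-only pointer rule is the cheap invariant worth checking when reviewing an embedded stack's resolver: a parser that only bounds-checks reads, but lets a pointer target any earlier octet, still loops on the self-pointing sample until some other limit saves it.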


New campaign uses customer support to deliver banking trojan 

  • A new campaign abuses the contact forms on corporate websites to deliver the IcedID banking trojan: the submitted messages carry links to legitimate Google URLs, which lends the lure credibility and slips past filters that trust the domain. Analysts suggest the submissions were automated, which would imply a bypass of the forms' CAPTCHA protections.
  • A battle of the banking trojans is ongoing, with the QBot trojan becoming more prevalent again as operators rotate payloads away from IcedID once more.
  • QBot was recently seen incorporating the EtterSilent malicious document builder service, mentioned in last week's brief.

 SO WHAT?  Attackers continue to abuse legitimate infrastructure to make social engineering more believable. Staff who handle inbound contact-form mail should be trained to treat unexpected links as suspect even when the domain looks trustworthy, and mailboxes that receive form submissions deserve the same attachment and link controls as any other.


Chrome zero-day exploit published on Twitter 

  • A security researcher posted working exploit code on Twitter for a zero-day vulnerability in the V8 JavaScript engine, affecting Chrome and Microsoft Edge.
  • The vulnerability had been demonstrated five days earlier at the Pwn2Own 2021 hacking competition. The researcher recreated the exploit after the fix was committed to the open-source V8 repository, before it had shipped in a Chrome release.
  • Google has since released a new Chrome version that fixes the vulnerability.

 SO WHAT?  This highlights the risk of the open-source patch gap: once a fix is public in the upstream repository, threat actors can derive an exploit before the patched build reaches downstream browsers and their users. Note that the published exploit did not include a sandbox escape, so on its own it could not compromise a fully patched system running the browser sandbox; it becomes dangerous when chained with a second bug or where the sandbox is disabled. Update Chrome and Edge promptly all the same.


Data breach responses and what it means for users 

  • ParkMobile breach leaves 21 million users' information on a Russian cybercrime forum. Licence plate numbers, email addresses, phone numbers, vehicle nicknames and password hashes were exposed. ParkMobile is investigating and has notified law enforcement.
  • Breach or leak? Does it matter? Data of Facebook, LinkedIn and Clubhouse users was recently exposed online. The platforms describe these as 'data leaks', since the data was scraped from publicly visible profiles. Leak or breach, user data was published online, and the distinction has drawn accusations from some quarters that the platforms are interpreting breach-notification regulations loosely.

 SO WHAT?  ParkMobile users should change their password (and it anywhere it was reused) and their vehicle nicknames. Secure your social media accounts with the highest available privacy settings to limit the impact of breaches... or leaks.



To discuss this article or other industry developments, please reach out to one of our experts.

Billy Gouveia, Senior Managing Director
Mona Damian, Associate
