Posts

Cybersecurity Updates For Week 16 of 2022

CVE-2021-3970, CVE-2021-3971, CVE-2021-3972: Lenovo UEFI Firmware Vulnerabilities

Security company ESET disclosed three vulnerabilities in the UEFI firmware of Lenovo consumer laptops, affecting more than 100 models across the Flex, IdeaPad, Legion, V14/V15/V17 and Yoga lines. Two of them (CVE-2021-3971, CVE-2021-3972) are leftover manufacturing drivers that let software running in the OS disable SPI flash write protection and UEFI Secure Boot; the third (CVE-2021-3970) is a memory corruption in an SMM handler. Firmware-level flaws like these survive an OS reinstall, so check Lenovo's advisory for your model and apply the BIOS update.

Read more:
https://securityonline.info/cve-2021-3970-lenovo-uefi-firmware-vulnerabilities/

Hackers Are Getting Caught Exploiting New Bugs More Than Ever

A pair of reports from Mandiant and Google found a spike in exploited zero-day vulnerabilities in 2021. The question is, why?

Read more:
https://www.wired.com/story/zero-day-exploits-vulnerabilities-google-mandiant/

Access Bypass, Data Overwrite Vulnerabilities Patched in Drupal

Drupal on Wednesday announced the release of security updates resolving two vulnerabilities that could lead to access bypass and data overwrite.

Read More:
https://www.securityweek.com/access-bypass-data-overwrite-vulnerabilities-patched-drupal

Other news worth mentioning:

Amazon’s Hotpatch for Log4j Flaw Found Vulnerable to Privilege Escalation Bug
Critical Chipset Bugs Open Millions of Android Devices to Remote Spying
Denonia Malware Shows Evolving Cloud Threats
Oracle Releases 520 New Security Patches With April 2022 CPU
Emotet reestablishes itself at the top of the malware world

Cybersecurity Updates For Week 10 of 2022

Intel and Arm CPUs have a major security flaw

A new Spectre-class speculative execution vulnerability, called Branch History Injection (BHI) or Spectre-BHB, was disclosed on Tuesday by the VUSec research group together with Intel. It affects recent Intel and Arm cores and bypasses the hardware mitigations (Intel eIBRS, Arm CSV2) that were meant to close Spectre v2, so software mitigations are needed again.

Read more:
https://www.techspot.com/news/93706-arm-intel-cpus-vulnerable-new-spectre-style-attack.html

Microsoft tests new cloud-based Microsoft Defender for home users

Microsoft has announced that the company’s new cloud-based Microsoft Defender security solution has entered preview for home customers in the United States.

Read more:
https://www.bleepingcomputer.com/news/microsoft/microsoft-tests-new-cloud-based-microsoft-defender-for-home-users/

Mozilla fixes Firefox zero-days exploited in the wild (CVE-2022-26485, CVE-2022-26486)

Mozilla has released an out-of-band security update for Firefox, Firefox Focus, and Thunderbird, fixing two critical vulnerabilities (CVE-2022-26485, CVE-2022-26486) exploited by attackers in the wild.

Read More:
https://www.helpnetsecurity.com/2022/03/07/cve-2022-26485-cve-2022-26486/

Other news worth mentioning:

New Linux bug gives root on all major distros, exploit released
CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector
Microsoft Addresses 3 Zero-Days & 3 Critical Bugs for March Patch Tuesday
Computer science professor takes a ‘hands-on’ approach to smartphone security

Cybersecurity Updates For Week 4 of 2022

Apple Fixes Zero-Day Vulnerabilities

With the latest versions of iOS / iPadOS (15.3) and macOS (11.6.3, 12.2), released on January 26, 2022, Apple patched several vulnerabilities, at least one of which Apple says may have been actively exploited against iPhones and Macs.

Apple ships fixes for such bugs quickly, but a fix only helps once it is installed, so please update all of your devices.

Read more:
macOS Monterey 12.2: https://support.apple.com/en-us/HT213054
macOS Big Sur 11.6.3: https://support.apple.com/en-us/HT213055
iOS / iPadOS 15.3: https://support.apple.com/en-us/HT213056

New local privilege escalation in Polkit's pkexec (PwnKit) – CVE-2021-4034

Qualys has discovered a memory-corruption vulnerability in pkexec, the SUID-root helper shipped with Polkit (formerly PolicyKit), the component that mediates privilege requests on Linux systems. The vulnerability has been named PwnKit (CVE-2021-4034) and has been present in every pkexec release since the tool was first added to Polkit in 2009.

Even though this is a local privilege escalation, meaning an attacker already needs a foothold on the machine to exploit it, we still recommend updating as soon as possible. While the vulnerability is unpatched, any other breach, such as a compromised web application or a phished user account, gives the attacker root by default by abusing PwnKit, and the exploit is trivial and reliable. If your distribution has not shipped a fix yet, removing the SUID bit from pkexec (chmod 0755 /usr/bin/pkexec) is a safe temporary mitigation.

Read more:
https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
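To make the root cause concrete, here is an added example in C that is not polkit's own code: a user-space model of how pkexec ends up reading past its argument vector. pkexec starts scanning for options at argv[1] and later uses argv[n] as the program to run, without checking that argc is at least 1; execve(2) permits an empty argv, and the kernel lays argv and envp out back to back on the new stack, so with argc == 0 argv[1] is really envp[0]. The argv/envp layout below is constructed by hand rather than produced by a real execve, and the option loop is a simplified stand-in.

```c
/* Added example: a user-space model of CVE-2021-4034 (PwnKit), not polkit's
 * own code. pkexec's main() starts scanning for options at argv[1] and later
 * uses argv[n] as the program to run, without checking that argc >= 1.
 * execve(2) permits an empty argv (argc == 0), and the kernel lays argv and
 * envp out back to back on the new stack, so with argc == 0 argv[1] is really
 * envp[0]: the first environment string. */
#include <stdio.h>
#include <string.h>

/* Constructed stack layout (not produced by a real execve here), mirroring
 * execve("/usr/bin/pkexec", {NULL}, {"PATH=/tmp/attacker", "HOME=/", NULL}):
 * argv[0] is the NULL terminator and envp begins immediately after it. */
static char *empty_argv_layout[] = { NULL, "PATH=/tmp/attacker", "HOME=/", NULL };
/* Normal invocations for comparison: "pkexec id" and a bare "pkexec". */
static char *normal_argv[] = { "pkexec", "id", NULL };
static char *usage_argv[]  = { "pkexec", NULL };

/* Simplified stand-in for pkexec's option loop: skip leading "--options"
 * and return the index of the first non-option argument. */
static int skip_options(int argc, char **argv) {
    int n;
    for (n = 1; n < argc; n++) {
        if (strncmp(argv[n], "--", 2) != 0)
            break;
    }
    return n;
}

/* Vulnerable pattern (pkexec before polkit 0.120): argv[n] is read even when
 * argc == 0, in which case the loop never runs, n stays 1, and argv[1] is
 * envp[0]. Returns NULL when there is nothing to run (real pkexec prints
 * its usage text in that case). */
static const char *vulnerable_pick_program(int argc, char **argv) {
    int n = skip_options(argc, argv);
    return argv[n];                     /* argc == 0: out-of-bounds read of envp[0] */
}

/* Hardened pattern (the upstream fix): refuse an empty argument vector
 * before touching argv[1]. */
static const char *fixed_pick_program(int argc, char **argv) {
    if (argc < 1)
        return NULL;                    /* real pkexec exits with status 127 here */
    int n = skip_options(argc, argv);
    return argv[n];
}

int main(void) {
    const char *v = vulnerable_pick_program(0, empty_argv_layout);
    const char *f = fixed_pick_program(0, empty_argv_layout);
    printf("argc == 0, vulnerable: program = %s\n", v ? v : "(none)");
    printf("argc == 0, fixed:      program = %s\n", f ? f : "(none)");
    printf("argc == 2, fixed:      program = %s\n", fixed_pick_program(2, normal_argv));
    return 0;
}
```

In the real pkexec the string picked here is then resolved via PATH and the result is written back to argv[n], that is, into envp[0]. That is the out-of-bounds write the public exploit builds on; the fixed version is the one-line argc check upstream added in polkit 0.120, and the chmod mitigation above works because the bug is only dangerous while the binary runs as root.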

New Linux Kernel exploit – CVE-2022-0185

The vulnerability, a heap buffer overflow in the kernel's filesystem context code (fs/fs_context.c), affects Linux kernels from 5.1 up to the fix in 5.16.2 and the corresponding stable releases, and with them every container running on an unpatched host.

The Linux kernel is the heart of the operating system: it manages resources and controls access to hardware such as the CPU and memory. Containers are isolated environments that share the host's kernel, so a kernel bug is a container bug too. Triggering this one requires CAP_SYS_ADMIN, but an unprivileged process can obtain that capability inside a new user namespace, which is why the bug can be used from inside a container to escape it and take full control of the node.

Update your Linux kernel as soon as possible. Where that cannot happen immediately, removing the attacker's path to CAP_SYS_ADMIN reduces the risk: disable unprivileged user namespaces (sysctl user.max_user_namespaces=0, or kernel.unprivileged_userns_clone=0 on distributions that provide it) and keep the default Docker seccomp profile, which blocks unshare(2) for unprivileged containers.

Read More:
https://sysdig.com/blog/cve-2022-0185-container-escape/
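For readers who want to see the bug rather than take it on trust, here is an added example that is not kernel code: a user-space model of the length check in legacy_parse_param(), with the vulnerable and fixed forms side by side and a replay of the option sequence that trips it. The kernel collects mount options for legacy filesystems into one page-sized buffer and checks before each copy that the option still fits; in affected kernels that check underflows once the buffer is nearly full. PAGE_SIZE, the buffer layout and the result codes are the model's own assumptions.

```c
/* Added example: a user-space model of the CVE-2022-0185 bound check in
 * fs/fs_context.c:legacy_parse_param(), not the kernel's code. The kernel
 * collects mount options for legacy filesystems into one page-sized buffer;
 * before copying each option it checks that it still fits. In kernels 5.1
 * through 5.16.1 that check underflows once the buffer is nearly full. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE ((size_t)4096)   /* assumed page size for the model */

/* Vulnerable check: PAGE_SIZE - 2 - size is unsigned arithmetic, so once
 * size exceeds PAGE_SIZE - 2 it wraps to a huge value and any len passes. */
static bool vulnerable_option_fits(size_t size, size_t len) {
    return !(len > PAGE_SIZE - 2 - size);
}

/* Fixed check (5.16.2 and stable backports): the same bound written so
 * that the arithmetic cannot wrap. */
static bool fixed_option_fits(size_t size, size_t len) {
    return !(size + len + 2 > PAGE_SIZE);
}

/* Model of the legacy option buffer: one page plus the used-byte count. */
struct legacy_ctx {
    char data[PAGE_SIZE];
    size_t size;
};

/* Append ",<key>" to the buffer the way legacy_parse_param() does.
 * Returns 0 on success, -1 if the bound check rejected the option, and -2 if
 * the check passed but the copy would run off the end of the page; the model
 * detects that case instead of performing the out-of-bounds write. */
static int append_option(struct legacy_ctx *ctx, const char *key,
                         bool (*fits)(size_t size, size_t len)) {
    size_t len = strlen(key);
    if (!fits(ctx->size, len))
        return -1;
    /* comma + key + terminating NUL must all land inside the page */
    if (ctx->size + 1 + len + 1 > PAGE_SIZE)
        return -2;                      /* this is the overflow the CVE describes */
    ctx->data[ctx->size++] = ',';
    memcpy(ctx->data + ctx->size, key, len);
    ctx->size += len;
    ctx->data[ctx->size] = '\0';
    return 0;
}

/* Replay the trigger: a first option of 4094 bytes fills the page to
 * size 4095, so the next option meets the wrapped (or the fixed) check.
 * Returns the result code of that second append. */
static int replay_trigger(bool (*fits)(size_t size, size_t len)) {
    static char big_key[PAGE_SIZE];
    struct legacy_ctx ctx;
    memset(&ctx, 0, sizeof ctx);
    memset(big_key, 'A', PAGE_SIZE - 2);
    big_key[PAGE_SIZE - 2] = '\0';      /* 4094 bytes, passes both checks */
    if (append_option(&ctx, big_key, fits) != 0)
        return -99;                     /* the first option must fit either way */
    return append_option(&ctx, "B", fits);
}

int main(void) {
    printf("vulnerable check: second append -> %d (-2 = write past the page)\n",
           replay_trigger(vulnerable_option_fits));
    printf("fixed check:      second append -> %d (-1 = rejected)\n",
           replay_trigger(fixed_option_fits));
    return 0;
}
```

The model refuses to perform the overflowing write and reports it instead; in the kernel the same memcpy corrupts whatever follows the page on the heap. This code is reached through the fsopen(2)/fsconfig(2) mount API, which needs CAP_SYS_ADMIN in the caller's namespace, which is why unprivileged user namespaces are the deciding factor for exploitation from inside a container.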

Other news worth mentioning:

105 Million Android Users Targeted by Subscription Fraud Campaign
Attackers Connect Rogue Devices to Organizations’ Network with Stolen Office 365 Credentials
Millions of Routers, IoT Devices at Risk as Malware Source Code Surfaces on GitHub
GitLab Unauthenticated Remote Code Execution CVE-2021-22205 Exploited in the Wild


Supply chain attacks and Zero-days

The year 2021 saw several high-profile vulnerabilities actively exploited in big and popular software, including Microsoft Exchange, alongside the SolarWinds Orion supply-chain compromise. Experience shows that in some cases even a few days is too late to patch. Many organizations work with a guideline of patching within 30 days when the vendor rates an update as important, the delay being an attempt to verify that the patch does not cause adverse effects; against a vulnerability that is already being exploited, that window is far too long. The need for a vigilant vulnerability management process that continuously triages published vulnerabilities, and fast-tracks those known to be exploited, is becoming clear.

Among the issues published lately are supply-chain attacks, where an attacker manipulates products or product delivery mechanisms before they reach the final consumer, and the exploitation of previously unknown vulnerabilities (so-called zero-days). Defending against these attacks is in some cases not possible, or at least demands a level of security that makes it difficult to stay productive and profitable. In some cases the best an organization can do is to not be the weakest link and the easiest target.

It is important to prepare for an attack and have a plan for incident response. Perform exercises.
Deploy a security framework in order to engage in continuous improvement of the security
posture.

Adobe Flash Zero Day Exploit

There is a vulnerability in Adobe Flash Player that puts anyone running anything but the latest version at risk of being infected with malware simply by browsing a website. One of the most common ways to get infected these days is by drive-by methods, where an ordinary website unknowingly starts serving malware through its advertising network or because it has itself been compromised.

It doesn’t matter if you run Mac OS X, Windows or Linux; Flash is universal and everyone runs the risk if they are not keeping up to date (same as with Java).

I really wish I could say that this is an uncommon or ground-breaking attack vector, but unfortunately it’s the same as with Java: new exploits appear every month and those who do not keep up to date get compromised. You can find multiple other entries by, for example, searching for patch tuesday; http://bfblogg.wpengine.com/?s=patch+tuesday

For those who are unsure whether they are vulnerable, you can browse to this page to see the status of your plugins (it should work with all browsers) and update as necessary: https://www.mozilla.org/en-US/plugincheck/

It could even be a good idea to set it as your start-page in order to verify your browser each and every day.

As we mentioned in a previous newsletter ( http://bfblogg.wpengine.com/blog/basefarm-sirt-weekly-newsletter-2/ ), you should really turn on “click-to-play” in your browser for flash and other objects (or use NoScript or something similar, but that’s for more technical people).

I personally recommend using Chrome as your browser, because it bundles Flash and updates it automatically whenever there is a new release, without you having to do anything. Those running Chrome therefore do not need to worry about this specific vulnerability.

You can check which version of Flash you’re running by going to this website: http://helpx.adobe.com/flash-player.html

It should say you’re running 12.0.0.44 on Mac/Windows and 11.2.202.336 on Linux. (Note for readers finding this entry later: Adobe ended support for Flash Player on December 31, 2020, so today the right action is to uninstall it rather than update it.)

You can find more information here: http://helpx.adobe.com/security/products/flash-player/apsb14-04.html

Zero-day Microsoft Internet Explorer

A new high-risk Internet Explorer zero-day exploit is currently active in the wild.

That means anyone using Internet Explorer 7, 8 or 9 to browse the internet can get infected simply by visiting a web page that carries the malicious code. The code then downloads an exploit pack to the computer, which can give unauthorized people access to the infrastructure.

There is currently no patch or workaround from Microsoft, so the only viable option is to switch to another browser until one is available. Thinking “I won’t click any links from unknown people” is unfortunately not enough, as it is getting more and more common for attackers to compromise well-known sites and add the code, or to buy banner space on them, so that the code runs without you noticing anything at all.

Two browsers you could use are:
Firefox: http://www.getfirefox.com
Chrome: http://www.google.com/chrome/

For more information: http://www.kb.cert.org/vuls/id/480095

Update: Microsoft has since released a patch. Run Windows Update to get the latest versions available.