Weekly threat roundup: Internet Explorer, Linux, GitHub

Graphic showing a red unlocked padlock surrounded by blue locked padlocks
(Image credit: Shutterstock)

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Microsoft fixes exploited Internet Explorer vulnerability

The latest wave of Patch Tuesday fixes saw Microsoft patch an actively exploited flaw in Internet Explorer which has previously been used to attack security researchers.

The bug, tracked as CVE-2021-26411, is a memory corruption vulnerability that allows cyber criminals to run malware on victims’ systems by luring them into accessing a specially crafted website. This is the fifth actively exploited Microsoft flaw to be patched in recent weeks following the discovery of four extremely serious Microsoft Exchange Server flaws.

The Internet Explorer flaw was patched alongside 88 other vulnerabilities across various Microsoft systems, which included 14 flaws rated as critical, with businesses urged to apply these fixes immediately.

Critical remote code execution flaw in F5’s Big-IP

F5 Networks has warned its users about the presence of seven remote code execution vulnerabilities in its Big-IP platform, including four critically-rated flaws.

The company’s BIG-IP family of products spans both software and hardware modules involved in application delivery and security. Four of these flaws are embedded across all BIG-IP modules, while the remaining three are found in BIG-IP Advanced Web Application Firewall / Application Security Manager (WAF/ASM).

The most severe is CVE-2021-22987, rated 9.9 out of ten on the CVSS threat severity scale. This flaw manifests in the traffic management user interface (TMUI) when running BIG-IP in Application mode. The next most worrisome, tracked as CVE-2021-22986 and rated 9.8 on the CVSS scale, lies in the iControl REST interface. This specific bug also affects the company’s BIG-IQ products.

Due to the severity of the flaws, F5 has recommended that all customers install updated versions of the software as soon as possible.

Chinese state-backed hackers deploy Linux malware

Cyber criminals are targeting legacy Linux systems and endpoints with a sophisticated strain of malware thought to have been built by hackers backed by the Chinese government.

Dubbed RedXOR, this Linux backdoor was compiled with a legacy compiler in the now out-of-date Red Hat Enterprise Linux (RHEL) 6, and encodes its network data width a scheme based on the XOR Boolean logic operation used in cryptography.

The evidence suggests its operators are actively targeting legacy Linux systems in order to browse files, steal data, and tunnel network traffic alongside performing a variety of other functions. The backdoor is also difficult to identify, disguising itself as a polkit daemon, which is a background process for managing system-wide privileges.

Red Hat ended mainstream support for RHEL 6 in November 2020, ten years after its initial release, with users urged to update to the latest version. There are roughly 50,000 RHEL users in total across the world.

Z0Miner malware spreading through unpatched servers

Unpatched Jenkins and Elasticsearch servers are proving fertile hunting ground for a cryptocurrency mining botnet, which is targeting vulnerable systems to propagate and mine Monero.

Researchers with Tencent discovered the z0Miner botnet last year as it exploited two WebLogic remote code execution vulnerabilities to spread between systems. At the time, they estimated the botnet had compromised 5,000 servers.

Qihoo 360’s research team has identified how the botnet has now evolved to now exploit remote code exploitation flaws in Elasticsearch and Jenkins servers. A recent surge in cyber activity, the researchers said, mirrors a rise in mainstream interest in cryptocurrencies. They claim the botnet has so mined more than $4,600 (approximately £3,300) worth of Monero to date, although the hackers likely use several wallets, meaning the true figure could be much higher.

GitHub bug grants users access to each others’ accounts

Microsoft’s flagship development platform GitHub has logged all its users out of their accounts to protect the community against a potentially serious security flaw.

In a handful of cases, a bug meant that GitHub misrouted a user’s session to the browser of another GitHub user. This wasn’t due to compromised passwords, secure shell (SSH) keys, or tokens, but instead due to the improper handling of authenticated sessions.

The bug existed in GitHub for less than two weeks at various times between 8 February and 5 March, and was immediately patched upon discovery, the company said. A second patch was later applied on 8 March to implement additional measures to protect the platform from this type of bug appearing in future. The number of affected users hasn’t been disclosed, although the platform claims it affected fewer than 0.001% of authenticated sessions.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.