Weekly threat roundup: Google Chrome, Pulse Secure, Telegram


Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. The aim is to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Businesses hacked through SonicWall’s Email Security flaws

Researchers have found evidence that hackers have exploited three severe zero-day vulnerabilities in SonicWall’s Email Security platform to breach the network of an unidentified business.

Cyber criminals are said to have chained three flaws, CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, together to install a backdoor, access files and emails, and move across the victim’s organisation. These vulnerabilities were first discovered in March 2021, and a hotfix was made available for the first two flaws on 9 April 2021. SonicWall then released a fix for the final vulnerability this week, before disclosing details of the exploitation.

Hackers exploit Pulse Secure VPN flaws

Two major hacking groups have deployed a dozen malware families to compromise US and European organisations by exploiting vulnerabilities in Pulse Secure’s VPN platform.

Tracked as CVE-2021-22893, the critical remote code execution flaw in Pulse Connect Secure is rated a maximum of ten on the threat severity scale. It was chained with other previously known flaws in Pulse Secure products to infiltrate a series of organisations, including those in the US defence sector. An alert issued by the Cybersecurity and Infrastructure Security Agency (CISA) confirmed multiple government agencies and critical organisations in the US were breached.

Ivanti, Pulse Secure’s parent company, has released a number of mitigations, although a full patch won’t be available until next month. The purpose of the hack, and its scale, isn’t fully clear, although FireEye researchers have linked the attack to Chinese state-backed groups.

Telegram used to remotely control ToxicEye malware

Hackers are using the Telegram instant messaging app to remotely control and distribute several malware families, including ToxicEye.

Researchers with Check Point Research (CPR) have so far found evidence of more than 130 cyber attacks involving ToxicEye that were managed through Telegram. Telegram-based malware is a growing trend and coincides with the app’s increasing popularity.

This approach allows hackers to send malicious commands and operations through the app, even if Telegram isn’t installed or being used by the victim. Attackers simply begin the process by creating a Telegram account and a dedicated bot. They then execute commands to spread the malware through spam campaigns as well as through email attachments.

For attackers, the benefits of using Telegram include the fact it’s a legitimate and easy-to-use app that isn’t blocked by any enterprise security software or network management tools. Anonymity also means that attackers are difficult to identify, given you only need a phone number to create an account. Unique features in Telegram also mean attackers can easily exfiltrate data from victims’ PCs and transfer new malicious files to infected machines.

Google fixes another actively exploited Chrome bug

Google patched seven vulnerabilities this week, including another zero-day flaw that has been actively exploited, adding to a growing list of flaws in the web browser that hackers have abused this year.

Tracked as CVE-2021-21224, this vulnerability was described as "type confusion in V8", although the precise attack mechanism or the consequences of successful exploitation weren’t disclosed. This bug follows two more Google Chrome flaws that were patched in recent months, including CVE-2021-21220 and CVE-2021-21166, both described as memory corruption bugs.

Keumars Afifi-Sabet
