Google announced that it paid its largest-ever bug bounty reward in 2022 for a security flaw worth $605,000 (approximately £503,000) in compensation.

The record reward was for a bug affecting the Android mobile operating system (OS) but Google did not offer any further details regarding the vulnerability or exploit chain itself.

Google’s lack of transparency regarding the bug’s nature coupled with the large reward could offer suggestions about the severity of the issue that is most likely now patched.

A researcher known by the alias of ‘gzobqq’ was singled out as the individual who earned the record-breaking reward.

They were also the recipient of 2021’s most valuable reward for a critical exploit chain in Android, tracked as CVE-2021-39698, earning $157,000 (£130,000).

Google’s outline of its rewards philosophy indicates that when deciding on the reward’s sum, the severity of the bug and the sensitivity of the affected product are considered.

Remote code execution vulnerabilities - ones that offer cyber attackers full access to a target device to launch their own malicious code - are seen as the most severe type of bugs and are likely to yield the most lucrative rewards.

The very top awards will also provide “near-complete control over user accounts”, Google said, such as cross-site scripting (XSS) flaws in the origin at accounts.google.com.

Also among the more lucrative awards are bugs that facilitate attacks on multiple users through a single compromised account or attack other non-Google accounts belonging to the same victim.

Google said that reward sums often change over time “to provide balanced incentives for external researchers - especially as we find certain classes of targets more difficult to attack”.

“When receiving multiple reports, we typically only reward once per root cause and group similar vulnerabilities together. For example, if there's a service that accidentally disabled CSRF protection, we wouldn't issue a reward for every handler that had CSRF protection disabled, but would instead issue a reward for the most serious CSRF vulnerability in the code.

“We might also give small bonus increases of around $1,000 for particularly clever or interesting vulnerabilities.”

According to the Android-specific bug bounty rules, the most lucrative payouts are made when flaws in Google’s Titan M chip are discovered.

Titan M was introduced in 2018 on the Google Pixel 3 smartphone. It acts as a physical security layer for mobile devices, aimed at reducing the likelihood of data exfiltration, data interception, and phishing.

Zero-click vulnerabilities allowing for code execution with persistence on a Titan M chip are eligible for a maximum reward of $1 million (£831,000) and $500,000 without persistence.

“For the full $1,000,000 reward, the Pixel Titan M exploit must be remote, demonstrate persistence, work on all vulnerable builds and devices, trigger with zero clicks, be easily reproducible with minimal visibility to the user, and have a write-up describing each step of the exploit chain,” Google said.

Data exfiltration vulnerabilities affecting Titan M chips also yield the biggest payouts of the kind. A maximum sum of $500,000 can be awarded for flaws that allow for the theft of high-value data secured by Titan M, and up to $250,000 for data secured by a “secure element”.

“Exploit chains found on specific developer preview versions of Android are eligible for up to an additional 50% reward bonus.”

Record-breaking year of payouts

Google also revealed that it paid 703 security researchers, based in 68 different countries, more than $12 million across 2022, an increase from $8.7 million in 2021 and $6.7 million in 2020.

Aman Pandey, founder of and CEO at Bugsmirror, was given a special mention for submitting more than 200 bugs to the Android bug bounty programme during the year, taking his total successful submissions to more than 500 since starting in 2019.

In the Chrome-specific bug bounty programme, Rory McNamara, an application security engineer, became the highest-rewarded researcher after participating for six straight years.

Windows 10 users have reported a broken Microsoft 365 trial offer which prevents access to the desktop until credit card details are entered.

On booting up, some Windows 10 devices have shown a full-screen offer for a trial version of Microsoft 365, the tech giant’s suite of productivity apps.

Buttons at the bottom of the screen read ‘Use for free’ and ‘No thanks’, but each leads to a screen prompting users to enter credit card details.

One Reddit user posted an example of the issue on the platform's Windows 10 community, noting that they had to put in their credit card details to gain access to their desktop and cancel afterwards to prevent being charged recurring payments.

No other buttons on the window enabled the user to skip entering payment details.

Microsoft 365 costs between £4.50 and £16.60 per month for businesses. It is unclear whether the nature of this bug enables it to appear on devices that are already subscribed to a plan with the suite, which could decide the likelihood of it being recreated on business laptops.

Another user posted a similar bug on a subreddit designed to highlight bad user interface (UI) design. Their full-screen offer advertised 50% off Microsoft 365 Family, and identically to the other post pressing ‘No thanks’ took them to the payment details screen.

The offer is meant to be shown in the Windows out of box experience (OOBE), which users see when a device is first turned on after purchase or immediately following a Windows 10 factory reset.

As the bug has not been addressed by Microsoft, it is not clear if it is the result of an erroneous update or a flaw with the individual users' machines.

One Reddit user asked for the name of the device's original equipment manufacturer (OEM).

"Looks like a bug in their OOBE - e.g. strings got swapped in their translations," wrote one individual.

"Not a [Microsoft] problem - though I'm sure if it gets into the right channels could mean a big fine for the OEM."

IT Pro has approached Microsoft for more information.

Google has tied a previously unknown spyware operation to a private company in Spain after receiving an anonymous tip-off regarding the malicious activity.

Its Threat Analysis Group (TAG) said the evidence suggests that Barcelona-based Variston IT has developed an exploit framework which leveraged zero days in Windows Defender, Firefox, and Chrome.

Google said the operation tied to Variston IT had developed the Heliconia framework which itself was split into smaller frameworks that exploited different systems and applications, like Windows and Chrome. The product gives customers all the tools needed to deploy a payload to a target device.

The frameworks included mature source code that could deploy the exploits. The first was Heliconia Noise, a web framework used to deploy an exploit for a Chrome renderer bug, followed by a sandbox escape.

Heliconia Soft was a separate web framework that dropped a malicious PDF to exploit a vulnerability in Windows Defender. The third and final framework was called Files - it consisted of a set of exploits targeting Firefox versions on both Windows and Linux systems.

The three companies targeted in the exploit, Microsoft, Mozilla, and Google, fixed the vulnerabilities in 2021 and early 2022. Google said it hadn’t detected active exploitation of the now-patched vulnerabilities, but instead predicted that they were used as zero-days in earlier attacks.

The tech giant only became aware of the Heliconia framework when it received an anonymous submission to its Chrome bug reporting programme.

“The submitter filed three bugs, each with instructions and an archive that contained source code,” said Google TAG researchers in a blog post. “They used unique names in the bug reports including, ‘Heliconia Noise,’ ‘Heliconia Soft’, and ‘Files'.

"TAG analysed the submissions and found they contained frameworks for deploying exploits in the wild and a script in the source code included clues pointing to the possible developer of the exploitation frameworks, Variston IT.”

Heliconia Noise, for example, leaked the name of the company in a line of code that prevented the framework from generating binaries containing strings such as 'Variston'.

The same for loop in Heliconia Noise's code also leaked the aliases of the developers who worked on the project: majinbuu, janemba, and freezer - all references to characters in the Dragon Ball manga franchise.

Google said that commercial spyware is used by governments to spy on journalists, human rights activists, and political opposition through its advanced surveillance abilities. The tech giant is aiming to disrupt the threat of these types of companies to protect users and raise awareness of the industry, it said.

IT Pro has contacted Variston for comment. It appears to be registered at an address in Barcelona and was founded by Jayaraman Ramanan and Ralf Dieter Wegener in 2018, according to Datos Cif, a Spanish database containing information about companies. Deloitte is also named as its auditor.

The OpenSSL project has now lifted its embargo detailing the 'second-ever critical vulnerability patch' in the project’s history.

OpenSSL version 3.0.7 is now available to download and brings fixes for two security vulnerabilities, tracked as CVE-2022-3786 and CVE-2022-3602, which have now been downgraded from the highest ‘critical’ severity to high’.

CVE-2022-3602 was originally the critical-severity flaw, a four-byte stack buffer overflow that could have been triggered in the name constraint checking process involved in X.509 certificate verification. Theoreticslly, successful exploitation could have led to a crash or remote code execution (RCE).

Attackers could have achieved this by crafting a malicious email address to overflow the four attacker-controlled bytes on the stack, causing a buffer overflow, OpenSSL said in an advisory.

This could only occur after certificate chain signature verification, it added, and would require either a certificate authority to have signed the malicious certificate or for the application to continue verifying even a path could not be constructed to a trusted issuer.

OpenSSL said there were a number of mitigating factors that led to the decision to downgrade the severity rating.

Considerations taken into account included the idea that many platforms deploy protections for such buffer overflows that would likely lead to the prevention of RCE, and sowas the thinking that the stack layout of any given platform may have further limited an exploit’s success.

Despite the severity downgrade, OpenSSL recommends all users of OpenSSL version 3 and above upgrade to the latest 3.0.7 version.

“We are not aware of any working exploit that could lead to code execution, and we have no evidence of this issue being exploited as of the time of release of this advisory,” it said.

According to OpenSSL’s security policy, a vulnerability will only be assigned ‘critical’ status if RCE is likely in common situations.

“We no longer felt that this rating applied to CVE-2022-3602 and therefore it was downgraded on 1 November 2022 before being released to high,” said OpenSSL in a separate blog post.

“CVE-2022-3786 was not rated as critical from the outset, because only the length and not the content of the overwrite is attacker-controlled,” it added. “Exposure to remote code execution is not expected on any platforms.”

A security researcher, Viktor Dukhovni, discovered the second vulnerability, CVE-2022-3786, while researching CVE-2022-3602 which was discovered by ‘Polar Bear’.

It was another buffer overflow issue with X.509 certificate verification that could cause a crash resulting in a denial of service, but had no potential for RCE.

When the security issues were announced last week, the two flaws were not detailed to reduce the likelihood of cyber attackers being able to use the information to engineer working exploits before the patch could be released.

Comparisons between the vulnerability in OpenSSL 3.0 and Heartbleed, the only other critical vulnerability in the project, have since been rejected.

"In short: While this is a potential remote code execution vulnerability, the requirements to trigger the vulnerability are not trivial, and I do not see this as a 'Heartbleed Emergency'," said Dr Johannes Ullrich, dean of research at SANS Technology Institute. "Patch quickly as updated packages become available, but beyond this, no immediate action is needed."

OpenSSL users do not need to replace their TLS server certificates, the project’s representatives said.

All OpenSSL 3.0 applications that verify X.509 certificates received from untrusted sources should be considered vulnerable, they added. All versions below 3.0 are unaffected.

Cryptocurrency exchange platform Binance has reported a theft of $566 million of Binance Coin (BNB) tokens.

An unidentified user exploited a vulnerability to release two payments of 1 million BNB token directly to their account, the company confirmed. The transfers were made at 18:26 and 20:43 UTC respectively.

Binance quickly froze its Smart Chain (BSC) to keep the funds from being deposited off-chain, but is believed to have already stolen between $100-110 million by the time that action was taken.

“An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologise for the inconvenience and will provide further updates accordingly,” tweeted Changpeng Zhao, CEO of Binance.

Online researchers speculated that the hacker was able to forge a ‘proof’ to validate the transfer of the funds, as their methodology was sophisticated enough to avoid detection for some hours after the transfers had been made.

“In summary, there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages,” said one web3 researcher, who goes by the alias of samczsun, in a tweet. "Fortunately, the attacker here only forged two messages, but the damage could have been far worse."

This hypothesis has since been confirmed in a Reddit thread by a Binance developer, who stated that “the exploit was through a sophisticated forging of the low-level proof into one common library.”

"The blockchain ecosystem contains many technologies besides the core blockchain," said Oded Vanunu, head of products vulnerability research at Check Point. "Some of the technologies that support the ecosystems are Bridges which are responsible to transfer data between blockchain networks and Oracles that are responsible for delivering data from the internet to the smart contracts.

"Hacking groups are making big efforts in the last year to hack these “injections” points that connect networks and are looking for vulnerabilities mainly in the smart contracts and platforms assets such as bridges," he added. "Once hackers manage to exploit vulnerabilities on the platforms or on the ecosystem, they have direct access in the context of the blockchain networks and this is why we see major hacks.

"In our opinion, this is going to continue to happen and we expect blockchain vendors to make sure they secure every layer in their blockchain networks, application logic layers & actual blockchain infrastructures."

When cryptocurrency is created and added to the blockchain, it must be verified as legitimate - ‘proof’ refers to the consensus mechanisms in place to carry this out, typically either ‘proof of work’ or ‘proof of stake’.

In proof of work, crypto miners solve mathematical problems to trade computational power or energy in exchange for coins worth a set value. The ‘solved’ problem is itself its own proof of validation, added to the blockchain to ensure that the number of coins within the system remains fixed. It is used by cryptocurrencies such as Bitcoin.

Proof of stake, the validation method used by BNB, selects users as ‘validators’ to stake their coins as capital and check new blockchain data to ensure that it passes verification. In return, validators are given fresh coins.

The blockchain is billed as more secure than conventional investment platforms, but concerns remain over how safe cryptocurrencies are.

Web3 projects have already lost more than $2 billion to hacks and exploits in 2022, with hacks such as the recent $4 million theft of Solana and USD Coin from Slope wallets.

"Last year, a total of $2.74 billion was lost across 132 separate incidents," said Rebecca Moody, head of data research at Comparitech. "With 129 attacks and counting, 2022 looks set to be an unprecedented year for crypto heists with record-breaking amounts stolen despite the drop in value across many cryptos."

Amidst the attacks, more money than ever at risk as inflation drives greater numbers to invest in cryptocurrencies. In 2021, the Financial Conduct Authority issued a warning that those investing in Bitcoin “should be prepared to lose all their money”.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a Binding Operational Directive (BOD) aimed at improving Federal Civilian Executive Branch (FCEB) agencies’ awareness of security vulnerabilities that may reside in their IT estates.

The BOD details its goals for building a sophisticated cyber defense in federal information systems. The guidelines further the US' sustained efforts in limiting federal agencies’ exposure to cyber attacks.

A catalog of Known Exploited Vulnerabilities (KEVs) that CISA began compiling back in November 2021 has been consistently updated and mandates FCEB agencies patch against a list of the most-exploited security vulnerabilities.

“Continuous and comprehensive asset visibility is a basic pre-condition for any organization to effectively manage cybersecurity risk,” the agency said in a public-facing notice.

“Accurate and up-to-date accounting of assets residing on federal networks is also critical for CISA to effectively manage cyber security for the FCEB enterprise.”

By April 3 2023, CISA will require all FCEB agencies to adhere to a number of mandatory cyber security practises such as initiating automated asset discovery every seven days, performing vulnerability enumeration across all discovered assets every 14 days, and uploading vulnerability enumeration results into the continuous diagnostics and mitigation (CDM) agency dashboard within 72 hours of discovery.

Agencies will also be required to initiate on-demand asset discovery and vulnerability enumeration within 72 hours of receiving a CISA request, providing available results within seven days.

The requirements do not apply to statutory national security systems, including certain systems operated by the Department of Defense or the intelligence community.

Per the White House cyber security executive order, federal agencies and CISA will deploy an updated CDM dashboard configuration that will enable analysts to access object-level vulnerability enumeration data by April 3 2023.

Underscoring CISA’s actions, the BOD stated that “within six months of issuance, the agency will publish data requirements for agencies to provide machine-level vulnerability enumeration performance data in a common data schema.”

FCEB agencies will be required to make a progress report at six, 12, and 18-month intervals detailing any dependencies that may prevent them from meeting the Directive's requirements.

Mozilla has released patches for 11 security vulnerabilities across its latest Firefox and Thunderbird versions, five of which have been assigned a ‘high’ severity rating.

The vulnerabilities affect the latest Firefox 105 version released this week as well as Firefox Extended Support Release (ESR) 102.3, and Mozilla’s open source email client Thunderbird 91.13.1.

One of the most serious bugs affects both the latest Firefox 105 and Firefox ESR browsers, potentially allowing for code execution.

The vulnerability, tracked as CVE-2022-40962, was discovered by Mozilla’s own Fuzzing Team which found memory corruption issues that could have been exploited to run arbitrary code “with enough effort”.

It’s not clear what this effort might entail but code execution is one of the most serious vulnerabilities that can affect a system, allowing attackers to execute a range of tasks such as installing malware, exfiltrating data, and stealing credentials.

Wider improvements to memory handling were one of the standout new features that Mozilla delivered to Firefox with the release of version 105 earlier this week, in a addition to an overall increase browser speed.

The browser’s stability is said to be improved thanks to the way in which it now handles low-memory situations better. Mozilla said Firefox is also now less likely to run out of memory on Linux, performing better on systems when system-wide memory is low.

Some of the other high-severity issues fixed involved a pair of vulnerabilities affecting Firefox 105 were fixed due to both of them leading to potentially exploitable crashes.

In the case of CVE-2022-3266, an out-of-bounds read error could occur when a user tried to decode a video which was encoded with the popular H.264 file compression codec.

The other was a use-after-free issue again potentially causing an exploitable crash in situations where concurrent use of the browser’s URL parser with non-UTF-8 data was not thread-safe. Non-UTF-8 data refers to characters that cannot be encoded by the UTF-8 Unicode standard.

CVE-2022-40959 is a vulnerability in Firefox 105 that led to device permissions leaked to untrusted documents. This occurred when specific pages didn’t initialise their FeaturePolicy during iframe navigation.

The final high-severity flaw impacted Thunderbird and could potentially lead to JavaScript code execution.

It could be exploited if a user replied to a specially crafted email containing a meta tag which had the ‘http-equiv=”refresh” attribute and the content attribute specifying an URL. In this scenario, Thunderbird would start a network request to that URL and when combined with other HTML elements and attributes, code execution could be achieved.

“The JavaScript code was able to perform actions including, but probably not limited to, read and modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email,” said Mozilla.

“The contents could then be transmitted to the network, either to the URL specified in the meta refresh tag, or to a different URL, as the JavaScript code could modify the URL specified in the document.”

The US’ Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert pointing to the security advisories for Firefox and Thunderbird, advising users and system administrators to apply the necessary patches.

Security firm WordFence has warned of an actively exploited vulnerability in a widely-used WordPress plugin that could leave websites totally exposed to hackers.

WPGateway is a paid plugin that gives WordPress users the ability to manage their website from a centralised dashboard. The flaw, designated CVE-2022-3180, allows for threat actors to add their own profile with administrator access to the dashboard, and completely take over a victim’s website.

WordFence, which provides a firewall service for WordPress websites, released a rule to block the exploit for paying customers on its Premium, Care and Response packages ($99, $490 and $950 per year respectively).

However, customers using its free package will not receive protection against attacks until October 8, which could leave small or medium businesses exposed.

For a business, total website takoever could lead to the exfiltration of sensitive financial information or simply lead to the destruction of vital data or even the entire website. Alternatively, threat actors could use the control to launch phishing or malware campaigns through trusted websites, which could cause widespread damage to systems and incur reputational damage upon affected companies.

A similar strategy was recently observed in threat actors targeting Facebook Business or Ad accounts, with the aim of changing payment information on the administrator-side to channel money intended for the company directly to the threat actors.

WordFence claims that its firewall has detected and blocked more than 4.6 million attacks targeting the WPGateway vulnerability, across over 280,000 websites in the past month alone. The operators of WPGateway were informed of the vulnerability on September 8, but it is still believed to be an active threat in the wild.

Administrators of WordPress websites utilising WPGateway have been advised to be on the lookout for the addition of an administrator titled ‘rangex’, which indicates that the website has been breached by threat actors.

Logs indicating that the website has made a request to '//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1' also show that it has been targeted by an exploit, but are not certain indicators that takeover has already happened in the same way as the aforementioned rogue user.

“If you have the WPGateway plugin installed, we urge you to remove it immediately until a patch is made available and to check for malicious administrator users in your WordPress dashboard,” advised Wordfence in a blog post.

WordPress plugins have exposed sites to similar vulnerabilities in the past. Last year, over 90,000 websites were put at risk of total takeover because of a flaw in Brizy Page Builder, a plugin that provides users with a ‘no-code’ website building experience. 2020 saw similar exploits in the Elementor plugin used by hackers to install backdoors into a website’s CMS for total control.

IT Pro has approached WordFence for comment.

A package of six security vulnerabilities impacting the firmware of HP’s business-focused laptops and desktops and some have been left unfixed for months, security researchers said.

Experts at Binarly presented the package of vulnerabilities at the most recent Black Hat conference in August. More than a month after the public disclosure, the vulnerabilities remain unfixed for several HP devices.

The company has submitted 22 vulnerabilities to HP this year, including a package of 16 high-severity flaws in March that also impacted the firmware of enterprise-focused HP products including laptops, desktops, point-of-sale (PoS) systems, and edge computing nodes.

Binarly began notifying HP of the vulnerabilities included in the package of six that were publicly disclosed at Black Hat 2022 as far back as July 2021.

A wide range of HP devices is affected by the flaws, including HP Elite 2-in-1 PCs, HP EliteBook, HP ProBook laptops, HP ZBook workstations, and HP ZHAN notebooks. Some desktops, PoS systems, workstations, and thin clients are also vulnerable.

The patching status for the affected devices varies by each vulnerability, but a significant number of devices remain unpatched across each of the six publicly disclosed flaws.

HP has published three security advisories (1, 2, 3) that cover each of the six flaws found by Binarly, and the patching status for each device can be found in the dropdown menus.

Firmware vulnerabilities are particularly concerning, for businesses especially, because of the potential significance of the attacks they can facilitate.

If a cyber criminal was able to exploit a UEFI-level vulnerability and install malware at the root of the system, it has the potential to allow a high degree of persistence on the machine and can be difficult to both detect and remove.

Installing UEFI malware or a rootkit would afford an attacker a range of capabilities including the ability to implant a backdoor to the victim’s machine, create new users, remotely control the computer, exfiltrate data, and execute financially-driven campaigns like ransomware, for example.

Binary highlights the devices in its report that have still not received security updates following the public disclosure of the vulnerabilities more than a month ago.

When a vulnerability is publicly disclosed, it means cyber criminals have all the information they need to develop exploits for the flaws. If a device is not patched when a vulnerability is publicly disclosed, a user is then limited in what they can do to prevent an attack.

IT Pro has contacted HP for comment and will update the article if it responds.

Firmware bugs

All of the six vulnerabilities are privilege escalation flaws that can allow for arbitrary code execution in System Management Mode (SMM) which runs at a higher level of privileges that the operating system (OS) and the hypervisor.

“Running arbitrary code in SMM additionally bypasses SMM-based SPI flash protections against modifications, which can help an attacker to install a firmware backdoor/implant into BIOS,” said Binarly.

“Such a malicious firmware code in BIOS could persist across operating system re-installs. Additionally, this vulnerability potentially could be used by malicious actors to bypass security mechanisms provided by UEFI firmware (for example, Secure Boot and some types of memory isolation for hypervisors).”

Each of the individual vulnerabilities can lead to the same outcome but affect different components. They are tracked as:

• CVE-2022-23930 – rated 8.2 on the CVSS v3 severity scale - ‘high’
• CVE-2022-31644 – rated 7.5 on the CVSS v3 severity scale - ‘high’
• CVE-2022-31645 – rated 8.2 on the CVSS v3 severity scale - ‘high’
• CVE-2022-31646 – rated 8.2 on the CVSS v3 severity scale - ‘high’
• CVE-2022-31640 – rated 7.5 on the CVSS v3 severity scale - ‘high’
• CVE-2022-31641 – rated 7.5 on the CVSS v3 severity scale - ‘high’

HP has patched a privilege escalation security flaw in an application installed on its devices at the factory, before it’s shipped.

Rated ‘high’ on the CVSSv3.1 severity scale with a score of 8.2, the bug could allow cyber attackers to assign their payloads greater powers in a system after initially gaining access, opening the victim up to more damaging attacks.

In this scenario, system-level privileges can be achieved, opening up victims to the deployment of malware or other malicious payloads.

The capabilities of the malware available to hackers could be wide-reaching and varied. Spyware, worms, and credential stealers are some of the possible tools at hackers’ disposal.

Tracked as CVE-2022-38395, the flaw appears to be found specifically in the Fusion component which is used to launch HP Performance Tune-up - a diagnostic tool found in HP Support Assistant.

It’s a dynamic link library (DLL) hijacking vulnerability that can be exploited in Fusion and the privilege escalation can take place when Fusion launches HP Performance Tune-up, HP said in its security advisory.

DLL vulnerabilities are exclusive to Windows machines and exploit the way in which Windows systems search for and load DLL files.

DLL files can be seen as little parts of a Windows programme and each can be used for different things, like common functions such as looking up domain names.

Hackers can place their own DLL file in the same location as the legitimate one. The vulnerable part of a programme will then look in the usual place for the DLL it needs to perform a given action and execute the malicious code residing in the hijacked file.

This code can then run using the same privileges given to the vulnerable part of the programme, HP Performance Tune-up, which runs with system-level privileges, allowing hackers to elevate their own code’s level of access on the system.

The bug was found in HP Support Assistant which is factory-installed on new HP desktops and laptops, and can also be installed on other manufacturers’ devices to access resources for HP printers, for example.

The app provides automated fixes and other troubleshooting functions to users, as well as helping users find the information they’re looking for. It also offers automatic updates for PC and printer firmware and drivers.

Communications company Zoom has released a patch to address a flaw that allowed threat actors to control a victim’s operating system on macOS.

The Zoom client has limited permissions as far as access to critical system files is concerned. However, once installed the Zoom auto-update function would run in the background continuously, with superuser privileges.

In normal circumstances, this would simply check for updates from Zoom to install. Upon receiving one, the Zoom updater would run a process to verify that the update bore a cryptographic signature from the company, and was, therefore, a legitimate file to run.

Objective-See founder Patrick Wardle discovered that any file, renamed with Zoom’s cryptographic certificate, would be accepted by the updater as a legitimate Zoom file. As a result, threat actors could use the Zoom updater to run any file as a superuser.

As a result of the flaw, Zoom for macOS had unwittingly become a launchpad for privilege escalation attacks, in which a threat actor with limited access to a victim’s machine uses an exploit to gain elevated privileges that give them greater control. In the case of the Zoom flaw, threat actors could use the updater to delete or amend key system files, with the superuser privilege granting almost unlimited access to the machines of victims.

An update, released on August 13 by Zoom, has now appeared to have fixed the problem. On its security bulletin, the company identified the issue being fixed as “a vulnerability in the auto-update process".

“We released an update to address the newly reported vulnerability for the macOS auto updater in the Zoom Client for Meetings for macOS version 5.11.5 and are evaluating additional security enhancements,” said a Zoom spokesperson, in a statement to IT Pro.

This is not the first flaw found with Zoom's macOS app, with an update released earlier this year addressing an issue in which the microphones of users continued to be accessed by the Zoom client even after a meeting had ended.

Wardle exposed the flaw publicly during his talk ‘"You're M̶u̶t̶e̶d̶ Rooted’ at the Def Con hacking conference on August 12, stating that he had made the company aware of it through the proper channels as far back as December 2021.

In the months that followed, the company was reportedly slow to act. On August 9, a patch designated CVE-2022-28751 was released, but Wardle found that the exploit was still achievable after the patch through an unspecified extra step.

Since the update, Wardle has voiced his approval on Twitter, stating “Mahalos to @Zoom for the (incredibly) quick fix!”. He also detailed the key change that the update brings, namely that the Zoom installer now invokes a function called lchown to modify the update file’s permissions, rather than the updater running at constant superuser privilege.

This article was updated to include a statement from Zoom.

Microsoft has patched 17 ‘critical’ vulnerabilities and one remote code execution (RCE) zero-day in its August monthly Patch Tuesday.

A total of 121 vulnerabilities were patched in the Tuesday update, as well as 20 additional Chromium-based Microsoft Edge flaws on Friday 5 August.

Impacting Microsoft Windows Support Diagnostic Tool (MDST), the zero-day vulnerability (CVE-2022-34713) is among the most notable fixes this month and is a variant of the previously disclosed ‘Dogwalk’, Microsoft said.

Rated 7.8 on the CVSSv3 severity scale, it can be exploited by tricking a target into opening a malicious document via email phishing, or through an attacker-controlled website that hosts a malicious file.

Dogwalk drew major attention in May 2022 but dates back to an initial discovery in 2020. It was ‘lazily’ named by a security researcher who was walking his dog at the time of being asked to name it, he claimed.

The vulnerability itself is a path traversal flaw in MDST affecting Windows 7 devices or newer. To exploit it, targets have to become infected with a malicious .diagcab file which drops the payload into the Windows Startup folder and executed by Windows when the user next logs in, according to an analysis by SOC Prime.

A zero-day vulnerability is one that has been previously disclosed publicly and with active exploitation spotted. A separate RCE flaw in MDST (CVE-2022-35743) was also patched this month, but active exploitation has not been found and therefore cannot be considered a zero-day.

Microsoft categorised 17 of the now-patched vulnerabilities as ‘critical’ since they facilitated the elevation of privileges and RCE. Only three of the 121 total flaws were classified as ‘critical’ on the CVSSv3 severity scale - vulnerabilities with scores between 9.0 and 10.0.

All three of the most severe vulnerabilities were all RCEs with one affecting Windows Network File System (NFS) (CVE-2022-34715) and two separate flaws impacting the Windows Point-to-Point Protocol (PPP) (CVE-2022-30133 and CVE-2022-35744).

CVE-2022-34715 was classed as a low-complexity exploit by Microsoft and involves an attacker making an unauthenticated call to an NFS service (version 4.0) to trigger an RCE.

Although rated 9.8/10.0 on the CVSSv3 scale, Microsoft branded this vulnerability as ‘important’ - the second-highest severity rating because a target would be presented with a prompt or warning during the kill chain.

CVE-2022-30133 and CVE-2022-35744 were both rated 9.8/10.0 on the CVSSv3 scale and also classified as ‘critical’ by Microsoft since RCE could be achieved without any user intervention at all.

In both cases, an unauthenticated attacker could send a specially crafted connection request to a remote access server (RAS), Microsoft said, which could lead to RCE on the RAS server machine.

The remaining critical-rated vulnerabilities, as classified by Microsoft, all fell below the ‘critical’ threshold of the CVSSv3 scale but require no user intervention to exploit them.

The remaining flaws impacted the following: Active Directory Domain Services, Windows Secure Socket Tunneling Protocol, Windows Hyper-V, SMB Client and Server, and Microsoft Exchange Server.

The full list of fixed vulnerabilities can be found on Microsoft’s dedicated web page.

August’s Patch Tuesday marks the second-biggest round of updates in 2022, behind April’s which fixed 145 different flaws.

Early reports from system administrator communities are indicating that the updates are applying successfully and not impacting any wider components as Patch Tuesday updates have in the past.

Earlier this year, Windows Server admins collectively agreed to forgo a month of patches due to the security updates causing other services in their IT environments to break.

A number of the world’s most pervasive malware campaigns have switched infection tactics after Microsoft blocked VBA macros by default.

The likes of Emotet and Qakbot have both been observed abusing Windows Explorer and LNK files as an alternative infection exploit, from the second quarter of 2022 onwards.

Microsoft's ban on VBA macros in February was welcomed almost universally, and was considered a long-overdue move from the company in light of cyber attackers having abused the feature to distribute malware for years.

Blocking VBA macros meant Microsoft prevented the execution of commands from untrusted sources such as an Excel document downloaded from an email, so hackers have pivoted to abusing trusted contexts like Windows Explorer instead, the researchers said.

Windows Explorer is the most popular living-off-the-land binary (LOLbin) abused in these types of attacks, Sentinel Labs researchers said, and attackers are abusing it to distribute malicious Windows shortcut files (LNK files).

Windows Explorer was the most-abused LOLbin by far, according to the cyber security company’s figures, with 87.2% prevalence. This was followed by Powershell at 7.3%, then Windows Script Host (wscript) at 4.4%, and rundll32 at 0.5%.

A total of 27,510 malicious LNK samples were analysed from open source security intelligence platform VirusTotal, the company said, and research co-author said a surprising observation was that Microsoft Malware Protection Engine (msmpeng) wasn’t more widely abused.

MsMpEng has previously been used by the likes of the now-shuttered REvil ransomware operation in its supply chain attack on Kaseya to side-load malware.

In almost all of the malicious LNK samples that were analysed (92,526%), Windows Command prompt was the target which then executed Windows commands and/or attacker-provided files.

These commands typically spanned tasks like flow control, file manipulation, executing attacker-supplied code in LOLbins like Explorer, information gathering and reconnaissance, and controlling the output of the command interpreter.

The shift towards LNK files over VBA macros is a relatively new one, but one that’s being made by many threat actors.

Sentinel Labs said tools like NativeOne’s mLNK tool, a malicious LNK generator, have been released recently to help cyber criminals more easily create LNK-abusing malware campaigns.

QuantumBuilder is another tool that’s similar to mLNK that features an intuitive user interface. Advertising campaigns for this tool first surfaced in May 2022, the researchers said.

Additionally, Russian state-sponsored cyber criminals have been found abusing the brand-new penetration testing tool Brute Ratel C4. The latest red teaming tool to gain popularity has been dubbed ‘the next Cobalt Strike’ and also uses LNK files to infect victims with malware.

In March, Google Threat Analysis Group (TAG) identified initial access broker (IAB) Exotic Lily using LNK shortcuts to drop malicious ISO files in ransomware-for-hire campaigns.

The new tools and techniques have all surfaced after Microsoft first announced that it would block VBA macros by default. Since then, it temporarily backtracked on the decision, but recently said they will be blocked for good.

Security researchers have revealed a string of vulnerabilities in a massively popular GPS tracker that could be exploited to disable the vehicles of some of the most high-value organisations in the world.

The six “severe” vulnerabilities were discovered in the MiCODUS MV720 GPS tracker that researchers believe to be fitted in 1.5 million vehicles across 169 countries.

The affected vehicles are thought to be in use by the likes of Fortune 50 companies, militaries, governments, nuclear power operators, and law enforcement bodies.

The researchers at BitSight who discovered the security flaws said hackers could feasibly exploit them to stealthily track the vehicles and remotely disable entire fleets of vehicles.

Being able to track high-value vehicles could potentially lead to the tracking of government personnel and locating sensitive locations such as safehouses.

BitSight said potential exploits could also lead to the immobilisation of emergency services vehicles - subsequently leading to real-world harms - and stopping civilian vehicles on dangerous motorways, for example.

The GPS tracker is capable of monitoring real-time speed, locations, and historical routes, and can even remotely shut fuel supplies in the event of a theft, or disable features like alarms, the researchers said.

The MiCODUS MV720 is a Shenzhen, China-manufactured device and although the research was focused on this model, BitSight said other MiCODUS products may also be vulnerable to the same or similar exploits.

Typically sold for around $20 online, the MV720 tracker has been assigned CVE tracking numbers for five of the six vulnerabilities the researchers discovered.

The entire exploit chain has also been deemed so severe that CISA has published a dedicated security advisory and the CVSSv3 severity score is 9.8/10 due to it being remotely exploitable and requiring a low degree of complexity.

BitSight said that CISA has made repeated attempts to disclose the findings with MiCODUS but has been met with disregard from the company. The US cyber authority subsequently concluded that the flaws require public disclosure.

Vulnerability breakdown

Hard-coded password (API server) - CVE-2022-2107 - CVSSv3 score: 9.8 (critical)

This is one of the most serious vulnerabilities that allow hackers to conduct the most severe actions after exploiting the device such as disabling alarms and fuel supplies and tracking vehicles.

“Although the API server has an authentication mechanism, devices use a hard-coded master password allowing an attacker to log into the web server, impersonate the user, and directly send SMS commands to the GPS tracker as if they were coming from the GPS owner’s mobile number,” BitSight said.

Broken authentication (API server/GPS tracker protocol) - CVE-2022-2141 - CVSS 3.1 score: 9.8 (critical)

The second critical-rated vulnerability allows hackers to send commands to the device over SMS as if they were the device administrator.

This is because the tracker’s default password is set to 123456, as is the web interface and mobile app. Researchers said this should be changed but there is no prompt to do so from the manufacturer, and many installations are left unchanged from the default settings.

The full SMS commands list includes sending a Google Maps link to the device’s coordinates, changing the password, and resetting to factory defaults.

Default Password (API Server) - no CVE tracker - CVSS 3.1 score: 8.1 (high)

The one vulnerability BitSight wasn’t able to get a CVE tracker for was the fact that devices shipped with default passwords that didn't enforce a change from the user.

The researchers said this represents a “severe vulnerability” in itself, although unsecured default passwords are all too common in IoT devices.

The remaining vulnerabilities ranged in score between 6.5 (medium) to 7.5 (high). These were:

• CVE-2022-2199, CVSSv3 score: 7.5 (high): A cross-site scripting (XSS) vulnerability could allow an attacker to gain control by deceiving a user into making a request
• CVE-2022-34150, CVSSv3 score: 7.1 (high): The main web server has an authenticated Insecure Direct Object References (IDOR) vulnerability on parameter “Device ID,” which accepts arbitrary Device IDs without further verification
• CVE-2022-33944, CVSSv3 score: 6.5 (medium): The main web server has an authenticated IDOR vulnerability on POST parameter “Device ID,” which accepts arbitrary Device IDs

Risk of death

BitSight said the plausible risks to high-value individuals are myriad. Everyone from civilians to leading politicians could be tracked, threatening personal safety. Hackers could also use tracking data to inform burglaries of wealthy targets such as business leaders.

Hackers could also deploy ransomware to vehicles, demanding a ransom to restore it to working order. The same kind of attack could lead to supply chain issues for some businesses.

Emergency services vehicles could be disabled, perhaps as a result of a ransomware attack, affecting the services’ ability to meet the demand of patients and real-world crime, for example.

There was a case in Germany in 2020 where a woman died while being transported to hospital by an ambulance which was disrupted by a ransomware infection en route.

At the time, it was believed to be the first known case of a cyber attack leading to a loss of life, but a police investigation later debunked the idea, saying the woman’s health was so poor she likely would have died anyway.

The risk to life remains, however, and especially with geopolitical relations between the US and China being as tense as they are, experts told BitSight that the idea of China being able to control US vehicles is “a problem”.

The US Department of Homeland Security has released the Cyber Safety Review Board’s (CSRB) report into Log4j vulnerabilities, which details actionable recommendations for government and industry.

The CSRB is a new public-private initiative within CISA that aims to bring together government and industry leaders to review and assess significant cyber security events and threats.

The board’s first report addresses the “continued risk” posed by the Log4Shell vulnerability in the widely used Log4j open-source software library, discovered in late 2021. It is one of the most prominent cyber security threats of recent years.

Described as “one of the most serious vulnerabilities discovered in recent years”, the CSRB’s recommendations focus on driving better security in software products, as well as enhancing organizations’ response abilities.

“The CSRB’s first-of-its-kind review has provided us – government and industry alike – with clear, actionable recommendations that DHS will help implement to strengthen our cyber resilience and advance the public-private partnership that is so vital to our collective security,” commented Secretary of Homeland Security Alejandro Mayorkas, who delivered the report to President Biden.

Grabbling with the Log4Shell vulnerability

First disclosed on 9 December 2021, Log4Shell is a zero-day remote code execution vulnerability in Java logger Log4j, which was awarded a 10/10 criticality rating by CISA.

In a nutshell, the flaw enables attackers to submit a specially crafted request to a vulnerable system, causing it to execute arbitrary code. As a result, the attackers can take full control of the affected system from a remote location.

The vulnerability was found to have been exploited by coin miners, remote access trojans (RATs), botnets, ransomware, and advanced persistent threats (APTs)

According to CISA, cyber threat actors have continued to exploit the vulnerability in VMware Horizon and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds.

Log4Shell: Recommendations and best practice

The CSRB engaged with nearly 80 organizations and key individuals to gather insights into the Log4j event and develop actionable recommendations for future incidents.

The 19 recommendations outlined in the report have been split into four categories; the first focuses on addressing the continued risks and states that both organizations and government bodies should be prepared to apply vigilance to Log4j vulnerabilities “for the long term”.

The second outlines recommendations for driving best practices for security hygiene, advising adoption of industry-accepted best practices and standards for vulnerability management. That includes investment in security capabilities and development of response programs and practices.

The third category advises organizations on building a better software ecosystem to move to a proactive model of vulnerability management, including increasing investments in open source software security, as well as training software developers in secure software development.

Lastly, the fourth group notes that investing in new systems and groups for the future will be essential in securing the US’ infrastructure and digital resilience in the long term.

“Never before have industry and government cyber leaders come together in this way to review serious incidents, identify what happened, and advise the entire community on how we can do better in the future,” said Robert Silvers, CSRB Chair and DHS Under Secretary for Policy.

“Our review of Log4j produced recommendations that we are confident can drive change and improve cyber security.”

Researchers at ETH Zurich have discovered a serious hardware vulnerability in Intel and AMD microprocessors, affecting all Linux operating systems that use the affected chips.

Doctoral student Johannes Wikner and assistant professor Kaveh Razavi discovered the vulnerability, and dubbed it ‘Retbleed’. This name stems from the vulnerability's methodology, exploiting the messy way that processors handle return instructions, which occur after a function has been executed. In a blog post

By hijacking speculative execution processes, Retbleed can leak kernel memory from Intel and AMD CPUs, as well as the root password hash for Linux systems using the affected CPUs. Any system using an Intel CPU from generations 6-8, or AMD Zen1, Zen1+ and Zen2 is likely affected.

To end, Retbleed represents a very widespread and severe threat to the security of hardware to the majority of business PCs, given the vast market share enjoyed by both Intel and AMD.

Speculative execution is used to access computational steps before it has been confirmed that they are necessary for the process; in effect, the processor ‘guesses’ what might be needed before finishing the chain of instructions to speed things up and improve its overall power. Unneeded speculative calculations are discarded, but leave a trace in the cache that hackers can use as a backdoor. This can be used to gain access to information in the memory, which could be highly sensitive.

In this way, Retbleed is similar to Spectre, which was discovered in 2018 and caused widespread alarm in the computing world. Although Intel and AMD have since mitigated Spectre, how they did this led to reliance on the exact construct that Retbleed now exploits.

To shield the indirect jumps utilised by many processors, a construct known as Retpoline is utilised, to favour the use of returns. When this was implemented, it was widely believed that returns were not a valid vector of attack, a belief that Retbleed has now disproven.

"Since the mitigation measures taken so far did not take the return instructions into account, most existing microprocessor computer systems are vulnerable to 'Retbleed'," Razavi stated.

Affected manufacturers were made aware of the vulnerability before the general public. They have already taken steps to identify the weaknesses within their processors and enact mitigation measures, with Intel having already released a technical advisory on the subject. Hardware vulnerabilities are not always easily remedied, and can prove next to impossible to patch altogether.

In a statement to IT Pro, Intel offered information on the steps they have taken to protect users:

"Intel worked with our industry mitigation partners, the Linux community and VMM vendors to make mitigations available to customers. Windows systems are not affected as they already have these mitigations by default."

Unfortunately, the researchers have said that mitigations are expensive to implement, with a 14-39% predicted overhead for AMD and Intel patches. As with the hardware-based flaws before it, Retbleed is already proving a costly and troublesome exploit. Additionally, current mitigations can lead to performance costs, with increased security on microprocessor decisions on return destinations decreasing overall efficiency. The researchers claim to have seen up to a 28% hit in performance as a result.

Its discoverers are due to present a paper on their findings at the 2022 USENIX Security Conference, on August 12.

The Microsoft Office zero-day vulnerability reported widely this week is already being used in active attacks by Chinese state-sponsored hackers, a cyber security company has said.

The advanced persistent threat (APT) group tracked as TA413 has been spotted impersonating the Women’s Empowerment Desk of the Central Tibetan Administration - a genuine division dedicated to issues such as gender equality and combating violence against women.

Proofpoint researchers said the malicious documents are delivered via zip archives through URLs that aim to imitate the genuine Tibetan government, but didn’t comment on the type of payload that’s delivered.

The vulnerability that exploits the ms-msdt Microsoft Office Uniform Resource Identifier (URI) scheme is now tracked with CVE-2022-30190 and has been shown to work on all versions of Microsoft Office and Windows Server, including Office 365 which was previously thought to not be vulnerable.

Successful exploitation of the diagnostic and troubleshooting tool can lead to the execution of malicious code on Windows systems.

If the malicious document is saved using the Rich Text Format (RTF), code can also be executed by looking up the document in the Windows Explorer preview tab, without even opening it up.

Under the radar

Since CVE-2022-30190 became widely reported this week, it has since emerged that Microsoft was made aware of the vulnerability as far back as 12 April 2022.

A researcher by the alias of crazyman, who is part of a bug-hunting collective called Shadow Chaser Group, was credited with the discovery once Microsoft assigned the vulnerability a CVE code.

Crazyman posted proof of their submission to Microsoft online and found an example of in-the-wild exploitation seemingly from a Russian-speaking threat actor more than a month ago.

A member of Microsoft Security Response Centre (MSRC) responded to the submission after looking at it “critically” and decided that it was “not a security-related issue”.

The team acknowledged that the MSDT scheme was executed as part of the malicious document but since it required a passcode when it started - a passcode that did not work for the MSRC analyst during testing - the case was ultimately closed.

Independent security researcher and former Microsoft-employed security professional Kevin Beaumont, whose report of the zero-day vulnerability sparked wider interest in it this week, said MSRC’s response sounded like they wanted to re-triage the report, rather than dismiss it entirely.

On the same day, a threat intelligence researcher at MalwareBytes also discovered the Russian-language maldoc sample but the cyber security company said the remote template was already down at the time which meant that identification was not possible.

Microsoft’s guidance

Along with assigning the zero-day CVE tracking identifier, Microsoft has released a support document for Windows and Microsoft Office users, advising of the temporary workarounds they can deploy to mitigate the threat.

The recommended workaround is to disable the MSDT URI to prevent troubleshooters from being launched as links, including links throughout the operating system.

Troubleshooters can still be accessed by using the Get Help application, Microsoft said, and through system settings.

To disable MDST, Microsoft instructed users to do the following:

• Run Command Prompt as Administrator.
• To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”
• Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

To undo the workaround - potentially useful information when a full patch is released, users should do the following:

• Run Command Prompt as Administrator.
• To restore the registry key, execute the command “reg import filename”

It was previously reported that Microsoft Defender for Endpoint did not detect exploitation of CVE-2022-30190 but Microsoft said it now provides alerts in Microsoft 365 Defender portal under the following titles:

• Suspicious behaviour by an Office application
• Suspicious behaviour by Msdt.exe

Microsoft Defender Antivirus also now provides detections for possible exploitation using the following signatures using detection build 1.367.719.0 or newer:

• Trojan:Win32/Mesdetty.A (blocks msdt command line)
• Trojan:Win32/Mesdetty.B (blocks msdt command line)
• Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line)

A team of German researchers have discovered a new threat model affecting Apple iPhones that allows malware to be installed on a device even when it’s switched off.

Researchers were able to show that malware could be installed on an iPhone’s Bluetooth chip - one of the few components that both remain active after the device is shut down, and also has access to an iPhone’s secure element.

The discovery is reliant on an iPhone user running iOS 15 or later since this was the release that added the functionality to find the device even after it had been shut down.

Most wireless chips remain activated on an iPhone for users who have enabled the ‘Find My network’ setting in Apple’s Find My app, even if it has been manually powered down.

These wireless chips: Bluetooth, NFC, and ultra-wideband (UWB) are all hardwired to the phone’s secure element - the area in which secrets are stored - and can therefore no longer be trusted components of the device, the researchers said, given that they are accessible after a shutdown.

The researchers were able to write to the Bluetooth chip in an iPhone 13 by exploiting a legacy feature that requires iOS to be able to write to the executable RAM regions using a vendor-specific host-controller interface (HCI) command.

Attackers could theoretically modify the custom functionality of the Bluetooth chip during a low power mode, via malware, to send the device’s location to the attacker, or add new functionality entirely, the researchers said in a paper.

Although the attack is not currently exploited in the wild, and according to other researchers speaking to Vice, prospective attackers would need to chain this vulnerability with a separate exploit to execute it, the researchers’ work presents a new threat model to be aware of.

Businesses that have equipped their workforce with iPhones running iOS 15 or later should consider turning off the Find My network as a device policy before issuing to employees.

The researchers did stipulate that the Find My network feature did, overall, improve the security of the iPhone, despite the new threat model its new functionality presents.

IT Pro contacted Apple for a response but it did not reply at the time of publication and declined to comment on the story to other media outlets.

The severity of an actively exploited Windows security vulnerability rises to the highest severity rating if used by attackers in an NTLM relay attack.

The spoofing vulnerability in Windows Local Security Authority (LSA) subsystem, tracked as CVE-2022-26925, has a CVSSv3 severity rating of 7.1 on its own, but climbs to 9.8 if harnessed in tandem with an NTLM relay attack, Microsoft said.

NTLM relay attacks involve the exploitation of Microsoft’s NTLM authentication protocol, now in its thirtieth year and thus deeply embedded in enterprise networks, allowing attackers to sit in between clients and servers to intercept authentication requests to capture credentials and move around networks.

All supported versions of Windows are vulnerable to the attack and Microsoft said hackers are already finding ways to exploit it. Experts told IT Pro that it’s a bug that should worry every IT professional and one that could lead to remote code execution (RCE).

“While the advisory lists this as a CVSSv3 of 7.1 - the score jumps to a 9.8 when used as part of an NTLM attack,” said Kev Breen, director of cyber threat research at Immersive Labs. “While all servers are affected - domain controllers should be a priority for protection as, once exploited, this provides high-level access to privileges, often known as ‘the keys to the kingdom’.”

Microsoft has already published an article and a separate advisory for system administrators who are looking for more information on how to protect their environments from NTLM relay attacks.

The Zero Day Initiative (ZDI) also noted that the patch affects some backup functionality on Windows Server 2008 SP2 so it’s worth reading the vulnerability’s documentation carefully to ensure backups continue to work as needed.

PrintSpooler continues to threaten

It’s nearly been a year since Microsoft’s bungled PrintNightmare fiasco first started affecting Windows machines and a further three vulnerabilities have been addressed in Print Spooler - the built-in Windows component in this month’s round of fixes.

Although Microsoft is not aware of any active exploitation, all three vulnerabilities are classified as ‘exploitation more likely’ and should be patched as soon as possible.

“Print Spooler shows that it remains an Achilles heel in enterprise security teams’ infrastructure with the trio of vulnerabilities CVE-2022-29104, CVE-2022-29114, and CVE-2022-29132,” said Breen. “An often forgotten, but still default, component on all Windows devices, servers, and desktops - Print Spooler still presents an attractive bullseye for attackers.”

Back to normality

May 2022’s Patch Tuesday fixed 74 different vulnerabilities, a figure that’s “par for the course in terms of both number and severity of vulnerabilities,” according to Greg Wiseman, lead product manager at Rapid7, and will theoretically require less patching work compared to last month’s 145 vulnerabilities.

A total of seven vulnerabilities were classified as ‘critical’ and three had near top severity ratings of 9.8/10.

An RCE bug in Windows Network File System tracked as CVE-2022-26937, is among the three highest-rated flaws. “This can be mitigated by disabling NFSV2 and NFSV3 on the server; however, this may cause compatibility issues and upgrading is highly recommended,” said Wiseman.

A set of ten RCE issues in Windows Lightweight Directory Access Protocol (LDAP), two of which were rated 9.8/10 and comprised the final two highest-rated vulnerabilities in the list, are also cause for concern.

“With a headline score of 9.8, a set of 10 remote code execution vulnerabilities in LDAP appear particularly threatening, however, have been marked by Microsoft as ‘exploitation less likely’ as they require a default configuration unlikely to exist in most environments,” said Breen. “It’s not to say there is no need to patch these, rather a reminder that context is important when prioritising patches.”

Of the 74 total CVEs, seven were rated ‘critical’, 66 were rated ‘important’, and one was rated ‘low’. Windows administrators are advised to update as soon as possible and unlike with previous releases, the community has responded positively to this month's patches, so far.

Microsoft has patched considerably more than 100 security vulnerabilities this week, as part of its monthly ‘Patch Tuesday’, including ten rated ‘critical’.

The 145 now-fixed vulnerabilities were dominated by privilege escalation flaws and remote code execution (RCE) vulnerabilities, a total of 55 and 47 respectively. Denial of service, information disclosure, and spoofing flaws comprised the majority of the remainder.

Of the ten critical-rated vulnerabilities, three of them scored nearly maximum marks (9.8), representing a serious threat to organisations.

All three 9.8-rated vulnerabilities are RCE flaws that require a low degree of attack complexity in order to exploit, two of which are wormable, according to Zero Day Initiative (ZDI).

The first of the two wormable flaws is CVE-2022-26809, a flaw that could allow an attacker to execute arbitrary code on a machine with high privileges. The static port used in this exploit (TCP port 135) is usually blocked at the network perimeter, ZDI said, but it’s still a highly dangerous vulnerability that should be patched swiftly.

The second wormable attack can be exploited through a combination of two vulnerabilities amounting to a critical rating, both affecting the Windows Network File System (NFS) and tracked as CVE-2022-24491 and CVE-2022-24497.

“On systems where the NFS role is enabled, a remote attacker could execute their code on an affected system with high privileges and without user interaction,” said ZDI. “Again, that adds up to a wormable bug – at least between NFS servers.

“Similar to RPC, this is often blocked at the network perimeter. However, Microsoft does provide guidance on how the RPC port multiplexer (port 2049) ‘is firewall-friendly and simplifies deployment of NFS.’ Check your installations and roll out these patches rapidly.”

Another of the more notable vulnerabilities was CVE-2022-26904. Found jointly by CrowdStrike and the US National Security Agency, it’s a privilege escalation issue that can be exploited if an attacker can win a race condition.

Microsoft categorised the flaw as ‘high’ complexity in order to exploit it and there is functional proof-of-concept (PoC) code available that works in most situations where the vulnerability exists, it said.

Its CVSS v3 score is comparatively lower than the aforementioned critical vulnerabilities, scoring 7.0, but ZDI also noted that there is a functional Metasploit module also available for CVE-2022-26904. This means the widely abused penetration testing software now has pre-built functionality to exploit the security vulnerability, making attacks easier for cyber criminals.

As with all security vulnerabilities and especially zero-day exploits, businesses are urged to apply the patches as soon as possible to prevent cyber attacks and potential data loss. Now that these vulnerabilities are published, prospective attackers can analyse the exploit methodology and use it to their advantage.

“With so many vulnerabilities to manage, it can be difficult to prioritise,” said Greg Wiseman, Lead Product Manager at Rapid7 to IT Pro. “Thankfully, most of this month’s CVEs can be addressed by patching the core operating system.

"Administrators should first focus on updating any public-facing servers before moving on to internal servers and then client systems. The SMB Client vulnerabilities can also be mitigated by blocking port 445/tcp at the network perimeter – victims need to be enticed to connect to a malicious SMB server, and this would help against Internet-based attackers. Of course, this won’t help much if the malicious system was set up within the perimeter.”

Full details of this week's round of patches can be found in Microsoft's detailed rundown.

Microsoft has released this month’s score of patches for Windows security flaws, fixing a bug found in February that prevented some users from erasing all their files after a system reset.

The Windows manual reset option is designed to effectively restore a device to its factory-shipped settings, removing user data. Microsoft published a workaround at the time, but the updates to Windows 11 and Windows 10 released on Tuesday will eliminate the bug, though Microsoft did say it may take up to seven days for the changes to take effect.

A total of 92 vulnerabilities were patched across Windows and other Microsoft products, including three critical-rated remote code execution (RCE) vulnerabilities and three security feature bypass flaws.

Two of the critical-rated flaws affected Video Extensions for advertisements, tracked as CVE-2022-24501 and CVE-2022-22006, and both were able to be exploited to achieve RCE with a ‘low’ attack complexity.

In both cases, an attacker would need to convince a user to download a specially crafted file that would lead to a crash. Successful attackers would also need local access to a victim’s machine, either via its mouse and keyboard or a secure shell connection (SSH).

The other critical flaw, tracked as CVE-2022-23277, is a remote code execution vulnerability in Microsoft Exchange Server with a low degree of attack complexity and low privileges required to exploit. In all three cases, there is no known exploit code available, but patching is still recommended, especially for security vulnerabilities of this severity.

“The vulnerability most likely to raise eyebrows this month is CVE-2022-23277, a Critical RCE affecting Exchange Server,” said Greg Wiseman, lead product manager at Rapid7.

“Thankfully, this is a post-authentication vulnerability, meaning attackers need credentials to exploit it. Although passwords can be obtained via phishing and other means, this one shouldn’t be as rampantly exploited as the deluge of Exchange vulnerabilities we saw throughout 2021. Exchange administrators should still patch as soon as reasonably possible.

A total of 29 RCE vulnerabilities were addressed in Microsoft’s March ‘Patch Tuesday’, and three of the total 92 flaws had been previously disclosed.

Of these three previously known issues, both CVE-2022-21990 and CVE-2022-24459, RCE and privilege escalation vulnerabilities respectively, have known proofs-of-concept (PoC) available but no exploitation has been observed in the wild.

The final known vulnerability was an RCE flaw affecting .NET and Visual Studio; this has also now been patched but no PoC code is thought to have been developed, Microsoft said. It would be difficult to exploit this vulnerability alone, and would be more likely used as part of a chained attack, it added.

Other vulnerabilities such as privilege escalation, security feature bypass, information disclosure, denial of service, and spoofing flaws were also found across Microsoft’s products. All updates are available in the Microsoft Update Catalog now.

Google has announced it will be doubling the rewards it offers to bug hunters who can demonstrate working exploits for a range of zero-day and one-day vulnerabilities across a variety of platforms.

The reward increases will be applied to exploits discovered in the Linux Kernel, Kubernetes, Google Kubernetes Engine (GKE), or kCTF (Kubernetes-based infrastructure for capture the flag exercises), with the next review coming at the start of 2023.

Rewards offered for valid one-day security exploits increase by more than double to a maximum of $71,337, up from $31,337 previously. Sometimes known as 'n-days', one-days are publicly known vulnerabilities that have patches for them, but Google will offer rewards for novel exploits in this case.

Bug hunters seeking rewards for valid one-day exploits will have to provide a link to the existing patch in their report. Google also said it will be limiting the number of rewards for one-day vulnerabilities to only one version or build.

"There are 12-18 GKE releases per year on each channel, and we have two clusters on different channels, so we will pay the $31,337 base rewards up to 36 times (no limit for the bonuses)," said Eduardo Vela, Product Security Response TL/M at Google. "While we don't expect every upgrade to have a valid 1day submission, we would love to learn otherwise."

Valid exploits for previously unknown zero-day vulnerabilities will nearly double to a maximum reward of $91,337, up from $50,337 previously. Zero-day vulnerabilities typically attract greater rewards because any given vendor would always want to secure the weakness before news of it ever reached cyber criminals.

"We launched an expansion of kCTF VRP on 1 November 2021 in which we paid $31,337 to $50,337 to those that are able to compromise our kCTF cluster and obtain a flag," said Vela. "We increased our rewards because we recognised that in order to attract the attention of the community we needed to match our rewards to their expectations. We consider the expansion to have been a success, and because of that, we would like to extend it even further to at least until the end of the year (2022)."

An increasing amount of recent research has highlighted cyber criminals' shift in focus towards Linux environments, both in and outside of the cloud.

Qualys published findings earlier this year regarding a Linux root privilege flaw that went unnoticed for 12 years while "hiding in plain sight", while VMware observed an increasing number of ransomware attacks targeting Linux-based multi-cloud environments last week.

Full details on the reporting process can be found in the Google blog post.

Reward structure

Google will offer a base reward of $31,337 for the first valid exploit for a given vulnerability, zero-day or one-day. This will only be paid once per vulnerability and once per cluster version or build. Duplicate exploits will not be awarded unless it presents a novel exploit chain, Google said.

From there, a total of three bonuses of $20,000 are available depending on the nature of the exploit disclosed.

• $20,000 will be awarded if the exploit is a zero-day
• A further $20,000 will be awarded for exploits that do not require unprivileged user namespaces
• Another $20,000 is on offer to those who can demonstrate novel exploit techniques. This also applies to duplicate exploits and Google requires a full write-up to qualify as a valid submission

An 'easily exploitable' root privilege security vulnerability has been discovered in popular default Linux distributions and "has been hiding in plain sight" for more than 12 years, according to security researchers.

Qualys discovered and developed a working exploit for the vulnerability, dubbed 'PwnKit', which could allow an unprivileged user to gain root privileges on a vulnerable machine. The researchers said it affects popular distros including Ubuntu, Debian, Fedora, and CentOS, adding that other distros are also likely vulnerable and exploitable.

The flaw was found in Polkit - a component in Unix-like systems that allows non-privileged processes to communicate with privileged processes using the command 'pkexec' followed by the command set to be executed.

Qualys said the vulnerability affects all versions of pkexec since its first version in May 2009 (commit c8c3d83) and is tracked as CVE-2021-4034. Achieving root access allows an attacker to execute any command on, and access any part of a system.

The vulnerability is not remotely exploitable, which means the attacker would need to have physical access to the target machine, but Qualys said the exploit can be executed quickly to gain root privileges.

The author of the blog post that detailed the vulnerability, Bharat Jogi, director of vulnerability and threat research at Qualys, said he would not be publishing exploit code but given the simple nature of exploiting it, Qualys expects publicly available exploits to be circulating within days.

Businesses concerned about the vulnerability in their environments can check for patches for their specific distro but if there are none available, one workaround is to remove the SUID-bit from pkexec as a temporary mitigation.

Technical details of PwnKit

The full technical details can be found in Qualys' blog post but in summary, the vulnerability lies in the way pkexec reads environmental variables and attackers can re-introduce unsecured environmental variables that are normally removed from the environment of SUID programs before the main function is called.

Qualys' concise description: "If our PATH is “PATH=name=.”, and if the directory “name=.” exists and contains an executable file named “value”, then a pointer to the string “name=./value” is written out-of-bounds to envp[0]."

Although polkit supports other non-Linux operating systems such as Solaris and *BSD, Qualys has not yet investigated if the exploit works on these systems but can confirm OpenBSD is not exploitable.

"Given the breadth of the attack surface for this vulnerability across both Linux and non-Linux OS, Qualys recommends that users apply patches for this vulnerability immediately," said Jogi.

Multiple cases of the covert Pegasus spyware have been found targeting journalists and activists in El Salvador, a report from Citizen Lab at the University of Toronto has revealed.

A total of 35 cases were confirmed after journalists and members of civil society contacted Citizen Lab to analyse their devices after becoming suspicious of a Pegasus infection, which allows operators to surreptitiously install information-harvesting and remote monitoring tools on targeted iPhones.

Targets included journalists at Salvadoran news outlets El Faro, GatoEncerrado, La Prensa Gráfica, Revista Digital Disruptiva, Diario El Mundo, El Diario de Hoy, and two independent journalists.

Fundación DTJ - an NGO promoting transparency in the Salvadoran justice system, Cristosal - a school on human rights, and another unnamed NGO were also successfully targeted by Pegasus, Citizen Lab said.

Developed by Israeli outfit NSO Group, Pegasus has been used to target a number of high-profile journalists, activists, and diplomatic figures in recent years, including prominent journalist and Saudi critic Jamal Khashoggi who was murdered in 2018.

Many of the affected individuals received notifications from Apple on their devices indicating they may have been a victim of a state-sponsored spyware campaign. Apple launched a lawsuit against NSO Group the same day.

The confirmed cases were corroborated by Amnesty International’s Security Lab, an independent analysis group that drew the same conclusions as Citizen Lab.

Uncovering Pegasus

The researchers said attribution is typically difficult in Pegasus cases due to the way the spyware hides key data, but in this case, the analysis revealed one operator operating almost exclusively on El Salvador soil since at least November 2019.

Citizen Lab researchers refer to this individual as TOROGOZ and have connected the operator to an infection attempt against the El Faro news organisation.

"While there is no conclusive technical evidence that TOROGOZ represents the Salvadoran government, the strong country-specific focus of the infections suggests that this is very likely," the Citizen Lab report said. "Additionally, in the single case of hacking in this investigation in which we recovered the domain names of the Pegasus servers used, the TOROGOZ operator was implicated."

The researchers were unable to attribute the attacks to NSO Group or the El Salvador administration, but found evidence that strongly suggested the operator had ties with the country's government.

The timing of the attacks coincided with moments at which the affected organisations were working on issues with great interest to President Nayib Bukele - perhaps best known in the technology community as the brainchild of El Salvador's volcano-powered Bitcoin city and the decision-maker in adopting Bitcoin as an official national currency in 2021.

TOROGOZ's "near-total focus of infections within El Salvador" was another clue linking the cases to the government, Citizen Lab said, as well as one individual from El Faro being targeted with Pegasus' telltale zero-click FORCEDENTRY exploit which is patched on more recent iOS versions.

NSO Group has consistently denied any wrongdoing and claims Pegasus is a national security tool that is not used for malicious purposes, including state-sponsored espionage. A 2021 investigation found at least ten countries had access to Pegasus and El Salvador was not previously included in that list.

Technical analysis of the attacks

Two zero-click exploit chains were used against the targeted journalists: KISMET and FORCEDENTRY. The latter of these two exploits affects older versions of iOS but was sent to an El Faro journalist's patched iPhone. Citizen Lab said it's unclear why a patched device was targeted with FORCEDENTRY but it may indicate that operators may not always be able to determine the device's iOS version before launching an attack.

KISMET is another exploit chain that requires no user interaction with a device in order to achieve infection. First disclosed in 2020, it too is now patched in more recent versions of iOS but was used in attacks launched between July and December 2020, on devices running iOS versions 13.5.1 to 13.7.

Researchers are only able to extract a forensic artefact from the KISMET exploit chain, rather than the full exploit, but it is thought to utilise .JPG attachments and an old iMessage flaw.

There are also variants of Pegasus available for Android smartphones too, which is "capable of extracting data from popular messengers such as WhatsApp, Facebook, and Viber, as well as email clients and browsers," said Jakub Vavra, Mobile Threat Analyst at Avast, speaking to IT Pro.

"The spyware is capable of remote surveillance through microphone and camera as well as taking screenshots of the user’s screen and keylogging the user's inputs. These features make it a dangerous tool that can be misused to spy on unwitting individuals."

El Salvador media and political landscape

El Salvador has a troubled history tainted with cases of authoritarianism and coups - in addition to organised crime, drug trafficking, and corruption. Civil war ravaged the country in the late 1900s which left a legacy of political and military corruption.

There are plenty of critical news organisations in the region, but journalists face challenges in the form of press freedoms and access to information. The country is often ranked poorly in terms of the level of freedom given to the press - it ranks 82nd for press freedom according to Reporters Without Borders - and there are a number of cases where journalists have been blocked from attending events such as government conferences.

Users of Lenovo's range of ThinkPad workstations have been warned to patch their systems following the discovery of flaws that allows hackers to launch privilege escalation attacks.

It's believed that two separate flaws can be chained together to target the ImControllerService component and change a user's access level to a system, according to security researchers at NCC Group.

The ImControllerService is a component present on Lenovo's ThinkPad hardware range and controls tasks such as system power management and app and driver updates.

The vulnerability can be triggered by exploiting two flaws, tracked as CVE-2021-3922 and CVE-2021-3969, affecting the way in which the ImControllerService handles the execution of highly privileged child processes, NCC Group said.

The normal running of a system will have the ImControllerService periodically start child processes that open named pipe servers. These named pipe servers connect to the parent process in order to retrieve and execute the necessary XML serialised commands.

One of these commands is to load a plugin from an arbitrary location on the system. The child process is required to validate the digital signature of the plugin dynamic-link library (DLL) before loading and executing the file.

However, hackers are able to hijack this process in order to change privileges and load any payload of their choosing onto the machine.

The first vulnerability lies in the fact that the child process fails to check whether the source of the initial connection is legitimate. This creates a race condition that effectively sees the hacker try and make a connection with the named pipe ahead of the parent process.

"An attacker using high-performance filesystem synchronisation routines can reliably win the race with the parent process to connect to the named pipe," said NCC Group. During testing NCC Group’s proof of concept code never failed to connect to the named pipe before the parent service could do so.

"Because the child process does not validate the source of the connection it will begin accepting commands from the attacker after the race condition has been exploited."

The second vulnerability is a time-of-check to time-of-use flaw, which stems from how the child process validates the plugin it's being asked to load. When loading a DLL, the child process validates its authenticity by checking if it's signed by Lenovo.

However, attackers can use opportunistic locking (OpLocks) on a file to stall the validation process long enough for them to load their own DLL. Once the lock is released, the machine will load the DLL of the attacker's choosing which leads to privilege escalation.

Lenovo has released an advisory in which it warns users to patch machines to the latest IMController version (version 1.1.20.3). The component is automatically updated by the Lenovo System Interface Foundation Service, which means the update can be triggered by rebooting the machine or manually restarting the 'System Interface Foundation Service' service, it said.

It's currently unclear how many Lenovo machines were, or currently are, thought to be affected globally, but Lenovo told IT Pro: "Lenovo worked with NCC in line with industry best practices and fixed the issue in November and customers are already protected."

The scale of the threat associated with the recently discovered Log4Shell vulnerability has been quantified for the first time, with nearly 1 million attack attempts launched in just 72 hours following the critical vulnerability's disclosure on 9 December.

Experts from Check Point Research published observations from early vulnerability scans on Tuesday, which revealed attempts to exploit systems vulnerable to Log4Shell increased from 40,000 in the immediate 12-hour period following disclosure, to 830,000 attempts after just three days.

Researchers said the vulnerability "is clearly one of the most serious vulnerabilities on the internet in recent years, and the potential for damage is incalculable". The security community is still scrambling to fully understand the attack surface for Log4Shell, the RCE vulnerability in the log4j Java logging component revealed last week.

"The number of combinations of how to exploit it give the attacker many alternatives to bypass newly introduced protections," researchers said. "It means that one layer of protection is not enough, and only multi-layered security posture would provide a resilient protection. Three days after the outbreak, we are summing up what we see until now, which is clearly a cyber pandemic that hasn’t seen its peak yet."

The industry has banded together to share quick fixes and easy ways to remediate issues in the enterprise, but research has shown attackers are finding new ways to exploit the vulnerability.

Check Point Research said it has seen a steady increase in exploit evolutions over the course of 72 hours since Log4Shell's discovery, with more than 60 different methods already in use.

Findings from their investigation are said to resemble a cyber pandemic, in which attacks spread quickly and evolve continually to break through attempted fixes.

Who is most vulnerable to Log4Shell?

The investigation also looked at corporate exposure to Log4Shell and concluded that a global average of 40% of all networks across the world could be vulnerable to log4j flaws.

Australia and New Zealand were found to be the most exposed at 46.2% of all corporate networks, with Europe close behind with 42.2%. Asia and North America are the least exposed at 37.7% and 36.4% respectively.

Value-added resellers and the education sectors were found to be particularly vulnerable compared to other industries, with around half of all organisations across the two sectors thought to be affected.

Unlike with the COVID-19 pandemic, the retail and hospitality sectors are thought to be the least affected, with around a quarter of organisations exposed to log4j-based attacks.

There is significant pressure felt by security teams across the globe to fully patch the vulnerability. Upgrading to the latest version of the log4j library, version 2.15.0, is so far the best mitigation against the flaw.

Also this week, the US' Cybersecurity and Infrastructure Security Agency (CISA) told all federal agencies they had until 24 December to patch systems and protect them from Log4Shell.

It follows a recent increase in focus on patch management across the US public sector, led by CISA, after the agency issued deadlines to all federal departments in November to patch a 300-strong list of major cyber security vulnerabilities. The first deadline passed weeks later but CISA declined to confirm to IT Pro if all federal agencies had met the requirements in time.

Check Point Research said it thinks the vulnerability in the log4j library "will stay with us for years to come" due to the complexity in patching it and the ease in which attackers can exploit it.

Security researchers have observed a significant increase in the number of attacks against Zoho software, with a number of instances and organisations already affected across the world.

A total of 13 organisations across industries including defence, energy, technology supply chain, healthcare, and education have been compromised over a three-month period, according to Palo Alto Networks' Unit 42.

Successful exploitation of the software flaws can lead to remote code execution (RCE) and supply attacks using administrator privileges.

Attacks began back in September when CISA warned of cyber criminals exploiting a newly identified, critical-rated vulnerability, tracked as CVE-2021-40539, in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution product from Zoho.

Zoho issued a patch for the exploit in September, followed by an advisory on 22 November explaining the severity of the issue to customers and urging them to patch their systems.

However, researchers at Unit 42 drew attention to a second campaign targeting a different Zoho product in November. The exploit tracked as CVE-2021-44077 which affects ManageEngine ServiceDesk Plus, a help desk and asset management product, was more sophisticated and difficult to detect, researchers noted.

Unit 42 researchers determined that 47% of ADSelfService Plus and 62% of ServiceDesk Plus instances across the globe are still using vulnerable versions and have yet to be patched by customers.

The most recent findings from the past two weeks have confirmed an additional four businesses compromised using the vulnerabilities, two in ADSelfService Plus and two in ServiceDesk Plus, bringing the total to 13 after an initial nine cases were confirmed.

Researchers said they hadn't identified any publicly available proof of concept code for the exploit but observed that the group behind the attacks was indeed using one of their own exploits to compromise unpatched versions of the software.

The group used a variety of initial access vectors to breach Zoho's infrastructure, allowing them to drop a Godzilla webshell using RCE to provide the group with additional access and persistence in compromised systems.

Two requests were sent to the REST API allowing the attackers to upload the msiexec.exe executable and launch the malicious payload.

Godzilla was used in attacks on both ADSelfService Plus and ServiceDesk Plus, but used different files. A Java Server Pages (JSP) file was used with ADSelfService Plus but Godzilla was dropped using an Apache Tomcat Java Servlet Filter with ServiceDesk Plus.

Using a filter allowed attackers to sift inbound and outbound requests to determine which were meant for the webshell. Installing Godzilla as a webshell also meant that there was no specific URL used by the group to send its requests to the webshell, and it could also bypass a ServiceDesk Plus security filter designed to stop webshells.

Unit 42 researchers said "the best defence against this evolving campaign is a security posture that favours prevention". Businesses are advised to patch all instances and assess the business need for all internet-facing Zoho products.

Zoho customers are also advised to review all files that have been created in the affected products since October 2021 and get in touch with Unit 42 if they think they are affected.

IT Pro has contacted Zoho for comment on the research.

The Federal Bureau of Investigation (FBI) confirmed on Saturday that a hacker exploited its systems to send fake emails to law enforcement partners alerting them to a supposed cyber attack.

The hacker exploited a misconfiguration in its Law Enforcement Enterprise Portal (LEEP) web app to send legitimate-looking alerts to partners warning them that they had suffered a cyber attack and that a threat actor was currently in their system.

Emails were sent to partners from an official FBI email account with an @ic.fbi.gov domain, the headers of which also appeared to be legitimate after being sanitised.

The hacker falsely informed recipients they had fallen victim to a "sophisticated chain attack" attributed to Vinny Troia, a reputable security researcher and oft subject of memes in the cyber security industry.

Troia rejected his involvement in the attack shortly after its discovery.

The FBI confirmed the threat actor was unable to access or compromise any sensitive data held by the FBI, and said the server used to send the false emails was used only to push notifications for LEEP rather than being connected to the FBI's corporate email service.

"The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails," it said on Saturday. "LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners.

"While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks."

Researchers at Spamhaus drew attention to the early reports of fake emails on Saturday, saying the recipients were chosen indiscriminately and email addresses were scraped from an ARIN database.

ARIN is a regional internet registry responsible for the management and distribution of internet number resources such as internet protocol (IP) addresses and autonomous system numbers (ASNs).

The email sent to recipients appeared as follows:

Spamhaus said its telemetry indicated two 'waves' of spam emails being sent, one just before 05:00 on Saturday and then another shortly after 07:00.

Security researchers reported having contacted the FBI at the time of the incident said the staff were "slammed" with calls from alarmed recipients trying to verify if the correspondence was legitimate or not.

A hacker known by the alias Pompompurin claimed responsibility for the attack in an interview with security researcher Brian Krebs. They said they wanted to draw attention to the security vulnerability in the LEEP web app.

Pompompurin said LEEP allowed anyone to apply for an account, despite it being reserved only for law enforcement partners of the FBI. Account authentication was also run through a one-time passcode emailed to the applicant - a code which the FBI's website leaked in the HTML code of its web page.

When users requested a confirmation code, they were sent a POST request which included parameters for the email subject and body content. Pompompurin replaced the parameters with his own email subject and body to automate thousands of email sends.

Experts have suggested that the level access Popompurin was able to achieve was worrying and that a wider attack campaign could have bene launched to compromise law enforcement partners across the US.

"The hack could have enabled an attacker to disperse a phishing email campaign to all the FBI’s state and local law enforcement partners - one that was designed to compromise US-wide law enforcement," said Alan Calder, CEO at GRC International Group.

A senior UK-based cyber security researcher has been awarded $50,000 (£37,168) for successfully hacking a Samsung Galaxy S21 device using a novel exploit.

Sam Thomas, director of research at Pentest Limited, broke into one of Samsung's premium smartphones while competing in Pwn2Own Austin, a regular hacking competition run by Trend Micro's Zero Day Initiative (ZDI).

Thomas used a "unique three-bug chain" to compromise the Samsung Galaxy S21, a feat no other competitor was able to achieve.

The specific methods Thomas used to achieve compromise the device have not been detailed by either the researcher or the ZDI. IT Pro contacted Thomas for further details but he did not reply at the time of publication.

The researcher's success came a day after two other researchers from Singapore-based STARLabs also successfully achieved code execution on the Samsung Galaxy S21.

In Pwn2Own competitions, researchers are required to enter a disclosure room with the affected vendor after the competition round is over to detail the vulnerability they exploited. At this stage, it was revealed that the bug STARLabs researchers used to break the smartphone was already known to Samsung, though not known to the public.

Because of this, the STARLabs researchers were given a reduced prize of $25,000 (£18,620). Thomas received the biggest prize due to the novel nature of the exploit he used.

A day before Thomas' Samsung success, he also demonstrated how a different three-bug chain could be used to achieve code execution on a My Cloud Pro Series PR4100 network attached storage (NAS) device. The chain included an unsafe redirect and a command injection - a piece of work which earned Thomas a further $40,000 (£29,790) in prize money.

Pwn2Own tournaments see security experts compete against each other in a series of rounds over a number of days to accumulate prize money and 'Master of Pwn' points. The researcher with the most points wins the competition, a trophy, a champion's jersey, and 65,000 ZDI points.

The ZDI points give the researcher Platinum status in the ZDI, meaning they receive a one-time payout of $25,000 (£18,620), a 25% bonus on rewards for any future vulnerability disclosures, and a 50% point multiplier for further discoveries.

At the time of writing, and with one day remaining in the event, Thomas sits in fourth place with a total of nine points and $90,000 (£66,960) in accumulated prize money.

The devices to be targeted in Pwn2Own competitions are chosen before each event by the organisers. NAS drives were introduced last year, returning this year, with printers also being included as a new addition to the competition.

Apple's iPhone 12 and Google's Pixel 5 were both in the smartphone category for this year, but no attempts had been made on either of them at the time of writing.

The full list of device categories for Pwn2Own 2021 includes smartphones, printers, NAS drives, home automation, televisions, routers, and external SSDs.

So far, the ZDI has awarded $1,016,250 (£756,908) in prize money with one day left to go.

In previous Pwn2Own events, high-profile disclosures have been found in major products such as Microsoft Teams, Apple's iPhone, Zoom, Adobe Reader, Oracle VirtualBox, Google Chrome and many more.

Compromised Microsoft Exchange servers are being used to spread the SquirrelWaffle malspam campaign, according to security researchers.

Speaking to IT Pro, Amir Hadžipašić, CEO and founder of SOS Intelligence, said a vulnerability in Microsoft Exchange, left unpatched as of the last 12 October update, was being exploited using a method similar to ProxyShell - a recent exploit affecting Microsoft Exchange servers that afforded attackers remote code execution access.

Conversations held between SOS Intelligence and organisations who have fallen victim to the campaign confirmed Hadžipašić's suspicions that compromised Exchange servers were being used to launch the malspam campaign.

The new development is particularly concerning for businesses given the sophisticated nature of the attack. SquirrelWaffle hijacks inboxes and sends malicious emails in response to existing email chains, increasing the likelihood that a victim will click on a malicious link or open an infected file because it came from a trusted source. Analysis of victims' logs reveals ProxyShell exploitation leads to mail exporting with Microsoft Exchange Web Services (EWS), allowing it to send from existing chains.

"What is interesting about this particular campaign and is an important development is that all of the emails we observed originated from on-premise Microsoft Exchange Servers that appeared to be vulnerable to ProxyShell," Hadžipašić tosaid to IT Pro.

"Following an investigation of the sender mail servers all were confirmed (by http://Shodan.io) to be vulnerable, further discussions with a number of victims - who had confirmed to have been compromised by a ProxyShell type exploit and indeed were a source of these emails - confirms that Exchange servers and email threads were being 'hijacked' to deliver this malspam."

Another new development in the campaign, observed only in the past few days, is that the URLs in the malspam emails are now changing. Previous hyperlinks have been abandoned for non-hyperlinked, shortened URLs which lead to the download of a malicious payload such as Qakbot if followed.

This opens up the campaign to an element of failure, given victims must manually copy and paste the URL into a browser in order for the malware to be dropped.

URLs have omitted the HTTP/HTTPS prefix to the link, removing the hyperlink and bypassing URL rewrite in the process, and this has led to an uptick in infections because it helps to evade email spam filters.

"Both of these factors increase the likelihood of success since they are social engineering a victim, who will receive an email apparently related to a topic discussed not long ago with the sender and secondly the link was sent in such a way as to bypass any URL rewrite protection mechanisms," said Hadžipašić.

"It is strongly suspected that this campaign is being orchestrated by the 'TR Distro Actor' / TA577 utilising compromised Exchange servers to send these malicious spam emails delivering via an Excel Spreadsheet the Qakbot," he added.

Speaking on the recent TLP Green discoveries, other security researchers, as well Hadžipašić, have warned of the severity of the situation. It is believed that Qakbot campaigns are closely linked to ransomware groups.

Businesses are advised to urgently patch their Exchange servers to Cumulative Update 22, at the very least, and prevent EWS exposure to the internet, most importantly.

IT Pro contacted Microsoft for comment but it did not reply at the time of publication.

SquirrelWaffle at a glance

Cisco Talos researchers published a report detailing the SquirrelWaffle campaign in late October 2021 and how it was infecting systems with a new malware family that has been seen infecting with increased regularity which "could become the next big player in the spam space".

The report notes that SquirrelWaffle provides attackers with a foothold onto victims' machines which then allows them to compromise the victim further and distribute further infections. Qakbot and the penetration testing tool Cobalt Strike were the common payloads the Cisco Talos team observed.

Infections were observed dating back to the middle of September with researchers observing email chains being hijacked in a way not dissimilar to the way Emotet spread before law enforcement intervened in the spread of the botnets.

In these hijacked emails, the researchers identify what they believed to be a degree of localisation taking place, since the emails largely matched the language and style used in the chains that were hijacked. The attack mainly targets English-speaking victims with less than a quarter of emails written in other languages.

While this a relatively new attack vector, the common malware payload, Qakbot, has been around for some time. Back in 2020, researchers discovered the link between Qakbot infections and distributions of DoppelPaymer - the ransomware used to target the likes of Newcastle University, Foxconn, and Compal.

Swiss-based code quality and code security firm SonarSource has published details on a critical vulnerability it found in the Java-based GoCD CI/CD solution that could see attackers leak intellectual property or install backdoors in software before it's released to the public.

The GoCD framework is a particularly attractive target for attackers since it's currently used by a range of non-governmental organisations (NGOs) and Fortune 500 companies, SonarSource said.

The company noted that the vulnerability bears similarities to the one responsible for the SolarWinds hack, the infamously devastating attack launched at the start of 2021 that Microsoft dubbed the most sophisticated cyber attack ever recorded in history. In the case of SolarWinds, a small percentage of the Orion software's code was maliciously re-written before the update was pushed to customers, leading to backdoors being implanted in around 18,000 businesses' networks.

Simon Scannel, vulnerability researcher at SonarSource, discovered a faulty filter safeguarding the HTTP requests sent to a GoCD server, which allowed any unauthenticated request through - including any made by an attacker. Detailing the bug in greater depth in his blog post, he said there was one type of request that was always tied to this filter which meant that anyone who used the request path that matched the type assigned to the faulty filter, in this case it was /add-on/, could target endpoints exposed by add-ons and attack them.

The Business Continuity add-on for GoCD is installed and enabled by default in all affected versions. This contained an arbitrary file-read vulnerability that could be controlled by an attacker and, by setting the right parameters, the researcher found it was possible to read a file on a GoCD server. Two additional endpoints were identified as leaking sensitive information. One leaked an encryption key used to encrypt things like access tokens, and another leaked the main configuration file of a GoCD server.

This means an attacker was required to make just two requests to a GoCD server to steal sensitive data from a victim’s software pipeline - one to get the encryption key and another access the encrypted secrets.

SonarSource plans to release a report detailing how they were able to get a remote code execution (RCE) chain working using this bug.

Speaking to IT Pro, Scannel said he has identified companies in a wide range of industries that are vulnerable to the exploit, including restaurant chains, banks, and IT consulting firms. SonarSource has also said that a number of Fortune 500 companies have been alerted to the issue.

"An attack on a CI/CD solution of a large organisation, such as a Fortune 500 company, could enable an attacker to compromise a wide range of internal tools the company uses, as well as the software the company distributes to their customers," said Scannell to IT Pro. "An attacker could compromise various production environments and steal intellectual property and user data.

"In contrast to a vulnerability that affects only a single service or library of a company, a compromised CI/CD server could affect every piece of software that is built and distributed by the CI/CD server."

All GoCD instances within the version range v20.6.0 0 and v21.2.0 are affected. For any businesses or users who run GoCD and believe they may be infected, SonarSource suggests patching to version v21.3.0 as soon as possible.

"This might be the vuln with the highest impact I found so far.. and it is very simple to exploit," Scannel said in a tweet. "Please patch your instances."

The vulnerability is deemed highly critical by SonarSource because an attacker could extract all tokens and secrets used in all build pipelines.

"For instance, attackers could leak API keys to external services such as Docker Hub and GitHub, steal private source code, get access to production environments, and overwrite files that are being produced as part of the build processes, leading to supply-chain attacks," said Scannel.

"Having a broken authentication vulnerability would allow anyone to access the environment," said Calvin Gan, senior manager with F-Secure’s Tactical Defense Unit. "What could have transpired from there is the modification of a software package to a malicious one, or could be used to steal passwords stored on the environment (possibly combined with another vulnerability), or as stated by SonarSource, they could also potentially achieve remote code execution.

"Achieving remote code execution on a server would mean that it’s game over as the bad actor has already obtained enough access to run anything they wish in the environment because they have full control over it. Therefore, auditing your authentication deployment to ensure proper access checks are done should be an immediate next, while also ensuring that your development environment is not exposed to the public Internet."

SonarSource noted that the GoCD security team responded to the issue "very quickly", patching the vulnerabilities within two days of private disclosure. The issue was addressed by "removing the Business Continuity add-on from the core altogether," Scannel noted.

IT Pro contacted ThoughtWorks, the sponsor of the open source GoCD server for additional comment but it did not respond at the time of publication.

First published by SonarSource on Wednesday, the 'highly critical' vulnerability was initially not given a Common Vulnerabilities and Exposures (CVE) ID. Most organisations rely on CVEs to detect vulnerabilities in their infrastructure, so the issue could have been missed if attention wasn't brought to it.

CVEs are assigned to vulnerabilities by the MITRE corporation, which receives funding from the US' Cybersecurity and Infrastructure Security Agency (CISA).

SonarSource has requested a CVE ID for the individual vulnerabilities and these are expected to be shared in the next few days.

Researchers have unearthed a series of vulnerabilities that could have compromised thousands of WordPress websites.

Potentially exploitable bugs were found in the Brizy Page Builder, a WordPress plugin that is installed across more than 90,000 websites, according to security firm Wordfence.

The company's Threat Intelligence team reported the issues in August and a fix was released shortly afterwards, but it's likely that a number of installations still remain unpatched. If exploited, it could allow attackers to execute "complete site takeover" and add malicious code to existing posts.

The vulnerabilities could also allow for any registered user, including subscribers, to pass as an administrator, where they could modify posts and pages, even if they had already been published on a site.

The Wordfence's Threat Intelligence team said it stumbled upon the vulnerability while conducting a routine review of the Wordfence firewall in July. It said the plugin "did not appear" to be under active attack, but they were led to believe that there was something amiss following "unusual traffic".

"The unusual traffic led us to discover two new vulnerabilities as well as a previously patched access control vulnerability in the plugin that had been reintroduced," Wordfence wrote in a blog post. "Both new vulnerabilities could take advantage of the access control vulnerability to allow complete site takeover."

A patched version of the Brizy Page Builder plugin, was released on 24 August, just a few days after Wordfence disclosed the vulnerability. Wordfence "strongly recommends" users update to the latest version of the Brizy Page Builder (2.3.17) as soon as possible.

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Microsoft’s Patch Tuesday fixes 86 bugs

Microsoft has fixed a raft of vulnerabilities as part of its latest wave of Patch Tuesday updates, including an actively exploited flaw in the MSHTML browser engine that powers Internet Explorer.

Using the vulnerability, tracked as CVE-2021-40444, hackers are able to craft malicious ActiveX controls to be used in a Microsoft Office document that hosts the browser rendering engine. They would then target victims by tricking them into opening these files. This has been fixed as part of 66 updates to core Microsoft products, and 20 updates to the Chromium-based Edge browser.

Microsoft has patched this flaw alongside a string of vulnerabilities across Microsoft products, including several fixes for the beleaguered Print Spooler component in Windows. One of these updates is for a remote code execution flaw tracked as CVE-2021-36958, which was disclosed on 11 August.

‘OMIGOD’ flaws render Azure users vulnerable to attack

Also featured in this month's Patch Tuesday were fixes for four vulnerabilities involving the Open Management Infrastructure software agent, used across Microsoft Azure services.

Tracked as CVE-2021-38647, CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649, these critical flaws allow attackers to remotely execute arbitrary code within a network with a single request. The flaws are easy to exploit, according to the security firm Wiz, with a vast swathe of public cloud users affected.

OMIGOD impacts a number of Azure services, including Azure Log Analytics, Azure Diagnostics, and Azure Security Center, because Microsoft uses OMI as a common component for many of its management services for virtual machines (VMs).

Users are advised to apply the latest patches as soon as possible.

HP Omen machines embedded with driver flaw

SentinelLabs researchers have discovered a flaw in HP Omen gaming devices that could equip attackers with the tools to escalate user privileges and seize control of a machine.

The now-patched flaw, tracked as CVE-2021-3437, is embedded in the HP Omen Gaming Hub, previously known as HP Omen Command Center. This software includes tools to control performance-related settings such as fan speeds, CPU overclocking, and memory configuration.

Unpatched systems are vulnerable because the Gaming Hub uses an open source driver, embedded with this flaw, that could allow cyber criminals to achieve privilege escalation without requiring admin rights. Abusing the vulnerability could let attackers disable security products, overwrite system components, corrupt the operating system or perform other malicious actions.

Apple plugs ForcedEntry hole exploited by NSO Group

The zero-day vulnerability infamously exploited by the spyware developer NSO Group has been fixed in iOS, iPadOS, watchOS, and macOS as part of Apple’s latest security updates.

Dubbed ForcedEntry, the exploit targets the vulnerability tracked as CVE-2021-30860 and allows hackers to take over victims' systems, according to Citizen Lab. The flaw, which centres on Apple’s image rendering library, allows NSO Group customers to send malicious PDF files to a victim’s device through iMessage in a zero-click attack. It was used to target Bahraini activists between February and July 2021.

It was developed to successfully bypass an in-built security feature known as BlastDoor, which itself was introduced to address a flaw known as Kismet.

Microsoft has issued a fix for an actively exploited zero-day vulnerability embedded in the browser engine that powers legacy Internet Explorer as part of its latest wave of Patch Tuesday updates.

Users are being urged to apply the patch for the vulnerability tracked as CVE-2021-40444, which has been exploited in limited, targeted attacks prior to being disclosed last week.

This flaw, rated 8.8 out of ten on the CVSS threat severity scale, is a remote code execution flaw embedded in the MSHTML browser engine that powers Internet Explorer. It allows hackers to craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser engine, which they then trick victims into opening.

Researchers with EXPMON and Mandiant first detected the vulnerability before reporting this to Microsoft, with the former labelling the exploit as “a highly sophisticated zero-day attack”. They added that the exploit uses “logical flaws” so abusing the vulnerability is perfectly reliable and dangerous.

This vulnerability has been fixed alongside 66 bugs in core Microsoft products and 20 flaws in the Chromium-based Edge browser as part of September’s Patch Tuesday round of fixes. The products affected this month include Azure, Office, SharePoint Server, Windows, Windows DNS and the Windows Subsystem for Linux.

Of the vulnerabilities highlighted in this month’s round of updates is yet more fixes for flaws in the Print Spooler component, which gave Windows users and IT admins several headaches earlier in the year.

The latest flaws - tracked as CVE-2021-38671, CVE-2021-38667 and CVE-2021-40447 - are all elevation of privilege flaws and haven’t been exploited in the wild, unlike many previous Print Spooler vulnerabilities. They have, however, all been assigned a rating of 7.8 out of ten on the CVSS threat severity scale.

They’ve also come alongside an update for the remote code execution flaw in Print Spooler tracked as CVE-2021-36958, which was first disclosed on 11 August. This vulnerability was first discovered in December 2020, and allows an attacker to run arbitrary code on targeted machines with system-level privileges. This then lets them install programmes as well as view and edit data. Microsoft said last month that a functional exploit code was available, but that there were no signs it was being abused.

This round of Patch Tuesday updates dwarfs the 44 fixes released in August, although Microsoft generally tends to patch far more in any given month. For instance, the July wave of updates, for example, included patches for 117 separate vulnerabilities in Microsoft products.

Apple has issued a fix for a vulnerability in iOS, iPadOS, watchOS and macOS that paved the way for the spyware company NSO Group to develop and market a zero-click exploit to national government clients.

The ForcedEntry exploit, which targets the vulnerability tracked as CVE-2021-30860, centres on Apple’s image rendering library and effectively bypasses the in-built Apple security feature known as BlastDoor.

NSO Group had deployed the zero-click exploit to the Bahraini government, only for the client to target Bahraini activists between February and July 2021, according to Citizen Lab, which discovered the vulnerability.

Hackers had been able to exploit CVE-2021-30860 by sending a malicious iMessage that required no user interaction in order to compromise its victim.

This exploit is really similar in nature to another flaw the NSO Group had weaponised, known as Kismet, which was also used to target Bahraini activists.

Apple, however, has now issued patches for both this flaw and a WebKit vulnerability tracked as CVE-2021-30858 that’s also been exploited in the wild. This latter is a use after free issue that was addressed with improved memory management.

“Despite promising their customers the utmost secrecy and confidentiality, NSO Group’s business model contains the seeds of their ongoing unmasking,” a team of Citizen Lab researchers said.

“Selling technology to governments that will use the technology recklessly in violation of international human rights law ultimately facilitates discovery of the spyware by investigatory watchdog organizations, as we and others have shown on multiple prior occasions, and as was the case again here.”

Kismet was actually never acknowledged as a vulnerability in Apple’s systems, with Citizen Lab suggesting the underlying flaw, if it still exists, was rendered obsolete by the BlastDoor mitigation introduced with iOS 14. This tool sandboxes incoming iMessages to protect users from malicious texts.

It’s likely for this reason that NSO Group developed the ForcedEntry exploit, to circumvent Apple’s additional layer of protection.

The organisation has gained notoriety for its spyware tools, having previously developed the Pegasus spyware that was eventually used to target journalists and activists through a WhatsApp vulnerability.

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Atlassian Confluence is under attack

US officials have warned businesses that a vulnerability in the Atlassian Confluence workplace collaboration platform is being exploited on a massive scale.

Although Atlassian has issued a patch for the critical flaw tracked as CVE-2021-26084, researchers have detected mass scanning and exploit activity from hackers in a number of regions, including China and Brazil. Atlassian hasn’t revealed the exploit mechanism, although it’s described the flaw as a Confluence Server Websork OGNL injection.

The bug, rated 9.8 out of ten on the CVSS threat severity scale, lies in the Atlassian Confluence Server and Confluence Data Center products and can allow an unauthorised attacker to execute arbitrary code on either. Confluence Cloud, which is hosted on public cloud environments, isn’t affected.

Microsoft users targeted with malicious Office files

Hackers are exploiting a vulnerability in the browser engine that powers Internet Explorer to target Windows users with malicious Microsoft Office documents.

The flaw, tracked as CVE-2021-40444, is a remote code execution zero-day embedded in MSHTML, an engine also known as Trident, and is rated 8.8 out of ten on the CVSS threat severity scale. This bug is under limited and targeted exploitation, according to the firm.

Exploitation involves an attacker crafting a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. These are small programmes for Internet Explorer and other Windows apps used to add more functionality to the core software. Once an attacker’s written the malicious ActiveX control, they would then need to convince a victim to open the malicious file.

HAProxy susceptible to HTTP request smuggling attacks

A critical flaw in HAProxy, a widely-used open source load balancer and proxy server, can be exploited to smuggle HTTP requests. This might lead to hackers accessing sensitive data and launching a variety of attacks, according to researchers with JFrog Security.

This integer overflow vulnerability, tracked as CVE-2021-40346, exists in HAProxy 2.0 through 2.5 in the htx_add_header() component and can allow an attacker to tamper with the way a site processes a sequence of HTTP requests. This abuses parsing inconsistencies between how front-end and band-end servers process the HTTP requests.

The consequences of a successful attack include gaining access to sensitive data, executing unauthorised commands or modifying data, hijacking user sessions, and exploiting a reflected cross-site scripting (XSS) vulnerability without user interaction.

CISA warns that Zoho ManageEngine is being targeted

The US cybersecurity and infrastructure agency (CISA) has revealed that a zero-day flaw affecting Zoho ManageEngine ADSelfService Plus is being exploited in the wild.

ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) system for Active Directory and cloud applications that allows IT admins to enforce two-factor authentication (2FA) across their systems.

Tracked as CVE-2021-40539, this vulnerability is described as an authentication bypass flaw that can lead to remote code execution. Zoho has described it as a “critical issue”, given that it allows attackers to gain unauthorised access to the product through REST API endpoints by sending a specially crafted request.

Customers can protect themselves against attacks by updating ADSelfService Plus to the latest build, 6114.

Microsoft has warned that cyber criminals are exploiting an Internet Explorer flaw to target victims with specially-crafted Microsoft Office documents.

The vulnerability tracked as CVE-2021-40444 is a remote code execution zero-day embedded in MSHTML, also known as the browser engine Trident that powers the now-retired Windows version of Internet Explorer.

It’s rated 8.8 out of ten on the CVSS scale and is under limited and targeted exploitation, according to a security alert released by the company.

Exploitation involves an attacker crafting a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.

ActiveX controls are small programmes, or add-ons, for Internet Explorer and other Windows applications used to build out feature sets and add more functionality.

Once the attacker has written the malicious ActiveX control, to successfully exploit this flaw they would need to convince a user to open the malicious file.

The vulnerability was first detected by Mandiant and EXPMON, with Microsoft refraining to disclose additional exploitation details as well as the identity of the victims exploited by the limited, targeted attacks.

EXPMON has described the exploit as “a highly sophisticated zero-day attack”, and has recommended that Microsoft Office users don’t open any files unless they trust the source.

The firm has reproduced the attack on the latest Office 2019 and Office 365 suites on Windows 10. The researchers also said this exploit uses “logical flaws” so the exploitation is perfectly reliable and dangerous.

Users whose accounts are configured to have fewer user rights on the system won’t be as badly affected as those who retain administrative privileges, however.

There are a couple of additional mitigations that Microsoft has advised users could prevent exploitation, including opening all documents from the internet in Protected View or through Application Guard. Both of these methods will prevent the current attack.

The firm has also recommended that users disable the installation of all ActiveX controls in Internet Explorer. This can be accomplished for all sites by updating the registry. Previously installed ActiveX controls will continue to run, but these don’t expose this vulnerability.

Users need to take care, though, as using the Registry Editor incorrectly might lead to serious problems that require users to reinstall their operating systems.

Hackers are exploiting a vulnerability in the on-premise Atlassian Confluence workplace collaboration platform on a massive scale, with businesses urged to patch their systems without delay.

US Cyber Command issued a public notice just before the weekend warning that mass exploitation of the remote code execution flaw tracked as CVE-2021-26084 is “ongoing and expected to accelerate”.

“Please patch immediately if you haven’t already,” the notice added. “This cannot wait until after the weekend.”

Confluence is a workplace collaboration platform that allows teams to work together remotely on projects or ideas.

The vulnerability, which is embedded in the Atlassian Confluence Server and Confluence Data Center products, can allow an unauthorised attacker to execute arbitrary code on either of the affected platforms.

Confluence Cloud, which is hosted on public cloud environments, isn’t affected by the flaw. Rather, the on-premises versions of the product are those susceptible to exploitation.

It’s rated 9.8 on the CVSS threat severity scale out of ten, suggesting it’s highly exploitable. The firm had never publicly revealed the precise exploit mechanisms, though, beyond describing the flaw as a Confluence Server Webwork OGNL injection. This was presumably to avoid fuelling any future attacks before businesses had a chance to apply the fix.

Atlassian disclosed this vulnerability a couple of weeks ago and urged businesses to patch their systems at the time. However, cyber criminals from around the world have since been detected as scanning for vulnerable systems and launching attacks.

The threat intelligence firm Bad Packets, for example, detected mass scanning and exploit activity from hosts in a number of regions including China and Brazil earlier last week.

Atlassian previously addressed a serious vulnerability in its system that could allow hackers to compromise user accounts, and control several apps that users can access seamlessly through a single sign-on (SSO) feature.

This latest vulnerability in Confluence is just one of many serious vulnerabilities that have been exploited during 2021, with the rate of successfully abused zero-days surging over the last few months.

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Microsoft Exchange Server vulnerable to information disclosure bug

A now-patched flaw in Microsoft Exchange Server could be exploited by unauthenticated users to perform configuration actions on targeted mailboxes and leak personal data.

The vulnerability, tracked as CVE-2021-33766 and dubbed ProxyToken, lies in the platform's Delegated Authentication feature. This is a mechanism in which the front-end site passes authentication requests to the back-end system when it detects a SecurityToken cookie.

Because Microsoft Exchange must be configured to use this feature, the module that handles this often isn’t loaded, and attackers might take advantage of an effective bypass of the authentication check. This can be abused to disclose personal information, with an attacker, for example, able to copy all email addresses on a targeted account and forward these to an account they control.

Hackers exploit WebSVN flaw to launch malware

Cyber criminals are abusing a flaw in the open source web application for browsing source code, WebSVN, to deploy variants of the Mirai malware.

The critical command injection flaw tracked as CVE-2021-32305, discovered and patched earlier this year, is still being abused in unpatched versions of the application, according to researchers with Palo Alto Networks.

A proof-of-concept for exploitation was released in June, and a week later, cyber criminals seized on the vulnerability to deploy variants of the infamous Mirai distributed denial of service (DDoS) malware.

Hackers have abused this command injection flaw to download a shell script that infects a targeted system with the malware strain. From this point, they’ve used the initial attack as a platform from which to launch DDoS attacks.

AMD chips vulnerable to Meltdown-style attacks

All CPUs developed by AMD are susceptible to attacks that mirror the infamous Meltdown vulnerability identified a number of years ago that affected Intel CPUs.

Researchers at TU Dresden in Germany discovered a flaw tracked as CVE-2020-1296, which is described as “transient execution of non-canonical accesses”. When combined with specific software sequences, AMD CPUs "may transiently execute non-canonical loads and store using only the lower 48 address bits potentially resulting in data leakage”, according to the comapny.

The scientists who discovered the flaw also described the exploit mechanism as “very similar to Meltdown-type behaviour”.

This data leakage flaw can be exploited to access secrets stored on a computer, with all AMD CPUs affected.

‘Worst possible cloud flaw’ hits Microsoft Azure Cosmos DB

Microsoft has warned thousands of its Azure customers that hackers might have compromised their databases.

The vulnerability lies in Microsoft’s Azure Cosmos DB and allows intruders to read, alter, and delete information, according to the security researchers with Wiz.

Companies use Cosmos DB to manage massive amounts of data in real-time. The exploit, dubbed ChaosDB, was described as “the world cloud vulnerability you can imagine” with the researchers able to gain access to any customer database they wanted.

The ChaosDB exploit relies on the Jupyter Notebook feature that allows customers to visualise their data and create customised views, which was introduced to all Cosmos DBs in February. A series of misconfigurations means this feature opened up an attack vector that the researchers were able to exploit. Microsoft has turned off the feature for all accounts, and it’s now subject to a security redesign.

A now-patched vulnerability in Microsoft Exchange Server, dubbed ProxyToken, could be abused by an unauthenticated attacker to perform configuration actions on targeted mailboxes.

This latest flaw in the beleaguered platform is tracked as CVE-2021-33766 and is rated 7.3 out of ten on the threat severity scale, and might give rise to the disclosure of personal information if abused.

A hypothetical example of exploitation, according to researchers with the Zero Day Initiative, could lead to an attacker copying all email addresses on a targeted account and forwarding them to an account controlled by the attacker.

The flaw lies in the Delegated Authentication feature, a mechanism in which the front-end site passes authentication requests to the back-end system when it detects the presence of a SecurityToken cookie.

Because Microsoft Exchange needs to be specifically configured to use the feature and have the backend carry out checks, the module that handles this delegation isn’t loaded under a default configuration.

This leads to a bypass as the back-end fails to authenticate incoming requests based on the SecurityToken cookie. The back-end will be completely unaware that it needs to authenticate incoming requests, which means requests can sail through without being subject to authentication on either the front or back-end systems.

Microsoft patched this vulnerability as part of its Patch Tuesday round of fixes for July, with no evidence so far that hackers have exploited it.

Businesses will be put on high alert in light of the existence of another Microsoft Exchange Server flaw, however, following the supply-chain attack earlier in the year.

Hackers linked with the Chinese state exploited four flaws in the platform to launch a series of attacks against potentially hundreds of thousands of victims in March, according to security researchers.

The incident was one of many similar supply-chain attacks during 2021, including the infamous SolarWinds hack towards the end of last year.

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Chain-split flaw found in the Ethereum project

The maintainers of the Ethereum blockchain project are urging Go developers who are using “go-ethereum”, also known as Geth, to apply a fix to a severe vulnerability that can cause corruption in the service.

Geth is the official Golang implementation of the Ethereum protocol. It’s currently embedded with a flaw tracked as CVE-2021-39137 that can undermine the integrity of the blockchain and potentially lead to a massive outage.

The exact attack mechanism hasn’t yet been disclosed so node operators and downstream projects have enough time to apply the update, according to Ethereum’s team lead, Péter Szilágyi. However, generally speaking, the bug can cause a chain split, meaning vulnerable Geth instances would reject canonical chains.

Razer flaw allows Windows takeover through a mouse

A security researcher has discovered a flaw that lets anyone with Razer peripherals like a USB mouse gain administrative rights on a Windows machine.

The researcher, known as Jonhat, outlined on Twitter how plugging in a Razer USB peripheral lets users gain admin privileges. This is because of a quirk in the Windows Update tool that installs and runs the Razer Synapse software as a system-level user, by default.

During the installation process, the installer asks the user to choose a directory to install Synapse. Due to the fact it’s run as a system-level user, anyone can press Shift and right-click an empty area to open PowerShell with full admin privileges. Razer later contacted the researcher and said its security team is working on a fix as soon as possible.

Cisco patches critical flaw in APIC interface for switches

Cisco has issued a patch to fix a critical security flaw embedded in the Application Policy Infrastructure Controller (APIC) interface used in its Nexus 9000 Series switches.

APIC is a centralised controller that automates network provisioning and control based on application requirements and policies.

Tracked as CVE-2021-1577 and rated 9.1 out of ten on the CVSS threat severity scale, the bug is due to improper access control, which can allow a remote attacker to upload files. The flaw can be potentially abused to read or write arbitrary files onto a vulnerable system.

Atlassian warns of a critical Confluence flaw

Atlassian has disclosed a vulnerability in its Confluence Server and Confluence Data Center products that can allow an unauthenticated attacker to execute arbitrary code on either of the affected platforms.

Confluence is a workplace collaboration platform that allows a team to work together remotely on projects or ideas. Confluence Cloud, which is hosted on the public cloud, isn’t affected by the flaw, rather, it’s the on-premises versions of the product that are susceptible to exploitation.

The flaw is tracked as CVE-2021-26084 and is rated 9.8 out of ten on the CVSS threat severity scale. Atlassian hasn’t revealed precise exploit mechanisms, beyond describing the vulnerability as a Confluence Server Webwork OGNL injection.

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Blackberry ‘attempted to hide’ QNX flaws

Vulnerabilities in Blackberry’s QNX operating system (OS), known as BadAlloc, were allegedly kept secret for months, according to Politico. Tracked as CVE-2021-22516, they were only disclosed this week after having first been discovered four months ago. Two people speaking to the publication said that company had initially denied that BadAlloc affected its products at all, when speaking to cyber security officials, and later resisted making a public announcement.

The BadAlloc flaws are embedded in pre-2012 versions of the QNX Real Time Operating System (RTOS), still used by hundreds of millions of internet-enabled products. The list of affected products include cars made by Volkswagen and Ford, heavy machinery and hospital equipment, among other kinds of devices.

Hackers could exploit the flaw to trigger a denial of service (DoS) condition in the affected products or even gain control of highly sensitive systems by executing arbitrary code, according to the US Computer Emergency Readiness Team (US-CERT). Patches are now available for BadAlloc.

Cisco won’t patch critical VPN flaw

Cisco has said that it won’t patch a critical vulnerability in the universal plug-and-play (UPnP) service of several small business virtual private network (VPN) routers because these systems have reached end-of-life.

The zero-day vulnerability, tracked as CVE-2021-34730, is rated a near-maximum 9.8 out of ten on the CVSS threat severity scoring system, suggesting it’s highly exploitable and the effects are particularly severe.

Attackers can exploit the flaw to restart vulnerable devices or execute arbitrary code remotely, posing as the root user on the underlying operating system. The devices affected are the RV110W, RV130, RV130W and RV215W routers.

Because these devices are no longer supported, however, Cisco hasn’t released software updates that address the flaw, nor are there any workarounds that address it.

Microsoft discloses another Windows Print Spooler flaw

Microsoft recently published a security notice this week detailing yet another Print Spooler vulnerability, the latest in a string of flaws found in the Windows component throughout 2021.

Although the bug, tracked as CVE-2021-36958, was only disclosed this month, it was first discovered by researchers in December 2020, well before the controversies surrounding the PrintNightmare bug emerged.

An attacker who successfully exploits the flaw can run arbitrary code with system-level privileges, which would then allow them to install programmes as well as view, change or delete data. Hackers can also create new accounts with full user rights.

Although there are no indications the flaw has been exploited, Microsoft said that a functional exploit code is available.

Fortinet hits out at Rapid7 after firewall bug is disclosed early

After Rapid7 detailed a flaw in the operating system of Fortinet’s FortiWeb web application firewall, the firm publicly called out the researchers for disclosing the bug before the 90-day disclosure window had elapsed.

FortiWeb is designed to catch both known and unknown exploits targeting protected web applications. An OS command injection flaw in the management interface, tracked as CVE-2021-22123, can allow remote attackers to execute arbitrary commands on the system through the SAML server configuration page.

Following disclosure, Fortinet criticised Rapid7 for violating the terms of their disclosure agreement, according to ZDNet, with the bug revealed before they had an opportunity to develop a patch. Rapid7, however, said it contacted Fortinet several times to work on the issue but didn’t get a response, so followed its own disclosure policy.

Fortinet says version 6.4.1 of FortiWeb, which includes a fix, will be released by the end of August.

You’re unlikely to find a better precis of the ongoing cyber security struggle than DIVD researcher Victor Gevers' comments on how Kaseya handled its recent cyber attack: “They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

Thousands of vulnerabilities are discovered each year, but hackers are only able to exploit a sliver of these. When these efforts are successful, however, the consequences are often devastating.

Hundreds of thousands of businesses are still reeling from the Microsoft Exchange Server and SolarWinds Orion Platform hacks, for instance. While some attacks are opportunistic, and rely on businesses failing to apply patches, many occur because hackers unearth and exploit previously unknown vulnerabilities. The number of zero-day attacks in 2021 has seen a frightening surge, with 37 recorded as of 2 August.

This is a record-breaking year for zero-day exploits

Data compiled by Google’s Project Zero, since it was founded in July 2014, reveals that 2021 is the biggest year on record for ‘in the wild’ zero-day exploits. It’s important to note that while there have been fewer vulnerabilities detected overall so far in 2021, as shown on the second tab, there have been far more exploits than in previous years.

Between 2015 and 2020, the count remained stable, with a dip to 12 in 2018 serving as an outlier. As of 3 May, however, the industry detected more exploits in 2021 than the entirety of last year, with the total count surging to 37 based on the latest data. While there are certainly more vulnerabilities reported than ever before, according to the crowd-sourced vulnerability database, VulDB, we can see there’s no real correlation between total vulnerabilities and in-the-wild exploits.

So what’s so special about 2021? One reason Project Zero researchers Maddie Stone and Clement Lecigne offer is better detection and disclosure policies. Both Apple and Android, for instance, recently began annotating flaws in security bulletins to include notes if there’s evidence a vulnerability may have been exploited. When vendors don’t include such notes, the only way we can learn of successful exploits is if the researchers who detect them publish this information themselves.

The growth of mobile platforms has led to more systems that hackers are capable of targeting

There’s also a possibility that attackers are relying more on zero-day exploits as security and patching policies tighten up. “The increase and maturation of security technologies and features mean that the same capability requires more [zero-day] vulnerabilities for the functional chains,” Stone and Lecigne write. “For example, as the Android application sandbox has been further locked down by limiting what syscalls an application can call, an additional [zero-day] is necessary to escape the sandbox.”

The growth of mobile platforms has also led to an increase in the number of products that hackers want capabilities for. There are also more commercial entities selling access to zero-days than in the 2010s, such as the recently exposed Candiru, which built a tool that exploited two Microsoft zero-days. Finally, with security postures maturing, attackers need to rely on zero-day exploits rather than less sophisticated means, such as convincing people to install malware. “Due to advancements in security, these actors now more often have to use [zero-day] exploits to accomplish their goals,” the researchers add.

Exploits are surging, but they’re less severe

As for measuring the impact these attacks have, we can see a decline in the severity of the consequences of exploitation. Irrespective of the number of detections, severity, measured by the common vulnerability scoring system (CVSS), has declined, despite an onslaught of headlines highlighting devastating attacks throughout 2021.

CVSS is a standardised metric the security industry uses to determine how dangerous any vulnerability is, using several factors to generate a score out of ten. The three main factors taken into account are the scope of an attack, what outcome any exploitation is likely to have, and how difficult an attack might be to execute.

Analysing the CVSS metric assigned to all 180 flaws exploited in the wild since July 2014, and plotting a rolling average of the last five exploited zero-days, we can see the severity of abused flaws is in a state of decline. This is also reflected in the average CVSS score of vulnerabilities exploited per calendar year.

This could be explained by the notion that software development, on the whole, is in a much healthier place than ever before. As Gartner’s research vice president for network security, Laurence Orans puts it, coding is better and the software development process has been strengthened over the last several years. Analysis of the severity of all vulnerabilities by VulDB shows this is true, but only to an extent. There has indeed been a steady decline in the severity of all vulnerabilities between 2016 and 2021, but it’s far less pronounced than the decline in the severity of exploits detected in the wild.

Jake Moore, a cyber security specialist with ESET, meanwhile, tells IT Pro this data suggstes security teams are slowly clawing back control over what has previously been considered a Wild West of the digital landscape. “Cyber security can’t be won overnight and it can even take years to minimise the lead cyber criminals have,” he says. “A multi-agency approach on tackling cybercrime with better staff awareness programs all help towards the end goal of reducing the impact of a cyber attack – but this takes time. Cyber criminals are always sharpening their tools and honing their craft, but let’s not forget the huge amount of work we are all doing to protect against these attacks. Over time, I would suggest this trend will continue until it reaches a plateauing score that delivers strong attacks, but where the majority of organisations are able to withstand the most common or even most severe.”

Microsoft is the most targeted vendor

Hackers have exploited more Microsoft flaws in the wild than they’ve targeted vulnerabilities in products developed by all other vendors combined, with 52% of the 180 exploited flaws embedded in Microsoft software. The next most-targeted vendor is Adobe, with 27 flaws.

A further breakdown shows that Windows is the most targeted product, with 43 zero-day exploit detections, followed by Internet Explorer (21) and Microsoft Office (13). There are a further eight flaws that fall under the Windows Kernel category. It chimes with findings by Recorded Future, published in February, which showed seven of the top 10 most commonly exploited flaws during 2020 were found in Microsoft products. This is in line with the previous year’s figures of eight in ten.

Moore says this is a phenomenon that mirrors the urban myth that Mac systems didn’t get computer viruses. Mac, he explains, has always had vulnerabilities, but cyber criminals target the masses and aim for what will be the most lucrative avenue. “The majority of businesses have used Windows for years,” he says. “It’s far more lucrative to target the mainstream operating system; a fact that remains the same today. This doesn’t necessarily make Microsoft products more vulnerable, it’s simply why they are targeted.”

Hackers will be extremely likely to attempt to exploit Microsoft's next OS when it's released in 2022

Orans agrees, suggesting the payoff in targeting Microsoft software, and Windows systems in particular, is much greater. “Because Microsoft, and Windows, are so pervasive, your chances of success are greater,” he says. “If you go after Linux systems, you get a smaller target. If you go after Apple, there’s a smaller target. The install base of Microsoft is greater than the other software vendors, whether it’s Apple or the Linux machines out there. The target is larger if you go after Microsoft.”

Memory remains the exploitation vehicle of choice

By some distance, memory issues tend to be at the heart of most zero-day exploits detected, with 127 of the 180 flaws tracked relating to memory corruption.

This parallels research Microsoft published in 2019, which revealed roughly 70% of all vulnerabilities it addresses are related to memory safety. These comprise buffer overflow, race condition, page fault, null pointer, stack exhaustion, heap exhaustion/corruption, use-after-free, and double-free bugs. They occur when software, accidentally or intentionally accesses system memory in a way that exceeds its allocated size and memory addresses.

Notably, it’s a statistic that’s hardly ever dropped over the last decade, Moore says, and is often because memory is a core functionality of a computer, storing vital and sensitive data, such as password information. “Windows was mostly written in C+ or C++, which are generally weaker memory programming languages,” he explains. “If there is a mistake in the code by a developer, a malicious actor could easily take advantage of this and target the host computer. Attackers target the weakest link and if the programming language of the memory itself remains the easiest point of entry, then we are going to see this attack vector continue to be targeted.”

Could more zero-day exploits be a good thing?

You might be forgiven for believing the security industry is losing the fight, given a series of massive cyber attacks that took place towards the end of 2020 and in the first half of 2021. It’s also particularly demoralising that REvil exploited one of these – the Kaseya VSA vulnerabilities – just days before the vendor was due to plug these holes.

Project Zero researchers Stone and Lecigne, however, suggest the recent surge in detections might actually serve as evidence that the security industry holds the upper hand. Attackers needing more [zero-day] exploits to maintain their capabilities is a good thing – and it reflects increased cost to the attackers from security measures that close known vulnerabilities,” they write. There’s a caveat, however, that the increasing demand for such capabilities, and the new commercial ecosystem, represents a fresh challenge for the security industry.

The Pegasus spyware, published by NSO Group, exemplifies this expanding commercial ecosystem

“Meanwhile,” they add, “improvements in detection and a growing culture of disclosure likely contribute to the significant uptick in [zero-days] detected in 2021 compared to 2020, but reflect more positive trends.

“Those of us working on protecting users from [zero-day] attacks have long suspected that overall, the industry detects only a small percentage of the zero-days actually being used. Increasing our detection of zero-day exploits is a good thing – it allows us to get those vulnerabilities fixed and protect users, and gives us a fuller picture of the exploitation that is actually happening so we can make more informed decisions on how to prevent and fight it.”

Moore echoes these sentiments, suggesting that hackers have always relied on zero-days as the best way to exploit a system, and the number of detections could quite possibly be irrelevant. “What is important is the amount of resources, time, and money that are invested in cyber security, which is improving overall,” he says. “We aren’t losing the fight in infosecurity, and defences are getting better. This helps force decision-makers become more aware and increase protection against more sophisticated attacks.”

The Five Eyes alliance has once again revealed its annual list of the most routinely exploited security vulnerabilities, with Log4Shell among the most abused weaknesses of the year.

The intelligence alliance comprising the UK, US, Australia, Canada, and New Zealand revealed that the most exploited security weaknesses affected a range of products across both public and private sectors.

Internet-facing systems such as email and virtual private networks (VPNs) were targeted particularly heavily, with threat actors routinely exploiting publicly-known and unpatched years-old vulnerabilities.

Flaws in Microsoft Exchange also dominated the list with three vulnerabilities culminating in the ProxyShell weakness, four vulnerabilities culminating in the ProxyLogon weakness, and the ZeroLogon vulnerability all featuring on the top 15 list.

The advisories are published annually and are intended to provide organisations with the information needed to effectively prioritise their mitigation strategies.

“The NCSC and our allies are committed to raising awareness of vulnerabilities and presenting actionable solutions to mitigate them, “ said Lindy Cameron, CEO at NCSC. “This advisory places the power in the hands of network defenders to fix the most common cyber weaknesses in the public and private sector ecosystem.”

“Working with our international partners, we will continue to raise awareness of the threats posed by those who seek to harm us.”

Three of the top 15 vulnerabilities were also included in last year’s top 15, indicating that organisations are failing to patch publicly known, dangerous security weaknesses.

Five Eyes also said in its joint advisory that proof-of-concept code was typically published within two weeks of the public disclosure of the top vulnerabilities. Such quick distribution of exploitation methodology facilitated a broader range of threat actors to capitalise on the weakness, it said.

Patch now: The 30 most-exploited security vulnerabilities

Log4Shell - CVE-2021-44228 - many systems: A flaw in an Apache Java library that can be found in most organisations’ environments around the world. It has been given a 10/10 severity score and a litany of exploit attempts have been made since its December discovery.

ProxyShell - CVE-2021-34523, CVE-2021-34473, CVE-2021-31207: Microsoft Exchange Server: A privilege escalation flaw that could lead to code execution with a 9.8 severity rating, the ProxyShell vulnerability required a three-vulnerability attack chain in order to exploit and led to a score of different attacks, including some by nation-state actors.

ProxyLogon - CVE-2021-27065, CVE-2021-26858, CVE-2021-26857, CVE-2021-26855 - Microsoft Exchange Server: ProxyLogon was another serious flaw with a multiple-vulnerability attack chain. Like ProxyShell, it was used to launch an array of attacks throughout 2021 including ransomware and other malware such as SquirrelWaffle. ProxyLogon allowed attacker to execute arbitrary code remotely with little technical expertise, according to Microsoft’ advisories.

Zoho - CVE-2021-40539 - ManageEngine ADSelfService Plus: An authentication bypass flaw in Zoho’s password management and single sign-on (SSO) product that could lead to the discovery of domain accounts and the archiving of files.

Atlassian - CVE-2021-26084 - Confluence Server and Data Center: A 9.8-rated code execution flaw which 'massively' exploited in 2021.

VMware - CVE-2021-21972 - vSphere Client, ESXi: A remote code execution vulnerability exists in a VMware vCenter Server plugin that was given a 9.8 severity rating.

Microsoft - CVE-2020-0688 - Microsoft Exchange: A remote code execution vulnerability was found in the Microsoft Exchange software and can be exploited when the application fails to properly handle objects in memory.

ZeroLogon - CVE-2020-1472 - Netlogon Remote Protocol: This elevation of privilege vulnerability exists when a hacker establishes a vulnerable Netlogon secure channel connection to a domain controller. Attackers who exploit the flaw can run a specially crafted application on a device on the network.

Ivanti - CVE 2019-11510 - Pulse Connect Secure: Hackers exploited the popular SSL VPN platform used by large organisations and governments to gain access to vulnerable networks. The flaw was even used in Sodinokibi ransomware attacks.

Fortinet - CVE 2018-13379 - FortiOS: A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.

Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104 - File Transfer Appliance (FTA): In February last year, Accellion patched four flaws in its FTA tool after detecting that fewer than customers were targeted earlier in the year. Cyber security agencies around the world later warned, however, that hackers had continued to exploit the vulnerabilities to target multiple layers of government in the US.

VMware - CVE-2021-21985 - vCenter Server: VMware warned customers in May this year that ransomware gangs were primed to exploit vulnerabilities in the vSphere Client to launch attacks. The flaw involves a lack of input validation in the Virtual SAN Health Check plugin, which is enabled by default in the system.

Ivanti - CVE-2021-22893 - Pulse Secure: At least two major hacking groups deployed a dozen malware families to exploit flaws in Pulse Connect Secure’s suite of VPNs to spy on the US defence sector in 2021. The NCSC issued guidance for businesses in May 2021 to update their Pulse Connect Secure systems to version 9.1R.11.4.

Citrix - CVE-2019-19781 - various products: Several organisations were targeted in early January through a flaw in Application Delivery Controller (ADC), Citrix Gateway and Citrix SD-WAN that allowed hackers to perform arbitrary code execution on a network.

Telerik - CVE 2019-18935 - Telerik UI for ASP.NET AJAX: Hackers have been exploiting an RCE flaw in this widely used suite of UI components for web applications since December 2019. The vulnerability insecurely deserialises JSON objects in a way that results in RCE of the software’s underlying host.

Microsoft - CVE-2017-11882 - Microsoft Office: Discovered in 2017, this is an RCEbug that exists when the software fails to properly handle objects in memory. If a user is logged in with admin rights, an attacker could take control of the affected system.

Sitecore - CVE-2021-42237 - Sitecore XP: A small number of specific software releases were vulnerable to an insecure deserialisation attack through which an attacker could achieve RCE with no authentication.

ForgeRock - ​​CVE-2021-35464 - ForgeRock AM Server: A Java deserilisation vulnerability was found in the jato.pageSession parameter that could lead to unauthenticated RCE by sending a specially crafted request to the server.

SonicWall - CVE-2021-20038 - various products: SonicWall published a string of patches for vulnerabilities affecting Secure Mobile Access products with this one in particular, an unauthenticated RCE flaw caused by a stack-based buffer overflow, being the most severe of the lot with a score of 9.8.

Microsoft - CVE-2021-40444 - MSHTML: An RCE in Microsoft’s old browser engine, used in the Internet Explorer days, was targeted using specially crafted Office documents. Attackers achieved RCE if they could convince the user to open the malicious document.

Microsoft - CVE-2021-34527 - Windows Print Spooler: Attackers could run arbitrary code with system-level privileges if this vulnerability was exploited. The vulnerability occurred with the Windows Print Spooler service improperly performed privileged file operations.

Linux - CVE-2021-3156 - sudo, various products: The sudo program in Linux, which allows users to run applications with the security privileges of another user, was fund to have a heap-based buffer overflow flaw that could lead to privilege escalation.

Checkbox Survey - CVE-2021-27852 - Checkbox Survey: This severe (9.8/10) vulnerability found in CheckboxWeb.dll allowed an unauthenticated attacker to execute code on a victim’s machine from anywhere in the world. This issue affected all version of Checkbox Survey prior to version 7.

SonicWall - CVE-2021-20016 - SSLVPN SMA100: An unauthenticated remote attacker could exploit this vulnerability by performing a special SQL query in order to access login credentials and other session-related information.

Microsoft - CVE-2021-1675 - Windows Print Spooler: An RCE was found that allowed an attacker to execute arbitrary code by exploiting a flaw in the way the component failed to restrict access to certain functionality.

QNAP - CVE-2020-2509 - QTS and QTS Hero: A 9.8-rated vulnerability, it allowed attackers to execute arbitrary commands in a compromised application.

Cisco - CVE-2018-0171 - IOS and IOS XE: Around 250,000 Cisco network switches running either IOS or IOS XE software were vulnerable to an attack that could lead to RCE or the triggering of a denial-of-service condition.

Microsoft - CVE-2017-0199 - various products: The high-complexity vulnerability could have led to RCE due to the way Office and WordPad parse specially crafted files. Successful exploitation could lead to an attacker taking full control of a system.

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Any user can gain admin rights on Windows

A local elevation of privilege flaw is embedded in Windows 11 and Windows 10 that can allow users with low privileges to access sensitive Registry database files, according to BleepingComputer.

Researcher Jonas Lykkegaard discovered that Windows Registry files associated with the Security Account Manager (SAM), and all other Registry databases, can be read by anyone in the ‘Users’ group with low privileges on a device. This might be exploited by a cyber criminal with limited privileges to extract hashed passwords for all accounts and use those hashes in pass-the-hash attacks to gain elevated privileges.

Microsoft has acknowledged the flaw and is tracking it as CVE-2021-36934. No patch is currently available, although Microsoft has outlined a workaround in a security advisory.

PrintSpooler embedded with two more flaws

Microsoft is urging users to disable the PrintSpooler service entirely to safeguard against fresh vulnerabilities discovered in the beleaguered Windows component.

Although Microsoft patched the infamous PrintNightmare vulnerability last week, the developer acknowledged another flaw just days later, which is being tracked as CVE-2021-034481. This elevation of privilege vulnerability can be exploited to allow an attacker to run arbitrary code with system privileges.

This is in addition to researchers discovering a fourth potential PrintSpooler flaw within a matter of weeks, which centres on the fact that the point and print feature allows non-admin users to install printer drivers. Security researcher Benjamin Delpy has also demonstrated a proof-of-concept for successful exploitation of the flaw.

Cloudflare vulnerability might have led to supply-chain attacks

A flaw in the CDNJS library update server, managed by Cloudflare and used by 12.7% of all sites on the internet, might have been abused to execute arbitrary commands and seize control of the CDNJS.

This is an open source software content delivery network that hosts thousands of JavaScript and CSS libraries that sites can adopt to embed features and tools. However, a vulnerability in the update server may have allowed hackers to execute arbitrary commands and infiltrate the CDNJS catalogue, according to security researcher Ryotak.

Compromising CDNJS may have, in turn, led to a series of supply-chain attacks, particularly due to the propensity of the update server to automatically push updates by running scripts on the server to download files from coding repositories.

After Cloudflare was made aware of the flaw on 6 April, it applied a complete fix on 3 June.

Google fixes yet another exploited Chrome zero-day

Google issued an emergency update for a vulnerability embedded in the open source V8 JavaScript engine in Chrome. This is yet another zero-day vulnerability that hackers have exploited in the wild.

The firm has declined to reveal the precise nature of the vulnerability tracked as CVE-2021-30563 until it’s comfortable that a majority of users have installed the update, although it’s rated as highly severe in Google’s security advisory.

This is the eighth vulnerability in Google Chrome to be exploited since the start of 2021, and one that has been patched alongside seven other flaws in the web browser. Users are urged to update to version 91.0.4472.164 for Windows, Mac, and Linux as soon as possible.

Fortinet fixes critical RCE flaw in its software

Fortinet has warned its customers of a critical vulnerability in its software that hackers might be able to exploit to gain full control over targeted devices if the ‘fgfmsd’ daemon is enabled.

This use-after-free vulnerability, present in FortiManager nad FortiAnalyzer, may lead to remote code execution attacks if exploited, the company confirmed in a security advisory. The flaw, tracked as CVE-2021-32589, was first discovered by Cyrille Chatras of Orange Group, and is rated 7.7 out of ten on the CVSS threat severity scale.

FortiManager is a tool that allows customers to centrally manage their Fortinet devices, while FortiAnalyzer is a security analysis tool that provides insights into security threats and offers mitigation steps. The firm has advised customers that disabling the ‘fgfmsd’ daemon serves as a workaround, although updating their software to the latest versions is preferable.

Millions of printers haunted by 16-year-old vulnerability

Researchers have disclosed a previously undiscovered critical vulnerability in the drivers for millions of printers manufactured by HP, Xerox, and Samsung that might allow hackers to seize control of vulnerable devices.

The highly severe heap buffer overflow vulnerability, tracked as CVE-2021-3438, has been embedded in drivers for printers made since 2005, according to Sentinal Labs. The researchers identified that the vulnerable drivers came preloaded on devices, or were silently downloaded when a user installed a legitimate software bundle.

Because this driver is often installed without the knowledge of users, and because it's loaded by Windows on every boot, it makes the driver the perfect candidate for hackers to target. Exploiting this driver flaw could lead to an unprivileged user gaining system privileges, with potential abuses including bypassing security products.

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Hackers targeting SolarWinds’ Serv-U suite

SolarWinds has warned that cyber criminals are targeting a vulnerability in its Serv-U Managed File Transfer (MFT), Serv-U Secure File Transfer Protocol (FTP), and Serv-U Gateway products, following an advisory from Microsoft.

The firm has released a hotfix to address CVE-2021-35211, which hackers have exploited to run arbitrary code with privileges on targeted systems. The flaw exists in the latest Serv-U version 15.2.3 HF1, released on 5 May 2021, and all prior versions, with customers urged to upgrade immediately to version 15.3.2 HF2.

No other SolarWinds product is affected by this vulnerability, with Microsoft attributing exploitation attempts to DEV-0322, a group based in China, which is attempting to infiltrate US defence and software companies.

Microsoft has a another go at fixing PrintNightmare

The Windows developer has issued 117 fixes as part of its latest wave of Patch Tuesday updates, including a second attempt to patch CVE-2021-34527 - also referred to as PrintNightmare.

This second attempt comes after initial efforts fell short, and a security researcher demonstrated that exploitation of the Print Spooler component was still possible so long as the targeted device had enabled the feature ‘point and print’.

This latest wave of updates also includes patches for three additional zero-day bugs that have been exploited, among nine zero-day flaws overall. Of the 117, 13 are rated as critical, while 103 are rated as important.

Chained Schneider Electric bugs could lead to remote hacking

Researchers have found a vulnerability in Schneider Electric process logic controllers (PLCs) that could allow hackers to gain complete control of vulnerable systems by bypassing security controls.

Dubbed ModiPwn and tracked as CVE-2021-22779, Armis researchers found that this flaw, embedded in Modicon M580 and M340 controllers, could allow remote attackers to run code natively on the PLCs, modifying their functionality.

Schneider Electric had implemented layers of security in its controllers to prevent abuse of undocumented Modbus commands. The flaw can be exploited, however, to bypass this implementation. Hackers can exploit it to read the password hash from the PLC’s memory and use it to skip authentication. They could then upload a new project file that doesn’t have a password, which downgrades the device’s security, removing application password functionality and allowing a chained attack.

The company is working on a patch to address ModiPwn, and has published a set of mitigations that users can implement in the meantime.

Kaseya patches VSA flaws exploited to conduct ransomware attack

Software firm Kaseya has issued patches for three vulnerabilities that hackers abused to execute a devasting ransomware attack in early July.

An emergency update for the cloud-based IT management and remote monitoring platform VSA addressed three bugs tracked as CVE-2021-30116, CVE-2021-30119, and CVE-3031-30120. These concern credentials leakage and a business logic flaw, a cross-site scripting (XSS) vulnerability, and a two-factor authentication (2FA) bypass, respectively.

They’ve been patched alongside four other flaws that were identified by the security firm DIVD in April this year, with the two companies working together to issue fixes, only for REvil operators to beat them to the punch and launch their attack.

The attack saw hackers abuse the flaws to target VSA and launch ransomware attacks against the company, as well as a handful of on-premise customers. Because VSA is used by a number of Managed Service Providers (MSPs), the compromised internet-facing VSA servers also served as an entry point to target their customers, with 1,500 businesses thought to have been affected overall.

SonicWall warns users to turn off EOL hardware ahead of ‘imminent ransomware campaign’

Networking device manufacturer SonicWall has warned its customers about an imminent ransomware campaign using stolen credentials targeting its end-of-life devices and units running outdated firmware.

There’s an imminent threat against unpatched Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) devices, the company confirmed in an email to customers, especially those still using end-of-life (EOL) 8.x firmware.

Customers using outdated SRA hardware should also disconnect these devices immediately and reset passwords, including SRA 4600/1600, SRA 4200/1200 and SSL-VPN 200/2000/400. SMA 400/200, meanwhile, is still supported in a limited retirement mode, with customers urged to update to the latest firmware versions.

Should customers not mitigate the risks or update their systems immediately, it’s extremely likely their devices will be targeted in the “imminent” ransomware campaign, of which specific details haven’t been provided.

Microsoft has made renewed efforts to fix the notorious Print Spooler remote code execution vulnerability in its latest wave of Patch Tuesday updates after the first attempt only provided a partial fix.

Emergency efforts to fix the vulnerability tracked as CVE-2021-34527 last week fell short after researchers discovered that it could still be exploited if targeted machines have the ‘point and print’ feature enabled.

This vulnerability is among 117 flaws to have been patched in the latest wave of Patch Tuesday updates, and among four now-patched flaws that are under attack. The other three are CVE-2021-31979 and CVE-2021-33771, which are both privilege escalation flaws in the Windows Kernel, and CVE-2021-34448, which is a scripting engine memory corruption flaw.

Of the 117, 13 are rated as critical, while 103 are rated important. In addition to the four previously mentioned, there are five more zero-day vulnerabilities that Microsoft has fixed, which haven’t yet been targeted.

The renewed efforts to fix PrintNightmare is welcome news for businesses anxious about being targeted, particularly given the shambolic nature in which it was disclosed and the way that Microsoft had initially failed to fix it.

Earlier this month, researchers with Sangfor inadvertently published an exploit for the previously unknown flaw, now commonly referred to as PrintNightmare, in an unfortunate case of mistaken identity.

Microsoft had previously fixed a Print Spooler privilege escalation flaw in an early June wave of Patch Tuesday updates, tracked as CVE-2021-1675. The firm subsequently upgraded this from privilege escalation to remote code execution on 23 June.

The researchers, who were separately probing Print Spooler bugs, then released the proof-of-concept exploitation for a remote code execution flaw - believing it to be the same one that Microsoft had patched. It was, however, the exploit for an entirely different flaw that hadn’t been disclosed.

Although the researchers swiftly took down their work, the exploit code was downloaded and republished elsewhere, with attackers then using it to target systems in recorded attacks, according to Microsoft.

Microsoft then attempted to fix the flaw last week, although researcher Benjamin Delpy found he could still demonstrate exploitation on a Windows Server 2019 deployment with point and print enabled.

This is a tool that makes it easier for users within a network to obtain the printer drivers and queue documents to print. Although it isn’t directly related to the flaw, Microsoft acknowledged that the technology “weakens the local security posture in such a way that exploitation will be possible”.

Hackers are triggering a vulnerability in the Serv-U Managed File Transfer (MFT) and Serv-U Secure File Transfer Protocol (FTP) products to attack SolarWinds customers.

SolarWinds has released a hotfix to patch the remote code execution vulnerability - tracked as CVE-2021-35211 - after Microsoft researchers reported that it was involved in ongoing attacks against customers.

The company, which was at the centre of one of the biggest attacks in recent memory towards the end of last year, has urged its Serv-U customers to patch their systems immediately in order to benefit from the fix.

Serv-U is a suite of tools, maintained by SolarWinds, that allows customers to securely transfer files remotely across the web. Alongside Managed File Transfer and Secure FTP, the suite includes Serv-U Gateway, which adds a layer of security to file transfers.

Hackers can exploit the vulnerability to run arbitrary code with privileges on targeted systems, before installing programmes, altering or deleting data, and running programmes. The vulnerability exists in the latest Serv-U version 15.2.3 HF1, released on 5 May 2021, and all prior versions, with customers encouraged to update to Serv-U version 15.2.3 HF2.

No other SolarWinds products have been affected by this vulnerability, the company claims, with Microsoft providing evidence of limited, targeted customer impact by a single entity.

SolarWinds doesn’t have an estimate for how many customers have been affected, however, and it’s unaware of the identity of the current victims.

The company has stressed this is a new vulnerability and not related to the supply chain attack that affected approximately 100 victims, at least. Investigations into that attack revealed that the hackers responsible had first infiltrated the company’s networks in September 2019, before injecting test code and beginning trial runs.

SolarWinds had previously blamed an intern for setting a weak ‘solarwinds123’ password, which was publicly accessible on GitHub for more than a year, on a company server, which allowed hackers a route into the company’s networks.

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

REvil exploits Kaseya flaw to target customers

The REvil ransomware operators are demanding $70 million after compromising Kaseya’s VSA IT management and remote monitoring product and infecting its customers and partners. Huntress Labs estimates that more than 1,000 businesses have been hit.

The cyber gang exploited a zero-day flaw to remotely access internet-facing VSA servers. Given the software is used by many Managed Service Providers (MSPs), this route also gave them a pathway into their customers. The firm was targeted because a key feature in VSA is to push software and automated IT tasks on request, without checks.

The vulnerability, tracked as CVE-2021-30116, was discovered by researchers with DIVD CSIRT as part of a wider research project. The firm was actually working with Kaseya on a patch only for REvil to exploit the vulnerability before it could be issued.

Cyber agencies warn against global ‘brute force’ campaign

US and UK cyber security agencies have warned businesses that the Russian intelligence agency (GRU) is orchestrating password-spraying attacks on a massive scale, while also exploiting Kubernetes clusters to compromise cloud environments.

One of the units, known as ATP2, masquerading under the guise of Fancy Bear, is accused of a widespread and distributed brute force campaign against hundreds of government entities and private sector companies. These include military organisations as well as political consultants, and critical infrastructure companies.

The attacks have been ongoing since mid-2019, and also involve the exploitation of a range of vulnerabilities including CVE-2020-0688, embedded in Microsoft Exchange servers.

Kaspersky Password Manager passwords can be cracked ‘in seconds’

Kaspersky Password Manager (KPM) was embedded with a vulnerability that meant hackers could game its method for generating unique passwords and crack them using brute force techniques without much difficulty.

The mechanism KPM used to generate random passwords is complex, but effectively means letters such as q, z and x are more likely to appear than common vowels. Once any letter is generated, however, it skews the probability of other letters appearing in the same string. The only source of entropy, meanwhile, is time, which means that if every KPM user generated a password at the precise same time, they would see the same string.

This method was implemented to trick standard cracking tools, according to Ledger Donjon researcher Jean-Baptiste Bédrune. Hackers, therefore, would need to wait a long time before they encounter a KPM password when attempting to crack a password. If, however, an attacker knows the password was generated using KPM, they can adapt their tool to the method KPM uses and determine the likely password within seconds.

Kaspersky recognised this as a vulnerability and assigned it CVE-2020-27020. It was first reported in 2019 and has now been patched on Windows, iOS, and Android.

PrintNightmare emergency patch can be bypassed

Microsoft’s emergency, out-of-band fix for the Print Spooler remote code execution (RCE) flaw, for which an exploit code was leaked last week, is incomplete and leaves some Windows users open to attack.

Microsoft patched CVE-2021-34527 with an emergency update on Tuesday - days after researchers published an exploit code for the previously undisclosed bug in a case of mistaken identity. Researcher Benjamin Delpy, however, found he could demonstrate successful exploitation on a Windows Server 2019 deployment with the patch installed, and the ‘point and print’ feature enabled.

This is a tool that makes it much easier for users within a network to obtain printer drivers, and queue documents to print. Microsoft acknowledged in its security alert that the feature isn’t directly related to the flaw, but could still weaken a user’s security posture to the extent the bug would be exploitable. Despite the patch, hackers can still target systems with point and print enabled.

Multiple flaws found in Sage X3

Sage has fixed four vulnerabilities embedded in its enterprise resource planning (ERP) platform Sage X3, including two protocol-related issues involving remote administration of Sage X3, and two web app flaws.

The flaws are tracked as CVE-2020-7387 through to CVE-2020-7390, with the most severe rated a perfect ten out of ten on the CVSS threat severity scale, meaning it’s particularly devastating and straightforward to exploit. This critical bug is described as an “unauthenticated command execution bypass by spoofing in AdxAdmin” and has been patched alongside the other three bugs in version Sage X3 Version 9, Sage X3 HR & Payroll Version 9, Sage X3 Version 11, and Sage X3 Version 12. Version 10 was never released.

Rapid7 researchers, who discovered the flaws, claim that Sage X3 installations should never be exposed directly to the internet, and should instead be made available using a secure VPN connection. Doing so effectively mitigates all four vulnerabilities.

An emergency patch released to address the PrintNightmare remote code execution (RCE) vulnerability in Windows is said to have been unsuccessful, with hackers still being able to infect targeted devices, researchers have warned.

Microsoft released the patch this Tuesday outside of its routine Patch Tuesday wave of updates given the severity of the PrintNightmare vulnerability, as well as the fact that exploit code has been circulating online. The flaw has been assigned CVE-2021-34527 and a CVSS threat severity score of 8.8 out of ten.

However, Researcher Benjamin Delpy found that he could still demonstrate successful exploitation on a Windows Server 2019 deployment with the patch installed, and the ‘point and print’ feature enabled.

Point and print is a tool that makes it easier for users within a network to obtain the printer drivers, and queue documents to print.

Microsoft acknowledged in its security alert that the feature isn’t directly related to the flaw, but that the technology “weakens the local security posture in such a way that exploitation will be possible”.

The patch purporting to fix CVE-2021-34527 seemingly hasn’t addressed this particular shortcoming, Delpy’s demonstration shows, with hackers potentially able to bypass the fix and attack victim’s machines, if they have point and print enabled.

The threat stemmed from a vulnerability in the Print Spooler component in Windows systems, which allows print functionality remotely within local networks. Microsoft patched a similar Print Spooler flaw on 8 June, which was initially deemed to be a privilege escalation bug but the company then upgraded weeks later to an RCE vulnerability.

Following that 8 June patch, researchers with Sangfor published what they believed to be a proof-of-concept exploitation for the same Print Spooler RCE flaw, however, it was later discovered to be an entirely different flaw that hadn’t been previously disclosed.

Although the researchers promptly removed their work, the gaffe led to the exploit code being downloaded and republished elsewhere, with Microsoft confirming a few days later that hackers had exploited the flaw.

Microsoft previously recommended that businesses disable the Print Spooler service or inbound remote printing through their group policy - until a patch became available. The first mitigation deactivates the ability to print locally or remotely, while the second one blocks the remote attack vector by preventing inbound remote printing operations. Local printing would still be possible, though.