Review of the current news by CERT-W – September 2020
Indicators of the month
CMA CGM announces that it has been affected by a ransomware attack, which disabled its reservation system and affected some of its Chinese offices. The RagnarLocker gang reportedly asked the company to contact them within two days “via a live chat and pay for a special decryption key”. In a statement, the company said it had shut all external accesses to their network and computer applications as a precautionary measure and that the group’s information system was gradually resuming.
Top exploit – Microsoft warns of attackers now exploiting “Zerologon” flaw
Microsoft’s Security Intelligence team says it’s monitoring new attacks that employ public exploits of the recently patched CVE-2020-1472 Netlogon EoP vulnerability, aka Zerologon. The vulnerability carries a critical severity rating from Microsoft as well as a maximum of 10 under the Common Vulnerability Scoring System as it lets anyone with a network toehold obtain domain-controller password.
Microsoft earlier this month exposed a 6.5TB Elastic server to the world that included search terms, location coordinates, device ID data, and a partial list of which URLs were visited. According to a report from cyber-security outfit WizCase, the server was password-protected until around 10 September, when “the authentication was removed”.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a malware analysis report (MAR) that includes technical details about web shells employed by Iranian hackers. According to the CISA’s report, Iranian hackers from an unnamed APT group are employing several known web shells, in attacks on IT, government, healthcare, financial, and insurance organizations across the United States. The malware used by the threat actors includes the ChunkyTuna, Tiny, and China Chopper web shells.
U.S. authorities today announced criminal charges and financial sanctions against two Russian men accused of stealing nearly $17 million worth of virtual currencies in a series of phishing attacks throughout 2017 and 2018 that spoofed websites for some of the most popular cryptocurrency exchanges.
Google’s release of Chrome 85.0.4183.121 for Windows, Mac and Linux fixed 10 vulnerabilities. The successful exploitation of the most severe of these could allow an attacker to execute arbitrary code in the context of the browser, according to Google. Google Chrome versions prior to 85.0.4183.121 are affected.
CVSS score: 10.0 CRITICAL
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
CVSS score: 8.8 HIGH
A remote code execution vulnerability exists in the way that Microsoft COM for Windows handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system.
*The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft’s OLE (compound documents), ActiveX (Internet-enabled components), as well as others.
CVSS score: 7.5 HIGH
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current.