Cybersecurity Roundup #19
Let’s start again with the “Weekly roundup”: what happened this week?
According to recent research by cyber security firm Lacework, the cybercriminal collective known as Pysa, mainly engaged in double extortion ransomware attacks on Windows systems, is also starting to target Linux systems. In fact, Lacewood researchers have identified a new variant of backdoor ChaChi, mainly used by Pysa operators, developed to run on Linux systems. The malware was detected in an upload made on the well-known VirusTotal platform: it is not yet clear whether it has been used in real attacks.
A few weeks ago, experts from The Citizen Lab, a research group from the University of Toronto specialized in privacy, revealed the existence of a zero-click exploit (that does not require interactions by users) of iOS, which would have been exploited to violate the iPhone of various activists and political dissidents of Bahrain.
According to the analysis, the new exploit, called FORCEDENTRY, would have been attributed to NSO Group, a well-known Israeli company specializing in the sale of surveillance technologies known mainly for the creation of the spy software Pegasus, which also used this exploit to gain persistence on the devices it is implanted on.
A few hours after Apple released the updates necessary to remedy the vulnerability exploited by FORCEDENTRY, the researchers of The Citizen Lab have published a report in which they provide all the details on the vulnerability: the attack is exploited simply by sending an SMS to the victim, containing a GIF attachment but actually a malformed PDF.
The PDF crashes the IMTranscoderAgent module, which allows the execution of malicious code on the attacked device.
The OWASP Top 10 is a list, created in the mid-2000s by the Open Web Application Security Project, of the most dangerous web vulnerabilities,
Although not an official document, the list is often used in cybersecurity circles to assess the importance and severity of vulnerabilities in web-based apps: for example, bug bounty platforms use OWASP Top 10 to rank bugs that need to be corrected immediately or deserve higher monetary rewards.
The ranking was last updated in November 2017 but, last week, the OWASP team released a draft of its next list, which presents a substantial change: in fact, the vulnerability “A01: 2021-Broken Access” rises to first position Control “, which concerns the control of user permissions and authorizations, undermining the “A03: 2021-Injection” category that had occupied this position in the last 10 years.
As part of its Patch Tuesday monthly security updates, Microsoft fixed a collection of four vulnerabilities in Open Management Infrastructure (OMI), the Linux equivalent of Microsoft’s Windows Management Infrastructure (WMI), a service that collects data from local environments and synchronizes them with a central management server and which, unbeknownst to most Azure customers, Microsoft automatically installs on Linux-based Azure virtual machines.
The client runs with root privileges in order to integrate the virtual machine with centralized Microsoft management tools such as Open Management Suite (OMS), Azure Insights, Azure Automation, and others.
In a recently published research, security firm Cloud Wiz said it found a collection of four security flaws (collectively referred to as OMIGOD) in the OMI client that could allow threat actors to compromise Azure Linux VMs .
While Microsoft has released patches for these four vulnerabilities, Wiz researcher Nir Ohfeld has made it known that there is no automatic update mechanism built into the app, meaning all Azure Linux VMs remain vulnerable to attack unless that every user doesn’t manually update the client themselves, which probably won’t happen, mainly because users didn’t know the app was installed on their systems in the first place. Ohfeld therefore suggests to customers who wish to apply patches to download and install the OMI v126.96.36.199 client released last month on GitHub.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the Coast Guard Cyber Command (CGCYBER) have issued a joint statement warning US public and private organizations against some exploitation campaigns of recent Zoho ManageEngine vulnerability (tracked by CVE-2021-40539) perpetrated by chinese-speaking state sponsored threat actors.
Security issue, detected in early August 2021 and promptly resolved by vendor, affects Zoho ManageEngine‘s ADSelfService Plus module and allows attackers to take control of vulnerable systems.
In the press release, the three US entities urge companies to install the updates as soon as possible needed to resolve the security issue.