Couple of massive updates, several f**k-ups with loud vulnerabilities and attacks

Several high-profile vulnerabilities in Windows and Apple were fixed this week. Epic confusion/substitution attacks and an interesting vulnerability with secret chats in Telegram. We've picked up the top news from the past week.

  • Vulnerabilities: releases from Microsoft and Apple + Telegram vulnerabilities;
  • Tools: Adversary testing;
  • News: Hacker poisoned water in an American city, amazing research, bad luck for CD Projekt RED, and cool Chrome extension now unavailable :( ;
  • Research: mostly threat hunting.

Really short feedback -> here


Vulnerabilities

Microsoft Patch Tuesday — February 2021 Edition

Patches for a total of 56 new flaws have been issued, 11 of which are listed as critical. The Microsoft release fixed CVE-2021-1732, a Windows kernel vulnerability that led to local privilege escalation. The vulnerability was a 0-day and affected all the latest versions of Windows 10. The researchers who discovered CVE-2021-1732 in December 2020 also found it in active use by APT Bitter in targeted attacks. Technical details of the bug and a PoC were also published.

A few days later, researchers at SentinelOne reported that they had discovered a CVE-2021-24092 vulnerability in the Windows Defender antivirus solution that allowed a hacker to perform a local privilege escalation. The bug was contained in the BTR.sys driver, which is used during the removal of detected malware and its edits to the registry of the attacked system.
Researchers found vulnerable versions of the BTR.sys driver that date back to 2009, so the CVE-2021-24092 vulnerability has existed for at least 12 years.

Apple has released a security patch for the 10-year-old sudo root privilege escalation vulnerability in macOS, tracked as CVE-2021-3156 and also called "Baron Samedit". Patches that fix the bug were released for macOS Big Sur, Catalina and Mojave.

Telegram secret chats

A vulnerability was found in the macOS version of the popular messaging app Telegram that compromises user privacy. The problem was discovered by security researcher Dhiraj Mishra in Telegram version 7.3. Its exploitation allowed access to self-destructing audio and video messages long after they disappeared from secret chats.


Tools

Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.

Crypto Cipher Encode Decode and Hash

ATTPwn is a computer security tool designed to emulate adversaries. The tool aims to bring emulation of a real threat into closer contact with implementations based on the techniques and tactics from the MITRE ATT&CK framework.


News

Popular Chrome extension The Great Suspender contained malware

The Great Suspender updated the extension to version 7.1.8, which includes scripts that monitor user behavior and execute arbitrary code received from a remote server. These suspicious changes were quickly discovered by Microsoft, after which the extension was removed from the Microsoft Edge Store, and then a new version 7.1.9 was released, this time without malware.
What happened now is anyone's guess, because last week Google simply declared The Great Suspender to be malware without explaining why. It's unclear if Google found additional malicious scripts in the code or if it belatedly responded to what happened earlier and to the community's concerns.

Hacker poisoned the chemical composition of drinking water in a town

On Friday, an unknown attacker gained access to the control system of the Oldsmar water treatment facility in the U.S. state of Florida and altered the chemical composition of the water, raising sodium hydroxide (NaOH) to dangerous levels.

The attacker simply picked up the password to TeamViewer, which was on the machine controlling the water treatment system, and increased the concentration of caustic soda entering the water by more than 100 times.

CD Projekt RED reported that it was attacked by hackers who managed to encrypt data on its servers. The game maker posted the hackers' ransom demand on Twitter. The attackers reportedly made a complete copy of the source code of the games Cyberpunk 2077, The Witcher 3 and Gwent, as well as various company documentation.

Representatives of CD Projekt RED said that they do not intend to pay ransom and have already begun the process of data recovery. At the moment the company continues to investigate the attack.

Alex Birsan describes a new problem, a variation of the supply chain attack called a dependency confusion/substitution attack. The researcher has already received over $130,000 from various companies' bug bounty programs for discovering this attack method. Using it, he was able to upload his own code to the systems of Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, Uber, and other companies.

The security researcher noticed a reference to several internal packages, including analytics-paypal, in an article by a PayPal employee. So, he placed packages with the same name in his public repository to experiment.

This experiment showed that if a dependency package used by an application exists both in a publicly available open-source repository and in a private build, the public package eventually gets priority and will be used without any action by the developer. It also turned out that in the case of PyPI packages, the package with the higher version has priority no matter where it is located.

More epic details here
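To check your own exposure to the resolution behaviour described above, the following added example (not code from the researcher or from this digest) models "highest version wins wherever it is hosted" and classifies internal package names against a public index listing. All package names, versions and the index URL are constructed for illustration; the tie-break in favour of the private copy is an assumption of the model.

```python
import re

# Constructed sample data: every package name, version and URL here is hypothetical.
PRIVATE_INDEX = {"acme-auth": ["1.4.0", "1.5.2"], "acme_billing": ["2.0.1"],
                 "acme-utils": ["0.9.0"]}
PUBLIC_INDEX = {"acme-auth": ["99.0.0"], "acme-utils": ["0.1.0"]}
REQUIREMENTS = """\
--extra-index-url https://pypi.internal.example/simple
acme-auth>=1.4
acme_billing==2.0.1
"""

def norm(name):
    """PEP 503 normalisation, so acme_billing and acme-billing compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def vkey(version):
    """Sort key for plain dotted versions (assumption: no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))

def winner(name, private, public):
    """Highest version wins wherever it is hosted; private wins ties (assumption)."""
    cands = [(vkey(v), src == "private", src, v)
             for src, index in (("private", private), ("public", public))
             for pkg, versions in index.items() if norm(pkg) == norm(name)
             for v in versions]
    return max(cands)[2:] if cands else None

def audit(private, public):
    """Classify each internal package by its exposure on the public index."""
    public_names = {norm(pkg) for pkg in public}
    report = {}
    for pkg in private:
        src, ver = winner(pkg, private, public)
        if norm(pkg) not in public_names:
            report[norm(pkg)] = "name unclaimed on public index"
        elif src == "public":
            report[norm(pkg)] = f"public {ver} outranks private copy"
        else:
            report[norm(pkg)] = "public copy exists, currently lower"
    return report

def mixes_indexes(requirements_text):
    """True if the file adds an extra index next to the default public one."""
    return any(line.strip().startswith("--extra-index-url")
               for line in requirements_text.splitlines())

if __name__ == "__main__":
    print(mixes_indexes(REQUIREMENTS), audit(PRIVATE_INDEX, PUBLIC_INDEX))
```

Any name reported as unclaimed or outranked is a candidate for installing from a single index that proxies approved public packages, or for pinning with hashes.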


Research

Detecting evasive syscalls from user mode: https://winternl.com/detecting-manual-syscalls-from-user-mode

Google research reveals who’s targeted by email attacks - We found that multiple factors correlate with higher risk: where you live, what devices you use, and whether your information appeared in previous third-party data breaches. https://cloud.google.com/blog/products/workspace/how-gmail-helps-users-avoid-email-scams

Free Scenario Based DFIR cases

Hunting for CVE 2021-3156 with Auditd: https://www.archcloudlabs.com/projects/auditd-cve-2021-3156

Threat Hunting & Incident Investigation with Osquery: The objective of this repo is to share 100+ hunting queries (osquery) that will help cyber threat analysts (hunter/investigator) in their hunting or investigation exercises - for Linux & Windows. https://github.com/Kirtar22/ThreatHunting_with_Osquery

