Microsoft issues 83 patches, one for actively exploited vulnerability
2021-01-13T19:40:58
ID MALWAREBYTES:C38FDAA2A9E5E349305313C6D17A0D3A Type malwarebytes Reporter Pieter Arntz Modified 2021-01-13T19:40:58
Description
Every second Tuesday of the month it's 'Patch Tuesday'. On Patch Tuesday Microsoft habitually issues a lot of patches for bugs and vulnerabilities in its software.
It's always important to patch, but the update that was released on January 12 is one to pay attention to. That's because it contains a patch for a vulnerability in Windows Defender that is already being exploited in the wild.
The vulnerability in Windows Defender
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) list—a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).
The vulnerability in Windows Defender was registered as CVE-2021-1647—a Remote Code Execution (RCE) vulnerability—and was found in the Malware Protection Engine component (mpengine.dll). According to Microsoft:
> "While this issue is labeled as an elevation of privilege, it can also be exploited to disclose information. The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory."
I don’t see an update for this vulnerability
If you are missing this fix in your list, it's possible that this bug has already been patched by Microsoft on end-user systems, as the company continuously updates Defender outside of the normal monthly patch cycle. But you may want to check whether you are using a patched version.
What version of Windows Defender am I using?
The first patched version is 1.1.17700.4. If you want to make sure that you have a patched version of Windows Defender, here is how you can check this on a Windows 10 computer:
1. From the Windows Start Menu, search for Windows Security and click on the result that has the App text and the "white on blue" shield.
2. When Windows Security opens, click on the gear icon with the Settings text at the bottom left of the window.
3. When the Settings screen opens, click on the About link.
4. The Windows Security About page will now be open and will show the Antimalware Client Version (Microsoft Defender version), the Engine version (Scanning Engine), the Antivirus version (Virus definitions), and the Antispyware version (Spyware definitions).
The engine version is the one that matters here. It needs to be 1.1.17700.4 or newer.
Figure: Finding the Windows Defender version
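The same check can be scripted so that it does not depend on clicking through the Windows Security app, which matters when you need to confirm the engine build on many machines. The following PowerShell is an added example, not code from the Malwarebytes post; it uses the Defender module that ships with Windows 10 (Get-MpComputerStatus and Update-MpSignature). The threshold 1.1.17700.4 is the first patched engine version named in the post; the function name Test-DefenderEnginePatched is my own.

```powershell
# Added example (not from the original post): confirm the local Microsoft
# Defender scanning engine is at or above the first build patched for
# CVE-2021-1647, and trigger an update if it is not.

# First patched engine version, as stated in the post.
$FixedEngineVersion = [System.Version]'1.1.17700.4'

function Test-DefenderEnginePatched {
    param(
        [System.Version]$MinimumVersion = $FixedEngineVersion
    )

    # Get-MpComputerStatus exposes the same fields the Windows Security
    # "About" page shows: AMProductVersion (client), AMEngineVersion (engine),
    # AntivirusSignatureVersion and AntispywareSignatureVersion (definitions).
    $status = Get-MpComputerStatus -ErrorAction Stop

    # Cast to [System.Version] so the comparison is numeric per component.
    # A plain string compare would rank "1.1.9000.1" above "1.1.17700.4".
    $engine = [System.Version]$status.AMEngineVersion

    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        ClientVersion       = $status.AMProductVersion
        EngineVersion       = $engine
        MinimumVersion      = $MinimumVersion
        Patched             = ($engine -ge $MinimumVersion)
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        SignaturesUpdated   = $status.AntivirusSignatureLastUpdated
    }
}

$result = Test-DefenderEnginePatched
$result | Format-List

if (-not $result.Patched) {
    Write-Warning ("Engine {0} is below {1}; requesting a Defender update." -f
        $result.EngineVersion, $result.MinimumVersion)

    # Update-MpSignature pulls the current definition package through the
    # normal Defender update channel, which is also how Microsoft ships
    # new engine builds outside the monthly Patch Tuesday cycle.
    Update-MpSignature -ErrorAction Stop

    # Re-check so the script's last output reflects the post-update state.
    Test-DefenderEnginePatched | Format-List
}
```

Run it in an elevated PowerShell session on the host in question; to sweep a fleet, wrap the call to Test-DefenderEnginePatched in Invoke-Command with a list of computer names and collect the Patched column. A host that reports an engine below the threshold and also has RealTimeProtection set to False deserves a closer look, since the post notes that Defender normally updates its engine automatically and an old engine usually means that update path is broken or disabled.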
The rest of the Microsoft updates
The total package contained over 80 patches. Ten of them were classified as critical, which means that they could possibly be used in the future by cybercriminals to attack unpatched systems. And even the ones that are not rated as critical could put you at risk at some point. It's always important to apply all the patches as soon as you possibly can, especially when it concerns your operating system. So, please do go install these patches as soon as possible.
{"cve": [{"lastseen": "2021-02-02T07:55:04", "description": "Microsoft Defender Remote Code Execution Vulnerability", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-12T20:15:00", "title": "CVE-2021-1647", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1647"], "modified": "2021-01-14T19:28:00", "cpe": ["cpe:/a:microsoft:security_essentials:-", "cpe:/a:microsoft:system_center_endpoint_protection:-", "cpe:/a:microsoft:system_center_endpoint_protection:2012", "cpe:/a:microsoft:windows_defender:-"], "id": "CVE-2021-1647", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1647", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:system_center_endpoint_protection:2012:-:*:*:*:*:*:*", "cpe:2.3:a:microsoft:security_essentials:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:system_center_endpoint_protection:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:windows_defender:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:system_center_endpoint_protection:2012:r2:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": 
"2021-02-04T21:15:31", "bulletinFamily": "info", "cvelist": ["CVE-2021-1647"], "description": "CVE-2021-1647 is a zero-day remote code execution vulnerability in the Malware Protection Engine component (mpengine.dll) of Microsoft\u2019s Defender anti-virus product. It was published as part of the January 2021 Patch Tuesday release, along with a disclosure from Microsoft acknowledging that the vulnerability had been exploited in the wild. More information: <https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>\n\n \n**Recent assessments:** \n \n**cdelafuente-r7** at January 13, 2021 3:55pm UTC reported:\n\nNo useful information has been published so far and most of the speculations found online are based on the [CVSS 3.0](<https://www.first.org/cvss/v3-0/>) metrics found in the [advisory](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>). That said, the attack vector seems to be [Local](<https://www.first.org/cvss/v3.0/specification-document#2-1-1-Attack-Vector-AV>) but can be exploited remotely, which means that some kind of malicious file needs to be placed locally to be scanned by Windows Defender and trigger the vulnerability. After talking about this with **@smcintyre-r7** and **@bwatters-r7**, we can imagine that `Remote` means this file needs to be sent remotely somehow, for example, using a file upload in a website or an email attachment via Exchange.\n\nSome considerations to keep in mind: Windows defender vulnerabilities get patched immediately and automatically, without user interactions. So, the exploitation window is very short. 
Finally, even if the exploitation succeeds, the evasion will be problematic, since the anti-virus will probably detect the attack.\n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 1**gwillcox-r7** at February 04, 2021 7:15pm UTC reported:\n\nNo useful information has been published so far and most of the speculations found online are based on the [CVSS 3.0](<https://www.first.org/cvss/v3-0/>) metrics found in the [advisory](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>). That said, the attack vector seems to be [Local](<https://www.first.org/cvss/v3.0/specification-document#2-1-1-Attack-Vector-AV>) but can be exploited remotely, which means that some kind of malicious file needs to be placed locally to be scanned by Windows Defender and trigger the vulnerability. After talking about this with **@smcintyre-r7** and **@bwatters-r7**, we can imagine that `Remote` means this file needs to be sent remotely somehow, for example, using a file upload in a website or an email attachment via Exchange.\n\nSome considerations to keep in mind: Windows defender vulnerabilities get patched immediately and automatically, without user interactions. So, the exploitation window is very short. Finally, even if the exploitation succeeds, the evasion will be problematic, since the anti-virus will probably detect the attack.\n", "modified": "2021-01-16T00:00:00", "published": "2021-01-12T00:00:00", "id": "AKB:06000FAE-591B-46C7-8573-3D63BDDD0D13", "href": "https://attackerkb.com/topics/DzXZpEuBeP/cve-2021-1647-microsoft-windows-defender-zero-day-vulnerability", "type": "attackerkb", "title": "CVE-2021-1647 Microsoft Windows Defender Zero-Day Vulnerability", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-20T14:27:15", "description": "The Malware Protection Engine version of Forefront Endpoint Protection installed on the remote Windows host\nis prior to 1.1.17600.5. 
It is, therefore, affected by an unspecified remote code execution vulnerability. An\nauthenticated, local attacker can exploit this to bypass authentication and execute arbitrary code with administrator privileges.", "edition": 4, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-12T00:00:00", "title": "Security Update for Forefront Endpoint Protection (January 2021)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-1647"], "modified": "2021-01-12T00:00:00", "cpe": ["cpe:/a:microsoft:system_center_endpoint_protection"], "id": "SMB_NT_MS21_JAN_FEP.NASL", "href": "https://www.tenable.com/plugins/nessus/144886", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144886);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2021-1647\");\n\n script_name(english:\"Security Update for Forefront Endpoint Protection (January 2021)\");\n script_summary(english:\"Checks the Malware Engine version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An antimalware application installed on the remote host is affected by\na remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Malware Protection Engine version of Forefront Endpoint Protection installed on the remote Windows host\nis prior to 1.1.17600.5. It is, therefore, affected by an unspecified remote code execution vulnerability. 
An\nauthenticated, local attacker can exploit this to bypass authentication and execute arbitrary code with administrator privileges.\");\n # https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1647\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?66e83fa0\");\n script_set_attribute(attribute:\"solution\", value:\n\"Enable automatic updates to update the malware engine for the relevant antimalware applications. Refer to Knowledge Base\nArticle 2510781 for information on how to verify that MMPE has been updated.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1647\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:system_center_endpoint_protection\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"fep_installed.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp = 'Forefront Endpoint Protection';\n\napp_info = vcf::get_app_info(app:app, win_local:TRUE);\n\n# Check if we got tyhe Malware Engine Version\nif (isnull(app_info['engine_version']))\n exit(0,'Unable to get the Malware Engine Version.');\n\nconstraints = [{'max_version': '1.1.17600.5', 'fixed_version':'1.1.17700.4'}];\n\nvcf::av_checks::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, check:'engine_version');\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T14:27:16", "description": "The Malware Protection Engine version of Microsoft Windows Defender installed on the remote Windows host\nis prior to 1.1.17600.5. It is, therefore, affected by an unspecified remote code execution vulnerability. 
An\nauthenticated, local attacker can exploit this to bypass authentication and execute arbitrary code with administrator privileges.", "edition": 4, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-12T00:00:00", "title": "Security Update for Windows Defender (January 2021)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-1647"], "modified": "2021-01-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:windows_defender"], "id": "SMB_NT_MS21_JAN_WIN_DEFENDER.NASL", "href": "https://www.tenable.com/plugins/nessus/144876", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144876);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2021-1647\");\n\n script_name(english:\"Security Update for Windows Defender (January 2021)\");\n script_summary(english:\"Checks the Malware Engine version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An antimalware application installed on the remote host is affected by\na remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Malware Protection Engine version of Microsoft Windows Defender installed on the remote Windows host\nis prior to 1.1.17600.5. It is, therefore, affected by an unspecified remote code execution vulnerability. An\nauthenticated, local attacker can exploit this to bypass authentication and execute arbitrary code with administrator privileges.\");\n # https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1647\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?66e83fa0\");\n script_set_attribute(attribute:\"solution\", value:\n\"Enable automatic updates to update the malware engine for the relevant antimalware applications. 
Refer to Knowledge Base\nArticle 2510781 for information on how to verify that MMPE has been updated.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1647\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:windows_defender\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_windows_defender_win_installed.nbin\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"SMB/svcs\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp = 'Windows Defender';\n\napp_info = vcf::get_app_info(app:app, win_local:TRUE);\n\n# Check if disabled\nif (!isnull(app_info['Disabled']))\n exit(0,'Windows Defender is disabled.');\n\n# Check if we got tyhe Malware Engine Version\nif (isnull(app_info['Engine Version']))\n exit(0,'Unable to get the Malware Engine Version.');\n\nconstraints = [{'max_version': '1.1.17600.5', 'fixed_version':'1.1.17700.4'}];\n\nvcf::av_checks::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, check:'Engine Version');\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-02-05T20:48:49", "bulletinFamily": "info", "cvelist": ["CVE-2021-1647"], "description": "\n\n_This blog was co-authored by Caitlin Condon, VRM Security Research Manager, and Bob Rudis, Senior Director and Chief Security Data Scientist._\n\nOn Monday, Jan. 25, 2021, Google\u2019s Threat Analysis Group (TAG) [published a blog on a widespread social engineering campaign](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>) that targeted security researchers working on vulnerability research and development. The campaign, which Google attributed to North Korean (DPRK) state-sponsored actors, has been active for several months and sought to compromise researchers using several methods.\n\nRapid7 is aware that many security researchers were targeted in this campaign, and information is still developing. 
While we currently have no evidence that we were compromised, we are continuing to investigate logs and examine our systems for any of the [IOCs listed in Google\u2019s analysis](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>). We will update this post with further information as it becomes available.\n\nOrganizations should take note that this was a highly sophisticated attack that was important enough to those who orchestrated it for them to burn an as-yet unknown exploit path on. This event is the latest in a chain of attacks\u2014e.g., those targeting SonicWall, VMware, Mimecast, Malwarebytes, Microsoft, Crowdstrike, and SolarWinds\u2014that demonstrates a significant increase in threat activity targeting cybersecurity firms with legitimately sophisticated campaigns. Scenarios like these should become standard components of tabletop exercises and active defense plans.\n\n## North Korean-attributed social engineering campaign\n\nGoogle discovered that the DPRK threat actors had built credibility by establishing a vulnerability research blog and several Twitter profiles to interact with potential targets. They published videos of their alleged exploits, including a YouTube video of a fake proof-of-concept (PoC) exploit for CVE-2021-1647\u2014a [high-profile Windows Defender zero-day vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1647>) that garnered attention from both security researchers and the media. The DPRK actors also published \u201cguest\u201d research (likely plagiarized from other researchers) on their blog to further build their reputation.\n\nThe malicious actors then used two methods to social engineer targets into accepting malware or visiting a malicious website. 
[According to Google](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>):\n\n * After establishing initial communications, **the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project.** Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional pre-compiled library (DLL) that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled command and control (C2) domains.\nVisual Studio Build Events command executed when building the provided VS Project files. Image provided by Google.\n\n * In addition to targeting users via social engineering, Google also observed several cases where researchers have been compromised after visiting the actors\u2019 blog. In each of these cases, the researchers followed a link on Twitter to a write-up hosted on `blog[.]br0vvnn[.]io`, and shortly thereafter, a malicious service was installed on the researcher\u2019s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server. **At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions.** As of Jan. 26, 2021, Google was unable to confirm the mechanism of compromise.\n\nThe blog the DPRK threat actors used to execute this zero-day drive-by attack was posted on Reddit as long as three months ago. The actors also used a range of social media and communications platforms to interact with targets\u2014including Telegram, Keybase, Twitter, LinkedIn, and Discord. As of Jan. 
26, 2021, many of these profiles have been suspended or deactivated.\n\n## Rapid7 customers\n\nGoogle\u2019s threat intelligence includes information on IOCs, command-and-control domains, actor-controlled social media accounts, and compromised domains used as part of the campaign. Rapid7's MDR team is deploying IOCs and behavior-based detections. These detections will also be available to InsightIDR customers later today. We will update this blog post with further information as it becomes available.\n\n## Defender guidance\n\nTAG noted in their blog post that **they have so far only seen actors targeting Windows systems.** As of the evening of Jan. 25, 2021, researchers across many companies [confirmed on Twitter](<https://twitter.com/richinseattle/status/1353864756109578241>) that they had interacted with the DPRK actors and/or visited the malicious blog. Organizations that believe their researchers or other employees may have been targeted should conduct internal investigations to determine whether indicators of compromise are present on their networks.\n\nAt a minimum, responders should:\n\n * Ensure members of all security teams are aware of this campaign and encourage individuals to report if they believe they were targeted by these actors.\n * Search web traffic, firewall, and DNS logs for evidence of contacts to the domains and URLs provided by Google in their post.\n * According to [Rapid7 Labs\u2019 forward DNS archive](<https://opendata.rapid7.com>), the `br0vvnn[.]io` apex domain has had two discovered fully qualified domain names (FQDNs)\u2014`api[.]br0vvnn[.]io` and `blog[.]br0vvnn[.]io`\u2014over the past four months with IP addresses `192[.]169[.]6[.]31` and `192[.]52[.]167[.]169`, respectively. 
Contacts to those IPs should also be investigated in historical access records.\n * Check for evidence of the provided hashes on all systems, starting with those operated and accessed by members of security teams.\n\nMoving forward, organizations and individuals should heed Google\u2019s advice that _\u201cif you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research.\u201d_\n\n## Updates\n\n2021-02-05 \u2022 As Rapid7 is a cybersecurity vendor with many security researchers on staff, we began an internal investigation immediately after this campaign was disclosed to determine if there was any impact to us or our researchers. We have completed our investigation and have found no evidence of compromise. If or when new information arises, we will perform additional investigations and provide further updates at that time.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "modified": "2021-01-26T15:01:33", "published": "2021-01-26T15:01:33", "id": "RAPID7BLOG:BE902C7628D3F969596F8BE1DD0207C1", "href": "https://blog.rapid7.com/2021/01/26/state-sponsored-threat-actors-target-security-researchers/", "type": "rapid7blog", "title": "State-Sponsored Threat Actors Target Security Researchers", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-15T00:48:37", "bulletinFamily": "info", "cvelist": ["CVE-2020-26870", "CVE-2021-1636", "CVE-2021-1637", "CVE-2021-1638", "CVE-2021-1641", "CVE-2021-1642", "CVE-2021-1643", "CVE-2021-1644", "CVE-2021-1645", "CVE-2021-1646", "CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1649", "CVE-2021-1650", "CVE-2021-1651", "CVE-2021-1652", "CVE-2021-1653", "CVE-2021-1654", "CVE-2021-1655", "CVE-2021-1656", "CVE-2021-1657", 
"CVE-2021-1658", "CVE-2021-1659", "CVE-2021-1660", "CVE-2021-1661", "CVE-2021-1662", "CVE-2021-1663", "CVE-2021-1664", "CVE-2021-1665", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1668", "CVE-2021-1669", "CVE-2021-1670", "CVE-2021-1671", "CVE-2021-1672", "CVE-2021-1673", "CVE-2021-1674", "CVE-2021-1676", "CVE-2021-1677", "CVE-2021-1678", "CVE-2021-1679", "CVE-2021-1680", "CVE-2021-1681", "CVE-2021-1682", "CVE-2021-1683", "CVE-2021-1684", "CVE-2021-1685", "CVE-2021-1686", "CVE-2021-1687", "CVE-2021-1688", "CVE-2021-1689", "CVE-2021-1690", "CVE-2021-1691", "CVE-2021-1692", "CVE-2021-1693", "CVE-2021-1694", "CVE-2021-1695", "CVE-2021-1696", "CVE-2021-1697", "CVE-2021-1699", "CVE-2021-1700", "CVE-2021-1701", "CVE-2021-1702", "CVE-2021-1703", "CVE-2021-1704", "CVE-2021-1705", "CVE-2021-1706", "CVE-2021-1707", "CVE-2021-1708", "CVE-2021-1709", "CVE-2021-1710", "CVE-2021-1711", "CVE-2021-1712", "CVE-2021-1713", "CVE-2021-1714", "CVE-2021-1715", "CVE-2021-1716", "CVE-2021-1717", "CVE-2021-1718", "CVE-2021-1719", "CVE-2021-1723", "CVE-2021-1725"], "description": "\n\nWe arrive at the first Patch Tuesday of 2021 ([2021-Jan](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jan>)) with 83 vulnerabilities across our standard spread of products. 
Windows Operating System vulnerabilities dominated this month's advisories, followed by Microsoft Office (which includes the SharePoint family of products), with a few from less frequently patched products such as Microsoft System Center and Microsoft SQL Server.\n\n### Vulnerability Breakdown by Software Family\n\nFamily | Vulnerability Count \n---|--- \nWindows | 65 \nESU | 35 \nMicrosoft Office | 11 \nDeveloper Tools | 5 \nSQL Server | 1 \nApps | 1 \nSystem Center | 1 \nAzure | 1 \nBrowser | 1 \n \n(Families overlap, so the column does not sum to the 83 total.)\n\n### [Microsoft Defender Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>) (CVE-2021-1647)\n\nCVE-2021-1647 is a CVSS 7.8, actively exploited remote code execution vulnerability in the Microsoft Malware Protection Engine (mpengine.dll), affecting engine versions from 1.1.17600.5 up to, but not including, 1.1.17700.4, which is the first fixed build. \n\nBy default, Microsoft's affected antimalware products keep the Malware Protection Engine up to date automatically, outside the monthly Patch Tuesday cycle. In practice this means no further action is needed unless a non-standard configuration is in use: hosts that cannot reach their update source must have the engine update applied manually, and the installed engine version should be verified rather than assumed. \n\nThis vulnerability affects Windows Defender and the supported Endpoint Protection components of the System Center family of products (2012, 2012 R2, and the namesake Microsoft System Center Endpoint Protection).\n\n### Patching Windows Operating Systems Next\n\nAnother confirmation of the standard advice to prioritize Operating System patches whenever possible is that 11 of the 13 top CVSS-scoring (CVSSv3 8.8) vulnerabilities addressed in this month's Patch Tuesday would be covered by those patches alone. As an interesting observation, the Windows Remote Procedure Call Runtime component appears to have been given extra scrutiny this month. 
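
Before moving on to the operating system patches, here is a version check for the Defender engine discussed above. It is an added example written for this page, not code from Rapid7, Microsoft or ZDI. It assumes the Defender PowerShell module (`Get-MpComputerStatus`, whose `AMEngineVersion` field carries the mpengine.dll build, and `Update-MpSignature`), WinRM for any remote hosts, and the version boundaries quoted on this page: 1.1.17600.5 as the first vulnerable engine and 1.1.17700.4 as the first fixed one. The function names `Test-MpEngineVulnerable` and `Get-MpEngineReport` are the example's own.

```powershell
# Added example for this page (not code from Rapid7, Microsoft or ZDI).
# Checks whether the Microsoft Malware Protection Engine on one or more hosts is
# in the range affected by CVE-2021-1647 and refreshes the engine where it is.
# Assumptions: the Defender PowerShell module is present (Get-MpComputerStatus,
# Update-MpSignature; built-in Windows Defender on Windows 10 / Server 2016+),
# and WinRM is enabled for any remote hosts. Hosts running System Center
# Endpoint Protection instead of built-in Defender are not covered.
# Version boundaries as stated in the advisory quoted on this page:
# first vulnerable engine 1.1.17600.5, first fixed engine 1.1.17700.4.

$FirstVulnerable = [version]'1.1.17600.5'
$FirstFixed      = [version]'1.1.17700.4'

function Test-MpEngineVulnerable {
    # True when the engine is in [FirstVulnerable, FirstFixed).
    # [version] compares component by component, so 1.1.17700.4 sorts after
    # 1.1.17699.9; a plain string comparison would not.
    param([Parameter(Mandatory)][version]$EngineVersion)
    return ($EngineVersion -ge $FirstVulnerable) -and ($EngineVersion -lt $FirstFixed)
}

function Get-MpEngineReport {
    # One object per host: engine build, vulnerable flag, and signature age
    # (a large signature age is the usual sign of a host that is not reaching
    # its update source, i.e. the offline case where the engine never updated).
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($name in $ComputerName) {
        try {
            $status = if ($name -eq $env:COMPUTERNAME) {
                Get-MpComputerStatus -ErrorAction Stop
            } else {
                Invoke-Command -ComputerName $name -ScriptBlock { Get-MpComputerStatus } -ErrorAction Stop
            }
            # AMEngineVersion is a string such as "1.1.17700.4"; the cast fails
            # (and lands in the catch block) when Defender is not the active AV.
            $engine = [version]$status.AMEngineVersion
            [pscustomobject]@{
                ComputerName  = $name
                EngineVersion = $engine
                Vulnerable    = Test-MpEngineVulnerable -EngineVersion $engine
                SignatureAge  = $status.AntivirusSignatureAge
                RealTimeOn    = $status.RealTimeProtectionEnabled
                Error         = $null
            }
        } catch {
            [pscustomobject]@{
                ComputerName  = $name
                EngineVersion = $null
                Vulnerable    = $null
                SignatureAge  = $null
                RealTimeOn    = $null
                Error         = $_.Exception.Message
            }
        }
    }
}

# Usage: report on the local host (pass -ComputerName for a list of servers),
# then force an engine and definition refresh where the engine is still in range.
# Update-MpSignature pulls from the configured source (Microsoft Update, WSUS or
# a file share); a host that can reach none of them needs the engine package
# staged by hand, which is the manual step for disconnected systems.
$report = Get-MpEngineReport
$report | Format-Table -AutoSize

foreach ($row in $report | Where-Object { $_.Vulnerable -eq $true }) {
    Write-Warning "$($row.ComputerName): engine $($row.EngineVersion) is in the CVE-2021-1647 range"
    if ($row.ComputerName -eq $env:COMPUTERNAME) {
        Update-MpSignature
    }
}
```

Run it from an elevated session so that `Update-MpSignature` can apply the refresh. A row whose engine is still in range and whose signature age is large is the case to chase first: the engine never auto-updated because the host could not reach its update source. System Center Endpoint Protection clients are outside this script; check their engine build through their own client or management console.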
The RPC Runtime component accounts for 9 of the 13 top CVSS-scoring vulnerabilities and for half of the 10 Critical Remote Code Execution vulnerabilities being addressed.\n\n### More Work to be Done\n\nLastly, two smaller notes. This Patch Tuesday includes a SQL Server fix, a family that rarely appears in the monthly cycle, and, arguably more notable, it is a reminder that [Adobe Flash has officially reached end-of-life](<https://docs.microsoft.com/en-us/lifecycle/announcements/adobe-flash-end-of-support>) and is being actively removed from browsers via Windows Update.\n\n## Summary Tables\n\nHere are this month's patched vulnerabilities split by product family.\n\n## Azure Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1677](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1677>) | Azure Active Directory Pod Identity Spoofing Vulnerability | No | No | 5.5 | Yes \n \n## Browser Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1705](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1705>) | Microsoft Edge (HTML-based) Memory Corruption Vulnerability | No | No | 4.2 | No \n \n## Developer Tools Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? 
\n---|---|---|---|---|--- \n[CVE-2020-26870](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26870>) | Visual Studio Remote Code Execution Vulnerability | No | No | 7 | Yes \n[CVE-2021-1725](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1725>) | Bot Framework SDK Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1723](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1723>) | ASP.NET Core and Visual Studio Denial of Service Vulnerability | No | No | 7.5 | No \n \n## Developer Tools Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1651](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1651>) | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1680](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1680>) | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | No | No | 7.8 | No \n \n## Microsoft Office Vulnerabilities\n\nCVE | title | Exploited | Disclosed | CVSS3 | FAQ? 
\n---|---|---|---|---|--- \n[CVE-2021-1715](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1715>) | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1716](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1716>) | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1641](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1641>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 4.6 | No \n[CVE-2021-1717](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1717>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 4.6 | No \n[CVE-2021-1718](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1718>) | Microsoft SharePoint Server Tampering Vulnerability | No | No | 8 | No \n[CVE-2021-1707](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1707>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-1712](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1712>) | Microsoft SharePoint Elevation of Privilege Vulnerability | No | No | 8 | No \n[CVE-2021-1719](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1719>) | Microsoft SharePoint Elevation of Privilege Vulnerability | No | No | 8 | No \n[CVE-2021-1711](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1711>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1713](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1713>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1714](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1714>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## SQL Server 
Vulnerabilities\n\nCVE | title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1636](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1636>) | Microsoft SQL Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n \n## System Center Vulnerabilities\n\nCVE | title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1647](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1647>) | Microsoft Defender Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes \n \n## Windows Vulnerabilities\n\nCVE | title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1681](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1681>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1686](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1686>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1687](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1687>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1690](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1690>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1646](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1646>) | Windows WLAN Service Elevation of Privilege Vulnerability | No | No | 6.6 | No \n[CVE-2021-1650](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1650>) | Windows Runtime C++ Template Library Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1663](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1663>) | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | No | 
No | 5.5 | Yes \n[CVE-2021-1670](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1670>) | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1672](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1672>) | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1689](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1689>) | Windows Multipoint Management Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1682](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1682>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-1697](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1697>) | Windows InstallService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1662](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1662>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1703](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1703>) | Windows Event Logging Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1645](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1645>) | Windows Docker Information Disclosure Vulnerability | No | No | 5 | Yes \n[CVE-2021-1637](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1637>) | Windows DNS Query Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1638](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1638>) | Windows Bluetooth Security Feature Bypass Vulnerability | No | No | 7.7 | No 
\n[CVE-2021-1683](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1683>) | Windows Bluetooth Security Feature Bypass Vulnerability | No | No | 5 | No \n[CVE-2021-1684](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1684>) | Windows Bluetooth Security Feature Bypass Vulnerability | No | No | 5 | No \n[CVE-2021-1642](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1642>) | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1685](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1685>) | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | No | No | 7.3 | No \n[CVE-2021-1648](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1648>) | Microsoft splwow64 Elevation of Privilege Vulnerability | No | Yes | 7.8 | Yes \n[CVE-2021-1710](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1710>) | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-1691](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1691>) | Hyper-V Denial of Service Vulnerability | No | No | 7.7 | No \n[CVE-2021-1692](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1692>) | Hyper-V Denial of Service Vulnerability | No | No | 7.7 | No \n[CVE-2021-1643](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1643>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1644](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1644>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## Windows Apps Vulnerabilities\n\nCVE | title | Exploited | Disclosed | CVSS3 | FAQ? 
\n---|---|---|---|---|--- \n[CVE-2021-1669](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1669>) | Windows Remote Desktop Security Feature Bypass Vulnerability | No | No | 8.8 | Yes \n \n## Windows ESU Vulnerabilities\n\nCVE | title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1709](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1709>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-1694](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1694>) | Windows Update Stack Elevation of Privilege Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-1702](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1702>) | Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1674](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1674>) | Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability | No | No | 8.8 | No \n[CVE-2021-1695](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1695>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1676](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1676>) | Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1706](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1706>) | Windows LUAFV Elevation of Privilege Vulnerability | No | No | 7.3 | No \n[CVE-2021-1661](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1661>) | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1704](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1704>) | Windows Hyper-V Elevation of Privilege Vulnerability | 
No | No | 7.3 | No \n[CVE-2021-1696](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1696>) | Windows Graphics Component Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1708>) | Windows GDI+ Information Disclosure Vulnerability | No | No | 5.7 | Yes \n[CVE-2021-1657](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1657>) | Windows Fax Compose Form Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-1679](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1679>) | Windows CryptoAPI Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2021-1652](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1652>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1653](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1653>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1654](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1654>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1655](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1655>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1659](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1659>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1688>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1693](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1693>) | Windows CSC Service Elevation of Privilege Vulnerability 
| No | No | 7.8 | No \n[CVE-2021-1699](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1699>) | Windows (modem.sys) Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1656](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1656>) | TPM Device Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1658](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1658>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1660](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1660>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1666](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1666>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1667](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1667>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1673](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1673>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1664](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1664>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1671](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1671>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1700](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1700>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No 
\n[CVE-2021-1701](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1701>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1678](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1678>) | NTLM Security Feature Bypass Vulnerability | No | No | 4.3 | No \n[CVE-2021-1668](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1668>) | Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-1665](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1665>) | GDI+ Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-1649](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1649>) | Active Template Library Elevation of Privilege Vulnerability | No | No | 7.8 | No \n \n## Summary Graphs\n\n\n\n________Note: Graph data is reflective of data presented by Microsoft's CVRF at the time of writing.________", "modified": "2021-01-12T23:59:00", "published": "2021-01-12T23:59:00", "id": "RAPID7BLOG:A8AF62CC15B38126207722D29F080EE3", "href": "https://blog.rapid7.com/2021/01/12/patch-tuesday-january-2021/", "type": "rapid7blog", "title": "Patch Tuesday - January 2021", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-01-26T16:35:34", "bulletinFamily": "info", "cvelist": ["CVE-2021-1647"], "description": "Hackers linked to [North Korea](<https://threatpost.com/north-korea-spy-reporters-feds-warn/160622/>) are targeting security researchers with an elaborate social-engineering campaign that sets up trusted relationships with them \u2014 and then infects their organizations\u2019 systems with custom backdoor malware.\n\nThat\u2019s according to [Google\u2019s Threat Analysis Group (TAG),](<https://twitter.com/ShaneHuntley/status/1353856344655204352>) which issued a warning late Monday about a campaign 
it has tracked over the last several months that uses various means to interact with and attack professionals working on vulnerability research and development at multiple organizations.\n\nThe effort includes attackers going so far as to set up their own research blog, multiple Twitter profiles and other social-media accounts in order to look like legitimate security researchers themselves, according to a [blog post](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>) by TAG\u2019s Adam Weidermann. Hackers first establish communications with researchers in a way that looks like they are credibly working on similar projects, then they ask them to collaborate, and eventually infect victims\u2019 machines.\n\nThe infections are propagated either through a malicious backdoor in a Visual Studio Project or via an infected website, he wrote. Moreover, those infected were running fully patched and up-to-date Windows 10 and Chrome browser versions \u2014 a signal that hackers likely are using zero-day vulnerabilities in the campaign, the researcher concluded.\n\nTAG attributed the threat actors to \u201ca government-backed entity based in North Korea.\u201d\n\n\u201cThey\u2019ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits, and for amplifying and retweeting posts from other accounts that they control,\u201d according to the post. 
\u201cTheir blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including \u2018guest\u2019 posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.\u201d\n\nIn addition to Twitter, threat actors also used other platforms, including LinkedIn, Telegram, [Discord](<https://threatpost.com/discord-stealing-malware-npm-packages/163265/>), Keybase and email to communicate with potential targets, Weidermann said. So far it seems that only security researchers working on Windows machines have been targeted.\n\n## **Making Connections**\n\nAttackers initiate contact by asking a researcher if he or she wants to collaborate on vulnerability research. Threat actors appear credible because they have already posted videos of exploits they\u2019ve worked on, including faking the success of a working exploit for an existing and recently patched [Windows Defender vulnerability](<https://threatpost.com/critical-microsoft-defender-bug-exploited/162992/>), [CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>), on YouTube.\n\nThe vulnerability received notoriety as one that has been exploited for the past three months and leveraged by hackers as part of the massive [SolarWinds attack](<https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/>).\n\n\u201cIn the video, they purported to show a successful working exploit that spawns a cmd.exe shell, but a careful review of the video shows the exploit is fake,\u201d Weidermann explained.\n\nIf an unsuspecting targeted researcher agrees to collaborate, attackers then provide the researcher with a Visual Studio Project infected with malicious code. 
Several targets [took to Twitter](<https://twitter.com/search?q=blog.br0vvnn.io&src=typed_query>) to describe their experiences.\n\n> I got targeted by Zhang Guo and sent me the blog post link hxxps://blog.br0vvnn[.]io/pages/blogpost.aspx?id=1&q=1 <https://t.co/QR5rUYDHrh>\n> \n> \u2014 lockedbyte (@lockedbyte) [January 26, 2021](<https://twitter.com/lockedbyte/status/1353995532180615174?ref_src=twsrc%5Etfw>)\n\n\u201cWithin the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events,\u201d Weidermann wrote. \u201cThe DLL is custom malware that would immediately begin communicating with actor-controlled command-and-control (C2) domains.\u201d\n\nVictims also can be infected by following a Twitter link hosted on blog.br0vvnn[.]io to visit a threat actor\u2019s blog, according to TAG. Accessing the link installs a malicious service on the researcher\u2019s system that executes an in-memory backdoor that establishes a connection to an actor-owned C2 server, researchers discovered.\n\nThe TAG team so far could not confirm the mechanism of compromise, asking for help from the greater security community to identify and submit information through the [Chrome Vulnerability Reward Program](<https://www.google.com/about/appsecurity/chrome-rewards/>).\n\nResearchers also did not specifically say what the likely motive was for the attacks; however, presumably the threat actors aim to uncover and steal vulnerabilities to use in North Korean advanced persistent threat (APT) campaigns.\n\nWeidermann\u2019s post includes a list of known accounts being used in the campaign, and he advised researchers who may have communicated with any of the accounts or visited related sites to review their systems for compromise.\n\n\u201cWe hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when 
engaging with individuals they have not previously interacted with,\u201d Weidermann wrote.\n", "modified": "2021-01-26T14:49:03", "published": "2021-01-26T14:49:03", "id": "THREATPOST:FF67AF009F2F0031599099334F6CC306", "href": "https://threatpost.com/north-korea-security-researchers-0-day/163333/", "type": "threatpost", "title": "North Korea Targets Security Researchers in Elaborate 0-Day Campaign", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-13T05:41:44", "bulletinFamily": "info", "cvelist": ["CVE-2020-1643", "CVE-2020-1668", "CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1658", "CVE-2021-1660", "CVE-2021-1665", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1673", "CVE-2021-1705"], "description": "Microsoft addressed 10 critical bugs, one under active exploit and another publicly known, in its [January Patch Tuesday roundup of fixes](<https://msrc.microsoft.com/update-guide>). In total it patched 83 vulnerabilities.\n\nThe most serious bug is a flaw in Microsoft\u2019s Defender anti-malware software that allows remote attackers to infect targeted systems with executable code. 
Security experts are warning that Windows users whose machines have not connected to the internet recently, and so have not received the automatic engine update, should patch now.\n\n\u201cThis bug in the Microsoft Malware Protection Engine may already be patched on your system as the engine auto-updates as needed. However, if your systems are not connected to the internet, you\u2019ll need to manually apply the patch,\u201d wrote Dustin Childs, Trend Micro\u2019s Zero Day Initiative (ZDI) security manager. \n\nResearchers believe the vulnerability, [tracked as CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>), has been exploited for the past three months and was leveraged by hackers as part of the massive [SolarWinds attack](<https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/>). Last month, Microsoft said state-sponsored hackers had compromised its internal network and leveraged additional Microsoft products to conduct further attacks.\n\nAffected versions of the Microsoft Malware Protection Engine range from 1.1.17600.5 up to the fixed build 1.1.17700.4, running on Windows 10, Windows 7 and Windows Server, version 2004, [according to](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>) the security bulletin.\n\n## **Publicly Known Bug Fixed Twice **\n\nMicrosoft patched a second vulnerability, publicly disclosed before a complete fix was available, tracked as [CVE-2021-1648](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1648>). The flaw is classified as an elevation-of-privilege bug and impacts the Windows [print driver process SPLWOW64.exe](<https://goliathtechnologies.com/troubleshoot-resolve-citrix-splwow64-exe-issues-p>).\n\nThe bug was first discovered by Google and patched, but ZDI believes that patch was insufficient and opened the door to further attacks. 
Childs said that ZDI then rediscovered the flaw, which Microsoft patched again on Tuesday.\n\n\u201cThe previous patch introduced a function to check an input string pointer, but in doing so, it introduced an Out-of-Bounds (OOB) Read condition. Additional bugs are also covered by this patch, including an untrusted pointer deref,\u201d Childs wrote in a prepared [Patch Tuesday analysis](<https://www.zerodayinitiative.com/blog/2021/1/12/the-january-2021-security-update-review>).\n\n## **Additional Critical Bugs **\n\nThe remaining bugs rated critical were also part of Microsoft\u2019s Tuesday fixes.\n\nThese included a remote code-execution bug in Microsoft\u2019s Edge web browser. The vulnerability (CVE-2021-1705) is a memory-corruption flaw tied to the way the browser improperly accesses objects in memory.\n\n\u201cSuccessful exploitation of the vulnerability could enable an attacker to gain the same privileges as the current user,\u201d wrote Justin Knapp, senior product marketing manager with Automox, in prepared analysis. \u201cIf the current user is logged on with admin rights, an attacker could take control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website.\u201d\n\nAdditional critical bugs were tied to the Windows Graphics Device Interface (GDI+, CVE-2021-1665), HEVC Video Extensions (CVE-2021-1643) and the Microsoft DTV-DVD Video Decoder (CVE-2021-1668).\n\nFive January Patch Tuesday flaws (CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667 and CVE-2021-1673) were each Remote Procedure Call Runtime bugs. As the names suggest, the vulnerabilities exist in the Windows Remote Procedure Call Runtime. 
If exploited, an attacker could gain elevation of privileges, run a specially crafted application and take complete control of the targeted system.\n\n\u201cWith the SolarWinds breach still fresh from December and the scope of impact growing by the day, there\u2019s a reaffirmed urgency for organizations to implement best practices for even the most basic security habits,\u201d Knapp wrote. \u201cWhether it\u2019s patching zero-day vulnerabilities within a 24-hour window or implementing strong password protocols, the need for security diligence has never been more evident.\u201d\n", "modified": "2021-01-12T21:45:23", "published": "2021-01-12T21:45:23", "id": "THREATPOST:B879E243998561911585BBD37B7F33E9", "href": "https://threatpost.com/critical-microsoft-defender-bug-exploited/162992/", "type": "threatpost", "title": "Critical Microsoft Defender Bug Actively Exploited; Patch Tuesday Offers 83 Fixes", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:P"}}], "cisa": [{"lastseen": "2021-02-24T18:06:37", "bulletinFamily": "info", "cvelist": ["CVE-2021-1647"], "description": "Microsoft has released a security advisory to address a remote code execution vulnerability, [CVE-2021-1647](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1647>), in Microsoft Defender. A remote attacker can exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.\n\nCISA encourages users and administrators to review the Microsoft advisory for CVE-2021-1647 and apply the necessary updates. \n", "modified": "2021-01-14T00:00:00", "published": "2021-01-14T00:00:00", "id": "CISA:F7C7CFE30EB8A6B7C1DCDEA50F649F74", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/01/14/rce-vulnerability-affecting-microsoft-defender", "type": "cisa", "title": "RCE Vulnerability Affecting Microsoft Defender ", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2021-01-29T10:26:41", "bulletinFamily": "info", "cvelist": ["CVE-2021-1647"], "description": 
"Google on Monday disclosed details about an ongoing campaign carried out by a government-backed threat actor from North Korea that has targeted security researchers working on vulnerability research and development.\n\nThe internet giant's Threat Analysis Group (TAG) said the adversary created a research blog and multiple profiles on social media platforms such as Twitter, LinkedIn, Telegram, Discord and Keybase in a bid to communicate with the researchers and build trust.\n\nThe goal, it appears, is to steal exploits developed by the researchers for possibly undisclosed vulnerabilities, thereby allowing them to stage further attacks on vulnerable targets of their choice.\n\n\"Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including 'guest' posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers,\" [said](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>) TAG researcher Adam Weidemann.\n\nThe attackers created as many as 10 fake Twitter personas and five LinkedIn profiles, which they used to engage with the researchers, share videos of exploits, retweet other attacker-controlled accounts, and share links to their purported research blog.\n\nIn one instance, the actor used Twitter to share a YouTube video of what it claimed to be an exploit for a recently patched Windows Defender flaw ([CVE-2021-1647](<https://thehackernews.com/2021/01/microsoft-issues-patches-for-defender.html>)), when in reality, the exploit turned out to be 
fake.\n\nThe North Korean hackers are also said to have used a \"novel social engineering method\" to hit security researchers: asking them if they would like to collaborate on vulnerability research and then providing the targeted individual with a Visual Studio project.\n\nThis Visual Studio project, besides containing the source code for exploiting the vulnerability, included custom malware that establishes communication with a remote command-and-control (C2) server to execute arbitrary commands on the compromised system.\n\nKaspersky researcher Costin Raiu, in a [tweet](<https://twitter.com/craiu/status/1353964086455902208>), noted the malware delivered via the project shared code-level similarities with [Manuscrypt](<https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer>) (aka FALLCHILL or Volgmer), a previously known Windows backdoor deployed by the Lazarus Group.\n\nWhat's more, TAG said it observed several cases where researchers were infected after visiting the research blog, following which a malicious service was installed on the machine and an in-memory backdoor began beaconing to a C2 server.\n\nWith the victim systems running fully patched and up-to-date versions of Windows 10 and the Chrome web browser, the exact mechanism of compromise remains unknown. 
It is suspected that the threat actor leveraged zero-day vulnerabilities in Windows 10 and Chrome to deploy the malware.\n\n\"If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research,\" Weidemann said.\n\n### UPDATE (28 Jan, 2021): Microsoft releases more information on this campaign\n\nIn a separate analysis, Microsoft corroborated the findings, attributing the attacks to a threat actor it calls ZINC, also known as Lazarus Group or Hidden Cobra.\n\nThe Windows maker said the campaign took root in mid-2020 when the adversary \"started building a reputation in the security research community on Twitter by retweeting high quality security content and posting about exploit research from an actor-controlled blog.\"\n\nMicrosoft's analysis of the malicious DLL (dubbed \"Comebacker\") also revealed the group's attempts to evade detection by static indicators of compromise (IoCs), frequently changing file names, file paths, and exported functions. \"We were first alerted to the attack when Microsoft Defender for Endpoint detected the Comebacker DLL attempting to perform process privilege escalation,\" the company [said](<https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/>).\n\nThat's not all. With some researchers infected simply by visiting the website on fully patched systems running Windows 10 and the Chrome browser, the company suspects a Chrome exploit chain leveraging zero-day or patch-gap exploits was hosted on the blog, leading to the compromise.\n\n\"A blog post titled _DOS2RCE: A New Technique To Exploit V8 NULL Pointer Dereference Bug_, was shared by the actor on October 14, 2020 from Twitter,\" the researchers said. 
"From October 19-21, 2020, some researchers, who hadn't been contacted or sent any files by ZINC profiles, clicked the links while using the Chrome browser, resulting in known ZINC malware on their machines soon after.\"\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-01-29T09:15:54", "published": "2021-01-26T05:10:00", "id": "THN:970890B8E519A3BC5427798160F5F09C", "href": "https://thehackernews.com/2021/01/n-korean-hackers-targeting-security.html", "type": "thn", "title": "N. Korean Hackers Targeting Security Experts to Steal Undisclosed Researches", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-13T06:30:13", "bulletinFamily": "info", "cvelist": ["CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1674", "CVE-2021-1705"], "description": "For the first Patch Tuesday of 2021, Microsoft released [security updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jan>) addressing a total of 83 flaws spanning as many as 11 products and services, including an actively exploited zero-day vulnerability.\n\nThe latest security patches cover Microsoft Windows, the Edge browser, ChakraCore, Office and Microsoft Office Services and Web Apps, Visual Studio, Microsoft Malware Protection Engine, .NET Core, ASP.NET, and Azure. 
Of these 83 bugs, 10 are listed as Critical and 73 as Important in severity.\n\nThe most severe of the issues is a remote code execution (RCE) flaw in Microsoft Defender ([CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>)) that could allow attackers to infect targeted systems with arbitrary code.\n\nMicrosoft Malware Protection Engine (mpengine.dll) provides the scanning, detection, and cleaning capabilities for Microsoft Defender antivirus and antispyware software. The last version of the engine affected by the flaw is 1.1.17600.5; the flaw was addressed in version 1.1.17700.4.\n\nThe bug is also known to have been actively exploited in the wild, although details are scarce on how widespread the attacks are or how it is being exploited. It is also a zero-click flaw, in that the vulnerable system can be exploited without any interaction from the user.\n\nMicrosoft said that despite active exploitation, the technique is not functional in all situations and that the exploit is still considered to be at a proof-of-concept level, with substantial modifications required for it to work effectively.\n\nWhat's more, the flaw may already be resolved as part of automatic updates to the Malware Protection Engine \u2014 which Microsoft typically releases once a month or as required to safeguard against newly discovered threats \u2014 unless the systems are not connected to the Internet.\n\n\"For organizations that are configured for automatic updating, no actions should be required, but one of the first actions a threat actor or malware will try to attempt is to disrupt threat protection on a system so definition and engine updates are blocked,\" said Chris Goettl, senior director of product management and security at Ivanti.\n\nTuesday's patch also rectifies a privilege escalation flaw ([CVE-2021-1648](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1648>)) introduced by a previous patch in the GDI 
Print / Print Spooler API (\"splwow64.exe\") that was [disclosed by Google Project Zero](<https://thehackernews.com/2020/12/google-discloses-poorly-patched-now.html>) last month after Microsoft failed to rectify it within 90 days of responsible disclosure on September 24.\n\nOther vulnerabilities fixed by Microsoft include a memory corruption flaw in the Microsoft Edge browser ([CVE-2021-1705](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1705>)), a Windows Remote Desktop Protocol Core Security Feature Bypass flaw ([CVE-2021-1674](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1674>), CVSS score 8.8), and five critical RCE flaws in the Remote Procedure Call Runtime.\n\nTo install the latest security updates, Windows users can go to Start > Settings > Update & Security > Windows Update and select Check for updates.\n", "modified": "2021-01-13T05:01:20", "published": "2021-01-13T05:01:00", "id": "THN:9CF96D7230D0DBA395C1DEDA718226AD", "href": "https://thehackernews.com/2021/01/microsoft-issues-patches-for-defender.html", "type": "thn", "title": "Microsoft Issues Patches for Defender Zero-Day and 82 Other Windows Flaws", "cvss": {"score": 0.0, "vector": "NONE"}}], "mscve": [{"lastseen": "2021-01-16T03:31:04", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-1647"], "description": "\n", "edition": 4, "modified": "2021-01-15T08:00:00", "id": "MS:CVE-2021-1647", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1647", "published": "2021-01-15T08:00:00", "title": "Microsoft Defender Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], 
"qualysblog": [{"lastseen": "2021-01-15T00:26:33", "bulletinFamily": "blog", "cvelist": ["CVE-2020-17087", "CVE-2021-1647", "CVE-2021-1648"], "description": "This month\u2019s Microsoft Patch Tuesday addresses 83 vulnerabilities. The 10 Critical vulnerabilities cover Windows codecs, Office, HEVC video extensions, RPC runtime, and several other workstation vulnerabilities. Adobe released patches today for Photoshop, Campaign Classic, InCopy, Illustrator, Captivate, Bridge and Animate.\n\n### Workstation Patches\n\nOffice and Edge vulnerabilities should be prioritized for workstation-type devices, meaning any system that is used to access email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.\n\n### Microsoft Defender RCE Zero Day\n\nMicrosoft patches Defender Remote Code Execution vulnerability ([CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>)) in today's patch release for Microsoft Malware Protection Engine. Microsoft stated that this vulnerability was exploited before the patches were made available. This patch should be prioritized.\n\n### splwow64 Elevation of Privilege\n\nWhile Microsoft labeled this issue ([CVE-2021-1648](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1648>)) as an elevation-of-privilege vulnerability, it can also be exploited to disclose information, specifically uninitialized memory. 
Microsoft stated the vulnerability has not been exploited in the wild, although details are available publicly.\n\n### Windows Kernel Local Elevation of Privilege\n\nMicrosoft updated [CVE-2020-17087](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17087>) for Windows Server 2012 in today's Patch Tuesday, and users are recommended to apply today's patches for Windows Server 2012.\n\nWe appreciate Microsoft's acknowledgement of our co-ordinated disclosure of the underlying regression in the Windows Server 2012 version of this security update.\n\n### Adobe\n\nAdobe issued patches today covering multiple vulnerabilities in [Adobe Photoshop](<https://helpx.adobe.com/security/products/photoshop/apsb21-01.html>), [Illustrator](<https://helpx.adobe.com/security/products/photoshop/apsb21-02.html>), [Animate](<https://helpx.adobe.com/security/products/photoshop/apsb21-03.html>), [Campaign](<https://helpx.adobe.com/security/products/photoshop/apsb21-04.html>), [InCopy,](<https://helpx.adobe.com/security/products/photoshop/apsb21-05.html>) [Captivate](<https://helpx.adobe.com/security/products/photoshop/apsb21-06.html>) and [Bridge](<https://helpx.adobe.com/security/products/photoshop/apsb21-07.html>). 
The patches for Adobe Campaign are labeled as [Priority 2](<https://helpx.adobe.com/security/severity-ratings.html>), while the remaining patches are set to [Priority 3](<https://helpx.adobe.com/security/severity-ratings.html>).\n\nWhile none of the vulnerabilities disclosed in Adobe\u2019s release are known to be actively attacked today, all patches should be prioritized on systems with these products installed.\n\n### About Patch Tuesday\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed shortly after by [PT dashboards](<https://qualys-secure.force.com/discussions/s/article/000006505>).", "modified": "2021-01-12T20:01:43", "published": "2021-01-12T20:01:43", "id": "QUALYSBLOG:84DFCF34CC23A9FDDFBD73DEF70C8C04", "href": "https://blog.qualys.com/category/vulnerabilities-research", "type": "qualysblog", "title": "January 2021 Patch Tuesday \u2013 83 Vulnerabilities, 10 Critical, One Zero Day, Adobe", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2021-01-13T02:27:43", "bulletinFamily": "blog", "cvelist": ["CVE-2018-8514", "CVE-2019-1409", "CVE-2019-1458", "CVE-2020-1660", "CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1660", "CVE-2021-1709"], "description": "**Microsoft** today released updates to plug more than 80 security holes in its **Windows** operating systems and other software, including one that is actively being exploited and another which was disclosed prior to today. 
Ten of the flaws earned Microsoft's most-dire "critical" rating, meaning they could be exploited by malware or miscreants to seize remote control over unpatched systems with little or no interaction from Windows users.\n\nMost concerning of this month's batch is probably a critical bug ([CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>)) in Microsoft's default anti-malware suite -- **Windows Defender** -- that is seeing active exploitation. Microsoft recently stopped providing a great deal of detail in their vulnerability advisories, so it's not entirely clear how this is being exploited.\n\nBut **Kevin Breen**, director of research at **Immersive Labs**, says depending on the vector the flaw could be trivial to exploit.\n\n"It could be as simple as sending a file," he said. "The user doesn't need to interact with anything, as Defender will access it as soon as it is placed on the system."\n\nFortunately, this bug is probably already patched by Microsoft on end-user systems, as the company continuously updates Defender outside of the normal monthly patch cycle.\n\nBreen called attention to another critical vulnerability this month -- [CVE-2021-1660](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1660>) -- which is a remote code execution flaw in nearly every version of Windows that earned a [CVSS score](<https://www.first.org/cvss/>) of 8.8 (10 is the most dangerous).\n\n"They classify this vulnerability as 'low' in complexity, meaning an attack could be easy to reproduce," Breen said. "However, they also note that it\u2019s 'less likely' to be exploited, which seems counterintuitive. Without full context of this vulnerability, we have to rely on Microsoft to make the decision for us."\n\nCVE-2021-1660 is actually just one of five bugs in a core Microsoft service called **Remote Procedure Call** (RPC), which is responsible for a lot of heavy lifting in Windows. 
Some of the more memorable computer worms of the last decade spread automatically by exploiting RPC vulnerabilities.\n\n**Allan Liska**, senior security architect at **Recorded Future**, said while it is concerning that so many vulnerabilities around the same component were released simultaneously, two previous vulnerabilities in RPC -- [CVE-2019-1409](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1409>) and [CVE-2018-8514](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8514>) -- were not widely exploited.\n\nThe remaining 70 or so flaws patched this month earned Microsoft's less-dire "important" ratings, which is not to say they're much less of a security concern. Case in point: [CVE-2021-1709](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1709>), which is an "elevation of privilege" flaw in Windows 8 through 10 and Windows Server 2008 through 2019.\n\n"Unfortunately, this type of vulnerability is often quickly exploited by attackers," Liska said. "For example, [CVE-2019-1458](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1458>) was announced on December 10th of 2019, and by December 19th an attacker was seen selling an exploit for the vulnerability on underground markets. So, while CVE-2021-1709 is only rated as [an information exposure flaw] by Microsoft it should be prioritized for patching."\n\n**Trend Micro's ZDI Initiative** pointed out another flaw marked "important" -- [CVE-2021-1648](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1648>), an elevation of privilege bug in Windows 8, 10 and some Windows Server 2012 and 2019 that was publicly disclosed by ZDI prior to today.\n\n"It was also discovered by Google likely because this patch corrects a bug introduced by a previous patch," ZDI's **Dustin Childs** said. 
"The previous CVE was being exploited in the wild, so it\u2019s within reason to think this CVE will be actively exploited as well.\u201d\n\nSeparately, Adobe released security updates to tackle at least eight vulnerabilities [across a range of products](<https://blogs.adobe.com/psirt/?p=1960>), including **Adobe Photoshop** and **Illustrator**. There are no **Flash Player** updates because Adobe retired the browser plugin in December (hallelujah!), and Microsoft's update cycle from last month removed the program from Microsoft's browsers.\n\nWindows 10 users should be aware that the operating system will download updates and install them all at once on its own schedule, closing out active programs and rebooting the system. If you wish to ensure Windows has been set to pause updating so you have ample opportunity to back up your files and/or system, see [this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nPlease back up your system before applying any of these updates. Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. You never know when a patch roll-up will bork your system or possibly damage important files. For those seeking more flexible and full-featured backup options (including incremental backups), [Acronis](<https://www.acronis.com/en-us/products/true-image/>) and [Macrium](<https://www.macrium.com/>) are two that I've used previously and are worth a look.\n\nThat said, there don't appear to be any major issues cropping up yet with this month's update batch. 
But before you apply updates consider paying a visit to [AskWoody.com](<https://www.askwoody.com/category/microsoft-windows-patches-security/>), which usually has the skinny on any reports about problematic patches.\n\nAs always, if you experience glitches or issues installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.", "modified": "2021-01-13T01:32:20", "published": "2021-01-13T01:32:20", "id": "KREBS:B3F20C0C41C613971FDADBAE93382CDF", "href": "https://krebsonsecurity.com/2021/01/microsoft-patch-tuesday-january-2021-edition/", "type": "krebs", "title": "Microsoft Patch Tuesday, January 2021 Edition", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}
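The engine-version check and the update-tampering caveat raised in the THN, Qualys and Krebs entries above (first fixed engine build 1.1.17700.4, last affected build 1.1.17600.5, and Goettl's point that malware first tries to block definition and engine updates), as an added PowerShell example that is not part of any of the quoted articles: it reads the engine version through the Defender module's Get-MpComputerStatus, compares it to the fixed build, and surfaces the common ways Defender updates get blocked. It assumes a Windows 10 or Windows Server 2016+ host with the Defender PowerShell module, an elevated prompt, and the standard Group Policy registry paths named in the comments; the seven-day signature-age threshold is an arbitrary choice for the example.

```powershell
# Added example (not from any of the articles quoted above). Checks whether the
# Malware Protection Engine on this host is at or past the first build Microsoft
# shipped with the CVE-2021-1647 fix, and surfaces the conditions the articles
# warn about: Defender or its updates having been switched off so the engine
# fix never arrives. Requires the Defender PowerShell module (Windows 10 /
# Windows Server 2016 or later); run from an elevated prompt.

$FixedEngine         = [version]'1.1.17700.4'   # first patched engine version (Microsoft advisory)
$LastVulnerable      = [version]'1.1.17600.5'   # last affected engine version named in the THN article
$MaxSignatureAgeDays = 7                        # arbitrary staleness threshold for this example

$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion

$result = [ordered]@{
    EngineVersion      = $engine.ToString()
    EnginePatched      = ($engine -ge $FixedEngine)
    SignatureVersion   = $status.AntivirusSignatureVersion
    SignatureAgeDays   = [int]((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalDays
    AntivirusEnabled   = $status.AntivirusEnabled
    RealTimeProtection = $status.RealTimeProtectionEnabled
}

# Group Policy keys that turn Defender off or stop real-time monitoring. They are
# normally absent; a value of 1 means someone (admin or attacker) set them.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$result.PolicyDisableAntiSpyware = (Get-ItemProperty -Path $policyRoot -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
$result.PolicyDisableRealtime    = (Get-ItemProperty -Path "$policyRoot\Real-Time Protection" -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue).DisableRealtimeMonitoring

# Engine and definition updates arrive through Windows Update; a disabled service blocks them.
$result.WindowsUpdateStartType = (Get-Service -Name wuauserv).StartType

[pscustomobject]$result | Format-List

if (-not $result.EnginePatched) {
    Write-Warning "Engine $engine is older than $FixedEngine (last known vulnerable build: $LastVulnerable). Forcing an update."
    try {
        Update-MpSignature -ErrorAction Stop
        $after = [version](Get-MpComputerStatus).AMEngineVersion
        if ($after -ge $FixedEngine) { Write-Host "Engine now $after; CVE-2021-1647 fix present." }
        else { Write-Warning "Engine still $after; check connectivity, WSUS/MECM approvals and the policy values above." }
    } catch {
        Write-Warning "Update-MpSignature failed: $($_.Exception.Message)"
    }
}
if ($result.SignatureAgeDays -gt $MaxSignatureAgeDays) {
    Write-Warning "Definitions are $($result.SignatureAgeDays) days old; update delivery may be blocked."
}
```

A patched engine with stale definitions, a disabled wuauserv, or a policy value of 1 under the Windows Defender key is the combination worth investigating rather than fixing in place: the articles note that disrupting protection and blocking updates is one of the first things an intruder does, so treat those findings as a potential tampering indicator and check the host's event logs before simply re-enabling updates.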