Last Week’s Security news: PrintNightmare patches and Metasploit, Kaseya CVEs, Morgan Stanley Accellion FTA, Cisco BPA and WSA, Philips Vue PACS, CISA RVAs, Lazarus job offers. Hello guys! The third episode of Last Week’s Security news, July 5 – July 11. There was a lot of news last week, and most of it was again about PrintNightmare and Kaseya.
The updates for PrintNightmare (CVE-2021-34527) were finally released mid-week. It became possible not only to disable the Print Spooler service, but also to patch the hosts. This is especially important for desktops that actually need to print. But the problem is that these patches can be bypassed if the Point and Print policy is configured permissively: “If you have a system where PointAndPrint NoWarningNoElevationOnInstall = 1, then Microsoft’s patch for #PrintNightmare CVE-2021-34527 does nothing to prevent either LPE or RCE”. Microsoft updated their security update guide after that: “if you set this reg key to = 1 then the system is vulnerable by design”. So installing the patch alone is not enough; you also need to harden the Point and Print configuration and monitor that registry key for changes.
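Here is an added example (my own script, not Microsoft’s tooling) of the hardening check a patched host needs. It audits the two Point and Print policy values that Microsoft’s post-patch guidance says must be 0 or not defined, optionally resets them, and reports the state of the Spooler service. The function name is mine; run it in an elevated PowerShell session on the host you want to check.

```powershell
# Added example, not from the original post: audit (and with -Remediate, fix)
# the Point and Print policy values that make the CVE-2021-34527 patch
# bypassable, and report whether the Print Spooler is still running.
function Test-PointAndPrintHardening {
    [CmdletBinding()]
    param(
        # Reset any offending value to 0 instead of only reporting it.
        [switch]$Remediate
    )

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    # Both values must be 0 or absent. A value of 1 lets a non-admin user install
    # a printer driver without an elevation prompt, which is exactly the
    # condition under which the July patch "does nothing".
    $watched = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

    $report = @(foreach ($name in $watched) {
        $current = $null
        if (Test-Path $policyKey) {
            $current = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
        }

        $status = if ($null -eq $current) { 'OK (not defined)' }
                  elseif ($current -eq 0)  { 'OK' }
                  else                     { 'VULNERABLE (patch bypassable)' }

        if ($Remediate -and $status -like 'VULNERABLE*') {
            Set-ItemProperty -Path $policyKey -Name $name -Value 0 -Type DWord
            $status = 'FIXED (set to 0)'
        }

        [pscustomobject]@{ Setting = $name; Value = $current; Status = $status }
    })

    # Hosts that do not need to print should keep the service disabled;
    # everyone else needs the patch plus the policy values above.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $report += [pscustomobject]@{
        Setting = 'Spooler service'
        Value   = if ($spooler) { "$($spooler.Status) / $($spooler.StartType)" } else { 'not present' }
        Status  = if ($spooler -and $spooler.Status -eq 'Running') { 'Running (needs patch + hardening)' } else { 'Not running' }
    }

    $report
}

# Report only; add -Remediate to set the offending values back to 0.
Test-PointAndPrintHardening | Format-Table -AutoSize
```

If you manage these values through the “Point and Print Restrictions” Group Policy, the script will show the values the policy writes, so a drift from 0 to 1 here is exactly what your registry monitoring should alert on.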
PrintNightmare exploitation just got easier. Rapid7 researchers have added a PrintNightmare module to Metasploit. The module triggers a remote DLL load by abusing the Print Spooler vulnerability: an authenticated remote attacker sends a crafted DCERPC request over the MS-RPRN interface, the spooler loads the attacker’s DLL, and the result is remote code execution as NT AUTHORITY\SYSTEM.
There was a lot of news regarding Kaseya. I would not say we learned anything fundamentally new in a week, but almost all the guesses were confirmed. Seven CVEs that could be used in the attacks became known (CVE-2021-30116, CVE-2021-30117, CVE-2021-30118, CVE-2021-30119, CVE-2021-30120, CVE-2021-30121, CVE-2021-30201). Huntress security researcher Caleb Stewart successfully reproduced the Kaseya VSA exploits used to deploy REvil/Sodinokibi ransomware and released a POC demonstration video showing an authentication bypass, an arbitrary file upload and a command injection. Brian Krebs also wrote about a directory traversal vulnerability (CVE-2015-2862) on the customer portal portal.kaseya.net that had not been fixed since 2015; the portal “was deprecated but left up”. The Compromise Detection Tool has been made public. The ransomware operators have demanded $70m for a master decryption key. Some threat actors were targeting victims via email with fake patches that push Cobalt Strike payloads. Kaseya delayed the SaaS restore to Sunday, July 11 and promised an “exponentially more secure” product. And if you think that only Kaseya has such problems, you are wrong.
Continuing on the theme that the security problems of your service providers are your problems. Morgan Stanley has confirmed a data breach in which attackers accessed customers’ personal information by exploiting a vulnerability in an Accellion FTA server. The attackers were able to access participant data, including name, last known address, birth date, Social Security number, and corporate company name. The server belonged to Guidehouse, a vendor that provides account maintenance services to Morgan Stanley’s StockPlan Connect business. While Guidehouse patched the vulnerability within five days of the patch becoming available, the attacker was able to access the data around that time, officials said. The vendor discovered the attack in March 2021 and learned that it affected Morgan Stanley in May. As you can see, five days to patch a critical vulnerability at the perimeter is unacceptable.
The US Cybersecurity and Infrastructure Security Agency (CISA) has released an analysis of the findings from the Risk and Vulnerability Assessments (RVAs) it conducted across industries during the 2020 fiscal year. The analysis walks through a sample attack path an intruder could take to compromise an organization, built from the weaknesses CISA actually saw in RVAs over the past year. Quite interesting stuff, especially the infographics. The statistics on Initial Access were the most interesting part for me: phishing links were the most common technique, used to gain initial access in 49% of RVAs, followed by exploitation of public-facing applications (11.8%) and phishing attachments (9.8%). Therefore, if you focus on anti-phishing and perimeter control, you are building your first line of defense correctly.
The North Korean APT Lazarus Group impersonates Airbus, General Motors and Rheinmetall to lure job-seeking engineers into downloading malware. This is described in a report published by AT&T Alien Labs. The final payload of the Rheinmetall document uses Mavinject.exe, a legitimate Windows component that has been abused in malware activity before, to inject arbitrary code into any running process. The Airbus document macro executes the payload with an updated technique: the attackers no longer use Mavinject but execute the payload directly via explorer.exe, which significantly changes the resulting process tree. So, when an interesting job offer suddenly lands in your inbox, be careful.
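Both variants leave a footprint in process-creation telemetry, so here is an added hunting example (my own script, not from the AT&T report or the original post). It reads Sysmon Event ID 1 records and flags the two patterns the report describes: mavinject.exe being asked to inject into a running process, and an Office application directly spawning mavinject.exe or explorer.exe. The list of Office parent processes and the assumption that the macro shows up as the direct parent are mine; adjust them to your environment.

```powershell
# Added example, not from the original post or the AT&T report: hunt Sysmon
# process-creation events for the execution patterns of the two lures.
function Find-SuspiciousMavinjectUse {
    param(
        # How far back to look.
        [datetime]$Since = (Get-Date).AddDays(-7),
        # Assumed set of Office parents that a macro would run under.
        [string[]]$OfficeApps = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE')
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1          # Sysmon: process creation
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read EventData fields by name from the XML instead of by positional
        # index, so the query keeps working across Sysmon schema versions.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

        $image       = [System.IO.Path]::GetFileName($data['Image'])
        $parentImage = [System.IO.Path]::GetFileName($data['ParentImage'])
        $cmd         = $data['CommandLine']

        $reasons = @()

        # Pattern 1 (Rheinmetall lure): mavinject.exe injecting a DLL into a
        # running process. Legitimate use is rare outside App-V deployments.
        if ($image -ieq 'mavinject.exe' -and $cmd -imatch '/INJECTRUNNING') {
            $reasons += 'mavinject.exe /INJECTRUNNING'
        }

        # Pattern 2 (Airbus lure, assumed tree shape): an Office process as the
        # direct parent of mavinject.exe or explorer.exe.
        if (($OfficeApps -icontains $parentImage) -and ($image -iin 'mavinject.exe', 'explorer.exe')) {
            $reasons += "$parentImage spawned $image"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Computer    = $e.MachineName
                User        = $data['User']
                Parent      = $data['ParentImage']
                Image       = $data['Image']
                CommandLine = $cmd
                Reason      = $reasons -join '; '
            }
        }
    }
}

Find-SuspiciousMavinjectUse | Format-List
```

Hits on the first pattern are worth triaging on their own; the second one will produce some noise from users opening links or files from inside Office, so pair it with the command line and the user before escalating.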
A set of high-severity privilege-escalation vulnerabilities affecting Cisco’s Business Process Automation (BPA) application and Web Security Appliance (WSA) could allow authenticated remote attackers to access sensitive data or take over a targeted system. The fact that authentication is required makes them less interesting. In addition, these are apparently not the most popular Cisco products. But if you are using BPA or WSA, be aware.
Four security vulnerabilities (CVE-2020-7387, CVE-2020-7388, CVE-2020-7389, CVE-2020-7390) have been uncovered in the Sage X3 enterprise resource planning (ERP) product, two of which could be chained together in an attack sequence to let attackers execute malicious commands and take control of vulnerable systems. Sage X3 installations should not be exposed directly to the internet; where remote access is required, they should be made available only via a secure VPN connection.
Multiple security vulnerabilities have been disclosed in the Philips Clinical Collaboration Platform Portal (Vue PACS). Successful exploitation could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, execute code, install unauthorized software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system. Everything related to medicine requires the strictest certification. As you can see, it doesn’t help much.
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to one more Telegram channel, @avleonovrus; that is where I now post first.