
Top Middle East Cyber Threats – 1 Mar 2021


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

Critical Remote Code Execution Vulnerability in VMware vCenter Server – CVE-2021-21972

On February 24, VMware reported a critical remote code execution (RCE) vulnerability in the vCenter Server virtual infrastructure management platform, tracked as CVE-2021-21972. As vCenter Server is a centralized VMware management utility, this vulnerability is rated “Critical” with a CVSS score of 9.8. The issue lies in the vCenter Server plugin for vRealize Operations (vROps), which is present in all default installations; vROps itself does not need to be deployed for the vulnerable endpoint to be reachable. VMware has released workaround details under KB82374 that address this vulnerability on affected products running vSphere versions prior to 7.0 U1c, 6.7 U3l and 6.5 U3n.

The official notification VMSA-2021-0002 also addresses a second HTML client bug tracked as CVE-2021-21973. VMware explains: “A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure.”

In its ESXi hypervisor, VMware has fixed an 8.8-rated flaw tracked as CVE-2021-21974, which it describes as follows: “A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow problem resulting in remote code execution in the OpenSLP service.” For administrators running vSphere 6.5 and up, or Cloud Foundation 3 or higher, VMware has detailed how to fix this issue. VMware also recently recommended in its vSphere Security Configuration Guides that OpenSLP be disabled if it is not in use.

RECOMMENDATIONS

  • Review the official notification (VMSA-2021-0002) and apply necessary patches as soon as possible.
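As an added example (not part of Help AG's advisory or of any VMware tooling), the following Python helper turns the version boundaries quoted above into an inventory check: it parses vSphere/vCenter version strings of the form "major.minor U<update><letter>" and reports whether a host sits below 7.0 U1c, 6.7 U3l or 6.5 U3n on its branch. The hostnames and versions in the sample inventory are constructed, and the comparison assumes VMware's patch naming within an update (U3, U3a, U3b, ...) is ordered alphabetically, which is how those releases are numbered.

```python
import re
from typing import Dict, Optional, Tuple

# Version boundaries as stated in the advisory above (VMSA-2021-0002 / KB82374):
# vCenter Server builds earlier than these on each branch are affected.
FIXED_RELEASES = {
    "7.0": "7.0 U1c",
    "6.7": "6.7 U3l",
    "6.5": "6.5 U3n",
}

# Accepts "6.7", "6.7 U3" and "6.7 U3k" (whitespace and case are tolerated).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s*U(\d+)([a-z])?)?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn 'major.minor [U<update>[letter]]' into a comparable tuple.

    '6.7'     -> (6, 7, 0, 0)
    '6.7 U3'  -> (6, 7, 3, 0)
    '6.7 U3k' -> (6, 7, 3, 11)   letter rank: a=1, b=2, ... so U3 < U3a < U3b
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised vSphere version string: {text!r}")
    major, minor, update, letter = match.groups()
    return (
        int(major),
        int(minor),
        int(update) if update else 0,
        (ord(letter.lower()) - ord("a") + 1) if letter else 0,
    )


def is_affected_by_cve_2021_21972(version: str) -> Optional[bool]:
    """True if the version predates the fixed release on its branch,
    False if it is at or above that release, None if the branch is not
    one named in the advisory (those need a manual review)."""
    parsed = parse_version(version)
    fixed = FIXED_RELEASES.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status label for a {hostname: version} inventory."""
    labels = {
        True: "AFFECTED - patch, or apply the KB82374 workaround",
        False: "patched",
        None: "unknown branch - review manually",
    }
    return {host: labels[is_affected_by_cve_2021_21972(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are placeholders, not from the advisory.
    sample = {
        "vcsa-prod-01": "6.7 U3k",
        "vcsa-prod-02": "6.7 U3l",
        "vcsa-lab-01": "7.0",
        "vcsa-dr-01": "6.5 U3n",
        "vcsa-legacy": "6.0 U3",
    }
    for host, status in triage(sample).items():
        print(f"{host:14} {sample[host]:9} {status}")
```

The check works on the marketing version string, not on build numbers, so a host reported only by build has to be mapped to its release first; branches the advisory does not name come back as None rather than being silently treated as safe.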

Babuk Ransomware

Security researchers have discovered a new ransomware threat named Babuk. Its modus operandi is the “big-game hunting” strategy, and the attackers behind it have followed the same tactics as other ransomware groups by leaking the stolen data.

This ransomware comes as a 32-bit executable compiled in Visual C/C++ with a small size of 30 KB. Reports confirm that the binary is neither protected nor obfuscated and is likely a first version. The actors behind Babuk first gained prominence by promoting their activities on an English-speaking website. This was initially a little unusual, as most big ransomware families advertise and interact mainly on Russian-speaking forums, although it was not long before researchers found Babuk activity on those too.

Researchers also observed a recent comment from the Babuk authors indicating that they have prepared a Unix ransomware variant targeting NAS devices, ESXi servers and other Unix systems. The source code and the artefacts dropped, including the ransom notes, are comparable to what was previously observed in Vasa Locker’s activities.

Based on the encryption algorithm used, the report notes that the actors have little ransomware coding expertise, in addition to the possible Vasa Locker association.

RECOMMENDATIONS

  • Prioritize timely patching for identified vulnerabilities of Internet-facing servers as well as internet data processing tools, such as web browsers, application plugins, and document readers. Kindly refer to CISA's tips on Understanding Patches and Securing Network Infrastructure Devices.
  • Update VPNs, network infrastructure systems and devices used to remotely access work environments with the latest software fixes and security configurations.
  • Ensure that the systems are correctly configured and that the security features are enabled. Disable ports and protocols that are not used for business purposes (e.g., Remote Desktop Protocol [RDP] – Transmission Control Protocol [TCP] Port 3389).
  • Develop risk management and cyber hygiene practices for third parties or managed service providers (MSPs) that your organization relies on.
  • Use MFA (multi-factor authentication) for all services, especially webmail, virtual private networks, and accounts that access critical systems, to the extent possible.
  • Block the indicators of compromise within respective security controls organization wide.
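The last recommendation assumes you can turn a published indicator list into something your controls can match. As an added example, which is not from the advisory or from any Babuk report, the following Python matcher refangs a defanged indicator feed (hxxp, [.]) and scans log lines for URL, domain, IP and SHA-256 hits with type-appropriate boundaries, so that a subdomain of a blocked domain matches but an IP embedded in a longer number does not. The feed and the log lines are constructed placeholders, not real Babuk indicators.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed indicator feed in the defanged form threat-intel reports commonly use.
# None of these values are real Babuk indicators; they are placeholders for the demo.
SAMPLE_FEED = """
# type,value
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
domain,example-ioc[.]test
url,hxxp://example-ioc[.]test/dl/update.exe
ip,192.0.2.44
"""

# Constructed log lines (proxy, firewall, EDR); hosts, paths and hashes are placeholders.
SAMPLE_LOGS = [
    "2021-02-25T10:12:03Z proxy allow 10.0.0.15 GET http://example-ioc.test/dl/update.exe 200",
    "2021-02-25T10:12:09Z proxy allow 10.0.0.16 GET https://www.example.test/ 200",
    "2021-02-25T10:13:41Z fw deny 10.0.0.15 -> 192.0.2.44:445",
    "2021-02-25T10:14:02Z edr file_create C:\\Users\\a\\AppData\\Local\\Temp\\update.exe "
    "sha256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
    "2021-02-25T10:15:00Z proxy allow 10.0.0.17 GET https://cdn.example-ioc.test/ 200",
]


def refang(value: str) -> str:
    """Undo common defanging so indicators compare against real log text."""
    v = value.strip().lower()
    for bracketed, plain in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":")):
        v = v.replace(bracketed, plain)
    return re.sub(r"^hxxp(s?)://", r"http\1://", v)


def load_iocs(feed: str) -> Dict[str, Set[str]]:
    """Parse a 'type,value' feed into per-type sets of refanged indicators."""
    iocs: Dict[str, Set[str]] = {"sha256": set(), "domain": set(), "ip": set(), "url": set()}
    for line in feed.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        kind = kind.strip().lower()
        if kind in iocs:
            iocs[kind].add(refang(value))
    # A URL indicator implies its host, so the host is also blocked as a domain.
    for url in iocs["url"]:
        host = re.sub(r"^https?://", "", url).split("/", 1)[0]
        iocs["domain"].add(host)
    return iocs


# Match boundaries per indicator type: a domain may be preceded by '.' so that
# subdomains match; an IP or hash must stand alone; a URL just needs a clean end.
_BOUNDARY = {
    "domain": (r"(?<![\w-])", r"(?![\w-])"),
    "ip": (r"(?<![\w.-])", r"(?![\w.-])"),
    "sha256": (r"(?<![0-9a-f])", r"(?![0-9a-f])"),
    "url": ("", r"(?![\w-])"),
}


def scan_logs(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_type, indicator) for every match found."""
    hits: List[Tuple[int, str, str]] = []
    for number, line in enumerate(lines, 1):
        text = line.lower()
        for kind, values in iocs.items():
            before, after = _BOUNDARY[kind]
            for value in values:
                if re.search(before + re.escape(value) + after, text):
                    hits.append((number, kind, value))
    return hits


if __name__ == "__main__":
    for number, kind, value in scan_logs(SAMPLE_LOGS, load_iocs(SAMPLE_FEED)):
        print(f"line {number}: {kind} hit on {value}")
```

The same loader output can be exported to a proxy blocklist, a firewall object group or an EDR hash ban; the matcher is the retrospective half, answering whether anything in the logs already touched an indicator before the block was in place.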

PoC Exploit Released by Google Project Zero for Windows 10 Graphics RCE Vulnerability – CVE-2021-24093

Security researchers from Google Project Zero recently shared a technical analysis and proof-of-concept (PoC) exploit code for a critical-severity remote code execution (RCE) vulnerability affecting the Windows graphics component. The vulnerability, CVE-2021-24093, was discovered in Microsoft DirectWrite, the Windows API for high-quality text rendering, and Microsoft has released security updates to fix it on all vulnerable platforms. Current estimates are that several Windows 10 and Windows Server releases up to version 20H2 are affected by the flaw.

Browsers use the DirectWrite API for font rendering, which makes the vulnerability reachable remotely: attackers can exploit CVE-2021-24093 by tricking victims into visiting websites that serve maliciously crafted TrueType fonts, triggering a heap-based buffer overflow in the fsg_ExecuteGlyph function. The resulting memory corruption can allow attackers to execute arbitrary code on the target system.
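Because the bug is reached through crafted TrueType files, a defender triaging a suspicious font wants a quick structural check before handing it to a real rasterizer. The following Python script is an added example, not from Project Zero's analysis or from the Help AG advisory: it parses the sfnt table directory and verifies that every table, and every glyph range recorded in the 'loca' table, lies inside the file. It does not detect the CVE-2021-24093 condition itself, which is a bug in glyph program execution inside fsg_ExecuteGlyph; it flags the malformed containers that fuzzed and hand-crafted fonts typically exhibit, which is a cheap first filter in a mail or web gateway pipeline. The sample fonts are constructed in code; the table layouts follow the public TrueType specification.

```python
import struct
from typing import Dict, List, Tuple

SFNT_VERSIONS = {0x00010000, 0x74727565}   # TrueType 1.0 and 'true'; CFF ('OTTO') fonts are out of scope
HEAD_MAGIC = 0x5F0F3CF5                     # magicNumber field of the 'head' table


def parse_table_directory(data: bytes) -> Dict[str, Tuple[int, int]]:
    """Return {tag: (offset, length)} from the sfnt header, or raise if the header cannot be trusted."""
    if len(data) < 12:
        raise ValueError("file shorter than the 12-byte sfnt header")
    version, num_tables = struct.unpack(">IH", data[:6])
    if version not in SFNT_VERSIONS:
        raise ValueError(f"unexpected sfnt version 0x{version:08x}")
    if 12 + 16 * num_tables > len(data):
        raise ValueError("table directory runs past end of file")
    tables: Dict[str, Tuple[int, int]] = {}
    for i in range(num_tables):
        tag, _checksum, offset, length = struct.unpack(">4sIII", data[12 + 16 * i: 12 + 16 * (i + 1)])
        name = tag.decode("latin-1")
        if name in tables:
            raise ValueError(f"duplicate table {name!r}")
        tables[name] = (offset, length)
    return tables


def check_truetype(data: bytes) -> List[str]:
    """Structural checks; returns a list of findings (empty means nothing suspicious)."""
    try:
        tables = parse_table_directory(data)
    except ValueError as exc:
        return [str(exc)]
    findings: List[str] = []
    dir_end = 12 + 16 * len(tables)
    spans = []
    for tag, (off, length) in tables.items():
        if off < dir_end or off + length > len(data):
            findings.append(f"table {tag!r} at {off}+{length} lies outside the file body")
            continue
        if off % 4:
            findings.append(f"table {tag!r} is not 4-byte aligned")
        spans.append((off, off + length, tag))
    spans.sort()
    for (_, a_end, a_tag), (b_start, _, b_tag) in zip(spans, spans[1:]):
        if b_start < a_end:
            findings.append(f"tables {a_tag!r} and {b_tag!r} overlap")
    findings += [f"required table {t!r} missing" for t in ("head", "maxp", "loca", "glyf") if t not in tables]
    if findings:
        return findings
    # loca/glyf consistency: each glyph record the rasterizer would process must lie inside 'glyf'.
    h_off, h_len = tables["head"]
    if h_len < 54 or struct.unpack(">I", data[h_off + 12: h_off + 16])[0] != HEAD_MAGIC:
        return ["'head' table truncated or has wrong magic"]
    long_offsets = struct.unpack(">h", data[h_off + 50: h_off + 52])[0] == 1   # indexToLocFormat
    m_off, m_len = tables["maxp"]
    if m_len < 6:
        return ["'maxp' table truncated"]
    num_glyphs = struct.unpack(">H", data[m_off + 4: m_off + 6])[0]
    l_off, l_len = tables["loca"]
    size, fmt, scale = (4, ">I", 1) if long_offsets else (2, ">H", 2)   # short loca stores offset / 2
    if l_len < (num_glyphs + 1) * size:
        return [f"'loca' is {l_len} bytes, too short for {num_glyphs} glyphs"]
    offsets = [struct.unpack(fmt, data[l_off + i * size: l_off + (i + 1) * size])[0] * scale
               for i in range(num_glyphs + 1)]
    glyf_len = tables["glyf"][1]
    for i in range(num_glyphs):
        if offsets[i] > offsets[i + 1] or offsets[i + 1] > glyf_len:
            findings.append(f"glyph {i}: loca range {offsets[i]}..{offsets[i + 1]} invalid for a {glyf_len}-byte glyf")
    return findings


def build_font(tables: Dict[str, bytes]) -> bytes:
    """Assemble a minimal sfnt container for constructed test data; tables are 4-byte padded."""
    header = struct.pack(">IHHHH", 0x00010000, len(tables), 0, 0, 0)   # search fields unused by the checks
    directory, body = b"", b""
    base = 12 + 16 * len(tables)
    for tag, blob in sorted(tables.items()):
        directory += struct.pack(">4sIII", tag.encode("ascii"), 0, base + len(body), len(blob))
        body += blob + b"\0" * (-len(blob) % 4)
    return header + directory + body


def make_head(index_to_loc_format: int) -> bytes:
    """54-byte 'head' table with only the fields the checker reads filled in."""
    head = bytearray(54)
    struct.pack_into(">I", head, 12, HEAD_MAGIC)
    struct.pack_into(">h", head, 50, index_to_loc_format)
    return bytes(head)


# Constructed samples: two 10-byte glyph slots in a 20-byte 'glyf', short-format 'loca' (byte offset / 2).
COMMON = {"head": make_head(0), "maxp": struct.pack(">IH", 0x00005000, 2), "glyf": bytes(20)}
GOOD_FONT = build_font({**COMMON, "loca": struct.pack(">3H", 0, 5, 10)})
BAD_LOCA_FONT = build_font({**COMMON, "loca": struct.pack(">3H", 0, 5, 100)})  # glyph 1 claims to end at byte 200
TRUNCATED_FONT = GOOD_FONT[:-8]                                                 # last table cut off the end

if __name__ == "__main__":
    for name, font in (("good", GOOD_FONT), ("bad loca", BAD_LOCA_FONT), ("truncated", TRUNCATED_FONT)):
        print(name, "->", check_truetype(font) or ["no findings"])
```

Fonts that pass these checks can still carry a hostile glyph program, so the script is a filter for obviously broken files, not a substitute for applying Microsoft's update; its value is that it runs without loading the font into any rendering engine.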

RECOMMENDATIONS:
