Please see Security Advisories for the week ending April 16, 2021
- FBI Issues Alert on Mamba Ransomware
- Zero-Day Exploit for Google Chrome and Microsoft Edge
- New Palo Alto Networks Security Advisories
- Google Releases Security Updates for Chrome
- Microsoft April 2021 Security Updates to Mitigate Newly Disclosed Microsoft Exchange Vulnerabilities
- Updates on Microsoft Exchange Server Vulnerabilities
FBI Issues Alert on Mamba Ransomware
The FBI has issued a warning about Mamba Ransomware that uses weaponized versions of legitimate, open-source encryption software DiskCryptor.
Mamba attacks begin with access to a system through exposed RDP ports or other unsecured remote-access methods. The attacker then extracts a set of files, installs DiskCryptor, and begins encrypting the system.
If DiskCryptor finishes running, it locks the system and demands a ransom for the decryption key. If the attack is detected at an early stage, the encryption password can be recovered from the “myConf.txt” file.
If an organization does not use DiskCryptor, it should be added to the blacklist. Other mitigations include network segmentation, requiring admin credentials to install software, disabling unused RDP ports, monitoring RDP logs, and using secure networks and VPNs.
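The two mitigations above that lend themselves to automation are monitoring RDP logons and alerting on DiskCryptor artefacts. The following is an added example, not code from the FBI alert or this advisory; it runs over constructed sample data, assumes a flat key=value event format and the internal address ranges shown, and treats the stock DiskCryptor driver/console file names as the artefacts to flag (myConf.txt is the one named in the alert).

```python
"""Flag external RDP logons and DiskCryptor artefacts (added example)."""
import ipaddress
from dataclasses import dataclass

# Windows Security event 4624 with LogonType 10 = RemoteInteractive (RDP).
RDP_LOGON_TYPE = "10"
# Assumed internal ranges; any other source address is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# myConf.txt is named in the advisory; the rest are DiskCryptor's own
# driver/console components (assumes stock file names were not renamed).
DISKCRYPTOR_ARTEFACTS = {"myconf.txt", "dcrypt.sys", "dccon.exe",
                         "dcinst.exe", "dcapi.dll"}

@dataclass
class Finding:
    kind: str
    detail: str

def parse_event(line):
    # Constructed flat format: "EventID=4624 LogonType=10 User=x SrcIP=y".
    return dict(kv.split("=", 1) for kv in line.split())

def external_rdp_logons(lines):
    """Successful RDP logons whose source address is outside INTERNAL_NETS."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        try:
            addr = ipaddress.ip_address(ev.get("SrcIP", ""))
        except ValueError:          # local logons log "-" as the source
            continue
        if not any(addr in net for net in INTERNAL_NETS):
            findings.append(Finding("external_rdp", f"{ev.get('User')} from {addr}"))
    return findings

def diskcryptor_artefacts(paths):
    """Paths whose file name matches a known DiskCryptor component."""
    names = ((p, p.replace("\\", "/").rsplit("/", 1)[-1].lower()) for p in paths)
    return [Finding("diskcryptor", p) for p, n in names if n in DISKCRYPTOR_ARTEFACTS]

SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    "EventID=4624 LogonType=2 User=alice SrcIP=-",
    "EventID=4624 LogonType=10 User=bob SrcIP=10.20.1.5",
    "EventID=4624 LogonType=10 User=svc_admin SrcIP=203.0.113.7",
    "EventID=4625 LogonType=10 User=svc_admin SrcIP=203.0.113.7",
]
SAMPLE_PATHS = [  # constructed file listing
    "C:\\Users\\Public\\myConf.txt",
    "C:\\Windows\\System32\\drivers\\dcrypt.sys",
    "C:\\Program Files\\7-Zip\\7z.exe",
]

if __name__ == "__main__":
    for f in external_rdp_logons(SAMPLE_EVENTS) + diskcryptor_artefacts(SAMPLE_PATHS):
        print(f.kind, f.detail)
```

A hit on myConf.txt before encryption completes is the early-detection case the alert describes, since that file holds the password needed to recover the disk.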
Zero-Day Exploit for Google Chrome and Microsoft Edge
A security researcher has released a zero-day remote code execution vulnerability (1195777) on Twitter that works on the current versions of Google Chrome and Microsoft Edge, and likely other Chromium-based browsers. A zero-day vulnerability is a security bug that has been publicly disclosed but has not been patched in the released version of the affected software.
The PoC posted by the security researcher has also been uploaded to GitHub. It contains the PoC code as well as a video demonstrating remote code execution on Google Chrome version 89.0.4389.128. This remote code execution vulnerability cannot on its own escape Chromium’s sandbox, the security feature that prevents exploits from executing code or accessing files on the host computer. An attacker would need to chain it with a sandbox escape exploit for an attack to succeed.
If an attacker is able to successfully exploit this vulnerability, either by chaining it with a sandbox escape exploit or because sandbox mode was disabled, it could allow them to take control of the affected system.
At the time of writing, no patch has been released for this vulnerability. With the sandbox enabled (the default), this vulnerability on its own cannot harm users. It is recommended to update Google Chrome and Microsoft Edge as soon as updates are made available. Additional information can be found in the link below.
For a brief overview:
New Palo Alto Networks Security Advisories
Palo Alto Networks has released four security advisories covering vulnerabilities in PAN-OS, the GlobalProtect app, and Bridgecrew Checkov.
PAN-OS: Vulnerabilities were found that expose secrets in system logs and admin secrets in web server logs.
GlobalProtect: A denial-of-service vulnerability was found in the Windows app.
Bridgecrew Checkov: An arbitrary code execution vulnerability was found when processing a malicious Terraform file.
PAN-OS: Cleartext sensitive information can be found in system logs and web server logs.
GlobalProtect: An attacker can send specifically crafted input to the app that causes a Windows Blue Screen of Death.
Bridgecrew Checkov: An attacker can run malicious code through a Terraform file.
Please update the above products to the latest versions.
For a more detailed description:
Google Releases Security Updates for Chrome
Google has updated the stable channel for Chrome to 90.0.4430.72 for Windows, Mac, and Linux. This version also introduces a new default: the browser attempts to establish web connections over HTTPS rather than HTTP, making the new version of the channel more secure by default.
The previous version contains 37 confirmed security vulnerabilities that could allow an attacker to compromise a system and take remote control of it. Google is currently keeping details of the vulnerabilities under restricted access until users have had sufficient opportunity to apply the update.
The vulnerabilities addressed in this update could be exploited by an attacker to take control of an affected system.
CISA encourages administrators and users to review Google’s release about the update.
Credit goes to those users who filed reports for these vulnerabilities as they were found, as well as the security researchers who helped prevent these vulnerabilities from reaching the stable channel.
For a brief description:
Apply Microsoft April 2021 Security Updates to Mitigate Newly Disclosed Microsoft Exchange Vulnerabilities
Microsoft has released security updates in the April 2021 patch that address vulnerabilities in Exchange Server 2016 and other Microsoft products.
This update addresses a large number of security vulnerabilities in Exchange Server 2016 and other Microsoft products.
Attackers that exploit these vulnerabilities can gain access and maintain persistence on the target host.
Apply the latest Microsoft updates for all Microsoft products.
For a more detailed description:
Updates on Microsoft Exchange Server Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) has added two new Malware Analysis Reports to alert AA21-062A, Microsoft Exchange Server Vulnerabilities.
Successful exploitation of these vulnerabilities allows an attacker to run arbitrary code on vulnerable Exchange Servers, giving the attacker persistent system access, access to mailboxes and files on the server, and access to credentials stored on the system. Successful exploitation may also enable the attacker to compromise trust and identity in a vulnerable network.
CISA recommends that administrators and users review the following resources for remediation and mitigation plans:
Mitigate Exchange Server Vulnerabilities
Remediating Microsoft Exchange Vulnerabilities