Please see Security Advisories for the week ending November 26, 2021
- VMware Releases Security Updates for vCenter and Cloud Formation
- ISA Releases Capacity Enhancement Guides to Enhance Mobile Device Cybersecurity for Consumers and Organizations
- APT Exploitation of ManageEngine ADSelfService Plus Vulnerability
VMware Releases Security Updates
VMware has released security updates to address multiple vulnerabilities in vCenter Server and Cloud Foundation.
The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
A remote attacker can exploit this vulnerability to obtain access to sensitive information.
CISA encourages users and administrators to review VMware Security Advisory VMSA-2021-0027 and apply the necessary updates.
For a brief overview:
For a more technical overview:
ISA Releases Capacity Enhancement Guides to Enhance Mobile Device Cybersecurity for Consumers and Organizations
CISA has released a guide on improving mobile security.
Mobile security is often overlooked, and threat actors can target mobile devices to extract information.
Attacks may target mobile devices.
- Update platform. Enable automatic operating system updates to enhance privacy/security and fix flaws.
- Update apps. Enable automatic app updates to ensure you are using the most current security technologies.
- Enable device authentication. Set strong login passwords/PINs and use biometric authentication.
- Enable two-factor authentication. Enable two-factor authentication for apps or websites that support it.Use curated app stores. Disable third-party app stores, which can be vectors for the spread of malware.
- Delete unneeded apps. Periodically review and delete apps that are unused or no longer needed.
- Minimize PII in all apps. Limit personally identifiable information (PII) stored in apps.
- Grant least-privilege access to all apps. Set the privileges on your installed apps to minimize access to PII.
- Review location settings. Only allow an app to access your location when the app is in use.
- Disable unneeded network radios (BT, NFC, Wi-Fi, GPS). Every connection is a potential point of attack.
- Avoid public Wi-Fi. Cybercriminals can use public Wi-Fi networks, which are often unsecured, for attacks.
- Install security software. Security software (e.g., mobile threat defense) protects against malware.
- Use only trusted chargers and cables. A malicious charger or PC can load malware onto smartphones that may circumvent protections and take control of them. A phone infected with malware can also pose a threat to external systems such as personal computers.
- Enable lost device function. Configure settings to automatically wipe the device’s data after a certain number of incorrect login attempts (e.g., 10), and enable the option to remotely wipe the device.
- BEWARE OF PHISHING ATTEMPTS
Please review the below links for more information:
APT Exploitation of ManageEngine ADSelfService Plus Vulnerability
The FBI, CISA, and Coast Guard Cyber Command (CGCYBER) have updated the advisory published on September 16, 2021, which details active active exploitation of an authentication bypass vulnerability (CVE-2021-40539) in Zoho ManageEngine ADSelfService Plus.
Threat actors are using a suite of tools in this campaign:
- Dropper: a dropper trojan that drops Godzilla webshell on a system
- Godzilla: a Chinese language web shell
- NGLite: a backdoor trojan written in Go
- KdcSponge: a tool that targets undocumented APIs in Microsoft’s implementation of Kerberos for credential exfiltration
Attackers can exploit these vulnerabilities to take over the affected system.
Review the IoCs: https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/