14 Jan 2022

Week in review

Greetings,

Current events are giving many of us a sense of déjà vu, or the feeling that a prolonged situation has no end in sight.

One such challenge is the constant presence and threat of Log4j. Labelled a ‘severe risk’ to the internet by some outlets, it continues to be targeted by parties that aim to exploit the vulnerabilities for their own gain. ZDNet recently reported on one such attack, in which a cybercrime group attempted to deploy NightSky ransomware, highlighting the need to remain vigilant whilst these particularly problematic vulnerabilities remain.

Log4j was also a significant contributor to the increase in cyber-attacks in 2021. Tech Republic provides an insight into the industries and locations that were most affected last year, with some sectors and countries seeing an increase of over 50% from 2020.

Whilst it may seem that we’re experiencing Groundhog Day, or that some aspects of our lives are moving at a glacial pace, individuals and organisations shouldn’t look past the importance of taking stock of current processes and requirements and asking, “Can this be done better?”

Business Reporter published an article earlier this week that looks at the significance of seeking out and embracing change, when and where appropriate. This is especially relevant in our modern world, and in an industry with one significant constant: change.


Microsoft: powerdir bug gives access to protected macOS user data
Date: 2022-01-10
Author: Bleeping Computer

Microsoft says threat actors could use a macOS vulnerability to bypass Transparency, Consent, and Control (TCC) technology to access users' protected data.
TCC is security tech designed to block apps from accessing sensitive user data by allowing macOS users to configure privacy settings for the apps installed on their systems and devices connected to their Macs, including cameras and microphones.
Apple fixed the vulnerability in security updates released last month, on December 13, 2021.

Microsoft: New critical Windows HTTP vulnerability is wormable
Date: 2022-01-11
Author: Bleeping Computer

Microsoft has patched a critical flaw tagged as wormable and found to impact the latest desktop and server Windows versions, including Windows 11 and Windows Server 2022.
The bug, tracked as CVE-2022-21907 and patched during this month's Patch Tuesday, was discovered in the HTTP Protocol Stack (HTTP.sys) used as a protocol listener for processing HTTP requests by the Windows Internet Information Services (IIS) web server.

Report: Increased Log4J exploit attempts lead to all-time peak in weekly cyberattacks per org
Date: 2022-01-11
Author: ZDNet

Cybersecurity firm Check Point Research has released new data from 2021 showing that among their customers, there was a significant increase in overall cyberattacks per week on corporate networks compared to 2020.
Researchers attributed some of the increases, which were concentrated toward the end of the year, to the Log4J vulnerability discovered in December. Check Point said in a report that 2021 was a record-breaking year for cyberattacks and the Log4J vulnerability only made things worse.

Indian Patchwork hacking group infects itself with remote access Trojan
Date: 2022-01-11
Author: ZDNet

An Indian threat group's inner workings have been exposed after it accidentally infected its own development environment with a remote access Trojan (RAT).
Dubbed Patchwork by Malwarebytes and tracked under names including Hangover Group, Dropping Elephant, Chinastrats, and Monsoon, the Indian group has been on the scene since at least 2015 and is actively launching campaigns designed to deploy RATs for the purposes of data theft and other malicious activities.
In one of the latest attack waves connected to Patchwork, the group targeted individual faculty members from research institutions specializing in biomedical and molecular sciences.

Ransomware: Hackers are using Log4j flaw as part of their attacks, warns Microsoft
Date: 2022-01-11
Author: ZDNet

Microsoft has confirmed that suspected China-based cyber criminals are targeting the Log4j 'Log4Shell' flaw in VMware's Horizon product to install NightSky, a new ransomware strain that emerged on December 27.
The financially motivated ransomware attacks target CVE-2021-44228, the original Log4Shell flaw disclosed on December 9, and mark one new threat posed by the critical vulnerability that affects internet-facing software, systems and devices where vulnerable versions of the Java-based Log4j application error-logging component are present.

Who is the Network Access Broker ‘Wazawaka?’
Date: 2022-01-12
Author: Krebs on Security

In a great many ransomware attacks, the criminals who pillage the victim’s network are not the same crooks who gained the initial access to the victim organization. More commonly, the infected PC or stolen VPN credentials the gang used to break in were purchased from a cybercriminal middleman known as an initial access broker. This post examines some of the clues left behind by “Wazawaka,” the hacker handle chosen by a major access broker in the Russian-speaking cybercrime scene.


ESB-2022.0097 – ALERT HP-UX telnetd: Execute arbitrary code/commands – Remote/unauthenticated

Hewlett Packard Enterprise has issued an UN-OF point fix to address the Remote Execution of Arbitrary Code vulnerability in HP-UX telnetd.

ASB-2022.0002 – ALERT Microsoft Windows, Windows Server, Remote Desktop Client and HEVC Video Extensions: Multiple vulnerabilities

Microsoft's Patch Tuesday for January included fixes to resolve 87 vulnerabilities across various Microsoft products including Windows and Windows Server.

ESB-2022.0111 – Acrobat, Acrobat DC, Adobe Reader and Adobe Reader DC: Multiple vulnerabilities

Adobe's most recent security updates for Adobe Acrobat and Reader for Windows address multiple vulnerabilities. Adobe recommends that users update their software installations to the latest versions.

ASB-2022.0005 – Microsoft Exchange Server: Execute arbitrary code/commands – Existing account

Microsoft's most recent security updates fix a remote code execution vulnerability in Microsoft Exchange Server 2013, 2016 and 2019.

ESB-2022.0107 – Citrix Workspace App: Root compromise – Existing account

A vulnerability in Citrix Workspace app for Linux could allow privilege escalation to root. Citrix recommends that affected users upgrade to a fixed version as soon as possible.


Stay safe, stay patched and have a good weekend!

The AUSCERT team