Microsoft Warns of Cross-Account Takeover Bug in Azure Container Instances
Microsoft on Wednesday said it remediated a vulnerability in its Azure Container Instances (ACI) services that could have been exploited by a malicious actor “to access other customers’ information” in what the researcher described as the “first cross-account container takeover in the public cloud.”
An attacker exploiting the weakness could execute malicious commands on other users’ containers and steal customer secrets and images deployed to the platform. The Windows maker did not share any additional specifics related to the flaw, save that affected customers should “revoke any privileged credentials that were deployed to the platform before August 31, 2021.”
Source: The hacker news / Bleeping computer / Dark reading / Threatpost / Securityweek
Link: https://thehackernews.com/2021/09/microsoft-warns-of-cross-account.html
Link: https://threatpost.com/azurescape-kubernetes-attack-container-cloud-compromise/169319/
Link: https://www.securityweek.com/microsoft-warns-information-leak-flaw-azure-container-instances
Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate Devices
Network security solutions provider Fortinet confirmed that a malicious actor had disclosed, without authorization, VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices.
“These credentials were obtained from systems that remained unpatched against CVE-2018-13379 at the time of the actor’s scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable,” the company said in a statement on Wednesday.
Source: The hacker news / Bleeping computer / Threatpost
Link: https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html
Link: https://threatpost.com/thousands-of-fortinet-vpn-account-credentials-leaked/169348/
CISA Warns of Actively Exploited Zoho ManageEngine ADSelfService Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued a bulletin warning of a zero-day flaw affecting Zoho ManageEngine ADSelfService Plus deployments that is currently being actively exploited in the wild.
The flaw, tracked as CVE-2021-40539, concerns a REST API authentication bypass that could lead to arbitrary remote code execution (RCE). ADSelfService Plus builds up to 6113 are impacted.
ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud apps, enabling admins to enforce two-factor authentication for application logins and users to reset their own passwords.
“CVE-2021-40539 has been detected in exploits in the wild. A remote attacker could exploit this vulnerability to take control of an affected system,” CISA said, urging companies to apply the latest security update to their ManageEngine servers and “ensure ADSelfService Plus is not directly accessible from the internet.”
Source: The hacker news / Bleeping computer / Threatpost / Securityweek / ManageEngine security advisory
Link: https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html
Link: https://threatpost.com/zoho-password-manager-zero-day-attack/169303/
Link: https://www.securityweek.com/zoho-confirms-zero-day-authentication-bypass-attacks
HAProxy Found Vulnerable to Critical HTTP Request Smuggling Attack
A critical security vulnerability has been disclosed in HAProxy, a widely used open-source load balancer and proxy server, that could be abused by an adversary to smuggle HTTP requests, resulting in unauthorized access to sensitive data and execution of arbitrary commands, effectively opening the door to an array of attacks.
Tracked as CVE-2021-40346, the Integer Overflow vulnerability has a severity rating of 8.6 on the CVSS scoring system and has been rectified in HAProxy versions 2.0.25, 2.2.17, 2.3.14 and 2.4.4.
HTTP Request Smuggling, as the name implies, is a web application attack that tampers with the way a website processes sequences of HTTP requests received from more than one user. Also called HTTP desynchronization, the technique takes advantage of parsing inconsistencies in how front-end servers and back-end servers process requests from the senders.
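The parsing inconsistencies described above almost always come down to message framing: the front end and back end disagree about where one request body ends and the next request begins. RFC 7230 section 3.3.3 tells servers to treat a request that carries both Transfer-Encoding and Content-Length, conflicting Content-Length values, or a Transfer-Encoding that does not end in chunked as suspect and to reject it. The following added example (illustrative code written for this digest, not HAProxy's own parser and not the fix for CVE-2021-40346) is a small framing checker a front end could run on raw request heads; the sample requests are constructed inline.

```python
"""Added example: flag HTTP/1.1 requests whose message framing is ambiguous.

A front end that forwards such a request unchanged risks the back end
reading the body boundary differently, which is the root of request
desynchronization. The defensive answer from RFC 7230 s.3.3.3 is simple:
reject (400) and log, rather than guess. Not HAProxy code; illustrative only.
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]


def parse_head(raw: bytes) -> Tuple[str, List[Header], List[str]]:
    """Split a raw request head into request line, (name, value) pairs and
    syntax problems. Names are lower-cased; duplicates and order are kept so
    the framing check can see them."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers: List[Header] = []
    syntax: List[str] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            syntax.append("header line without colon: %r" % line)
            continue
        # RFC 7230 s.3.2.4: whitespace between field name and colon must be rejected;
        # proxies that tolerate it may disagree with back ends that do not.
        if name != name.rstrip():
            syntax.append("whitespace before colon in %r" % name)
        headers.append((name.decode("latin-1").strip().lower(),
                        value.decode("latin-1").strip()))
    return request_line, headers, syntax


def framing_problems(headers: List[Header]) -> List[str]:
    """Return the RFC 7230 s.3.3.3 framing conflicts found in the headers."""
    problems: List[str] = []
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        problems.append("both Transfer-Encoding and Content-Length present")
    if len(cl) > 1 and len(set(cl)) > 1:
        problems.append("conflicting Content-Length values: %s" % ", ".join(cl))
    for v in cl:
        if not v.isdigit():
            problems.append("non-numeric Content-Length: %r" % v)
    if te:
        if len(te) > 1:
            problems.append("multiple Transfer-Encoding header fields")
        # Codings are comma separated; the final coding must be exactly "chunked".
        codings = [c.strip() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            problems.append("Transfer-Encoding does not end with 'chunked': %r" % te)
    return problems


def classify(raw: bytes) -> Dict[str, object]:
    """Verdict for one raw request: reject it if its framing is ambiguous."""
    request_line, headers, syntax = parse_head(raw)
    problems = syntax + framing_problems(headers)
    return {"request_line": request_line, "reject": bool(problems), "problems": problems}


# Constructed sample requests (not captured traffic).
CLEAN = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
CL_AND_TE = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
CONFLICT = (b"POST /x HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello")
ODD_TE = b"POST /x HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: xchunked\r\n\r\n"
BAD_WS = b"GET / HTTP/1.1\r\nHost : example.test\r\n\r\n"


def main() -> None:
    for label, raw in [("clean", CLEAN), ("cl+te", CL_AND_TE), ("conflict", CONFLICT),
                       ("odd-te", ODD_TE), ("bad-ws", BAD_WS)]:
        verdict = classify(raw)
        print(label, "REJECT" if verdict["reject"] else "ok", verdict["problems"])


if __name__ == "__main__":
    main()
```

The point of the check is not to decide which framing is "right" but to refuse to forward a request that two parsers could legitimately read differently; a front end that normalizes instead of rejecting must be certain every back end agrees with its normalization.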
Source: The hacker news / Securityweek
Link: https://thehackernews.com/2021/09/haproxy-found-vulnerable-to-critical.html
Link: https://www.securityweek.com/haproxy-vulnerability-leads-http-request-smuggling
New 0-Day Attack Targeting Windows Users With Microsoft Office Documents
Microsoft on Tuesday warned of an actively exploited zero-day flaw impacting Internet Explorer that’s being used to hijack vulnerable Windows systems by leveraging weaponized Office documents.
Tracked as CVE-2021-40444 (CVSS score: 8.8), the remote code execution flaw is rooted in MSHTML (aka Trident), the proprietary browser engine of the now-discontinued Internet Explorer, which Office also uses to render web content inside Word, Excel, and PowerPoint documents.
“Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,” the company said.
Source: The hacker news / Bleeping computer / Krebs on security / Threatpost / Securityweek / Microsoft security advisory
Link: https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html
Link: https://krebsonsecurity.com/2021/09/microsoft-attackers-exploiting-windows-zero-day-flaw/
Link: https://threatpost.com/microsoft-zero-day-rce-flaw-in-windows/169273/
Link: https://www.securityweek.com/microsoft-office-zero-day-hit-targeted-attacks
Link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
Yandex Pummeled by Potent Meris DDoS Botnet
Record-breaking distributed denial of service attack targets Russia’s version of Google – Yandex. Technical details tied to a record-breaking distributed-denial-of-service (DDoS) attack against Russian internet behemoth Yandex are surfacing as the digital dust settles. A massive botnet, dubbed Mēris, is believed responsible, flooding Yandex with millions of HTTP requests for webpages at the same time.
This DDoS technique is called HTTP pipelining, where a client opens a connection to a server and, without waiting for a response, sends several more requests. Those requests reportedly originated from networking gear made by MikroTik. Attackers, according to Qrator Labs, exploited a 2018 bug left unpatched on more than 56,000 MikroTik hosts involved in the DDoS attack.
According to Qrator, the Mēris botnet delivered the largest attack against Yandex it has ever spotted (by traffic volume) – peaking at 21.8 million requests per second (RPS). By comparison, infrastructure and website security firm Cloudflare reported that the “largest ever” DDoS attack occurred on August 19, with 17.2 million RPS.
Source: Threatpost
Link: https://threatpost.com/yandex-meris-botnet/169368/
Linux Threat Report 2021 1H
Linux powers many cloud infrastructures today. However, it is not immune to threats and risks. We discuss several pressing security issues including malware and vulnerabilities that compromise Linux systems in the first half of 2021.
Source: Trendmicro
Dissecting Sodinokibi Ransomware Attacks: Bringing Incident Response and Intelligence Together in the Fight
Ransomware actors are specializing, collaborating and assisting each other to conduct sophisticated attacks that are becoming increasingly difficult to prevent. Combating these groups effectively similarly requires a team approach — specialization, understanding tactics and techniques and how to counter them and cutting off activity at its source. Arguably, it has never been more imperative that cybersecurity specialists work together to counter a specific cyber threat.
Source: IBM Security intelligence
The Week in Ransomware – September 10th 2021 – REvil returns
This week marked the return of the notorious REvil ransomware group, who disappeared in July after conducting a massive attack using a Kaseya zero-day vulnerability. Their July attack affected over 1,500 businesses and drew the full attention of international law enforcement and the White House, who demanded that Russia do something about these attacks. Soon after, REvil shut down all of its servers and mysteriously disappeared.
That is until this week when REvil’s servers started back up, and a new sample of their ransomware was spotted on VirusTotal.
It is still too soon to tell if the ransomware gang is fully operational, but we will likely see new attacks shortly. In other news, a report was released this week outlining what a ransomware gang’s ideal target is for attacks, and the Ragnar Locker gang threatened to automatically release stolen data if victims contact negotiators or law enforcement.
Source: Bleeping computer / Dark reading
Threat Roundup for September 3 to September 10
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sept. 3 and Sept. 10. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.
Source: CISCO Talos intelligence group
Link: https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html