Cyber Security News — Past 24 hours | 07.05.2021
Cisco fixes critical flaws in SD-WAN vManage and HyperFlex HX software
Cisco has addressed critical vulnerabilities affecting SD-WAN vManage and HyperFlex HX software that could allow an attacker to create admin accounts and execute commands as root.
The Cisco SD-WAN vManage Software flaws could be exploited by an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information. Some of these vulnerabilities only affect software operating in a cluster; to verify whether the software is operating in cluster mode, users should check the Administration > Cluster Management view of the Cisco SD-WAN vManage web-based management interface.
The IT giant also addressed critical command injection vulnerabilities, tracked as CVE-2021-1497 and CVE-2021-1498, in the web-based management interface of Cisco HyperFlex HX.
In April, Cisco addressed multiple vulnerabilities in Cisco SD-WAN vManage Software that could be exploited by an unauthenticated, remote attacker to execute arbitrary code or by an authenticated, local attacker to gain escalated privileges on vulnerable systems.
The most severe vulnerability is a critical pre-authentication remote code execution issue, tracked as CVE-2021-1479, that affects the remote management component of its SD-WAN vManage Software.
A taste of the latest release of QakBot
The malware QakBot, also known as Qbot, Pinkslipbot, and Quakbot, is a banking trojan that has been making headlines since 2007. This piece of malware is focused on stealing banking credentials and victims' secrets using different tactics, techniques and procedures that have evolved over the years, including its delivery mechanisms, C2 techniques, and anti-analysis and anti-reversing features.
According to recent reports, it can be used to drop other malware such as ProLock and Egregor ransomware. At the moment, and after the Emotet takedown, QakBot is becoming one of the most prominent and observed threats, allowing criminals to gain a foothold on internal networks. The following workflow shows how the QakBot infection chain works.
The second stage, a DLL with a random file extension, is loaded into memory via the rundll32.exe Windows utility using a DLL injection technique. After that, the final payload is loaded in memory and the malicious activity is initiated. The malware is equipped with a list of hardcoded IP addresses from its botnet, and it receives commands and updates from the C2 server, including the deployment of additional payloads such as ransomware.
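A defender-side check for the rundll32 loading behaviour described above, as an added example that is not part of the original post: it scans constructed process-creation log lines (the `Image=... CommandLine="..."` format is an assumption, not a real capture) and flags rundll32.exe launches whose module argument has a non-library extension or sits in a user-writable directory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events (assumed export format, not real telemetry).
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\Users\bob\AppData\Local\Temp\abc12.xyz,DllRegisterServer"',
    r'Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"',
    r'Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\Windows\System32\user32.dll,LockWorkStation"',
    r'Image=C:\Program Files\App\app.exe CommandLine="app.exe --update"',
]

# Extensions rundll32 is normally asked to load; anything else is suspicious.
EXPECTED_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
# Path fragments that indicate a user-writable staging location.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

EVENT_RE = re.compile(r'Image=(.*?)\s+CommandLine="(.*)"$')
RUNDLL_RE = re.compile(r'\s*"?rundll32(?:\.exe)?"?\s+(.+)', re.IGNORECASE)


def parse_rundll32_module(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (module_path, export_name) from a rundll32 command line.

    The first argument is the module spec "path,Export". Paths containing
    spaces must be quoted; this simple parser takes the first whitespace
    token, which is enough for the sample lines above."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    module, _, export = m.group(1).split()[0].partition(",")
    return module, export


def rundll32_findings(events: List[str]) -> List[Dict[str, str]]:
    """Flag rundll32 launches whose module looks like a dropped second stage."""
    findings = []
    for line in events:
        ev = EVENT_RE.search(line)
        if not ev or not ev.group(1).lower().endswith("\\rundll32.exe"):
            continue
        parsed = parse_rundll32_module(ev.group(2))
        if not parsed:
            continue
        module, export = parsed
        name = module.replace("/", "\\").rsplit("\\", 1)[-1]
        ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
        reasons = []
        if ext not in EXPECTED_EXTENSIONS:
            reasons.append(f"unexpected module extension '{ext or '<none>'}'")
        if any(frag in module.lower() for frag in USER_WRITABLE):
            reasons.append("module in user-writable directory")
        if reasons:
            findings.append({"module": module, "export": export, "reasons": "; ".join(reasons)})
    return findings
```

Only the first sample event is flagged (random extension in a Temp folder); the legitimate shell32.dll and user32.dll launches pass, and the non-rundll32 process is ignored.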
New Study Warns of Security Threats Linked to Recycled Phone Numbers
A new academic study has highlighted a number of privacy and security pitfalls associated with recycling mobile phone numbers that could be abused to stage a variety of attacks, including taking over accounts, conducting phishing and spam attacks, and even preventing victims from signing up for online services.
According to the Federal Communications Commission, an estimated 35 million phone numbers are disconnected each year in the U.S.
But this can also pose serious dangers when an attacker does a reverse lookup by randomly entering such numbers in the online interfaces offered by the two carriers and, upon encountering a recycled number, buys it and successfully logs in to the victim's account to which the number is linked.
“Attacker obtains a number, signs up for an online service that requires a phone number, and releases the number,” the researchers said. “When a victim obtains the number and tries to sign up for the same service, they will be denied due to an existing account. The attacker can contact the victim through SMS and demand payment to free up the number on the platform.”
N3TW0RM Ransomware: Emerges in Wave of Cyberattacks in Israel
In a surge of cyberattacks that began last week, a new ransomware group known as ‘N3TW0RM’ is targeting Israeli companies.
N3TW0RM, like other ransomware gangs, has set up a data leak platform where they threaten to release stolen files in order to pressure victims into paying a ransom. At least four Israeli companies and one nonprofit organization were successfully breached in this wave of attacks, according to Israeli news outlet Haaretz.
As per the WhatsApp message circulated by Israeli cybersecurity researchers, the N3TW0RM ransomware shares several characteristics with the Pay2Key attacks that took place in November 2020 and February 2021.
Pay2Key has been linked to Fox Kitten, an Iranian nation-state hacking group whose mission was to disrupt and damage Israeli interests rather than collect a ransom payment. According to samples of the ransomware seen by BleepingComputer and conversations with Nachmias, the N3TW0RM threat actors install a programme on a victim's server that listens for connections from the workstations.
The threat actors then use PAExec to deploy and execute the 'slave.exe' client executable on every device that the ransomware will encrypt, according to Nachmias.
Stay Focused. Stay Vigilant.
Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT