Cyber Security News — Past 24 hours | 20.07.2021
16-Year-Old Security Bug Affects Millions of HP, Samsung, Xerox Printers
Details have emerged about a high severity security vulnerability affecting a software driver used in HP, Xerox, and Samsung printers that has remained undetected since 2005.
Tracked as CVE-2021-3438, the issue concerns a buffer overflow in a print driver installer package named «SSPORT.SYS» that can enable remote privilege and arbitrary code execution.
«A potential buffer overflow in the software drivers for certain HP LaserJet products and Samsung product printers could lead to an escalation of privilege,» according to an advisory published in May.
The issue was reported to HP by threat intelligence researchers from SentinelLabs on February 18, 2021, and fixes for the affected printers were published on May 19, 2021.
«The vulnerable function inside the driver accepts data sent from User Mode via IOCTL without validating the size parameter,» SentinelOne researcher Asaf Amir said in a report shared with The Hacker News.
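To make the flaw class concrete, here is an added example in C (not HP's, Microsoft's or SentinelLabs' code, and not SSPORT.SYS): a user-mode model of an IOCTL-style handler that trusts the caller-supplied length, shown beside a handler that validates it against the destination before copying. The structure names, the 64-byte buffer size and the canary are illustrative assumptions; the canary placed right after the logical buffer makes the overrun observable without touching unrelated memory.

```c
/* Added example (not HP's, Microsoft's or SentinelLabs' code): a user-mode model
 * of the flaw class in the article, an IOCTL-style handler that trusts the
 * caller-supplied length, next to a handler that validates it. Structure
 * names, sizes and the canary are illustrative assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DRIVER_BUF_SIZE 64          /* assumed size of the driver's fixed buffer */
#define CANARY_VALUE 0xDEADBEEFu    /* sentinel placed right after that buffer */

/* What a driver sees for a request from user mode: a data pointer and a
 * length the caller chose, which therefore has to be validated. */
typedef struct {
    const uint8_t *data;
    size_t length;
} IoctlRequest;

typedef struct {
    /* Logical buffer = first DRIVER_BUF_SIZE bytes; the 4 bytes after it hold
     * the canary, so an overrun of the logical buffer clobbers it. */
    uint8_t storage[DRIVER_BUF_SIZE + sizeof(uint32_t)];
} DriverContext;

void context_init(DriverContext *ctx) {
    uint32_t c = CANARY_VALUE;
    memset(ctx->storage, 0, sizeof ctx->storage);
    memcpy(ctx->storage + DRIVER_BUF_SIZE, &c, sizeof c);
}

int canary_intact(const DriverContext *ctx) {
    uint32_t c;
    memcpy(&c, ctx->storage + DRIVER_BUF_SIZE, sizeof c);
    return c == CANARY_VALUE;
}

/* Flawed handler: copies req->length bytes into the 64-byte logical buffer
 * without comparing the two. The clamp to sizeof storage is only a safety net
 * for this demo (it keeps the overrun inside the canary slot); a real driver
 * has nothing of the kind, which is what makes such a bug dangerous. */
int handle_ioctl_unchecked(DriverContext *ctx, const IoctlRequest *req) {
    size_t n = req->length < sizeof ctx->storage ? req->length : sizeof ctx->storage;
    memcpy(ctx->storage, req->data, n);
    return 0;
}

/* Hardened handler: validates the length against the destination before any
 * memory is touched and rejects the request otherwise. */
int handle_ioctl_checked(DriverContext *ctx, const IoctlRequest *req) {
    if (req->data == NULL || req->length > DRIVER_BUF_SIZE)
        return -1;   /* a real driver would complete with STATUS_INVALID_PARAMETER */
    memcpy(ctx->storage, req->data, req->length);
    return 0;
}

/* Feeds a constructed request of `length` bytes of 'x' to a handler.
 * Returns -1 if the handler rejected it, 1 if it accepted it and the canary
 * survived, 0 if it accepted it and the canary was overwritten. */
int run_request(int (*handler)(DriverContext *, const IoctlRequest *), size_t length) {
    uint8_t input[256];
    DriverContext ctx;
    IoctlRequest req;
    memset(input, 'x', sizeof input);           /* constructed input */
    req.data = input;
    req.length = length < sizeof input ? length : sizeof input;
    context_init(&ctx);
    if (handler(&ctx, &req) != 0) return -1;
    return canary_intact(&ctx) ? 1 : 0;
}

int main(void) {
    printf("unchecked, 64 bytes:  %d\n", run_request(handle_ioctl_unchecked, 64));   /* 1 */
    printf("unchecked, 100 bytes: %d\n", run_request(handle_ioctl_unchecked, 100));  /* 0 */
    printf("checked,   100 bytes: %d\n", run_request(handle_ioctl_checked, 100));    /* -1 */
    printf("checked,   64 bytes:  %d\n", run_request(handle_ioctl_checked, 64));     /* 1 */
    return 0;
}
```

The point of the checked version is that the size check happens before the copy and uses the destination's real capacity, not a value the caller controls; the same review question (is every caller-supplied length compared against the buffer it fills?) is what finds this class of bug in a driver audit.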
Interestingly, it appears that HP copied the driver’s functionality from a near-identical Windows driver sample published by Microsoft, although the sample project in itself doesn’t contain the vulnerability.
This is not the first time security flaws have been discovered in old software drivers.
This New Malware Hides Itself Among Windows Defender Exclusions to Evade Detection
Cybersecurity researchers on Tuesday lifted the lid on a previously undocumented malware strain dubbed «MosaicLoader» that singles out individuals searching for cracked software as part of a global campaign.
«The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service,» Bitdefender researchers said in a report shared with The Hacker News. «The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links».
Upon a successful infection, the initial Delphi-based dropper — which masquerades as a software installer — acts as an entry point to fetch next-stage payloads from a remote server and also add local exclusions in Windows Defender for the two downloaded executables in an attempt to thwart antivirus scanning.
One of the binaries, «appsetup.exe,» is conceived to achieve persistence on the system, whereas the second executable, «prun.exe,» functions as a downloader for a sprayer module that can retrieve and deploy a variety of threats from a list of URLs, ranging from cookie stealers to cryptocurrency miners, and even more advanced implants like Glupteba.
Given MosaicLoader’s wide-ranging capabilities, compromised systems can be co-opted into a botnet that the threat actor can then exploit to propagate multiple and evolving sets of sophisticated malware, including both publicly available and customized malware, to obtain, expand, and maintain unauthorized access to victim computers and networks.
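The Defender-exclusion trick described above leaves a trace that defenders can watch for. The following is an added example in C (not Bitdefender's or Microsoft's code): detection logic run over a few constructed log lines modelled on the text of Defender's configuration-change event (ID 5007), flagging path exclusions that point into user-writable locations. The line format, every path and user name, and the list of risky prefixes are assumptions for the demo; only the file names appsetup.exe and prun.exe come from the report.

```c
/* Added example (not Bitdefender's or Microsoft's code): detection logic over
 * constructed log lines modelled on Defender's configuration-change event
 * (ID 5007), flagging path exclusions under user-writable locations, the
 * evasion the article attributes to MosaicLoader. Line format, paths and user
 * names are assumptions made for this demo. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 260

/* Constructed sample lines: appsetup.exe and prun.exe are named in the report,
 * everything else here is invented. */
const char *SAMPLE_EVENTS[] = {
    "5007 New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\alice\\AppData\\Local\\Temp\\appsetup.exe = 0x0",
    "5007 New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\alice\\AppData\\Local\\Temp\\prun.exe = 0x0",
    "5007 New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Program Files\\VendorApp\\service.exe = 0x0",
    "5001 Real-time protection was disabled.",
    NULL
};

/* Assumed policy: an exclusion under a location a non-admin process can write
 * to is treated as suspicious. Tune this list to the environment. */
const char *RISKY_PREFIXES[] = { "C:\\Users\\", "C:\\Windows\\Temp\\", NULL };

/* Case-insensitive prefix test, since Windows paths are case-insensitive. */
int has_prefix_nocase(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* Pulls the excluded path out of a 5007-style line into out.
 * Returns 1 on success, 0 if the line carries no path exclusion. */
int extract_exclusion_path(const char *line, char *out, size_t outlen) {
    static const char marker[] = "Exclusions\\Paths\\";
    const char *p = strstr(line, marker);
    const char *end;
    size_t n;
    if (!p) return 0;
    p += sizeof marker - 1;
    end = strstr(p, " = ");
    n = end ? (size_t)(end - p) : strlen(p);
    if (n == 0 || n >= outlen) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

int path_is_risky(const char *path) {
    int i;
    for (i = 0; RISKY_PREFIXES[i]; i++)
        if (has_prefix_nocase(path, RISKY_PREFIXES[i])) return 1;
    return 0;
}

/* Convenience for checking a single line: 1 if it yields exactly `expected`. */
int exclusion_path_equals(const char *line, const char *expected) {
    char path[MAX_PATH_LEN];
    return extract_exclusion_path(line, path, sizeof path) && strcmp(path, expected) == 0;
}

/* Walks a NULL-terminated array of lines, prints a verdict per exclusion and
 * returns how many were flagged. */
int count_suspicious_exclusions(const char *const *lines) {
    int i, hits = 0;
    char path[MAX_PATH_LEN];
    for (i = 0; lines[i]; i++) {
        if (!extract_exclusion_path(lines[i], path, sizeof path)) continue;
        if (path_is_risky(path)) {
            printf("ALERT: Defender exclusion added for user-writable path: %s\n", path);
            hits++;
        } else {
            printf("info: Defender exclusion added for %s\n", path);
        }
    }
    return hits;
}

int main(void) {
    int hits = count_suspicious_exclusions(SAMPLE_EVENTS);
    printf("%d suspicious exclusion(s)\n", hits);   /* 2 */
    return 0;
}
```

In practice the same rule is worth applying to a live export of the Defender operational log or to the current exclusion list itself, since a loader that adds exclusions for files it has just dropped into a profile or temp directory is exactly the pattern the report describes.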
Stay Focused. Stay Vigilant.
Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT