Cyber Security News — Past 24 hours | 30.04.2021
Google Chrome V8 Bug Allows Remote Code-Execution
Google’s Chrome browser has several security vulnerabilities that could pave the way to multiple types of attacks, including a V8 bug that could allow remote code execution within a user’s browser.
The high-severity V8 issue is tracked as CVE-2021-21227, and was reported by Gengming Liu from Singular Security Lab. Google describes the bug as «insufficient data validation in V8» but is keeping other details close to its vest.
Thus, CVE-2021-21227 would need to be chained with another vulnerability in order to successfully wreak havoc on a target’s machine beyond the browser itself.
The researcher also noted that his discovery is related to prior, now-patched V8 vulnerabilities. The first allows a remote attacker to exploit heap corruption if a user visits, or is redirected to, a specially crafted web page. Meanwhile, according to another report, the implications of an attack using the bug depend on the privileges associated with the application: in the worst case, an attacker could view, change or delete data.
And, if someone has turned off sandboxing, all bets are off.
Google recently patched a zero-day in Chrome.
UK rail network Merseyrail hit by ransomware gang
UK rail network Merseyrail, which operates rail services across Merseyside, announced it was a victim of a cyber attack. A ransomware gang has also compromised the email system of the organization to inform employees and journalists about the attack.
The news was reported by BleepingComputer, which had earlier received an email sent from the account of Andy Heath, the Director of Merseyrail. «We can confirm that Merseyrail was recently subject to a cyber-attack. A full investigation has been launched and is continuing. In the meantime, we have notified the relevant authorities,» Merseyrail told BleepingComputer. «It would be inappropriate for us to comment further while the investigation is underway.»
The same email was sent to several UK newspapers and to Merseyrail employees, likely to put pressure on the organization to pay the ransom. The message includes a link to an image showing an employee’s personal information as proof of the attack.
The attackers claim to have stolen employee and customer data before encrypting the systems of the company.
NTLM Relay Attack Exploits Windows RPC Flaws
Security researchers at SentinelLabs revealed the details of a newly identified NTLM relay attack that exploits a remote procedure call flaw to enable elevation of privilege.
This new vulnerability in RPC, which apparently impacts all versions of Windows, enables an attacker to escalate privileges from User to Domain Admin, all without requiring interaction from the user.
The researchers used a DCOM client that was instructed to connect to an RPC server, an operation that involved two NTLM authentications, one of them without the sign flag set. They also leveraged the fact that the DCOM activation service can be abused to trigger RPC authentication.
Methodology used by cybercriminals
The attacker starts with a shell in Session 0 on the target machine, even from a low-privileged account. When a user with high privileges logs in interactively, the attacker triggers the DCOM activation service to impersonate that user and sets up a man-in-the-middle to receive an authenticated call. The RPC binding then takes place under the attacker’s control, the victim machine makes an authenticated call, and that authentication is relayed to a privileged resource such as LDAP, SMB, HTTP or another service. Finally, the relayed authentication is used for privilege escalation.
Researchers at SentinelLabs also published proof-of-concept code to demonstrate how the exploit works, and revealed that, although Microsoft has acknowledged the vulnerability, a patch won’t be released.
Cybercriminals Widely Abusing Excel 4.0 Macro to Distribute Malware
Threat actors are increasingly adopting Excel 4.0 documents as an initial stage vector to distribute malware such as ZLoader and Quakbot, according to new research.
The findings come from an analysis of 160,000 Excel 4.0 documents between November 2020 and March 2021, out of which more than 90% were classified as malicious or suspicious.
Microsoft warns in its support document that enabling all macros can cause «potentially dangerous code» to run.
The ever-evolving Quakbot, since its discovery in 2007, has remained a notorious banking trojan capable of stealing banking credentials and other financial information, while also gaining worm-like propagation features. Typically spread via weaponized Office documents, variants of QakBot have been able to deliver other malware payloads, log user keystrokes, and even create a backdoor to compromised machines.
Another sample included a Base64-encoded payload in one of the sheets, which then attempted to download additional malware from a sketchy URL.
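As an added triage example (this is not code from the research cited above), the script below takes a workbook in OOXML form, lists any Excel 4.0 macro sheets it contains and flags cells holding Base64-looking blobs or URLs, the two indicators described in this passage. The sample workbook is constructed inline and is not a real malicious file; legacy binary .xls containers are out of scope.

```python
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")   # long Base64-only run
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def triage_workbook(data: bytes) -> dict:
    """Report Excel 4.0 macro sheets and suspicious cell contents in an OOXML file."""
    findings = {"macrosheets": [], "base64_cells": [], "url_cells": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # Excel 4.0 (XLM) macros live in their own part, separate from worksheets
            if not name.startswith("xl/macrosheets/"):
                continue
            findings["macrosheets"].append(name)
            root = ET.fromstring(zf.read(name))
            for cell in root.iterfind(".//m:c", NS):
                ref = cell.get("r")
                # Collect formula, value and inline-string text of the cell
                text = "".join(e.text or "" for e in cell.iter() if e is not cell).strip()
                if BASE64_RE.match(text):
                    findings["base64_cells"].append(ref)
                if URL_RE.search(text):
                    findings["url_cells"].append(ref)
    return findings


# Constructed sample: one macrosheet with a Base64 blob, a URL and a benign number.
SAMPLE_MACROSHEET = """<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <sheetData>
    <row r="1"><c r="A1" t="str"><v>{b64}</v></c></row>
    <row r="2"><c r="A2" t="str"><v>http://example.invalid/payload</v></c></row>
    <row r="3"><c r="A3"><v>42</v></c></row>
  </sheetData>
</worksheet>"""


def build_sample() -> bytes:
    """Minimal constructed container: only the macrosheet part, no other Excel metadata."""
    blob = base64.b64encode(b"constructed placeholder payload" * 3).decode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/macrosheets/sheet1.xml", SAMPLE_MACROSHEET.format(b64=blob))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_workbook(build_sample()))
```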
«Even though backward compatibility is very important, some things should have a life expectancy and, from a security perspective, it would probably be best if they were deprecated at some point in time,» the researchers noted.
Stay Focused. Stay Vigilant.
Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT