CYBERSECURITY NEWS V. 02.02 – Apple patches 3 exploited iOS 0-days, 10-year-old bug gives root access on Linux systems


hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates

News FYI

10-year-old bug gives root access on Linux systems

A vulnerability affecting the Linux ecosystem was fixed in Sudo, an app that allows administrators to give root access to users.

The CVE-2021-3156 vulnerability, known as Baron Samedit, was discovered by Qualys.

To date, the vulnerability was fixed in Sudo 1.9.5p2. The bug could be exploited by a user who is not included in the sudoers list and does not know the root password.

According to Qualys, the bug appeared in the Sudo code back in July 2011 and is present in all versions of the utility released since then. The Qualys team was able to develop and study exploits for Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2).

Google Chrome closed 7 more ports to protect against NAT Slipstreaming attacks

Last fall, Samy Kamkar, a well-known information security researcher, described the NAT Slipstreaming attack. It allows to bypass firewalls and connect to internal networks turning Google Chrome into a proxy for attackers. To implement such an attack, they just had to lure the user to a malicious site, where JavaScript established a connection with the victim's device directly, bypassing protection.

Now Kamkar, with the support of Armis experts Ben Seri and Gregory Vishnipolsky, has described another version of this attack (called NAT Slipstreaming 2.0). NAT Slipstreaming (2.0) option expands a potential attacker's capabilities by allowing Internet access to all network devices behind NAT or firewalls. The basic scheme of the attack has been preserved; the only significant difference is the use of the H.323 VoIP protocol of SIP. This allows JavaScript to send multiple FETCH requests to the dummy server on port 1720 (browsers do not block it). Since H.323 enables call forwarding, the attacker can manipulate the server's responses to force NAT to open access to any IP address on the internal network and the desired port.

The NAT Slipstreaming 2.0 attack is especially dangerous for devices whose admin interface is weakly protected or does not require authentication, like office printers, industrial controllers, and IP cameras.

Google announced that Chrome will also block HTTP, HTTPS, and FTP access to TCP ports 69, 137, 161, 1719, 1720, 1723, and 6566 to protect against NAT Slipstreaming 2.0.

The developers of Firefox, Edge, and Safari 14.0.3 have also protected their browsers from NAT Slipstreaming. While Edge is likely to use the same ports as Chrome, it is unknown which ports were blocked in Safari and Firefox.

Fonix ransomware operators stop their activity

Fonix ransomware operators announced that they had ceased their activity and published a decryption key that allows attack victims to recover their files for free.

The Fonix group (also known as Xinof and FonixCrypter) launched cyberattacks in June 2020, but now a Twitter user posing as the ransomware administrator announced the closure of the project:

"I'm one fonix team admins.

you know about fonix team but we have concluded.

we should use our abilities in positive ways and help others.

Also rans0mware source is completely deleted, but some of the team members disagree with closure of the project, like telegram channel admin who trying to scam people in telegram channel by selling fake source and data.

Anyway now main admin has decided to put all previous work aside and decrypt all infected systems at no cost.

And the decryption key will be available to the public.

The final statement of the team will be announced soon.


In another publication, the group's representative shared a link to a RAR archive named "Fonix_decrypter.rar" containing both the decryptor and the master decryption key.

Master decryption keys work only with certain versions of Fonix ransomware.

Apple patches three actively exploited iOS zero-days

Apple released fixes for three iOS vulnerabilities that could be exploited in conjunction with watering hole attacks. Such attacks involve infecting the victim's device with malware via compromised sites. Apple does not specify the scale of the attacks or the operators behind them.

All three vulnerabilities (CVE-2021-1782, CVE-2021-1870, and CVE-2021-1871) were discovered by an anonymous security researcher. They are fixed in iOS 14.4 and iPadOS 14.4 for iPhone 6s and newer, iPad Air 2 and newer, iPad mini 4 and later, and iPod touch 7th generation. Patches have also been released for Apple TV 4K and Apple TV HD.

Through these vulnerabilities, malware could escalate its privileges and execute arbitrary commands to control the device.

South African revenue service releases browser with Flash support

South African Revenue Service (SARS) has released its browser with the sole purpose of reenabling Adobe Flash Player support.

Official support for Flash Player was terminated on December 31, 2020. A self-destruction mechanism was built into the software code in advance, so starting from January 12, 2021, Adobe forcibly blocks the launch of any Flash content.

On January 12, the South African Internal Revenue Service announced on Twitter that the Flash time-bomb affected its operations, making it impossible to files taxes through their web portal (where forms are provided as Flash widgets).

The SARS eFiling Browser can be downloaded from the official website. The novelty is based on the Chromium engine and has only two functions. The first is to support Flash, and the second is to provide access to the tax filing portal.

However, the SARS eFiling Browser only works on Windows. macOS, Linux, and mobile users still cannot access online tax forms.

red team

Try Hive now

online demo
red team