CYBERSECURITY NEWS V. 13.11 – Adobe patches, Apple 0-day vulnerabilities, New ransomware Pay2Key
hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates with comments from our experts
News for discussion
Emergency patches for Adobe Acrobat and Adobe Reader
Adobe has released updates for Adobe Acrobat and Adobe Reader products. The company has patched 14 vulnerabilities in Acrobat DC for Windows and macOS, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Acrobat 2017, and Acrobat Reader 2017. Four critical bugs (CVE-2020-24435, CVE-2020-24436, CVE-2020-24430, and CVE-2020-24437) are heap buffer overflow, out-of-bounds write, and use-after-free issues. All of these vulnerabilities can be exploited to execute arbitrary code. However, Adobe says it is not aware of any attacks exploiting these vulnerabilities.
As with any news about critical vulnerabilities in popular products, this case should make us ask ourselves: Am I using this product? If so, go and install the latest updates. We highly recommend doing that, since cybercriminals very often exploit vulnerabilities in Adobe Acrobat and Adobe Reader by sending malicious emails to penetrate the holy of holies of any company: its internal network.
Apple patches three zero-day vulnerabilities in iOS and macOS
Apple released iOS 14.2, which fixes three zero-day vulnerabilities that had been actively exploited by hackers. The Google Project Zero team discovered the vulnerabilities. Google has yet to publish the details, but the attacks are similar to the recently disclosed zero-day vulnerabilities in Windows and Chrome. CVE-2020-27930 is an RCE in the iOS FontParser component; CVE-2020-27932, an iOS kernel privilege escalation vulnerability, allows attackers to run malicious code with kernel-level privileges; finally, CVE-2020-27950 is an iOS kernel memory leak. All three bugs were likely used together, allowing attackers to hack iPhones remotely.
New ransomware Pay2Key encrypts corporate networks in under an hour
The new Pay2Key ransomware targets organizations in Israel and Brazil. Attackers use the Remote Desktop Protocol (RDP) to gain access to victims' computers. Once they have infiltrated a victim's network, they quickly begin encrypting the systems and spreading the ransomware across the entire network, which takes less than an hour. Having penetrated the local network, hackers install a proxy server on one of the devices to ensure communication with the C&C server. The payload (Cobalt.Client.exe) is launched remotely with the PsExec utility. Once encryption is complete, ransom notes are left on the compromised systems. The ransom usually amounts to 7-9 bitcoins. Pay2Key is written in C++ and has no analogs. It encrypts files with an AES key and uses RSA keys to communicate with the C&C server. A free decryptor for files encrypted with Pay2Key is not available yet.
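The PsExec step described above leaves traces defenders can hunt for: a PSEXESVC service install followed by a child process on the same host. The Python below is an added example, not part of the original article; the simplified JSON event layout, host names, file paths, and the five-minute window are constructed assumptions, and only the payload name Cobalt.Client.exe comes from the text.

```python
import json
from datetime import datetime, timedelta
from ntpath import basename  # splits Windows paths on any OS

# Constructed sample: simplified JSON export of Windows events.
# 7045 = service installed (System log), 4688 = process created (Security log).
SAMPLE_LOG = r"""
{"ts":"2020-11-08T02:10:05","host":"FS01","EventID":7045,"ServiceName":"PSEXESVC"}
{"ts":"2020-11-08T02:10:07","host":"FS01","EventID":4688,"NewProcessName":"C:\\Windows\\Temp\\Cobalt.Client.exe","ParentProcessName":"C:\\Windows\\PSEXESVC.exe"}
{"ts":"2020-11-08T02:14:30","host":"DB02","EventID":7045,"ServiceName":"PSEXESVC"}
{"ts":"2020-11-08T02:14:33","host":"DB02","EventID":4688,"NewProcessName":"C:\\Windows\\Temp\\Cobalt.Client.exe","ParentProcessName":"C:\\Windows\\PSEXESVC.exe"}
{"ts":"2020-11-08T09:00:00","host":"WS07","EventID":7045,"ServiceName":"PSEXESVC"}
{"ts":"2020-11-08T09:00:02","host":"WS07","EventID":4688,"NewProcessName":"C:\\Windows\\System32\\ipconfig.exe","ParentProcessName":"C:\\Windows\\PSEXESVC.exe"}
{"ts":"2020-11-08T09:30:00","host":"WS09","EventID":4688,"NewProcessName":"C:\\Windows\\System32\\notepad.exe","ParentProcessName":"C:\\Windows\\explorer.exe"}
"""
PAYLOAD_NAMES = {"cobalt.client.exe"}  # payload file name from the article
WINDOW = timedelta(minutes=5)          # assumed max gap: service install -> child start

def parse(log):
    """Parse JSON lines and return events sorted by timestamp."""
    events = [json.loads(line) for line in log.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def detect(events):
    """Return (ts, host, child, severity) for processes spawned by a fresh PsExec service."""
    last_install, findings = {}, []
    for e in events:
        if e["EventID"] == 7045 and e["ServiceName"].upper() == "PSEXESVC":
            last_install[e["host"]] = e["ts"]
        elif e["EventID"] == 4688:
            installed = last_install.get(e["host"])
            parent = basename(e["ParentProcessName"]).lower()
            if parent != "psexesvc.exe" or installed is None or e["ts"] - installed > WINDOW:
                continue
            child = basename(e["NewProcessName"])
            severity = "high" if child.lower() in PAYLOAD_NAMES else "review"
            findings.append((e["ts"], e["host"], child, severity))
    return findings

def hosts_hit_within(findings, span=timedelta(hours=1)):
    """Hosts with a high-severity hit inside `span` of the first one (spread indicator)."""
    high = [f for f in findings if f[3] == "high"]
    return {f[1] for f in high if f[0] - high[0][0] <= span}

if __name__ == "__main__":
    results = detect(parse(SAMPLE_LOG))
    for ts, host, child, severity in results:
        print(ts.isoformat(), host, child, severity)
    print("hosts hit within an hour:", sorted(hosts_hit_within(results)))
```

A PsExec service renamed with the -r option will not match the PSEXESVC name, so treat this as one signal among several.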
RansomEXX now encrypts Linux systems
RansomEXX is a relatively new ransomware strain first discovered in June. It poses a particular threat because it is human-operated. These attacks are often much more dangerous than automated ones: cybercriminals, as a rule, use completely legitimate means to move inside the attacked network, thereby remaining unnoticed by standard security tools. The Linux version of the ransomware is an ELF executable file called "svc-new". When launched, it generates a 256-bit key and uses it to encrypt all files on the server with the AES block cipher in ECB mode. In turn, the AES key is encrypted with an RSA-4096 public key embedded in the malware code; then, it is added to all encrypted files.
Data of 34 million users stolen from 17 companies on sale
A database of 34 million user entries is being sold on a cybercrime forum. The seller claims to have stolen it from 17 different companies. The details of these attacks are still unknown. The database contains emails, passwords, phone numbers, usernames, credit card data, and IP addresses. All these records were obtained in 2020. The largest leak occurred at Geekie.com.br, where 8,100,000 records were stolen. The most famous affected company is the Singapore-based RedMart (1,100,000 entries). Notably, none of the 17 companies have previously reported any security issues or data breaches. As of today, only RedMart is investigating the leak.