CYBERSECURITY NEWS V. 17.09 – BLURtooth vulnerability, Adobe patches, New victims of Netwalker


The hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates, with comments from our experts.

News for discussion

Bluetooth-enabled devices are susceptible to man-in-the-middle attacks

A flaw in Bluetooth Cross-Transport Key Derivation (CTKD), tracked as CVE-2020-15802 and dubbed BLURtooth, could allow man-in-the-middle attacks. CTKD lets a dual-mode device that pairs over one transport (BR/EDR or LE) derive the key for the other transport without pairing again; the flaw lets an attacker who pairs over one transport overwrite, or reduce the strength of, the key already established on the other, after which they can impersonate a trusted device or intercept its traffic. For a successful attack, the attacker has to be within radio range of the vulnerable device, and the device has to accept pairing on one of the transports without authentication (Just Works) or without user-controlled restrictions. Dual-mode devices implementing CTKD under Bluetooth Core Specification versions 4.0 through 5.0 are affected; version 5.1 already restricts key overwrites through CTKD. No patches are available at this time, so the only way to protect yourself is to control the environment in which Bluetooth devices are paired.

hexway commentary:

We at hexway like Bluetooth attacks, and especially we like Bluetooth attacks that have practical applications (for example, during a Red Team engagement). BLURtooth is hardly like that. Is there a vulnerability? Yes, there is a bug. Is this attack dangerous for ordinary people? Well, nooo. The attacker has to manage to intervene in the pairing process between devices in order to carry out the attack.
Summary. Excellent academic research? Yes! Is the world a little safer? Well, of course! Will real attackers use this? Nope. This is probably why vendors are in no hurry with fixes 🙂

News FYI

Adobe patches critical vulnerabilities in Experience Manager, InDesign, and Framemaker

Adobe has fixed 18 flaws in its latest updates, covering InDesign, Framemaker, and Experience Manager. The bugs range from memory-safety errors leading to arbitrary code execution to arbitrary JavaScript execution in the browser and disclosure of sensitive information caused by execution with unnecessary privileges. Two critical vulnerabilities (CVE-2020-9725 and CVE-2020-9726) leading to arbitrary code execution are fixed in Adobe Framemaker for Windows versions 2019.0.6 and earlier. Five critical flaws allowing arbitrary code execution in the context of the current user (CVE-2020-9727, CVE-2020-9728, CVE-2020-9729, CVE-2020-9730, CVE-2020-9731) were fixed in Adobe InDesign for Windows and macOS versions 15.1.1 and earlier. In Experience Manager, 11 bugs were fixed, 5 of which (CVE-2020-9732, CVE-2020-9734, CVE-2020-9740, CVE-2020-9741 and CVE-2020-9742) are rated critical and allow arbitrary JavaScript execution in the browser.

Weave Scope used in attacks against Docker and Kubernetes infrastructures

Weave Scope is an open-source visualization and monitoring tool that lets users observe running processes and container network connections in cloud environments. It can launch shells into containers and hosts as root, and its web interface requires no authentication by default, so an instance exposed to the Internet hands an attacker full visibility into the victim's server environment and control over the applications running there. In the campaign reported this week the attackers get in through an exposed Docker API. Once inside, they create a new privileged container from a clean Ubuntu image, mount the host's file system into it, which gives them access to every file on the server, and instruct the container to download and run cryptocurrency miners. They then try to elevate their privileges on the host and finally install Weave Scope itself, using it as a ready-made backdoor with a graphical view of, and control over, the whole compromised environment.
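As an added example (our own, not code from the page, from Weave Scope or from the report on this campaign), the script below scans `docker inspect` output for the pattern just described: a container running privileged, sharing the host PID namespace, bind-mounting the host's root, sensitive host paths or the Docker socket, or running a Weave Scope image. The three-container JSON sample is constructed for the example; the host paths list and the port number are our assumptions about what is worth flagging.

```python
"""Flag containers whose configuration matches the host-takeover pattern
described above. Input is the JSON printed by `docker inspect`; the sample
below is constructed for this example and does not describe real hosts."""
import json
import sys

# Constructed `docker inspect` output: a benign web container, a privileged
# Ubuntu container with the host root mounted at /mnt, and a Weave Scope probe.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"Image": "nginx:1.19"},
     "HostConfig": {"Privileged": False, "PidMode": ""},
     "Mounts": []},
    {"Name": "/xenial", "Config": {"Image": "ubuntu:16.04"},
     "HostConfig": {"Privileged": True, "PidMode": "host"},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}]},
    {"Name": "/scope", "Config": {"Image": "weaveworks/scope:1.13.1"},
     "HostConfig": {"Privileged": True, "PidMode": "host"},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
])

# Host paths that give a container control of the host when bind-mounted
# (our choice for this example; extend to match your environment).
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")


def is_sensitive_host_path(source: str) -> bool:
    """True for "/" itself or for anything at or below a sensitive host path."""
    if source == "/":
        return True
    return any(source == p or source.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def analyse(inspect_json: str) -> list:
    """Return (container name, image, [reasons]) for every suspicious container."""
    findings = []
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        image = c.get("Config", {}).get("Image", "")
        host_cfg = c.get("HostConfig", {})
        reasons = []
        if host_cfg.get("Privileged"):
            reasons.append("runs --privileged")
        if host_cfg.get("PidMode") == "host":
            reasons.append("shares the host PID namespace")
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and is_sensitive_host_path(m.get("Source", "")):
                reasons.append("bind-mounts host path %s at %s"
                               % (m["Source"], m.get("Destination")))
        if "weaveworks/scope" in image:
            reasons.append("runs Weave Scope: confirm you deployed it and that its UI "
                           "(port 4040 by default) is not reachable without authentication")
        if reasons:
            findings.append((name, image, reasons))
    return findings


def main():
    # `python3 check_containers.py -` reads real `docker inspect` output from stdin;
    # without the argument the constructed sample is analysed.
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_INSPECT
    for name, image, reasons in analyse(data):
        print("%s (%s):" % (name, image))
        for reason in reasons:
            print("  - " + reason)


if __name__ == "__main__":
    main()
```

Run it on a live host with `docker inspect $(docker ps -q) | python3 check_containers.py -`. A legitimate Weave Scope deployment also needs the Docker socket and host PID namespace, so the Scope container is reported for review rather than declared malicious; what matters is whether you installed it and whether its UI is exposed without authentication.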

Intel fixes a critical bug that allows privilege escalation

Intel has fixed CVE-2020-8758, a critical privilege escalation vulnerability rated 9.8 out of 10 on the CVSS scale. It affects Active Management Technology (AMT), the part of the Intel vPro platform used for remote out-of-band PC management, and Intel Standard Manageability (ISM). The bug is caused by improper buffer restrictions in the networking subsystem. On systems where AMT is provisioned, an unauthenticated attacker with network access can exploit it, which is the case the 9.8 score describes; on unprovisioned systems it is only exploitable locally by an authenticated user. All versions of Intel AMT and ISM before 11.8.79, 11.12.79, 11.22.79, 12.0.68, and 14.0.39 are vulnerable. Intel is not aware of any exploits in the wild and advises users to apply the firmware update provided by their system manufacturer.
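Added example (ours, not Intel's tooling): a small checker that compares AMT/ISM firmware versions collected from an inventory against the fixed versions listed above. It assumes you already have the version strings (the hostnames and versions below are constructed); versions from a branch the advisory does not list are reported separately rather than guessed at, since Intel gives no fixed version for them.

```python
"""Compare Intel AMT/ISM firmware versions with the fixed versions from the
advisory above. Assumes firmware versions were already collected from your
inventory; the host list below is constructed for this example."""

# Minimum fixed version per firmware branch (major.minor), from the advisory.
FIXED_VERSIONS = {
    (11, 8): (11, 8, 79),
    (11, 12): (11, 12, 79),
    (11, 22): (11, 22, 79),
    (12, 0): (12, 0, 68),
    (14, 0): (14, 0, 39),
}

# Constructed inventory: hostname -> reported AMT/ISM version (not real hosts).
SAMPLE_INVENTORY = {
    "wks-01": "11.8.77.3664",
    "wks-02": "12.0.68.1576",
    "wks-03": "14.0.33.1451",
    "wks-04": "11.6.50.3460",
    "wks-05": "12.0.70.1652",
}


def parse_version(text: str) -> tuple:
    """'11.8.77.3664' -> (11, 8, 77). Firmware versions carry a fourth build
    component, which the advisory does not use, so only the first three count."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    if len(parts) != 3:
        raise ValueError("expected major.minor.hotfix, got %r" % text)
    return tuple(parts)


def assess(version_text: str) -> str:
    """'vulnerable', 'fixed', or 'unknown-branch' when the advisory lists no
    fixed version for that major.minor branch (check vendor guidance)."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    return "vulnerable" if version < fixed else "fixed"


def report(inventory: dict) -> dict:
    """Group hosts by status, preserving inventory order within each group."""
    out = {"vulnerable": [], "fixed": [], "unknown-branch": []}
    for host, version in inventory.items():
        out[assess(version)].append(host)
    return out


if __name__ == "__main__":
    for status, hosts in report(SAMPLE_INVENTORY).items():
        print("%-15s %s" % (status + ":", ", ".join(hosts) or "-"))
```

Note that a version from an unlisted branch (11.6.x in the sample) is neither "fixed" nor "vulnerable" here; those are typically older, out-of-support branches, and the right action is to ask the system manufacturer rather than assume.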

New victims of Netwalker

Three large organizations fell victim to Netwalker ransomware this week: K-Electric, the sole electricity supplier for Karachi, Pakistan; Equinix, a large data center and colocation provider with over 50 locations worldwide; and Argentina's immigration agency (Dirección Nacional de Migraciones). Netwalker is a relatively young ransomware family run as ransomware-as-a-service. It is distributed via phishing emails carrying VBScript attachments and, once the infection succeeds, spreads across the victim's Windows network. It shuts down Windows services and processes that could keep files locked, then encrypts files on all accessible drives. For decryption, the attackers demand multi-million-dollar ransoms: Dirección Nacional de Migraciones was asked for $4 million, and K-Electric for $3,850,000, rising to $7.7 million if not paid within a week. The ransom demanded from Equinix is $4.5 million, and the attackers threaten to double it.