CYBERSECURITY NEWS V. April – Facebook Data Leak, RotaJakiro, Microsoft Updates


hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates

News FYI

Information of 533 million Facebook users published

At the beginning of April, the data of 533 313 128 Facebook users were found on a hacker forum. This dump includes phone numbers, names, Facebook IDs, email addresses, location, gender, date of birth, work, and other data. The database contains the data of users from 106 countries, including more than 32 million from the USA, 11 million from the UK, and almost 10 million from Russia. The scale of the leak suggests that roughly one in five Facebook users have been leaked. Interestingly, the leak contains the phone numbers of three Facebook founders: Mark Zuckerberg, Chris Hughes, and Dustin Moskowitz, who were the fourth, fifth, and sixth members of Facebook.

Commenting on the leak, the Facebook representatives noted the data was stolen even before September 2019, but only now was released on the web. Back in 2019, cybercriminals exploited the Add Friend vulnerability to access phone numbers. This bug has been fixed for a long time.

Even though the data is from 2019, phone numbers and email addresses usually do not change for many years, which means that the database is still of considerable value to attackers. It can be used to send spam, automatic calls, threats, for blackmailing and harassment, and so on.

Cisco Fixed Remote Code Execution Vulnerability

Cisco has released security updates to address a critical pre-authentication remote code execution (RCE) vulnerability affecting vManage Software's SD-WAN remote management component.

The company patched two other high-severity vulnerabilities in User Management (CVE-2021-1137) and System File Transfer (CVE-2021-1480) of the same product, allowing attackers to elevate privileges. Successful exploitation of these two vulnerabilities could allow attackers to gain root privileges on the underlying operating system.

Critical security flaw identified by CVE-2021-1479 received a severity rating of 9.8 out of 10. This allows unauthenticated remote attackers to initiate buffer overflows on vulnerable devices in low-complexity attacks that do not require user intervention.

The vulnerabilities affect Cisco SD-WAN vManage versions 20.4 and earlier.

Microsoft April Update Fixes 114 Vulnerabilities

Microsoft has released updates as part of Patch Tuesday. This time, the software giant has released fixes for 114 vulnerabilities that cover different products of the company, including Windows, Edge, Exchange Server, Azure, Office, etc. Updates KB5001330 or KB5001337, depending on the version of Windows 10, are highly recommended for installation. At least 4 serious vulnerabilities have already been exploited.

The current patch contains fixes for two new remote code execution vulnerabilities in Exchange Server - CVE-2021-28480 and CVE-2021-28481. Both issues received a high severity rating because an attacker does not need to contact the potential victim to exploit them.

The update fixes an annoying problem with printers, performance issues, a "broken" search in File Explorer, five zero-day security vulnerabilities, and 102 simpler vulnerabilities, of which 19 are marked "critical" and 89 "important".

Microsoft has released a large number of fixes for all supported versions of the Windows 10 software platform. Additionally, the April security patch removes the old version of the Edge Legacy browser from the operating system and installs a new Chromium-based Edge instead.

After installing the updates, it also became known that the fixes caused problematic gameplay on devices with NVIDIA video cards. NVIDIA representatives advised uninstalling the April update under ID KB5001330. However, it is this patch that eliminates a total of more than a hundred vulnerabilities, so experts advise not to remove the update. Microsoft has promised to release a new cumulative update in the coming days.

SonicWall ES fixes three 0-day vulnerabilities

SonicWall has announced a hotfix release to address three critical zero-day vulnerabilities in SonicWall ES. It is reported that the vulnerabilities are already actively exploited by cybercriminals to hack corporate networks and install backdoors. Attacks using these security issues were recorded back in March 2021.

Vulnerabilities affect SonicWall Email Security (SonicWall ES), an email security solution that companies use in the cloud or on-premises to scan email traffic: CVE-2021-20021 (CVSS 9.4, authentication bypass), CVE -2021-20023 (CVSS 6.7, local file read), and CVE-2021-20022 (CVSS 6.7, modifying local files or loading web shells used as a backdoor).

The attackers exploited the three vulnerabilities in various combinations. Typically, the attacks were aimed at gaining access to the SonicWall ES device to create a new administrator account or steal the passwords of existing users. Attackers also extracted files from SonicWall ES devices that contained detailed information about existing accounts, including Active Directory credentials.

RotaJakiro, new malware for Linux

A new Linux malware, named RotaJakiro was discovered at the end of March 2021. RotaJakiro went unnoticed for three years. Malicious software could have been installed by attackers through exploiting unpatched vulnerabilities in a system or guessing weak passwords.

RotaJakiro refers to the use of different masking techniques when running as an unprivileged user and as root. To hide its presence, the backdoor used the processes systemd-daemon, session-dbus, and gvfsd-helper, which at first glance seem legitimate and do not arouse suspicion. 12 basic functions were integrated into the backdoor, which allowed loading and executing plugins with advanced functionality, transferring device data, intercepting confidential data, and managing local files.

To hide the results of its activities, several encryption algorithms were employed. For example, AES was used to encrypt its resources, and to hide the communication channel with the control server. To receive control commands, the malware accessed 4 domains through the network port 443 (the communication channel used its protocol, not HTTPS and TLS).

FBI Shares 4 Million Emotet Email Addresses With Have I Been Pwned

This January, Europol, the FBI, and law enforcement agencies around the world carried out a large-scale coordinated operation to eliminate the Emotet botnet, preparations for which lasted two years.

Law enforcers managed to seize control of the Emotet infrastructure, disrupting its work. As a result, the criminals were no longer able to use the hacked machines, and the malware stopped spreading to new targets. When the Emotet C&C servers were taken over by the German Federal Criminal Police Office, it was used to deploy a special update to all infected hosts. An update for Emotet, created by German specialists, was distributed to all infected systems in the form of a 32-bit file EmotetLoader.dll. It contained a "time bomb" that led to the removal of Emotet from all infected machines on April 25, 2021, at 12:00 local time.

However, in addition to user computers, Emotet also hacked into a large number of mailboxes and then used them for its operations. In this regard, the FBI representatives decided to provide users with a way to check if they have suffered from Emotet. Experts from the FBI and the Dutch National High Technical Crimes Unit shared 4,324,770 email addresses used by Emotet with the well-known leak aggregator Have I Been Pwned. 

red team

Try Hive now

online demo
red team