CYBERSECURITY NEWS V. July – PrintNightmare update, Sequoia vulnerability, Saudi Aramco information leak


hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates

News FYI

Apple fixed ‘actively exploited’ 0-day

Apple has released a patch for a zero-day vulnerability in iOS and macOS exploited in the wild.

CVE-2021-30807 is related to the IOMobileFramebuffer kernel extension, which allows developers to control how device memory interacts with the framebuffer. The vulnerability could be exploited to execute arbitrary code with kernel privileges on a vulnerable device. Kernel privileges give an attacker full control over a vulnerable device, be it an iPhone, iPad, laptop, or macOS computer.

The vulnerability affects all Macs, iPhone 6s and later, all iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). Apple recommends that users update to macOS Big Sur 11.5.1, iOS 14.7.1, and iPadOS 14.7.1 as soon as possible.

Cybercriminals attack Kubernetes clusters with Argo Workflows engine

At the end of July 2021, attacks on Kubernetes clusters using Argo Workflows were recorded.

Argo Workflows is an open-source containerized workflow engine that works with Kubernetes, allowing users to easily run parallel jobs from a central interface. Argo Workflows uses YAML files to define the type of work to be performed, with workflows either executed from a template or submitted directly using the Argo Workflows console.

In misconfigured installations, attackers can access the open Argo dashboard and deploy their own malicious workflow. During one of the attacks, the hackers deployed a cryptocurrency-mining container, kannix/monero-miner. The container uses XMRig software to mine the Monero cryptocurrency; XMRig is also used in cryptojacking operations.

Users are strongly encouraged to check their Argo Workflows installations for suspicious activity.
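One way to carry out that check, as an added example that is not part of the original article: the script scans Argo Workflow objects for the indicators named above (the kannix/monero-miner image and XMRig). It assumes the workflow list was exported with `kubectl get workflows -A -o json`; the sample data and the function names are constructed for illustration.

```python
import json
import re

# Indicators named in the report above: the kannix/monero-miner image and XMRig.
MINER_PATTERN = re.compile(r"kannix/monero-miner|xmrig", re.IGNORECASE)

# Constructed sample in the shape of `kubectl get workflows -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "argo", "name": "nightly-etl"},
   "spec": {"templates": [
     {"name": "load", "container": {"image": "python:3.9", "command": ["python", "etl.py"]}}]}},
  {"metadata": {"namespace": "argo", "name": "wf-x7k2p"},
   "spec": {"templates": [
     {"name": "main", "container": {"image": "kannix/monero-miner:latest"}}]}},
  {"metadata": {"namespace": "default", "name": "build-cache"},
   "spec": {"templates": [
     {"name": "steps", "steps": [[{"name": "a", "template": "run"}]]},
     {"name": "run", "script": {"image": "alpine:3.14", "command": ["sh"],
                                "source": "chmod +x xmrig && ./xmrig"}}]}}
]}
""")

def template_fields(template):
    """Yield (field, value) pairs worth inspecting in one workflow template."""
    for kind in ("container", "script"):
        spec = template.get(kind) or {}
        if "image" in spec:
            yield f"{kind}.image", spec["image"]
        for key in ("command", "args"):
            for item in spec.get(key) or []:
                yield f"{kind}.{key}", str(item)
        if "source" in spec:  # inline script body of a script template
            yield f"{kind}.source", spec["source"]

def find_suspicious(workflow_list):
    """Return (namespace, workflow, template, field, value) for every indicator hit."""
    findings = []
    for wf in workflow_list.get("items", []):
        meta = wf.get("metadata", {})
        for tpl in wf.get("spec", {}).get("templates") or []:
            for field, value in template_fields(tpl):
                if MINER_PATTERN.search(value):
                    findings.append((meta.get("namespace"), meta.get("name"),
                                     tpl.get("name"), field, value))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE):
        print(" | ".join(str(part) for part in finding))
```

String matching only catches unrenamed images and binaries, so treat hits as a starting point for triage and also review any workflow that nobody on the team recognizes.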

1 TB of data stolen from Saudi Aramco oil company

1 TB of data belonging to Saudi Aramco, Saudi Arabia’s national oil company, was put up for sale by the ZeroX hack group. The initial price is $50 million. The attackers claim that the files were stolen by hacking into the company’s network and servers sometime in 2020. The files in the dump are therefore mostly dated 2020, although there is information from as far back as 1993.

To grab the attention of potential buyers, ZeroX published some of Aramco’s drawings and patent documents with personal data redacted in June. Then, a countdown of 662 hours (approximately 28 days) to the start of the sales was started on the leak site. ZeroX says “662 hours” is a mystery that only Saudi Aramco would understand.

The hackers say their dump contains documents relating to the Saudi Aramco refineries located in several cities in Saudi Arabia. It also includes:

  • Full information on 14,254 employees: name, photo, passport copy, email, phone number, residence permit (Iqama card) number, job title, ID numbers, family information, etc.
  • Project specification for systems related to/including electrical/power, architectural, engineering, civil, construction management, environmental, machinery, vessels, telecom, etc.
  • Internal analysis reports, agreements, letters, pricing sheets, etc.
  • Network layout mapping out the IP addresses, SCADA points, Wi-Fi access points, IP cameras, and IoT devices.
  • List of Aramco’s clients, along with invoices and contracts.

It’s not the first time Saudi Aramco has become a target of cyberattacks. In 2012, the company’s network was attacked by a virus that deleted data from hard drives and displayed an image of a burning US flag on the company’s computer screens. As a result, the company was forced to temporarily shut down the entire network and destroy about 30,000 computers.

Microsoft releases emergency Windows update to fix PrintNightmare

A vulnerability dubbed PrintNightmare was discovered in early July. Security researchers accidentally published proof-of-concept (PoC) exploit code on GitHub, believing that Microsoft had fixed the bug with an update on June 8, 2021. Using it, attackers could gain access to a system and execute arbitrary code with administrator rights. Realizing their mistake, the authors deleted the publication, but it had already been distributed across other sources. Microsoft has acknowledged that the issue is critical.

Much confusion has arisen around the PrintNightmare issue, as Microsoft initially combined two vulnerabilities under one identifier (CVE-2021-1675). But the official patch released in June only partially fixed the problem, leaving a critical RCE bug unpatched.

To clear up the confusion, Microsoft assigned the second bug a separate identifier, CVE-2021-34527, and confirmed that the issue allows remote execution of arbitrary code with SYSTEM privileges. Attackers could thus install programs, view, modify, and delete data, and create new accounts.

The vulnerable code is present in all versions of Windows. The company recommends that users apply all available security updates. Currently, patches are available for all versions of Windows, including Windows 7:

  • Windows 10 21H1 (KB5004945)
  • Windows 10 20H1 (KB5004945)
  • Windows 10 2004 (KB5004945)
  • Windows 10 1909 (KB5004946)
  • Windows 10 1809 and Windows Server 2019 (KB5004947)
  • Windows 10 1803 (KB5004949)
  • Windows 10 1607 and Windows Server 2016 (KB5004948)
  • Windows 10 1507 (KB5004950)
  • Windows Server 2012 (KB5004956 / KB5004960)
  • Windows 8.1 and Windows Server 2012 R2 (KB5004954 / KB5004958)
  • Windows 7 SP1 and Windows Server 2008 R2 SP1 (KB5004953 / KB5004951)
  • Windows Server 2008 SP2 (KB5004955 / KB5004959)

Microsoft has published unscheduled patches for PrintNightmare, but the fixes are still incomplete, as the vulnerability can still be exploited locally to gain SYSTEM privileges.

As it now turns out, the problem is more serious than Microsoft thought. By modifying exploits and testing the patch, researchers found that it can be bypassed completely and that the vulnerability can be exploited not only for local privilege escalation but also for remote execution of arbitrary code. There have also been reports that update KB5004945, intended to address PrintNightmare, has disabled some Zebra and Dymo printers.

Microsoft says it is already investigating experts’ findings.

HelloKitty ransomware attacks vulnerable SonicWall devices

Organizations using SRA and SMA 100 series products with outdated firmware are at imminent risk of a ransomware attack. Attackers target Secure Mobile Access (SMA) 100 and Secure Remote Access (SRA) devices that have reached end of life (EOL) by exploiting the CVE-2019-7481 vulnerability.

HelloKitty ransomware has been active since November 2020 and is mainly known for its attack on CD Projekt Red, where hackers claimed to have stolen the source code of Cyberpunk 2077, Witcher 3, Gwent, and other games.

New vulnerability gives root access to most Linux systems

The vulnerability CVE-2021-33909 is named Sequoia. The bug was discovered in the filesystem layer, the component that interacts with local files and is used to manage them. By exploiting the vulnerability, an unprivileged local user can run code with superuser rights.

The vulnerability cannot be exploited for remote attacks, but if an attacker has already infiltrated the system, Sequoia could be ideal for second-stage payloads.

Developers of many distributions have released patches for CVE-2021-33909: the Linux kernel development team learned about the bug in early June, and the problem was fixed in the 5.13.4 kernel.

It is also worth mentioning that another Linux vulnerability, a denial-of-service bug (CVE-2021-33910), was disclosed. This vulnerability can be exploited by unprivileged attackers for DoS attacks and to trigger a kernel panic.

Hackers disguised as an online aerobics instructor forced defense companies to download malware

Hackers from the TA456 group used the persona of Marcella Flores, an aerobics instructor, on social networks for more than 18 months to infiltrate the computers of contractors working in the US aerospace defense industry. Back in 2019, the hackers created fake female accounts on Facebook and Instagram. They spent about two years establishing contacts, and only at the beginning of 2021 did they start trying to introduce malware. The phishing messages included a OneDrive link that led to survey documents related to diet and a video file. By opening the attachments, the victims launched malware on their computers. This malware can perform reconnaissance on an infected computer, extract confidential information, and then hide its tracks. The attack affected 200 military personnel and companies from the defense and aerospace sectors in the United States, the United Kingdom, and Europe.

The stolen logins and passwords can help attackers with further spy campaigns. They are probably looking for an opportunity to move further along the supply chain and gain access to the networks of defense and aerospace enterprises.