CYBERSECURITY NEWS V. May – Cyberattack on the Colonial Pipeline, Qualcomm vulnerability, Apple‌ fixes 0-days in macOS

News FYI

Cyberattack on the Colonial Pipeline

In mid-May 2021, Colonial Pipeline, the largest pipeline operator in the United States, was hit by a DarkSide ransomware attack. The cyberattack caused problems with the supply of gasoline, diesel fuel, aviation fuel, and other refined products, and the emergency mode was introduced in a number of states.

The Colonial Pipeline will temporarily suspend its operations. The company was forced to pay a ransom of $ 4.4 million in bitcoins. The company received a tool to decrypt data, but it worked so slowly that the company's specialists were forced to continue the previously started recovery from backups.

The FBI has confirmed that the DarkSide ransomware operators are behind the attack on the Colonial Pipeline. The attack had attracted the attention of experts, intelligence agencies, and media from all over the world, and after a few days the hackers rushed to release a statement. While the press attempted to attribute the attack to Russian government hackers, a "press release" posted on the DarkSide website on May 10 stated that the group was apolitical and pursued exclusively its own goals. Also, the hackers seemed to be unhappy with the chaos provoked by their actions.

Bluetooth vulnerabilities allow attackers to spoof legitimate devices

New vulnerabilities have been discovered in the Bluetooth Core and Mesh specifications that allow a man-in-the-middle (MitM) attack. Bluetooth Core and Mesh are Bluetooth specifications that define the standard that allows multiple devices to be paired simultaneously in a peer-to-peer network.

A Bluetooth Impersonation AttackS (BIAS) attack allows an attacker to establish a secure connection with an attacked device without the need to know or authenticate the long-term key exchanged by victims, bypassing the device's authentication mechanism.

It is reported that the AOSP developers are already working on fixes for vulnerabilities CVE-2020-26555 and CVE-2020-26558 affecting Android devices. The patches should be included in the next Android security update.

Cisco is also working to fix CVE-2020-26555 and CVE-2020-26558 affecting its products. The company tracks these vulnerabilities as PSIRT-0503777710.

As for CVE-2020-26558, the attacker had to be within the range of two paired Bluetooth devices and authenticate one of the devices on his own device. However, this attack does not successfully establish a connection between devices, which prevents a full-fledged MitM attack.

Apple‌ fixes 0-day vulnerabilities in macOS

Apple has released security updates for iOS, macOS, tvOS, watchOS, and Safari web browser that fix a number of vulnerabilities, including the actively exploited zero-day vulnerability (CVE-2021-30713) in macOS Big Sur.

The vulnerability was actively exploited by operators of the XCSSET malware, which has been distributed since August 2020 through modified Xcode IDE projects in GitHub repositories. The program creates malicious packages in legitimate applications installed on the target system. The exploitation of the vulnerability allows an attacker to gain full access to a disk, screen recording, or other permissions without requiring user consent.

Two other actively exploited issues (CVE-2021-30663 and CVE-2021-30665) in the WebKit browser engine affecting Safari, Apple TV 4K, and Apple TV HD have also been fixed.

Qualcomm vulnerability affects nearly 40% of smartphones

More than a third of all smartphones in the world have been affected by a new vulnerability in Qualcomm's Mobile Station Modem (MSM). This bug gives attackers access to call history, SMS messages and allows them to eavesdrop on conversations.

A vulnerability was discovered in Qualcomm MSM Interface (QMI), a protocol that allows SoCs to communicate with a smartphone's operating system, and was identified as CVE-2020-11292. Specially modified Type-Length-Value (TLV) packets received by the MSM through the QMI interface can trigger a memory corruption error (buffer overflow), which ultimately allows attackers to execute their code on the device.

The exploitation of the vulnerability is not possible if you hide the malformed TLV package inside third-party applications running in the OS (especially on Android), if the MSM component is protected by SELinux. However, it is noted that the TLV packet can be transmitted via cellular communication or multimedia content sent to the device. When unpacked, such a package can reach the vulnerable QMI.

Despite the fact that about 40% of all smartphones in the world use Qualcomm MSM chips, only about 30% of them are vulnerable to attacks.

Check Point notified Qualcomm engineers about the problem last year, and in December 2020, the company released a patch for MSM that was distributed to smartphone manufacturers. However, it is currently unknown which companies have already patched their products and which have not.

Four vulnerabilities exploited in the wild now fixed in Android

According to Google Project Zero, four zero-day vulnerabilities in Android had been exploited by hackers before they were patched earlier this month.

The now updated version of the bulletin states that four issues "may be subject to limited targeted exploitation." Google does not provide any details about these attacks, only the CVE identifiers for four vulnerabilities are known: CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664. All of these bugs are related to GPU firmware, with two bugs affecting the Arm Mali GPU driver and the other two affecting the Qualcomm GPU component. Qualcomm and Arm have already published additional information on each vulnerability, as well as security advisories.

Critical vulnerability found in vCenter Server

VMware developers urge vCenter users to immediately update their software to the latest versions, where dangerous vulnerabilities were recently fixed. One of the problems is an RCE and is estimated at 9.8 points out of 10 possible on the CVSS scale.

The vulnerability is tracked as CVE-2021-21985 and affects vCenter Server 6.5, 6.7 and 7.0. It can be remotely exploited by unauthorized attackers in low-complexity attacks that do not require user interaction.

The problem relates to a vulnerability in the default Virtual SAN Health Check plug-in included in vCenter. An attacker can use this bug to run whatever they want on a vulnerable host (provided they can access port 443).

There are currently over 5,600 vCenter machines available on the network. Most are located in large data centers where terabytes of confidential information are potentially stored.

Also this month, the company patched another authentication vulnerability identified as CVE-2021-21986 that affected the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plugins. This bug is rated 6.5 on the CVSS v3 scale and allows an attacker to perform actions with plugins without authentication.