Posts

Google fixes sixth Chrome zero-day exploited in the wild this year


Google has released Chrome 91.0.4472.101 for Windows, Mac, and Linux to fix 14 security vulnerabilities, with one zero-day vulnerability exploited in the wild and tracked as CVE-2021-30551.

Google Chrome 91.0.4472.101 has started rolling out worldwide and will become available to all users over the next few days.

Google Chrome will automatically attempt to upgrade the browser the next time you launch the program, but you can perform a manual update by going to Settings > Help > About Google Chrome.

Google updated to version 91.0.4472.10

Six Chrome zero-days exploited in the wild in 2021

Few details regarding today’s fixed zero-day vulnerability are currently available other than that it is a type confusion bug in V8, Google’s open-source C++ JavaScript and WebAssembly engine.

The vulnerability was discovered by Sergei Glazunov of Google Project Zero and is being tracked as CVE-2021-30551.

Google states that they are “aware that an exploit for CVE-2021-30551 exists in the wild.”

Shane Huntley, Director of Google’s Threat Analysis Group, says that this zero-day was utilized by the same threat actors using the Windows CVE-2021-33742 zero-day fixed yesterday by Microsoft.

Today’s update fixes Google Chrome’s sixth zero-day exploited in attacks this year, with the other five listed below:

  • CVE-2021-21148 – February 4th, 2021
  • CVE-2021-21166 – March 2nd, 2021
  • CVE-2021-21193 – March 12th, 2021
  • CVE-2021-21220 – April 13th, 2021
  • CVE-2021-21224 – April 20th, 2021

In addition to these vulnerabilities, news broke yesterday of a threat actor group known as Puzzlemaker that is chaining together Google Chrome zero-day bugs to escape the browser’s sandbox and install malware in Windows.

“Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server,” the researchers said.

Microsoft…


Cisco fixes 6-month-old AnyConnect VPN zero-day with exploit code


Cisco has fixed a six-month-old zero-day vulnerability found in the Cisco AnyConnect Secure Mobility Client VPN software, with publicly available proof-of-concept exploit code.

The company’s AnyConnect Secure Mobility Client allows working on corporate devices connected to a secure Virtual Private Network (VPN) through Secure Sockets Layer (SSL) and IPsec IKEv2 using VPN clients available for all major desktop and mobile platforms.

Cisco disclosed the zero-day bug tracked as CVE-2020-3556 in November 2020 without releasing security updates but provided mitigation measures to decrease the attack surface.

While the Cisco Product Security Incident Response Team (PSIRT) said that proof-of-concept exploit code for CVE-2020-3556 is available, it also added that there is no evidence of attackers exploiting it in the wild.

The vulnerability is now addressed in Cisco AnyConnect Secure Mobility Client Software releases 4.10.00093 and later.

These new versions also introduce settings in the local policy that individually allow or disallow scripts, help, resources, and localization updates; Cisco strongly recommends using these settings for increased protection.

Default configurations not vulnerable to attacks

This high-severity vulnerability was found in the Cisco AnyConnect Client’s interprocess communication (IPC) channel, and it may allow a local, authenticated attacker to execute malicious scripts in the context of a targeted user.

CVE-2020-3556 affects all Windows, Linux, and macOS client versions with vulnerable configurations; however, mobile iOS and Android clients are not impacted.

“A vulnerable configuration requires both the Auto Update setting and Enable Scripting setting to be enabled,” Cisco explains in the security advisory. “Auto Update is enabled by default, and Enable Scripting is disabled by default.”

As further disclosed by the company, successful exploitation also requires active AnyConnect sessions and valid credentials on the targeted device.

Cisco added that the vulnerability:

  • Is not exploitable on laptops used by a single user, but instead requires valid logins for multiple users on the end-user device.
  • Is not remotely exploitable, as it requires local credentials on the end-user…


Shlayer Malware Exploited macOS Zero-Day To Bypass Apple Security


Apple has recently released macOS Big Sur 11.3. This update addresses numerous security flaws, including a zero-day under attack. As revealed, Shlayer malware exploited this zero-day to target vulnerable macOS devices via a Gatekeeper bypass.

Shlayer Malware Exploiting macOS Zero-day

Apple security firm Jamf Protect has shared details of a serious macOS zero-day that a Shlayer malware variant actively exploits.

The vulnerability first caught the attention of researcher Cedric Owens who then reported it to Apple. It was a serious security issue that allowed an adversary with a malicious app to bypass Apple’s security check Gatekeeper.

Elaborating further on this issue, Patrick Wardle explained that a logic issue existed in the way macOS evaluates an app. Due to the bug, the system even allowed unsigned apps to run uninhibited. As stated,

Any script-based application that does not contain an Info.plist file will be misclassified as “not a bundle” and thus will be allowed to execute with no alerts nor prompts.

Wardle has shared how an app could exploit this flaw in his blog post.

Following this discovery, Wardle reached out to Jamf Protect that detected active exploitation of the bug by a Shlayer variant.

Shlayer first caught attention in June 2020 when researchers noticed it actively targeting macOS devices. The malware would easily bypass Apple’s underlying security mechanisms, such as Gatekeeper, Notarization, and File Quarantine.

And now, Jamf has detected a Shlayer variant already designed to exploit this logic issue, CVE-2021-30657. As a result, the malware no longer requires the user interaction that limited the previous variant (such as right-clicking to open the app). All it takes is to trick a user into downloading the malicious file and attempting to install it.

The attackers are currently distributing this malware via hacked and phishing websites appearing in Google SERPs.
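As an added example (not from the article, Wardle’s blog post or Jamf’s research), the following Python check walks a directory tree for .app bundles matching the shape described above: no Contents/Info.plist and a script, rather than a Mach-O binary, as the executable. It assumes the standard Contents/Info.plist and Contents/MacOS layout, and the two bundles it inspects are constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path

def is_script(path: Path) -> bool:
    """True if the executable starts with a shebang (a script, not a Mach-O binary)."""
    with path.open("rb") as fh:
        return fh.read(2) == b"#!"

def audit_app_bundle(app_dir: Path) -> dict:
    """Flag a bundle with no Contents/Info.plist whose Contents/MacOS executable
    is a script: the layout the article says macOS misclassified as 'not a bundle'."""
    contents = app_dir / "Contents"
    has_plist = (contents / "Info.plist").is_file()
    macos_dir = contents / "MacOS"
    execs = list(macos_dir.iterdir()) if macos_dir.is_dir() else []
    scripts = sorted(p.name for p in execs if p.is_file() and is_script(p))
    return {"app": app_dir.name, "has_info_plist": has_plist,
            "script_executables": scripts,
            "suspicious": not has_plist and bool(scripts)}

def audit_tree(root: Path) -> list:
    """Audit every *.app directory under root without descending into bundles."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in [d for d in dirnames if d.endswith(".app")]:
            findings.append(audit_app_bundle(Path(dirpath) / name))
            dirnames.remove(name)
    return findings

def build_sample(root: Path) -> None:
    """Constructed sample tree: one plist-less script bundle, one ordinary bundle."""
    bad = root / "Downloads" / "Installer.app" / "Contents" / "MacOS"
    bad.mkdir(parents=True)
    (bad / "Installer").write_bytes(b"#!/bin/sh\necho constructed sample\n")
    good = root / "Applications" / "Good.app" / "Contents"
    (good / "MacOS").mkdir(parents=True)
    (good / "Info.plist").write_text("<plist/>")
    (good / "MacOS" / "Good").write_bytes(b"\xcf\xfa\xed\xfe")  # Mach-O 64-bit magic

def demo() -> dict:
    """Build the sample, audit it and return findings keyed by bundle name."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        return {f["app"]: f for f in audit_tree(Path(tmp))}

if __name__ == "__main__":
    for finding in demo().values():
        print(finding)
```

Pointing audit_tree at a real Downloads or Applications folder lists bundles worth a closer look; a missing Info.plist alone is not proof of malice, but combined with a script executable it is the pattern the patched logic failed to prompt on.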

Another Gatekeeper Bypass Also Fixed With Other Bugs

In addition to the above, one more Gatekeeper bypass bug has also received a fix with macOS Big Sur 11.3.

This vulnerability caught the attention of F-Secure researcher Rasmus Sten who then reported it to Apple.

Elaborating on this flaw in a blog…


Hackers used SonicWall zero-day flaw to plant ransomware



Ransomware group UNC2447 used an SQL injection bug to attack US and European orgs


Security researchers have discovered a new strain of ransomware designed to exploit a SonicWall VPN zero-day vulnerability before a patch was available.

According to researchers at Mandiant, the flaw exists in SonicWall’s SMA-100 series of VPN products. Hackers, who Mandiant dubbed UNC2447, targeted organizations in Europe and North America with a new ransomware known as FiveHands, a rewritten version of the DeathRansom ransomware.

Hackers deployed the malware as early as January this year along with Sombrat malware at multiple victims that were extorted. Researchers noted that in one of the ransomware intrusions, the same Warprism and Beacon malware samples previously attributed to UNC2447 were observed. Researchers are certain that the same hacking group used Ragnar Locker ransomware in the past.


“Based on technical and temporal observations of HelloKitty and FiveHands deployments, Mandiant suspects that HelloKitty may have been used by an overall affiliate program from May 2020 through December 2020, and FiveHands since approximately January 2021,” the researchers said.

Researchers said FiveHands is…
