by Richard Beck

Wiper malware targeting Japanese PCs discovered ahead of Tokyo Olympics opening

A Japanese security firm has discovered an Olympics-themed malware sample that contains functionality to wipe files on infected systems and appears to be targeted at Japanese PCs. The wiper was found on Wednesday, two days ahead of the opening ceremony for the 2021 Tokyo Olympics on Friday 23 July. Discovered and analysed by Mitsui Bussan Secure Directions (MBSD), the wiper does not delete all of a computer's data; instead it searches only for certain file types under the user's profile folder, C:\Users\<username>\.

Microsoft Office files are targeted for deletion, along with TXT, LOG and CSV files, which often hold logs, exported database tables or saved passwords. The wiper's discovery came a day after the US Federal Bureau of Investigation sent a private industry alert [PDF] to US companies warning that threat actors might target the Tokyo Olympics this year.

MITRE announces first evaluations of cybersecurity tools for industrial control systems

MITRE tested products by emulating the Triton malware, which was used to attack the industrial safety systems of a company in Saudi Arabia. MITRE Engenuity announced on Monday the results of its first-ever ATT&CK Evaluations for Industrial Control Systems (ICS). Researchers with MITRE used the Triton emulation to test the detection ability of five different cybersecurity products from ICS vendors, and the full results have been published by MITRE Engenuity. Industrial control systems underpin many of the world's most critical infrastructures, including energy transmission and distribution plants, oil refineries and wastewater treatment facilities. MITRE Engenuity built a curated knowledge base of adversary tactics, techniques and procedures (TTPs) based on known threats to industrial control systems and used it to test products from Armis, Claroty, Microsoft, Dragos and the Institute for Information Industry.

Otis Alexander, leader of the ATT&CK Evaluations for ICS, said they chose to emulate the Triton malware because it targets safety systems, which "prevent some of the worst consequences from happening when something goes wrong in an industrial control setting. The amount of publicly reported data from the attacks and the devastating impact of the malware help ensure this is a robust emulation. We hope the evaluations can help organizations find security tools that are best suited to their individual needs," Alexander said. 

According to MITRE, there are multiple ways ICS attacks can be detected and a number of different products that can handle the task. The study was part of a larger effort to help cybersecurity teams understand their tools and improve their work. 

IoT attacks on the rise

As organisations shifted to remote working, many IoT devices were left connected to corporate networks, and their unpatched bugs gave threat actors a way in. A recent report from Zscaler gives detailed insight into the current state of IoT security. It analysed 575 million device transactions and 300,000 blocked IoT-specific malware attacks, with the following findings:

IoT malware has risen 700% compared with pre-pandemic levels, and Gafgyt and Mirai accounted for 97% of the malware observed. The manufacturing, retail and wholesale, technology and healthcare sectors accounted for 98% of victims. Three device categories produced 65% of the transactions observed: set-top boxes (29%), smart TVs (20%) and smartwatches (15%). In a 15-day window, 18,000 unique hosts and almost 900 unique payload deliveries were seen. Most attacks originated in the US, China and India, and mainly targeted Ireland, China and the US. Moreover, 76% of all device transactions ran over plaintext channels, with only 24% over encrypted ones.

As the number of IoT devices grows with every passing day, so does the number of threat actors targeting them. The report's own figures point to the controls that matter: keep these devices patched, segment them from the corporate network, and move their traffic off plaintext channels so that they cannot be used as a door to confidential data.

New Windows flaws give attackers highest system privileges

Windows 10 and the upcoming Windows 11 have been found vulnerable to a new local privilege escalation flaw that lets users with low-level permissions read sensitive Windows system files, enabling them to extract local account password hashes, recover the original Windows installation password and obtain the DPAPI computer keys that decrypt the machine's private keys. The vulnerability has been nicknamed "SeriousSAM" (also "HiveNightmare"). Starting with Windows 10 version 1809, non-administrative users are granted read access to the SAM, SYSTEM and SECURITY registry hive files, the CERT Coordination Center (CERT/CC) said in a vulnerability note published Monday, and this can allow local privilege escalation (LPE). Microsoft, which tracks the vulnerability as CVE-2021-36934, has acknowledged the issue but has yet to roll out a patch or give a timeline for when a fix will be available.

An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database, Microsoft noted. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges and then install programs; view, change or delete data; or create new accounts with full user rights. Successful exploitation does, however, require that the attacker already has a foothold and can execute code on the victim system. The live hive files under %windir%\System32\config are held open by the kernel, so in practice the files are read from a Volume Shadow Copy, which carries the same permissive ACL; Microsoft's interim workaround is therefore to restore ACL inheritance on that directory and delete existing shadow copies. The disclosure marks the third publicly disclosed unpatched bug in Windows since the Patch Tuesday updates of 13 July. Besides CVE-2021-36934, two more weaknesses affecting the Print Spooler component have been discovered, prompting Microsoft to urge users to stop and disable the service to protect systems against exploitation.
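The following script is an added example, not code from the article, from CERT/CC or from Microsoft. It checks each of the three hive files for an Allow entry granting BUILTIN\Users read access (the condition CERT/CC describes), counts the Volume Shadow Copies that would expose readable copies of them, and, if any hive is exposed, applies Microsoft's published workaround (re-enabling ACL inheritance on the config directory and deleting existing shadow copies). The hive paths and the BUILTIN\Users check are taken from the vulnerability note; the function name and output layout are this example's own. Run it from an elevated PowerShell session.

```powershell
# Added example, not from the article, CERT/CC or Microsoft: check a Windows
# 10/11 host for the CVE-2021-36934 ACL weakness and apply the published
# workaround. Run from an elevated PowerShell session. Nothing here reads the
# hive contents; it only inspects and repairs file ACLs.

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object { Join-Path $configDir $_ }

function Test-HiveReadableByUsers {
    param([Parameter(Mandatory)][string]$Path)
    # On affected builds the hive file carries an Allow ACE giving
    # BUILTIN\Users read access; icacls shows it as BUILTIN\Users:(I)(RX).
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $aces = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $readData) -ne 0)
    }
    return [bool]$aces
}

$exposed = @()
foreach ($hive in $hives) {
    $bad = Test-HiveReadableByUsers -Path $hive
    if ($bad) { $exposed += $hive }
    Write-Host ('{0,-40} {1}' -f $hive, $(if ($bad) { 'EXPOSED to BUILTIN\Users' } else { 'ok' }))
}

# The live hives are held open by the kernel, so an attacker reads them from a
# Volume Shadow Copy instead; the snapshot carries the same permissive ACL.
$shadowCount = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
Write-Host "Volume Shadow Copies on this host: $shadowCount"

if ($exposed.Count -gt 0) {
    # Workaround step 1: re-enable inheritance so every file in the config
    # directory picks up the directory's ACL (SYSTEM and Administrators only).
    icacls "$configDir\*.*" /inheritance:e
    # Workaround step 2: existing shadow copies still hold readable copies of
    # the hives with the old ACL, so remove them. This also removes System
    # Restore points; create a fresh one afterwards if you rely on them.
    vssadmin delete shadows "/for=$env:SystemDrive" /Quiet
}
```

Re-run the script after the workaround: each hive should report "ok" and the shadow copy count should be 0. Note that step 2 discards restore points as well as the vulnerable snapshots, which is why the check is worth running before touching anything.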

Trending Common Vulnerabilities and Exposures (CVEs)

An analysis of criminal forums by researchers at Cognyte has identified the Common Vulnerabilities and Exposures (CVEs) most discussed by cybercriminals. The six most talked-about, and best known among criminals, are CVE-2020-1472 (aka ZeroLogon), CVE-2020-0796 (aka SMBGhost), CVE-2019-19781 (Citrix ADC and Gateway), CVE-2019-0708 (aka BlueKeep), CVE-2017-11882 and CVE-2017-0199 (both in Microsoft Office).

According to the Cognyte report, most of these CVEs were exploited by both nation-state actors and cybercriminals, including ransomware gangs and global attack campaigns aimed at a range of industries. ZeroLogon, SMBGhost and BlueKeep were the most discussed vulnerabilities between January 2020 and March 2021. The nine-year-old CVE-2012-0158 was still being exploited at the onset of the Covid-19 pandemic, which shows that many organisations are still not patching long-known flaws. Forum chatter of this kind is a useful signal of which CVEs are being exploited in the wild, and it helps security teams decide which patches to prioritise.

Dell patches critical vulnerabilities in OpenManage Enterprise

Patches released this week by Dell for its OpenManage Enterprise product address multiple critical-severity vulnerabilities. A systems management and monitoring application, Dell OpenManage Enterprise gives administrators a single view of the Dell EMC servers, network switches and storage in their environment. The most severe of the issues is CVE-2021-21564 (CVSS score 9.8), an improper authentication vulnerability that could allow a remote attacker to "hijack an elevated session or perform unauthorized actions by sending malformed data". Exploitation does not require authentication. Dell also patched CVE-2021-21585 (CVSS score 9.1), an OS command injection bug in the RACADM and IPMI tools that could allow a remote, authenticated user who already has high privileges to execute arbitrary OS commands.

A third critical flaw patched in Dell OpenManage Enterprise is CVE-2021-21596 (CVSS score 9.6), a remote code execution issue that could allow an attacker on the immediate subnet to access sensitive information and potentially elevate privileges. It was identified by independent security researchers Pierre Kim and Alexandre Torres, who reported it to Dell along with more than 20 other issues in the infrastructure management console.
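The following is an added example, not Dell's code and not derived from the OpenManage Enterprise advisory: it shows the general pattern behind an OS command injection bug in a tool wrapper of the kind described for CVE-2021-21585, using a hypothetical management wrapper around a `racadm` command line. The `racadm` function defined at the top is a stand-in that only echoes the argv it receives, so the script runs on any machine without the real tool; the wrapper functions, the hostile input and the allow-list are this example's own.

```powershell
# Added example, not Dell's code: the command-injection pattern behind a bug
# class like CVE-2021-21585, shown on a hypothetical wrapper that shells out
# to a CLI tool. The 'racadm' function is a stand-in that echoes its argv so
# the script runs anywhere; the real RACADM tool is not needed.

function racadm {
    # Stand-in for the real CLI: show each argument received, in brackets.
    'racadm argv: ' + (($args | ForEach-Object { "[$_]" }) -join ' ')
}

function Get-SysInfoVulnerable {
    param([Parameter(Mandatory)][string]$Target)
    # Builds the command line as text and hands it to the PowerShell parser.
    # A ';' inside $Target ends the racadm statement and starts a new one.
    Invoke-Expression "racadm -r $Target getsysinfo"
}

function Get-SysInfoHardened {
    param([Parameter(Mandatory)][string]$Target)
    # 1. Allow-list the input: an IP literal or a plain hostname, nothing else.
    $parsed = $null
    $isIp   = [System.Net.IPAddress]::TryParse($Target, [ref]$parsed)
    $isHost = $Target -match '^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$'
    if (-not ($isIp -or $isHost)) { throw "Rejected target: '$Target'" }
    # 2. Pass the value as a single argv element; no parser sees it again.
    & racadm -r $Target getsysinfo
}

# Constructed hostile input: terminates the intended command, runs its own
# statement, then comments out the trailing 'getsysinfo'.
$hostile = '10.0.0.5; Write-Host INJECTED #'

Write-Host '--- string-building wrapper ---'
Get-SysInfoVulnerable -Target $hostile       # prints INJECTED: the payload ran

Write-Host '--- argv wrapper, hostile input ---'
try { Get-SysInfoHardened -Target $hostile } catch { Write-Host $_ }

Write-Host '--- argv wrapper, valid input ---'
Get-SysInfoHardened -Target '10.0.0.5'       # racadm argv: [-r] [10.0.0.5] [getsysinfo]
```

Passing the value as an argv element stops the shell from interpreting metacharacters in it, but it does not stop the called tool from treating a value that begins with `-` as one of its own options, which is why the allow-list is kept as a second layer rather than relying on either control alone.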
