New Microsoft Point and Print Vulnerability Discovered
Microsoft released a patch in Aug. 2021 to correct the “PrintNightmare” vulnerability in Point and Print, documented as CVE-2021-34481. However, there’s a new zero-day print spooler vulnerability. This vulnerability, CVE-2021-36958, could allow attackers to gain SYSTEM privileges on a computer.
- See Microsoft’s advisory on the vulnerability.
- Microsoft says a workaround is “to stop and disable Print Spooler service.”
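The workaround above is easy to apply by hand but also easy to apply to the wrong machine. The following PowerShell function is an added example (not from Microsoft's advisory) that only disables the Spooler on hosts that share no printers, so print servers are skipped rather than silently broken; it assumes the PrintManagement module's `Get-Printer` cmdlet is available (Windows 8 / Server 2012 and later) and that the shell is elevated.

```powershell
function Disable-SpoolerIfUnused {
    # Stops and disables the Print Spooler service unless this host shares
    # printers. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Action = 'NoSpoolerService'; Status = 'n/a' }
    }

    # A host with shared printers is acting as a print server; disabling the
    # spooler there is a service outage, not a mitigation, so report and skip.
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    if ($shared.Count -gt 0) {
        return [pscustomobject]@{
            Host   = $env:COMPUTERNAME
            Action = 'SkippedPrintServer'
            Status = "$($shared.Count) shared printer(s): $($shared.Name -join ', ')"
        }
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable Print Spooler')) {
        Stop-Service -Name Spooler -Force -ErrorAction Stop
        Set-Service  -Name Spooler -StartupType Disabled -ErrorAction Stop
    }

    # Re-read the service so the returned status reflects the actual state.
    $svc = Get-Service -Name Spooler
    return [pscustomobject]@{
        Host   = $env:COMPUTERNAME
        Action = 'Disabled'
        Status = "$($svc.Status) / StartType=$($svc.StartType)"
    }
}

# Preview first, then apply:
Disable-SpoolerIfUnused -WhatIf
Disable-SpoolerIfUnused
```

Run it with `-WhatIf` across a pilot group first and review the returned objects; any host reporting `SkippedPrintServer` needs a separate decision rather than the blanket workaround.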
Hancitor is Spreading FickerStealer
Symantec reports FickerStealer, malware that extracts sensitive and private information, is now being spread by Hancitor. Attacks involve spam emails containing attachments that enable Hancitor to communicate with C2 servers and retrieve a URL containing FickerStealer.
- Use email security.
- Train employees on spam and phishing tactics.
Two Vulnerabilities Discovered in Zimbra Webmail
SonarSource discovered two vulnerabilities in Zimbra webmail, used by more than 200,000 businesses and more than 1,000 government and financial institutions.
A combination of these vulnerabilities could enable an attacker to gain unrestricted access to all employees’ emails.
CVE-2021-35209 is a bypass of an allow-list that leads to a server-side request forgery vulnerability. Combined with the first vulnerability, SonarSource says an attacker could extract, for example, AWS IAM credentials or Google Cloud API tokens.
- See technical details on SonarSource’s blog.
- Use Patch 18 for Zimbra 8.8.15 and Patch 16 for the 9.0 series; prior versions are vulnerable.
New Twist on Phishing: Fake Zoom Meeting Invitations
INKY researchers have discovered that attackers are using Zoom in a phishing campaign to steal credentials from users. The attackers send phishing emails to employees, asking them to download an attached file to review a Zoom meeting invitation and start the meeting. Attackers used domain names such as zoomcommunications.com that users may think are legitimate, and that could bypass email security.
When users followed the instructions, they arrived at an authentic-looking Microsoft sign-in page, asking for login and password.
- Educate employees and your clients about this scam.
- Check the URL of every email and website before clicking.
- Do not open attachments from unknown senders.
- If in doubt, contact the person by text or phone to confirm the email is legitimate.
McAfee Points out Ransomware Has Become Big Business
McAfee notes that although the Colonial Pipeline ransomware attack monopolized media attention, there’s more to the story. The DarkSide Ransomware as a Service attack was preceded by Babuk, Conti, Ryuk, and REvil. McAfee says widespread attacks on smaller organizations decreased, and attackers focused on larger organizations that could pay higher ransoms.
McAfee also points out that these victims were targeted with customized variants.
- Build a comprehensive security strategy that includes threat detection.
- Back up data in at least three locations, one of which is not connected to the internet and one of which is offsite.
- Talk through incident response today; know in advance how you will respond to an attack.
Top Exploited Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), as well as the FBI and agencies in Australia and the UK, authored an advisory on the top 30 vulnerabilities that cyberattackers most commonly exploit.
The advisory points out that four of the most exploited vulnerabilities in 2020 impact remote work, VPN and cloud technologies.
- Review the list here.
- Remediate vulnerabilities as soon as possible; patches are available for most.
- Organizations that have not kept patching up to date should have their systems evaluated for compromise and initiate incident response and recovery.
For more security updates and insights, visit DevPro Journal’s Security resources page.