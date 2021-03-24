At a glance.

Google’s Project Zero released an update on a campaign it began tracking in February of last year. The campaign targeted Windows, iOS and Android systems, mostly through watering hole attacks. The threat actor was observed using four zero-days in February 2020 and seven more in October, including:

“1 full chain targeting fully patched Windows 10 using Google Chrome

“2 partial chains targeting 2 different fully patched Android devices running Android 10 using Google Chrome and Samsung Browser, and

“RCE exploits for iOS 11-13 and a privilege escalation exploit for iOS 13 (although the vulnerabilities were present until iOS 14.1)”

Project Zero notes that the actors were highly skilled and that the campaign would have been expensive to run:

“The vulnerabilities cover a fairly broad spectrum of issues – from a modern JIT vulnerability to a large cache of font bugs. Overall, each of the exploits themselves showed a deep understanding of exploit development and of the vulnerability exploited. In the case of the Chrome FreeType 0-day, the exploitation method was new to Project Zero. The process for determining how to trigger the iOS kernel privilege vulnerability would not have been trivial. The obfuscation methods were varied and took a long time to understand.”

The researchers offer no attribution for the attacks, although they believe two separate entities are working together on the campaign:

“These operational exploits also lead us to believe that while the entities behind exploit servers #1 and #2 are different, they are probably operating in a coordinated fashion. Both exploit servers used the Chrome FreeType RCE (CVE-2020-15999) as the renderer exploit for Windows (server #1) and Android (server #2), but the code surrounding these exploits was quite different. The fact that the servers went offline at different times also suggests that there were two separate operators.”

SilverFish Group linked to Evil Corp.

PRODAFT researchers have identified a threat actor nicknamed “SilverFish” whose target list shows “significant overlap with companies affected by SolarWinds attacks.” PRODAFT describes SilverFish as a “highly sophisticated group of cybercriminals exclusively targeting large corporations and public institutions around the world, with a focus on the EU and the US.” The researchers note that some of the servers used in the attacks were also used by the cybercriminal group “Evil Corp.” The attacks hit “at least 4,720 targets, including, but not limited to, government institutions, global IT vendors, the aviation industry, and defense companies.” The researchers observed several different teams referenced in a command and control server, indicating that there are multiple operators behind the activity. It should be noted, however, that the researchers stop short of attributing SilverFish to Evil Corp. Sharing infrastructure, even sharing code, is not enough to make two organizations the same. It remains to be seen whether SilverFish and Evil Corp are really just the Morning Star and the Evening Star, two appearances of Venus, or whether they are separate, if related, worlds.

BIG-IP vulnerabilities exploited.

NCC Group researchers have observed exploitation of a critical vulnerability (CVE-2021-22986) in F5’s BIG-IP appliances, Decipher reports. The vulnerability, which was patched on March 10, could allow an attacker to take full control of the system. NCC Group explains, “Exploiting this vulnerability requires two steps. First, authentication must be bypassed by taking advantage of the SSRF vulnerability to obtain an authenticated session token. This authenticated session can then be used to interact with REST API endpoints, which would otherwise require authentication. The most useful endpoint for an attacker is the tm/util/bash endpoint, which allows an (authenticated) user to execute commands on the underlying server with root privileges. However, because the REST API is designed for remote administration, there are many endpoints that an attacker might want to take advantage of. As part of the F5 fixes, a command injection vulnerability was also fixed … which could be used as another way to execute arbitrary commands after authentication is bypassed.”

A public exploit for the flaw was released late last week, and users are urged to apply the patch as soon as possible.
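For defenders reviewing BIG-IP management-plane logs after the NCC Group write-up, the following is an added example (not NCC Group’s, F5’s or the original article’s code) of a small log review script. It flags every successful request to the /mgmt/tm/util/bash command-execution endpoint named above, and escalates hits that come from outside an assumed management network. The log format, the sample lines and the trusted network range are constructed for illustration; real BIG-IP restjavad and audit logs use their own format, so the regular expression would need to be adapted.

```python
"""Flag requests to the F5 BIG-IP iControl REST command-execution endpoint.

Added example for defenders; not NCC Group's, F5's or the article's code.
The log format, sample lines and trusted network below are constructed
for illustration; adapt LINE_RE to the real BIG-IP log format in use.
"""
import ipaddress
import re
from typing import Optional

# Constructed sample log in a simplified combined-log style (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - admin [19/Mar/2021:10:02:11 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512
203.0.113.7 - - [19/Mar/2021:10:03:41 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 88
203.0.113.7 - - [19/Mar/2021:10:03:42 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 91
10.0.0.5 - admin [19/Mar/2021:10:04:00 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 77
198.51.100.9 - - [19/Mar/2021:10:05:13 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 401 45
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \d+$'
)

# /mgmt/tm/util/bash is the endpoint named in the NCC Group write-up.
COMMAND_ENDPOINTS = ("/mgmt/tm/util/bash",)
# Assumed management network; placeholder for the real admin range.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted_source(ip: str) -> bool:
    """True if the client IP falls inside an assumed trusted admin network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def review_log(log_text: str) -> list:
    """Return (ip, timestamp, severity, reason) tuples for noteworthy requests.

    Every successful hit on the command-execution endpoint is recorded, because
    the SSRF bypass yields a token that makes the request look authenticated,
    so the user field alone cannot be trusted. Hits from outside the management
    network are escalated to 'high'; hits from inside are kept for audit.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not rec["path"].startswith(COMMAND_ENDPOINTS):
            continue
        if not rec["status"].startswith("2"):
            continue
        if is_trusted_source(rec["ip"]):
            findings.append((rec["ip"], rec["ts"], "audit",
                             "command endpoint used from admin network"))
        else:
            findings.append((rec["ip"], rec["ts"], "high",
                             "command endpoint reached from untrusted source"))
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

Because the bypass produces a valid session token, the script keys on the endpoint rather than on whether the request appears authenticated; on the constructed sample it reports the two external hits as high and the one from the admin range for audit, and ignores the failed login. In practice the management interface should not be reachable from untrusted networks at all, which is the control the patch advice above assumes.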

CopperStealer targets passwords saved by browsers.

Proofpoint described “CopperStealer,” a recently discovered password stealer and downloader that targets Apple, Amazon, Bing, Facebook, Google, Instagram, PayPal, Tumblr and Twitter accounts. The malware is distributed through websites offering fake cracks for pirated software. Researchers believe CopperStealer is related to the SilentFade malware family:

“CopperStealer features many of the same targeting and delivery methods as SilentFade, a malware family of Chinese origin first reported by Facebook in 2019. Proofpoint believes CopperStealer is a previously undocumented family belonging to the same class of malware as SilentFade, StressPaint, FacebookRobot, and Scranos. Facebook attributed the creation of SilentFade to Hong Kong-based ILikeAD Media International Company Ltd and, at the 2020 Virus Bulletin conference, revealed that it was responsible for more than $4 million in damages by ‘compromising people’s Facebook accounts and then using people’s accounts to serve deceptive ads.’”