Security Spotlight: Critical Vulnerability Exploits and Patches, Plus Novel Attack Tactics
This blog was originally published by Bitglass here.
Written by Jeff Birnbaum, Bitglass.
Here are the top security stories from September 2021:
- Cisco Patches Three Critical Vulnerabilities Impacting Wireless Controllers and SD-WAN
- Critical VMware vCenter Vulnerability Exploited in the Wild
- New APT Group FamousSparrow Exploits ProxyLogon and Uses Custom Backdoor
- Ransomware Delivery Tool Zloader Malware Being Spread Through Malicious Google Ads
- Walgreens Exposes Patient Data in COVID-19 Test Registration System
Cisco has released patches for three critical vulnerabilities that can lead to DoS conditions. The vulnerabilities affect its IOS XE software used in wireless controllers and SD-WAN products. The most critical bug (CVE-2021-34770) ranks 10 out of 10 in the CVSS vulnerability-severity rating scale and affects the Cisco Catalyst 9000 family of wireless controllers. The vulnerability allows an attacker to create a DoS attack by executing arbitrary code that can cause a wireless controller to crash and reload. The other two critical bugs are both rated 9.8/10 and are tracked as CVE-2021-34727 and CVE-2021-1619. CVE-2021-34727 is a software buffer overflow issue affecting Cisco’s SD-WAN software that can result in a DoS situation. CVE-2021-1619 is an authentication-bypass vulnerability that can also result in a DoS. All vulnerabilities have available patches, and CVE-2021-1619 has both a patch and workaround.
Hackers are actively exploiting VMware vCenter Server vulnerability CVE-2021-22005 affecting vCenter Server versions 6.7 and 7.0. The attacks seen have been based on code from an incomplete exploit released by security researcher Jang. The exploit allows remote code execution with root privileges. The bug has a 9.8 rating, and VMware has strongly recommended administrators install an available patch.
A new APT group dubbed FamousSparrow has been targeting governments, international organizations, engineering companies, law firms, and the hospitality industry. Active since 2019, FamousSparrow exploits ProxyLogon, a group of zero-day vulnerabilities used to compromise Microsoft Exchange servers, Microsoft SharePoint, and Oracle Opera. The group is also unique in its use of a custom backdoor to link to C&C infrastructure for data exfiltration. It has also created two customized versions of Mimikatz, a legitimate penetration testing kit.
Attackers have been buying Google keyword ads to distribute Zloader, a banking trojan used to steal sensitive information, deliver ransomware, and install backdoors or other malware. Microsoft states that attackers are using Google search keywords to target online ads and redirecting victims to compromised domains or domains owned by the attacker. Penetration testing kit Cobalt Strike and Ryuk ransomware are downloaded in some cases.
Pharmacy store chain Walgreens exposed the personal data of millions of people who used its COVID-19 testing services. Personal data including name, date of birth, gender identity, phone number, address, and email was available for anyone on the public web to see and collectible by ad trackers through Walgreens’ COVID-19 test registration system. Walgreens initially denied its page was insecure but has since added an authentication screen to confirmation pages, requiring users to enter the patient’s date of birth to view information.