MountLocker ransomware / Four 0-days in Android / Scheme flooding / Mercedes-Benz with bugs

Welcome to the newest episode of the Xopero Security Center. What have we got in store this week? First, MountLocker ransomware has been enhanced with a new “skill”. The threat is now able to use Active Directory to efficiently search company networks and infect devices connected to it. We also describe the four most recent 0-day security vulnerabilities found in Android. We also introduce you to the new attack called scheme flooding. This is a very neat method of user profiling based on the applications installed on the device. Today’s release ends with the news about Mercedes. Researchers identified five vulnerabilities in the latest infotainment system in Mercedes-Benz cars. Are you curious and ready for more? Great, then let’s enjoy your ride… eh reading.

MountLocker ransomware uses Windows Active Directory APIs to worm through networks

Last week, MalwareHunterTeam discovered a new MountLocker executable that contains a new worm feature that allows it to spread and encrypt to other devices on the network. This new MountLocker version is now using the Windows Active Directory Service Interfaces API as part of its worm feature.

Stages of the cyber attack

The ransomware first uses the NetGetDCName() function to retrieve the name of the domain controller. Then it performs LDAP queries against the domain controller’s ADS using the ADsOpenObject() function with credentials passed on the command line. Once it connects to the Active Directory services, it will iterate over the database for objects of ‘objectclass=computer’.

For each object it finds, MountLocker will attempt to copy the ransomware executable to the remote device’s ‘\C$\ProgramData’ folder. The ransomware will then remotely create a Windows service that loads the executable so it can proceed to encrypt the device. Using this method, the ransomware can find all devices that are part of the compromised Windows domain and encrypt them using stolen domain credentials.

Are you using AD? Then you have a problem

Many corporate environments rely on complex Active Directory forests and the computers within them. MountLocker is now the first known ransomware to leverage this corporate architectural insight to identify additional encryption targets beyond what a normal network and share scan would find. As Windows network administrators commonly use this API, specialists believe the threat actor who added this code likely has some Windows domain administration experience.
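The chain described above (an executable dropped over the C$ admin share into ProgramData, then a remote service installed to run it) leaves a recognisable pair of Windows events: a 5145 share-access event on the target, followed by a 7045 service-install event on the same host. The script below is an added detection example, not code from the original article or from the MountLocker analysis; the log format and sample lines are constructed for the demonstration, and the field names (host, share, path, src, image) are assumptions.

```python
"""Correlate share-access (5145) and service-install (7045) events to flag
an executable written to \\<host>\C$\ProgramData and then started as a
service on that host, and summarise which source fanned out to which hosts."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry): "<ts> key=value ..." per line.
SAMPLE_LOG = r"""
2021-05-20T10:00:01 host=WS01 event=5145 share=\\*\C$ path=ProgramData\update.exe src=10.0.0.5 user=CORP\admin
2021-05-20T10:00:03 host=WS01 event=7045 service=SysUpdate image=C:\ProgramData\update.exe
2021-05-20T10:00:09 host=WS02 event=5145 share=\\*\C$ path=ProgramData\update.exe src=10.0.0.5 user=CORP\admin
2021-05-20T10:00:12 host=WS02 event=7045 service=SysUpdate image=C:\ProgramData\update.exe
2021-05-20T11:30:00 host=WS03 event=5145 share=\\*\C$ path=Users\bob\report.docx src=10.0.0.9 user=CORP\bob
2021-05-20T12:00:00 host=WS04 event=7045 service=Printer image=C:\Windows\System32\spoolsv.exe
"""

def parse_line(line):
    """Split '<ts> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields

def is_admin_share_exe_write(ev):
    """5145: an .exe written under ProgramData via the C$ admin share."""
    path = ev.get("path", "").lower()
    return (ev.get("event") == "5145" and ev.get("share", "").upper().endswith("\\C$")
            and path.startswith("programdata\\") and path.endswith(".exe"))

def is_programdata_service(ev):
    """7045: a new service whose binary lives under C:\ProgramData."""
    return ev.get("event") == "7045" and ev.get("image", "").lower().startswith("c:\\programdata\\")

def find_worm_activity(log_text, window=timedelta(minutes=5)):
    """Return one hit per host where a dropped .exe became a service within `window`."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    drops = defaultdict(list)  # host -> drop events seen so far
    hits = []
    for ev in events:
        if is_admin_share_exe_write(ev):
            drops[ev["host"]].append(ev)
        elif is_programdata_service(ev):
            for d in drops[ev["host"]]:
                same_exe = d["path"].lower().rsplit("\\", 1)[-1] == ev["image"].lower().rsplit("\\", 1)[-1]
                if same_exe and 0 <= (ev["ts"] - d["ts"]).total_seconds() <= window.total_seconds():
                    hits.append({"host": ev["host"], "src": d["src"], "user": d["user"],
                                 "service": ev["service"], "image": ev["image"]})
    return hits

def fan_out(hits):
    """Group hit hosts by the source address that dropped the binary (worm spread view)."""
    by_src = defaultdict(set)
    for h in hits:
        by_src[h["src"]].add(h["host"])
    return {src: sorted(hosts) for src, hosts in by_src.items()}
```

On the sample data the legitimate document copy to WS03 and the spooler service on WS04 are ignored, while WS01 and WS02 are attributed to the single source 10.0.0.5, which is the fan-out pattern worth alerting on.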


Android patches 4 new zero-day bugs exploited in the wild

Google on Wednesday updated its May 2021 Android Security Bulletin to disclose that four of the security vulnerabilities that were patched earlier this month by Arm and Qualcomm may have been exploited in the wild as zero-days.

The four Android vulnerabilities affect the Qualcomm GPU and Arm Mali GPU driver components and include:

CVE-2021-1905 (CVSS score: 8.4) – A use-after-free flaw in Qualcomm’s graphics component due to improper handling of memory mapping of multiple processes simultaneously.

CVE-2021-1906 (CVSS score: 6.2) – A flaw concerning inadequate handling of address deregistration that could lead to new GPU address allocation failure.

CVE-2021-28663 (CVSS score: NA) – A vulnerability in the Arm Mali GPU kernel driver that could permit a non-privileged user to perform improper operations on GPU memory, leading to a use-after-free condition that could be exploited to gain root privileges or disclose information.

CVE-2021-28664 (CVSS score: NA) – An unprivileged user can achieve read/write access to read-only memory, enabling privilege escalation or a denial-of-service (DoS) condition due to memory corruption.

Successful exploitation of these weaknesses could grant an adversary access to the targeted device and control over it. It is, however, not clear how the attacks were carried out, which victims may have been targeted, or which threat actors may be abusing them.

Android users are recommended to install this month’s security updates as soon as possible.

This month’s Android security updates also include patches for critical vulnerabilities in the System component that could be exploited by remote attackers using specially crafted files to execute arbitrary malicious code within the context of a privileged process.

Regrettably, users on older devices that no longer receive monthly security updates might not be able to install these patches.


We have a cross-browser tracking problem… Four major browsers affected by scheme flooding vulnerability

The scheme flooding vulnerability allows websites to identify users reliably across different desktop browsers and link their identities together.

The list of affected browsers (desktop versions) is below:

– Chrome,
– Firefox,
– Safari,
– Tor Browser.

The vulnerability uses information about the apps installed on a computer to assign a permanent unique identifier, even if the user switches browsers, uses incognito mode, or connects through a VPN. In other words, it’s possible to link your Chrome visit to your Firefox or Safari visit, identify you uniquely and track you across the web.

Dangerous profiling

The list of installed applications on someone’s device can reveal a lot about their occupation, habits, and age. A website may be able to detect a government or military official based on their installed apps and associate that with browsing history that was intended to be anonymous.

How does it work?

The scheme flooding vulnerability allows an attacker to determine which applications you have installed. In order to generate a 32-bit cross-browser device identifier, a website can test a list of 32 popular applications and check if each is installed or not. The whole process takes only a few seconds.

You can check it yourself. Enter skype:// into your browser address bar and see for yourself what will happen.

Are you done? If you have Skype installed, your browser will open a confirmation dialog that asks if you want to launch it. Any application that you install can register its own scheme to allow other apps to open it.

Attackers could prepare a list of application URL schemes that they want to test. The list may depend on their goals, for example checking whether industry- or interest-specific applications are installed… and which potential vulnerabilities those applications expose. Based on such information, attackers can prepare a well-profiled campaign and successfully infiltrate targeted organizations.


Researchers find five exploitable bugs in Mercedes-Benz cars

Security researchers from Tencent Security Keen Lab identified five vulnerabilities in the latest infotainment system in Mercedes-Benz cars. Four of them could be exploited for remote code execution.

The infotainment system initially was introduced on A-class vehicles in 2018, but has since been adopted on the car maker’s entire vehicle line-up.

The vulnerabilities tracked as CVE-2021-23906, CVE-2021-23907, CVE-2021-23908, CVE-2021-23909, and CVE-2021-23910, provide hackers with remote control of some of the car’s functions, but not with access to physical features, such as steering or braking systems.

The Keen Team researchers discovered that the tested systems were running an outdated Linux kernel version that is affected by vulnerabilities that could be exploited to carry out specific attacks. They explored multiple attack scenarios that could leverage the browser’s JavaScript engine, Wi-Fi chip, Bluetooth stack, USB functions, or third-party apps in the head unit.

Following the initial compromise, which involved setting up a persistent web shell with root privileges, the researchers were able to unlock specific car functions and the vehicle’s anti-theft protection, inject a persistent backdoor, and even perform vehicle control actions.

By sending specific CAN messages, the researchers were able to control the ambient light in the vehicle, control the reading lights, open the sunshade cover and control the back-seat passenger lights, but were not able to take control of the vehicle.

The identified vulnerabilities were reported to the vendor in November 2020. Patches started rolling out in late January 2021.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. Fraudsters employ Amazon ‘vishing’ attacks in fake order scams (ZDNet)
2. Keksec Cybergang Debuts Simps Botnet for Gaming DDoS (Threat Post)
3. Apple’s Find My Network Can be Abused to Exfiltrate Data From Nearby Devices (The Hacker News)
4. Bizarro banking Trojan surges across Europe (ZDNet)
5. Exploit released for wormable Windows HTTP vulnerability (Bleeping Computer)
6. “Those aren’t my kids!” – Eufy camera owners report video mixups (Naked Security)
7. Cyber-attack on Irish health service ‘catastrophic’ (BBC)
8. Transparent Tribe APT expands its Windows malware arsenal (Talos Intelligence)
9. Spammers flood PyPI with pirated movie links and bogus packages (Bleeping Computer)
10. A dozen Android apps exposed data of 100M+ users (Security Affairs)