6 new zero-days in Windows OS / Attack on Electronic Arts / Android with critical RCE bug

Welcome to the Xopero Security Center! This month’s patch harvest was an extremely big one. The IT world heated up the information about six new zero-days patched by Microsoft in recent days. No less serious update has got Android users. Google has released a fix for the critical RCE bug and other 90+ vulnerabilities … Let’s stop at Google for a little longer. Chrome also has got a series of urgent fixes – one of the bugs is currently being used in a series of attacks. Let’s not forget about the last data breaches and cyberattacks too. Electronic Arts, a game publisher that you probably associate with the FIFA series fell a victim to the hackers. They stole – among other things – Frostbite engine and FIFA 21 source codes. Details, as usual, can be found below.

Update your Windows to patch 6 new serious zero-day bugs

New month, new security update. Microsoft on Tuesday released another round of security patches for Windows OS and other supported software. This time we have got patches for 50 vulnerabilities, including six zero-days under active attack.

Resolved flaws concerned following products: Microsoft Windows, .NET Core and Visual Studio, Microsoft Office, Microsoft Edge, SharePoint Server, Hyper-V, Visual Studio Code – Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.

Of these 50 bugs, five are rated Critical, and six under active attack. 

CVE-2021-33742 (CVSS score: 7.5) – a remote code execution bug in the Windows MSHTML platform. Attackers could successfully exploit this and execute code on a target system if they can convince a victim to view specially crafted Web content. 

CVE-2021-33739 (CVSS score: 8.4) – Microsoft DWM Core Library Elevation of Privilege Vulnerability that requires low attack complexity, no privileges, and no user interaction to successfully exploit.

CVE-2021-31955 (CVSS score: 5.5) – Windows Kernel Information Disclosure Vulnerability and CVE-2021-31956 (CVSS score: 7.8) – Windows NTFS Elevation of Privilege Vulnerability are used as part of an exploit chain, along with a Chrome zero-day, in active attacks observed on April 14–15 that researchers say were “highly targeted.”

And CVE-2021-31199 and CVE-2021-31201 (CVSS score: 5.2), the final two zero-days exploited this month, are elevation of privilege vulnerabilities in the Microsoft Enhanced Cryptographic Provider. Both vulnerabilities are related to Adobe CVE-2021-28550, a zero-day affecting Windows and macOS patched last month.


Attack on Electronic Arts – hackers steal FIFA 21 and other games source code 

Hackers have breached the network of gaming giant Electronic Arts (EA) and claim to have stolen roughly 780 GB of data. Including FIFA 21 matchmaking server code, FIFA 22 API keys, and some software development kits for Microsoft Xbox and Sony. They also purport to have much more, including the source code and debugging tools for Frostbite, which powers EA’s most popular games like Battlefield, FIFA, and Madden. 

EA confirmed the data breach. EA spokesperson said it was not a ransomware attack and claimed that only a limited amount of game source code was stolen. According to the statement, no player data was accessed and there is no risk to customers’ privacy. The company also does not expect any impact on its games or business. 

The group of hackers broke into the company in part by tricking an employee over Slack to provide a login token.

The attackers are selling the batch of data and access for $28 million. It’s quite strange that they did not attempt to ransom the data back to EA. The stolen information might be valuable to competitors or may include information or vulnerabilities that could be used in future attacks against EA products or customers. 

Back(up)… to the game!

It’s worth noticing that the game source code is highly proprietary and sensitive intellectual property that is the heartbeat of a company and should be strongly protected. 

From the perspective of the backup vendor we highly recommend having a repository backup in place. While most companies host their source code (aforementioned heartbeat of a company) on platforms like GitHub and Bitbucket, having such a repository backup like GitProtect.io is a must for their existence. 


Android with critical RCE bug and other 90+ problems – patch your device

Google’s June security bulletin addresses 90+ security vulnerabilities in Android and Pixel devices, including a critical remote code execution bug that could allow an attacker to commandeer a targeted vulnerable mobile device.

CVE-2021-0507 – the RCE vulnerability, is the most severe bug of this patch release. It exists in the System component in the Android OS and could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.

Google also addressed a critical elevation-of-privilege (EoP) issue in the System component tracked as CVE-2021-0516 and multiple high-severity EoP vulnerabilities in other components, including the Media Framework, the System, and the Kernel.

The company didn’t share any further details. It’s the standard procedure at Google which does not release the technical details of patched vulnerabilities until an overwhelming majority of vulnerable handsets receive the fixes.


New Chrome 0-day bug under attacks – update ASAP!

If you are using the Google Chrome browser on your Windows, Mac, or Linux computers, you need to update it immediately to the latest version released on Wednesday. It addresses 14 newly discovered security issues, including a zero-day flaw that is being actively exploited in the wild.

Tracked as CVE-2021-30551, the vulnerability stems from a type confusion issue in its V8 open-source and JavaScript engine. The vulnerability was leveraged by the same actor that abused CVE-2021-33742, an actively exploited remote code execution flaw in the Windows MSHTML platform that was updated by Microsoft on June 8. 

Both the Chrome and Windows exploits enable criminals to gain a foothold in the targeted system, the stager module download and execute a more complex malware dropper from a remote server. 

The two zero-days are said to have been provided by a commercial exploit broker to a nation-state actor, which used them in limited attacks against targets in Eastern Europe and the Middle East

Google Chrome will automatically attempt to upgrade the browser the next time you launch the program, but you can perform a manual update by going to Settings > Help > ‘About Google Chrome.


Do you have thirst for knowledge? There is ten more cybersecurity stories below

1. Lessons Learned from 100 Data Breaches by Imperva (Part 1 | Part 2)
2. Mysterious Custom Malware Collects Billions of Stolen Data Points (Threat Post)
3. Microsoft warns of cryptomining attacks on Kubernetes clusters (Bleeping Computer)
4. Intel’s latest patch set plugs some serious holes in CPU, Bluetooth, server, and – ironically – security lines (The Register)
5. GitHub now scans for accidentally-exposed PyPI, RubyGems secrets (Bleeping Computer)
6. Adobe issues security updates for 41 vulnerabilities in 10 products (Bleeping Computer)
7. Android 12: Second beta arrives with privacy features (ZDNet)
8. CD Projekt: Data stolen in ransomware attack now circulating online (Bleeping Computer)
9. Audi, Volkswagen data breach affects 3.3 million customers (Bleeping Computer
10. McDonald’s discloses data breach in US, Taiwan and South Korea (Security Affairs)