PrintNightmare security update / Kaseya attack crisis / WD got new 0-day

The PrintNightmare case definitely dominated the media during the last few days. There was a heated discussion as to whether the patch released by Microsoft solves the problem at all. Why such different opinions? The patch turned out to work against all known exploits, but it was not without its flaws. So if you are wondering whether it is worth updating – yes, and do it as soon as possible. If another patch is released, you will definitely read about it in the Security Center.

Detailed information about the emergency security update – and other IT news – can be found below. Let’s start then.

PrintNightmare security update – better patch now, even if it’s incomplete

The PrintNightmare vulnerability (CVE-2021-1675) – which we described last week – could grant attackers full control of vulnerable systems via remote code execution (RCE) with SYSTEM privileges. Because the Print Spooler service runs at the highest privilege level and allows third-party binaries to be loaded dynamically, the impact is severe. That is why Microsoft released the KB5004948 emergency security update so quickly. The patch addresses the vulnerability on all affected versions of Windows that are still in support – even Windows 7.

There is a ‘but’…

While Microsoft says these security updates address the PrintNightmare vulnerability, security researchers have discovered that the patch is incomplete and can be bypassed to achieve both remote code execution and local privilege escalation with the official fix installed. It looks like Microsoft has so far fixed only the remote code execution component of the vulnerability. Malware and threat actors could still use the local privilege escalation component to gain SYSTEM privileges on vulnerable systems, but only if the Point and Print policy is enabled.

The out-of-band (OOB) security updates can be bypassed only in specific scenarios. It’s worth mentioning that the patch still works as designed and is effective against the known printer spooling exploits and other public reports collectively referred to as PrintNightmare.

Microsoft is now encouraging customers to update as soon as possible. Just a few steps are required to patch this critical Windows Print Spooler RCE vulnerability:

  • In all cases, the CVE-2021-34527 security update is a must-have. The update will not change existing registry settings.
  • After applying the security update, review the registry settings documented in the CVE-2021-34527 advisory.
  • If the registry keys documented do not exist, no further action is required.
  • If the registry keys documented do exist, in order to secure your system, you must confirm that the following registry values under this key are set to 0 (zero) or are not present:
    • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
    • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

If you cannot immediately install the security updates on your system(s), you can disable the Windows Print Spooler service to mitigate the PrintNightmare vulnerability temporarily.
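The check list above can be turned into a script. The following PowerShell is an added example, not code from this post or from Microsoft’s advisory: it audits the two Point and Print values under the key the advisory names, reports whether the KB this post mentions is installed, and shows the state of the Print Spooler service. It assumes an elevated session; the KB number is the one named above, and Microsoft ships a differently numbered KB for each Windows version, so substitute the one for your build.

```powershell
# Added example, not part of the post or of Microsoft's advisory: audit the
# Point and Print hardening described above on the local machine.
# Assumes it is run in an elevated PowerShell session.

# Key and value names exactly as listed in the CVE-2021-34527 advisory
$pointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$riskyValues = @('NoWarningNoElevationOnInstall', 'UpdatePromptSettings')

function Test-PointAndPrintHardening {
    # Returns $true when the machine is in the state the advisory calls secure
    if (-not (Test-Path -Path $pointAndPrintKey)) {
        Write-Host 'PointAndPrint key not present: no further action required.'
        return $true
    }

    $hardened = $true
    foreach ($name in $riskyValues) {
        $entry = Get-ItemProperty -Path $pointAndPrintKey -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $entry) {
            Write-Host "$name not defined (default): OK"
            continue
        }
        $value = [int]$entry.$name
        if ($value -eq 0) {
            Write-Host "$name = 0: OK"
        } else {
            # A non-zero value is the condition under which the LPE bypass still works
            Write-Host "$name = $($value): NOT hardened, set it to 0 or delete the value"
            $hardened = $false
        }
    }
    return $hardened
}

# Is the out-of-band update installed? KB5004948 is the number named in this post;
# Microsoft publishes a different KB per Windows version, so adjust $kb for yours.
$kb = 'KB5004948'
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($hotfix) { Write-Host "$kb installed on $($hotfix.InstalledOn)" }
else         { Write-Host "$kb not found: install the security update first" }

# State of the Print Spooler service (stopping and disabling it is the temporary mitigation)
$spooler = Get-Service -Name Spooler
Write-Host "Print Spooler service: $($spooler.Status) (StartType: $($spooler.StartType))"

if (-not (Test-PointAndPrintHardening)) { exit 1 }
```

The function uses Write-Host for its messages rather than Write-Output so that its only pipeline output is the boolean result, which lets the script exit non-zero when the machine is not hardened, a convenient hook for fleet-wide checks through your management tooling.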

Source: 1 | 2 

Android apps with over 5.8 million downloads used a sneaky method to steal Facebook credentials

The apps provided fully functioning services for photo editing and framing, exercise and training, horoscopes, and removal of junk files from Android devices. All of them also offered users an option to disable in-app ads by logging into their Facebook accounts. Users who chose the option saw a genuine Facebook login form containing fields for entering usernames and passwords.

The trojans used a special mechanism to trick their victims. After receiving the necessary settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page into a WebView. Next, they loaded JavaScript received from the C&C server into the same WebView. This script was used directly to hijack the entered login credentials. After that, the JavaScript, using methods exposed through the JavascriptInterface annotation, passed the stolen login and password to the trojan applications, which then transferred the data to the attackers’ C&C server. Once the victim had logged into their account, the trojans also stole cookies from the current authorization session. Those cookies were also sent to the cybercriminals.

The researchers at Dr. Web identified five malware variants stashed inside the apps. Three of them were native Android apps, and the remaining two used Google’s Flutter framework, which is designed for cross-platform compatibility. They were classified as the same trojan because they use identical configuration file formats and identical JavaScript code to steal user data.

Downloads by app:

  • PIP Photo: more than 5.8 million downloads
  • Processing Photo: more than 500,000 downloads
  • Rubbish Cleaner: more than 100,000 downloads
  • Inwell Fitness: more than 100,000 downloads
  • Horoscope Daily: more than 100,000 downloads
  • App Lock Keep: more than 50,000 downloads
  • Lockit Master: more than 5,000 downloads
  • Horoscope Pi: 1,000 downloads
  • App Lock Manager: 10 downloads

All apps have been removed from Google Play. Anyone who has downloaded one of the above apps should examine their device and their Facebook accounts for any signs of compromise.


Ongoing Kaseya attack crisis: fake security update drops Cobalt Strike

Have you already heard about the REvil ransomware attack on Kaseya VSA Software? In short: the company has confirmed that 60 customers and 1,500 downstream businesses were impacted as a result of an attack on its remote device management software, which was used to spread ransomware.

Now threat actors are trying to capitalize on the ongoing Kaseya ransomware attack crisis by targeting potential victims with a spam campaign pushing Cobalt Strike payloads disguised as Kaseya VSA security updates.

Cobalt Strike is a legitimate penetration testing tool and threat emulation software that’s also used by attackers for post-exploitation tasks and to deploy so-called beacons that allow them to gain remote access to compromised systems.

The end goal of such attacks is either to harvest and exfiltrate sensitive data or to deliver second-stage malware payloads.

According to Malwarebytes, malicious emails sent as part of this malspam campaign come with a malicious ‘SecurityUpdates.exe’ attachment as well as a link pretending to be a security update from Microsoft that patches the Kaseya vulnerability.

The attackers gain persistent remote access to the targets’ systems once the victims run the malicious attachment or download and launch the fake Microsoft update on their devices.

Since Kaseya says that it failed to deploy a fix for the VSA zero-day exploited by REvil, many of its customers might fall for this phishing campaign’s tricks in their effort to protect their networks from attacks.
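A practical check for a file that arrives claiming to be a Microsoft security update is its Authenticode signature. The following PowerShell is an added example, not code from this post or from Malwarebytes: it records the file’s SHA256 for reporting, verifies the signature status, and confirms the signer is Microsoft before anyone is tempted to run it. The file path is a placeholder built from the attachment name reported in the campaign, and the signer-subject match is an assumption about how genuine Microsoft binaries are signed.

```powershell
# Added example, not part of the post: check a file that claims to be a
# Microsoft security update before anyone runs it. The path is a placeholder
# using the attachment name reported in the campaign.
$suspectFile = Join-Path $env:USERPROFILE 'Downloads\SecurityUpdates.exe'

function Test-TrustedMicrosoftSignature {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -Path $Path)) {
        Write-Host "File not found: $Path"
        return $false
    }

    # Record the hash so the file can be reported or matched against vendor IoCs
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    Write-Host "SHA256: $hash"

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # Unsigned, tampered with, or signed by a chain the machine does not trust
        Write-Host "Signature status: $($sig.Status)"
        return $false
    }

    $subject = $sig.SignerCertificate.Subject
    Write-Host "Signer: $subject"
    # Assumption: genuine Microsoft binaries carry a certificate issued to Microsoft Corporation;
    # a valid signature from anyone else still means this is not a Microsoft update.
    return ($subject -like '*CN=Microsoft Corporation*')
}

if (Test-TrustedMicrosoftSignature -Path $suspectFile) {
    Write-Host 'Signature checks out, but Microsoft does not ship updates as e-mail attachments: use Windows Update or the Microsoft Update Catalog instead.'
} else {
    Write-Host 'Do not run this file. Quarantine it and report it to your security team.'
}
```

A valid signature is a necessary condition, not a sufficient one: even a correctly signed binary delivered by e-mail is not how Microsoft distributes patches, so the script treats the e-mail delivery channel itself as the reason to fall back to the official update channels.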


Western Digital: zero-day vulnerabilities come in threes

Bad news comes in threes – most particularly for Western Digital customers. Do you remember our news from two weeks ago about Western Digital My Book NAS devices being wiped clean worldwide? There’s another zero-day waiting for whoever can’t or won’t upgrade their My Cloud storage devices.

The latest zero-day entails an attack chain that allows an unauthenticated intruder to execute code as root and install a permanent backdoor on the vendor’s NAS devices. It’s found in all WD devices running the old, no-longer-supported My Cloud 3 operating system: an OS that the researchers said is “in limbo,” given that WD recently stopped supporting it.

So, WD has said that its update – My Cloud OS 5 – fixed the bug. But there is a catch. According to the researchers who found the OS 3 vulnerability, Radek Domanski and Pedro Ribeiro, OS 5 is a complete rewrite of OS 3 that dropped some popular features. So it’s not surprising that not all users are likely to upgrade.

There is hope. Domanski and Ribeiro have developed and released their own patch that fixes the vulnerabilities in OS 3. Where’s the catch? Well, it needs to be reapplied every time the device reboots.

Let us remind you of the previous Western Digital crisis. The June attack actually turned out to be two attacks rolled into what at first seemed like one: an old remote code execution (RCE) bug from 2018 that WD first blamed for the remote wipes, and then a previously unknown zero-day flaw that enabled unauthenticated remote factory-reset wipes.

Now comes this one – a third, similarly serious zero-day vulnerability in a much broader range of newer Western Digital My Cloud NAS boxes.

So it seems users have just two options – use the researchers’ patch and reapply it every time the device reboots, or upgrade to OS 5 and lose popular features. Tough choice.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. Sage X3 Vulnerabilities Can Pose Serious Risk to Organizations (Security Week)
2. Passwords by Kaspersky Password Manager exposed to brute-force attack (Hack Read)
3. Fake Android Apps Promise Cryptomining Services to Steal Funds (Dark Reading)
4. New Ryuk Ransomware Sample Targets Webservers (McAfee Labs)
5. Dozens of Vulnerable NuGet Packages Allow Attackers to Target .NET Platform (The Hacker News)
6. Experts uncover malware attacks targeting corporate networks in Latin America (The Hacker News)
7. Android Updates for July 2021 Patch Tens of High-Severity Vulnerabilities (Security Week)
8. Leaked Babuk Locker ransomware builder used in new attacks (Bleeping Computer)
9. Hackers Use New Trick to Disable Macro Security Warnings in Malicious Office Files (The Hacker News)
10. Hancitor tries XLL as initial malware file (InfoSec Handlers Diary Blog)