Weekly in Security 202227

2022-07-04 to 2022-07-11

Weekly in Security is a summary of the cybersecurity news from the past week. This post covers 2022-07-04 to 2022-07-11.


CVE-2022-2294 - Chrome WebRTC Zero-Day

A heap buffer overflow was discovered in the WebRTC component. It was reported by Jan Vojtesek from the Avast Threat Intelligence team on 2022-07-01. The vulnerability is being exploited in the wild. Chromium-based browsers are affected, e.g. Chrome, Microsoft Edge, Brave, … .

CVE-2021-43138 - IBM Business Automation Workflow RCE

IBM Business Automation Workflow is affected by a prototype pollution vulnerability in the Async library. The original advisory for Async was published on 2022-04-13.

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
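The class of bug named in the advisory, shown as an added example that is not code from Async or IBM: `mapValuesUnsafe` and `mapValuesSafe` are hypothetical, simplified synchronous stand-ins for an object-mapping helper, and the input is constructed.

```javascript
// Added illustration; simplified stand-ins, not the Async library's source.

// Constructed input: JSON.parse creates "__proto__" as an ordinary own key.
const untrusted = JSON.parse('{"a": 1, "b": 2, "__proto__": {"isAdmin": true}}');

// Vulnerable pattern: copy every own key into a plain object with `=`.
// Assigning to "__proto__" invokes the inherited setter and replaces the
// result's prototype instead of creating a data property.
function mapValuesUnsafe(obj, fn) {
  const result = {};
  for (const key of Object.keys(obj)) {
    result[key] = fn(obj[key], key);
  }
  return result;
}

// Hardened pattern: skip the "__proto__" key and build the result on a
// prototype-less object so nothing can be inherited from attacker input.
function mapValuesSafe(obj, fn) {
  const result = Object.create(null);
  for (const key of Object.keys(obj)) {
    if (key === "__proto__") continue;
    result[key] = fn(obj[key], key);
  }
  return result;
}

const identity = (v) => v;

// Compare what a later authorization-style check would see on each result.
function demo() {
  const unsafe = mapValuesUnsafe(untrusted, identity);
  const safe = mapValuesSafe(untrusted, identity);
  return {
    unsafeInherited: unsafe.isAdmin === true,
    unsafeOwn: Object.prototype.hasOwnProperty.call(unsafe, "isAdmin"),
    safeValue: safe.isAdmin,
    globalClean: ({}).isAdmin === undefined,
  };
}

console.log(demo());
```

The inherited `isAdmin` is invisible to `Object.keys()` and `JSON.stringify()`, so code that later checks `result.isAdmin` should test own properties only.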

CVE-2022-34893 - Trend Micro Maximum Security LPE

Security tools sometimes extend the potential attack surface. In this case, no further details have been published.

… link following vulnerability where an attacker with lower privileges could manipulate a mountpoint which could lead to escalation of privilege on an affected machine.


Shanghai police database leaked

Gigantic civilian data leak if confirmed: A hacker is selling an alleged Shanghai police data leak containing 1 billion Chinese nationals’ names, home addresses, ID #, phone #, criminal records, etc. Hacker says it’s from an Aliyun (Alibaba) private cloud server.

The issue seems to have existed for quite some time. The database was indexed by a search engine in April 2021. @vinnytroia detected the database in January 2022. In April 2022 @MayhemDayOne detected the database. In a later scan, mid-June, he found the data gone. Instead, there were ransom notes asking for 10BTC. The police solved the ransom problem, but access was still possible. On 2022-06-29 someone on a hacker forum offered to sell 23.88TB of data on 1 billion Chinese residents for 10BTC. The Chinese government has yet to publicly acknowledge the breach.

Microsoft quietly fixes ShadowCoerce

ShadowCoerce utilized the MS-FSRVP functionality.

It’s used for creating shadow copies of file shares on a remote computer, and for facilitating backup applications in performing application-consistent backup and restore of data on SMB2 shares

Another vulnerability in VSS, CVE-2022-30154, was patched in June. A fix for ShadowCoerce was either conveniently slipped in, or it was fixed “accidentally” as a by-product of the intended fix. There was no official statement from Microsoft.

NPM software supply chain attack

A typosquatting attack on NPM packages was discovered. The initial indicator was the usage of a JavaScript obfuscator. Based on this, more than two dozen NPM packages with a common naming pattern were discovered, e.g., icons-package, icons-pack, icon-package, icons-packages, … . After installation, a corresponding typosquatted domain was used for data exfiltration. The malicious packages have been collectively downloaded more than 27,000 times.

Filter Graph COM object used in Cyber Attack

Recently, a cyber attack on Iran’s steel industry was reported by @GonjeshkeDarand. Stygian investigated the forensic reports and picked out one aspect of the campaign. The malware displayed a video on the affected systems via the Filter Graph COM object. At the same time, access to the affected system was likely blocked. The article includes a working proof-of-concept that displays a GIF and locks the user out of the system.



Chimera is a PowerShell obfuscation script from 2020. It was designed to bypass AMSI and commercial antivirus solutions.


Chameleon is the illegitimate son of Chimera.

Chameleon is yet another PowerShell obfuscation tool designed to bypass AMSI and commercial antivirus solutions.


A neat JavaScript deobfuscator that can help identify malicious npm packages.

javascript cleaner & deobfuscator (primarily javascript-obfuscator/obfuscator.io)


Orange Cyber Security provides an interactive cheatsheet. Also, the mindmaps provide a great overview of potential attack paths.