Cyber Security Weekly Briefing 6-12 November
Microsoft's security bulletin
Microsoft has published its November security bulletin, fixing a total of 55 bugs across its software, including six 0-day vulnerabilities, two of which are currently being exploited. The first, tracked as CVE-2021-42292 with a CVSS score of 7.8, is a security feature bypass flaw in Microsoft Excel. The second 0-day under active exploitation, CVE-2021-42321 (CVSS 8.8), is a remote code execution vulnerability in Microsoft Exchange Server. The remaining four 0-days, for which no further details have been provided at this stage, are information disclosure flaws in Windows Remote Desktop Protocol (CVE-2021-38631 and CVE-2021-41371) and remote code execution vulnerabilities in 3D Viewer (CVE-2021-43208 and CVE-2021-43209).
More: https://msrc.microsoft.com/update-guide/releaseNote/2021-Nov
Campaign against a recent vulnerability in Zoho
Researchers at Palo Alto Networks' Unit 42 have published an investigation into a campaign exploiting CVE-2021-40539 (CVSS 9.8) in Zoho's ManageEngine ADSelfService Plus. This is the second campaign detected against the same flaw: on 16 September CISA issued a statement confirming that it was being actively exploited by an APT. The exploitation attempts in this second campaign, unrelated to the one exposed by CISA, began on 22 September and continued until the beginning of October, during which time the threat actor breached at least nine entities across various sectors. In the infection chain, researchers observed that, after gaining access to the victim's network, the actor installed either the Godzilla webshell or the NGLite backdoor, both of which were used to move laterally. As they moved through the infrastructure, they exfiltrated information from the servers until they reached the domain controller (DC), where they installed the credential-stealing tool KdcSponge. It is worth noting that while Palo Alto links this campaign to the Chinese APT27 group (TG-3390), Microsoft's Threat Intelligence team, which has also tracked exploitation of the same vulnerability, attributes the campaign to the Chinese actor DEV-0322, related to the SolarWinds incident.
All details: https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/
Unauthorised access to Aruba Central
HPE has reported a security incident in which an unauthorised third party reportedly gained access to information in the Aruba Central cloud environment. The actor, who has not yet been identified, gained access by using a stolen access key, which allowed them to view stored user data. In particular, two repositories were affected: one containing customers' network telemetry data and another holding location data for WiFi devices. The exposed data included MAC address, IP address, operating system type, host name and, on WiFi networks where authentication is required, username. According to the company, the actor first gained access on 9 October and retained it until 27 October, when the password was changed. Because data is removed from these repositories every 30 days, the data the actor could access went back no further than 10 September. HPE reportedly confirmed that no sensitive or confidential data was affected and that no action is required from customers.
More information: https://www.arubanetworks.com/support-services/security-bulletins/central-incident-faq/
Multiple vulnerabilities in AMD's graphics driver for Windows 10
Private security researchers, in collaboration with CyberArk Labs and the Apple Media Products RedTeam, have reported a long list of vulnerabilities in AMD's graphics driver for Windows 10. In particular, 18 of the detected bugs have been rated high severity, as a set of flaws in various APIs could lead to privilege escalation, denial of service, information disclosure and even arbitrary code execution in kernel memory. AMD has already addressed all of the vulnerabilities and has issued an advisory listing the assigned CVEs, together with instructions on how to apply updates to both AMD Radeon Software and AMD Radeon Pro Software for Enterprise. In addition, AMD has recently fixed bugs in its AMD EPYC server processors and performance issues affecting its processors on the new versions of Windows 11 released by Microsoft.
More: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1000