//Blogs - 24 September 2021

AusCERT Week in Review for 24th September 2021

Greetings,

We wanted to remind everyone that it's worth having a look to be sure that you're not affected by the VMware vCenter vulnerability related to CVE-2021-22005 - a patch is available and so is a quicker (but temporary) mitigation. We notified a small number of members yesterday of internet-exposed servers.

More information can be found in this Bleeping Computer article.

Bleeping Computer also reported on a vulnerability in macOS Finder that makes it possible for attackers to run commands on Macs running any macOS version up the most recent release, Big Sur.

With the unveiling of Apple’s IOS 15 this week, there has been a lot of focus on their increased efforts to offer consumers greater control over who sees their data. MacRumors released a guide on the new privacy and security features that have seen mixed reactions concerning Apple’s handling of user data.

Lastly, to all the parents, guardians and family members experiencing school holidays, remember, this too shall pass so enjoy the family time and/or look forward to the end… good luck!


DDoS botnets, cryptominers target Azure systems after OMIGOD exploit goes public
Date: 2021-09-17
Author: The Record

Threat actors are attacking Azure Linux-based servers using a recently disclosed security flaw named OMIGOD in order to hijack vulnerable systems into DDoS or crypto-mining botnets.
The attacks, which began on Thursday night, September 16, are fueled by a public proof-of-concept exploit that was published on the same day on code hosting website GitHub.
Discovered over the summer by cloud security firm Wiz, the vulnerability resides in an app called Open Management Infrastructure (OMI), which Microsoft has been silently installing by default on most Azure Linux virtual machines.

Microsoft Exchange Autodiscover bug leaks hundreds of thousands of domain credentials
Date: 2021-09-22
Author: The Record

Security researchers have discovered a design flaw in a feature of the Microsoft Exchange email server that can be abused to harvest Windows domain and app credentials from users across the world.
Based on his finding, Serper said he registered a series of Autodiscover-based top-level domains that were still available online. [...] For more than four months, between April 16, 2021, and August 25, 2021, Serper said these servers received hundreds of requests, complete with thousands of credentials, from users that were trying to set up their email clients, but their email clients were failing to find their employer’s proper Autodiscover endpoint.

Microsoft Warns of a Wide-Scale Phishing-as-a-Service Operation
Date: 2021-09-22
Author: The Hacker News

Microsoft has opened the lid on a large-scale phishing-as-a-service operation that's involved in selling phishing kits and email templates as well as providing hosting and automated services at a low cost, thus enabling cyber actors to purchase phishing campaigns and deploy them with minimal efforts.
"With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today," Microsoft 365 Defender Threat Intelligence Team said in a Tuesday report.

Researchers compile list of vulnerabilities abused by ransomware gangs
Date: 2021-09-18
Author: Bleeping Computer

Security researchers are compiling an easy-to-follow list of vulnerabilities ransomware gangs and their affiliates are using as initial access to breach victims' networks.
All this started with a call to action made by Allan Liska, a member of Recorded Future's CSIRT, on Twitter over the weekend. Since then, with the help of several other contributors that joined his efforts, the list quickly grew to include security flaws found in products from over a dozen different software and hardware vendors.


ESB-2021-3190 - Cisco IOS XE Software multiple vulnerabilities

Cisco IOS XE is currently experiencing technical difficulties - those difficulties? A range of quite serious vulnerabilities, ranging from unauthenticated code execution to DoS, all warranting a patch.

ESB-2021-3162 - VMSA-2021-0020 - VMware vCenter Server updates address

Security bugs in VCenter server that were privately disclosed to VMWare have been classified as "critical" after it was discovered they were, in fact, critical.

ASB-2021-0183-2 - Microsoft Patch Tuesday update for Azure for September 2021

It was good to see Microsoft stay consistent this week - both in the sense patch Tuesday came and went, and that we were spoiled with an assortment of privilege escalation and code execution vulnerabilities.

ESB-2021-3099-2 - Apple security update for iOS 14.8 and iPadOS 14.8

Apple announced some not-so-fun vulnerabilities for iOS and iPadOS this week - malicious applications are capable of executing code with kernel privileges, and interestingly one vulnerability permitted this over a Bluetooth connection.

ESB-2021-3212 - iOS 12.5.5 Vulnerabilities

Apple's at it again with the vulnerabilities, having identified a number of serious issues with iOS 12.5.5 that are actively being exploited.


Stay safe, stay patched and have a good weekend!

The AusCERT team