A Busy Week in Cyber Threats

It’s been a busy several days in cybersecurity. Below is an overview of the key events, followed by Assura’s take on these matters.

On October 30, Google Project Zero technical lead Ben Hawkes tweeted that they reported a Windows Kernel bug (CVE-2020-17087) that can be used for sandbox escape. It’s a buffer overflow vulnerability in the Windows Kernel Cryptography Driver, cng.sys. This coupled with a zero-day announced 10 days earlier in the desktop version of Chrome (CVE-2020-15999) would allow an attacker to break out of Chrome’s sandbox. A sandbox escape vulnerability such as this could allow an attacker to elevate privileges or potentially execute code and completely take over the victim’s system. This is highly dangerous for victims who accidentally visit a malicious website or are served a malicious web advert.

Google has released an update to Chrome, which we encourage all users to apply as soon as possible. Chrome updates tend to be stable and represent a low risk of operational disruption. Microsoft is expected to release an update to the cng.sys driver in November’s “Patch Tuesday” cycle.

On October 29, the DHS Cybersecurity and Infrastructure Security Agency (CISA), U.S. Cyber Command’s Cyber National Mission Force (CNMF) announced the discovery of the Zebrocy malware, which is being used by a “sophisticated cyber actor.” The malware runs as Windows executable files, which are designed to allow a remote operator to perform various (presumably superuser-level) functions on a compromised system.

A full analysis of the Zebrocy malware, including Indicators of Compromise (IOCs) is available here.

Another alert issued by CISA and CNMF, but this time joined by the FBI, is for a PowerShell Script called ComRAT. This malware is used by Russian-sponsored threat actor Turla, which is an espionage group active for at least a decade to exploit victim networks.

The full analysis of ComRAT, along with IOCs is available here.

The usual guidance applies to address these threats:

In the case of ComRAT, organizations also should limit users with the ability to execute PowerShell scripts and run the PowerShell console and PowerShell Integrated Scripting Environment (ISE) to those with an absolute need for these tools and rights.

On October 30, Microsoft implored both businesses and governments to update their Active Directory domain controllers to patch against the Zerologon attack. Zerologon, which was announced in August 2020, can allow an attacker to spoof a domain controller account and use it to steal domain credentials, take over the domain, and completely compromise all Active Directory identity services.

This vulnerability is being used by a new variant of the Ryuk ransomware to quickly spread throughout victim environments such as hospitals and other healthcare facilities.

This vulnerability should be patched immediately. It only needs to be applied to servers with the Domain Controller role so it should not be a heavy lift in most organizations.

While these are all severe vulnerabilities, the countermeasures to address them represent basic security practices. If you’re an Assura endpoint security client, you’re protected via our AI-based threat blocking and disablement of script execution on end-user workstations. If you’re an Assura Security Monitoring & Response customer, our SOC is on alert for these threats and is monitoring to detect known IOCs.

If you’re an Assura client, please do not hesitate to reach out to your Virtual ISO or Assura SOC point-of-contact if have questions about any of these. Otherwise, please contact us at [email protected].

Sincerely,

The Assura Team