It’s been a busy several days in cybersecurity. Below is an overview of the key events, followed by Assura’s take on these matters.
- Google announced the discovery of a zero-day privilege escalation flaw in Microsoft Windows, possibly dating back to Windows 7.
- The U.S. Department of Homeland Security, U.S. Cyber Command, and FBI announced two new malware variants used by sophisticated threat actors.
- Microsoft warned that threat actors continue to exploit the Zerologon bug in Active Directory.
Windows Zero-Day Vulnerability
On October 30, Google Project Zero technical lead Ben Hawkes tweeted that they reported a Windows Kernel bug (CVE-2020-17087) that can be used for sandbox escape. It’s a buffer overflow vulnerability in the Windows Kernel Cryptography Driver, cng.sys. This coupled with a zero-day announced 10 days earlier in the desktop version of Chrome (CVE-2020-15999) would allow an attacker to break out of Chrome’s sandbox. A sandbox escape vulnerability such as this could allow an attacker to elevate privileges or potentially execute code and completely take over the victim’s system. This is highly dangerous for victims who accidentally visit a malicious website or are served a malicious web advert.
Google has released an update to Chrome, which we encourage all users to apply as soon as possible. Chrome updates tend to be stable and represent a low risk of operational disruption. Microsoft is expected to release an update to the cng.sys driver in November’s “Patch Tuesday” cycle.
DHS/Cyber Command/FBI Announce New Malware Used by Sophisticated Threat Actors
On October 29, the DHS Cybersecurity and Infrastructure Security Agency (CISA), U.S. Cyber Command’s Cyber National Mission Force (CNMF) announced the discovery of the Zebrocy malware, which is being used by a “sophisticated cyber actor.” The malware runs as Windows executable files, which are designed to allow a remote operator to perform various (presumably superuser-level) functions on a compromised system.
A full analysis of the Zebrocy malware, including Indicators of Compromise (IOCs) is available here.
Another alert issued by CISA and CNMF, but this time joined by the FBI, is for a PowerShell Script called ComRAT. This malware is used by Russian-sponsored threat actor Turla, which is an espionage group active for at least a decade to exploit victim networks.
The usual guidance applies to address these threats:
- use quality antivirus software and keep it up to date;
- ensure systems are fully patched for security flaws;
- don’t allow users to use an account with administrator-level privileges for their day-to-day work;
- train users to be cautious when opening email attachments;
- monitor networks and systems for suspicious activities and IOCs.
In the case of ComRAT, organizations also should limit users with the ability to execute PowerShell scripts and run the PowerShell console and PowerShell Integrated Scripting Environment (ISE) to those with an absolute need for these tools and rights.
Microsoft Still Reporting Exploits of Zerologon Vulnerability in the Wild
On October 30, Microsoft implored both businesses and governments to update their Active Directory domain controllers to patch against the Zerologon attack. Zerologon, which was announced in August 2020, can allow an attacker to spoof a domain controller account and use it to steal domain credentials, take over the domain, and completely compromise all Active Directory identity services.
This vulnerability is being used by a new variant of the Ryuk ransomware to quickly spread throughout victim environments such as hospitals and other healthcare facilities.
This vulnerability should be patched immediately. It only needs to be applied to servers with the Domain Controller role so it should not be a heavy lift in most organizations.
While these are all severe vulnerabilities, the countermeasures to address them represent basic security practices. If you’re an Assura endpoint security client, you’re protected via our AI-based threat blocking and disablement of script execution on end-user workstations. If you’re an Assura Security Monitoring & Response customer, our SOC is on alert for these threats and is monitoring to detect known IOCs.
If you’re an Assura client, please do not hesitate to reach out to your Virtual ISO or Assura SOC point-of-contact if have questions about any of these. Otherwise, please contact us at [email protected]
The Assura Team