Posts

Showing posts from July, 2021

Apple Patches Another Actively Exploited Zero-Day

Apple has patched yet another zero-day bug on Monday. An anonymous researcher found the bug in both Apple's iOS and macOS platforms, where it was allowing attackers to take over affected systems. The bug, tracked as CVE-2021-30807, is found in the IOMobileFrameBuffer extension in both iOS and macOS and has been fixed in a separate update for each platform. The three updates provided by Apple are iOS 14.7.1, iPadOS 14.7.1, and macOS Big Sur 11.5.1. Actors exploiting the vulnerability are able to "execute arbitrary code with kernel privileges", reported Apple in their update documentation. Apple stated that they were aware of reports that threat actors were exploiting this vulnerability in the wild. While the bug was officially reported to Apple by an anonymous security researcher, Saar Amar of the Microsoft Security Response Center (MSRC) tweeted additional details that he had discovered on the flaw some months ago but hadn't yet reported his findings to Apple. Saar describes the vul...

MS Teams Auto Blocks Phishing Attempts

Safe Links, featured in Microsoft Defender for Office 365, provides URL scanning and rewriting of inbound emails and time-of-click verification of URLs and links in emails and other locations. Microsoft recently extended this feature to Teams in order to better protect users from URL-based phishing attempts. Teams' popularity in the past couple of years has skyrocketed, specifically in the last 18 months since the COVID-19 pandemic began and employees transitioned to remote work. "Safe Links in Defender for Office 365 scans URLs at the time of click to ensure that users are protected with the latest intelligence from Microsoft Defender", says Microsoft. Safe Links protection, available to all Teams users, works for links in conversations, group chats and Teams channels. By default, there is no Safe Links policy enabled, so users will need to create one in order to leverage this new protection. In order to do so, users will need to navigate to their Microsoft 365 Defender por...

Sage X3 RCE Bugs - CVE-2020-7387 to 7390

Security researchers recently uncovered four nasty bugs in the Sage X3 enterprise resource planning (ERP) platform. The platform is targeted at mid-sized companies, specifically in the manufacturing and distributor space, who are looking for an all-encompassing ERP platform. The platform manages multiple critical sectors of business like sales, inventory, finance, purchasing and other customer-related functionalities. Researchers at Rapid7, including Jonathan Peterson, Aaron Herndon, Cale Black, Ryan Villarreal, and William Vu, discovered the bugs (CVE-2020-7387 through -7390) and said that the most severe of the flaws exist in the remote administrator function of the ERP. The team came to the conclusion that there could be supply-chain ramifications as a result of threat actors leveraging these bugs, much like what was seen with the SUNBURST/SolarWinds attack or the initial reports of the Kaseya attacks. The Vulnerabilities: From top to bottom, the first two vulnerabilities in the table b...

Kaseya Not a Supply-Chain Attack

It seems root cause attribution was incorrect: Kaseya has just ruled out the recent compromise of client networks as a supply-chain attack, attributing it instead to direct exploitation of a zero-day vulnerability (CVE-2021-30116). Initial reports raised speculation that the REvil ransomware gang was behind the attack and might have obtained backend infrastructure access at Kaseya and abused it to deploy malicious payloads by way of updates to customers using VSA servers, similar to the SolarWinds/SUNBURST supply-chain attack. "The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution," Kaseya stated. "This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. There is no evidence that Kaseya's VSA codebase has been maliciously modified." Essentially, they're saying that while the zero-day exploitation on Kaseya VSA software ...

Microsoft Emergency Patch for PrintNightmare

Microsoft released an out-of-band update yesterday for multiple Windows versions in order to address CVE-2021-34527, the second of two flaws which have been coined PrintNightmare by security professionals. The latest fix, however, does not fully address the issue and looks to only fix the RCE variants of PrintNightmare. The local privilege escalation variant does not appear to be addressed. The full advisory by the Cybersecurity Infrastructure and Security Administration (CISA) can be accessed here. Additionally, the provided updates do not cover Windows 10 version 1607, Windows Server 2012 or Windows Server 2016. These are to be addressed at a later time, per the CERT Coordination Center (CERT/CC). The Vulnerabilities: Last Tuesday, a proof-of-concept exploit for the initial PrintNightmare vulnerability (CVE-2021-1675) was uploaded to GitHub and showed how a threat actor could exploit the flaw to compromise an affected system. It was taken down within hours, but the code had alr...

Kaseya Update: Hundreds to Thousands of Businesses Affected

To expand on my previous entry regarding the initial disclosure and understanding of the Kaseya supply-chain attack by REvil ransomware operators, I wanted to provide some of the available information we have on affected businesses. Kaseya reported to the public that the attack resulted in the breach of roughly 60 direct customers' systems using the VSA on-premises product. Further downstream, Kaseya adds another 1,500 victims whose networks were being managed by those direct MSP customers. As of their press release yesterday, Kaseya has asserted that the attack "had limited impact" and that "only approximately 50 of the more than 35,000" customers were affected. Kaseya stated that of the approximately 800,000 to 1,000,000 small businesses that are being managed by Kaseya customers, roughly 800 to 1,500 have been compromised. While this number seems low in comparison to the whole customer base, it's still a staggering number of potential compromises, ransoms, and...

Kaseya VSA Supply-Chain Attack: Everything We Know...so far

On July 2nd, 2021, the IT management software company Kaseya disclosed to the public that they had a security incident on their hands impacting the on-premises version of Kaseya's Virtual System Administration (VSA) platform. Kaseya VSA is a cloud-based MSP platform used by customers to perform patch management and monitoring for clients. The company issued a security advisory warning customers to immediately shut down their VSA server to keep from propagating the malware. "We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today. We are in the process of investigating the root cause of the incident with an abundance of caution, but we recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us. It's critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA." Security...