Security Snacks #16 – Baron Samedit bug, Zhang Guo deception, SAP attacks & DDoS via RDP

Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.

After witnessing state-sponsored threat actors targeting a slew of security vendors, we’re now learning about an even more brazen campaign: an elaborate state-sponsored social engineering attack targeting prominent security researchers and probably involving a Chrome zero-day exploit.

Other noteworthy news this week includes three Apple iOS zero-days, critical SAP and RDP bugs all being exploited in the wild, plus a newly discovered 10-year-old security vulnerability in Sudo impacting most Unix- and Linux-based systems.

Intigriti News

Notable Security News

New campaign targeting security researchers

Google TAG identified an elaborate social engineering campaign, attributed to North Korea, targeting security researchers. To establish credibility, the attackers created a technical blog containing write-ups of public vulnerabilities and used fake social media personas (e.g. ‘James Willy’, ‘Zhang Guo’, and ‘Billy Brown’…). They contacted well-known researchers via social media or email and offered to collaborate on vulnerability research. Then they sent the researchers a malware-laced Visual Studio project to take control of their machines.

A second attack vector was the attackers’ fake blog. It hosted malicious code that infected the victims’ systems simply by being visited. Since some of the victims were running a fully patched Chrome browser, this suggests that Chrome zero-days were probably used.

The campaign was also noticed by Microsoft, which tracks the same threat actor as ZINC and shared a technical blog post confirming Google’s findings.

10-year-old Sudo bug lets Linux users gain root-level access

Security researchers from Qualys discovered a critical privilege escalation flaw in Sudo. CVE-2021-3156, nicknamed “Baron Samedit” (a contraction of Baron Samedi and sudoedit), is a heap overflow bug that allows any unprivileged user to gain root privileges and take over the system. It affects all Sudo versions released in the past ten years and most Unix- and Linux-based operating systems. Patching as soon as possible is recommended, considering that we’ll likely soon see public exploits and in-the-wild exploitation.
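A quick way for defenders to find out whether a host still needs the Sudo patch is to compare the installed version against the affected ranges. The script below is an added example written for this digest; it is not from Qualys or the Sudo project. The affected ranges (1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1, fixed in 1.9.5p2) are taken from the Qualys/Sudo advisory rather than from the text above, and the `sudo --version` output embedded in it is a constructed sample. It also runs the behavioural test the advisory recommends (`sudoedit -s /`, which prints a `usage:` line on a patched build and a `sudoedit:` error on a vulnerable one) when invoked with `--check-host`, because distributions backport fixes without bumping the version string, so a version comparison alone can report a false positive.

```shell
#!/bin/sh
# Added example (not from the digest): classify a sudo version string against
# the ranges the advisory for CVE-2021-3156 lists as affected.
#   Affected: 1.8.2 .. 1.8.31p2 and 1.9.0 .. 1.9.5p1.  Fixed in 1.9.5p2.
# Caveat: distro packages backport fixes without changing the version, so a
# "vulnerable" verdict from the version alone means "check further".

# Constructed sample of what `sudo --version` prints on an unpatched host.
SAMPLE_SUDO_OUTPUT='Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46'

# Extract the bare version ("1.8.31") from `sudo --version` output.
parse_sudo_version() {
    printf '%s\n' "$1" | awk '/^Sudo version/ { print $3; exit }'
}

# Normalise "1.8.31p2" into four numeric fields "1 8 31 2" so each part can
# be compared numerically; a missing patch level counts as 0. Anything after
# the first character that is not a digit, dot or 'p' (e.g. "-1ubuntu4")
# is dropped.
version_fields() {
    printf '%s\n' "$1" \
        | sed -e 's/[^0-9.p].*$//' -e 's/p/./' \
        | awk -F. '{ printf "%d %d %d %d\n", $1, $2, $3, $4 }'
}

# Print -1, 0 or 1 depending on whether version $1 is <, = or > version $2.
version_cmp() {
    awk -v a="$(version_fields "$1")" -v b="$(version_fields "$2")" 'BEGIN {
        n = split(a, x, " "); split(b, y, " ")
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) { print -1; exit }
            if (x[i] + 0 > y[i] + 0) { print 1; exit }
        }
        print 0
    }'
}

# Return 0 (true) if the version lies inside one of the affected ranges.
sudo_version_vulnerable() {
    v="$1"
    if [ "$(version_cmp "$v" 1.8.2)" -ge 0 ] && [ "$(version_cmp "$v" 1.8.31p2)" -le 0 ]; then
        return 0
    fi
    if [ "$(version_cmp "$v" 1.9.0)" -ge 0 ] && [ "$(version_cmp "$v" 1.9.5p1)" -le 0 ]; then
        return 0
    fi
    return 1
}

# Live check of the current host, only when explicitly requested.
if [ "${1:-}" = "--check-host" ]; then
    ver=$(parse_sudo_version "$(sudo --version 2>/dev/null)")
    if sudo_version_vulnerable "$ver"; then
        echo "sudo $ver: version is in an affected range"
    else
        echo "sudo $ver: version is outside the affected ranges"
    fi
    # Behavioural test from the advisory: a patched sudoedit answers with a
    # usage line, an unpatched one with a "sudoedit:" error. Run as a
    # non-root user.
    case "$(sudoedit -s / 2>&1 | head -n 1)" in
        usage:*)    echo "sudoedit behaviour: patched" ;;
        sudoedit:*) echo "sudoedit behaviour: VULNERABLE" ;;
        *)          echo "sudoedit behaviour: inconclusive" ;;
    esac
fi
```

Run it with `--check-host` on a machine to get both verdicts; the behavioural line is the one to trust when the two disagree, since it reflects the code actually installed rather than the package label.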

New SAP Exploit Published Online: How to Stay Secure?

CVE-2020-6207 is a Missing Authentication Check vulnerability in SAP Solution Manager that was made public last year. It allows unauthenticated remote attackers to take over vulnerable systems with admin privileges. Onapsis Research Labs, which initially discovered the bug, warns that attackers are currently and actively scanning for it, and has shared recommendations for securing SAP systems against this.

DDoS Attackers Exploit Vulnerable Microsoft RDP Servers

Microsoft Remote Desktop Protocol (RDP) is intended to provide authenticated remote access to Windows workstations and servers. Netscout found that RDP services configured to run on UDP port 3389 can be abused to amplify Distributed Denial of Service (DDoS) attacks. This has been weaponized and is being exploited by DDoS-for-hire services. The attack can be mitigated either by disabling UDP access to the service or by placing RDP servers behind a VPN.

Apple says iOS 14.4 fixes three security bugs ‘actively exploited’ by hackers

Apple fixed three new iOS zero-days exploited in the wild. One affects the operating system kernel and allows privilege escalation; the other two affect WebKit and make remote arbitrary code execution possible. Apple has yet to disclose more details. In the meantime, iOS users should keep their devices updated.

Other Interesting News