This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends. In this issue, vulnerabilities continue to plague the global threat landscape. Part of protecting our clients is also promoting good security practices and raising awareness of current security trends, boosting your overall understanding of current breaches.
CISCO Critical Security Flaw Detected
Cisco has addressed a critical security flaw in its Application Centric Infrastructure (ACI) Multi-Site Orchestrator that could allow perpetrators to bypass security authentication on vulnerable devices. An attacker could exploit this vulnerability by sending a crafted request to the affected API. A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices. This is a classic example of a privilege escalation attack, which eventually leads to a strong foothold on the network from an attacker’s perspective. The bug, tracked as CVE-2021-1388, ranks 10 (out of 10) on the CVSS vulnerability scoring system and stems from an improper token validation in an API endpoint of Cisco ACI MSO installed the Application Services Engine. It affects ACI MSO versions running a 3.0 release of the software.
It was discovered that the flaw was due to insufficient access controls for an API running in the data network. Cisco discovered these vulnerabilities as part of its internal security testing and urges its customers to quickly mitigate them. Cisco also confirmed that no malicious attempts exploiting the vulnerability have been observed yet. CTRL Group recommends implementing risk-based patch management across the organisation so that the most critical vulnerabilities are prioritised. This would remediate any zero-day attacks and vulnerabilities thereby improving the security posture of the organisation.
Malformed URL Prefix Phishing Attacks Bypassing Email Security
A new phishing campaign has been detected that uses malformed URL prefixes to bypass email security solutions and reach their intended target. Rather than using of standard URL protocols HTTP:// or HTTPS:// , the domain linked in the phishing email used HTTP:/\ (forward slash, backslash). Most browsers assume that user accidentally type ‘/\’ so they automatically ‘fix’ it and take the user to the malicious destination. By hiding phishing information in the prefixes of URLs, attackers can send what looks like a link to a legitimate website, free of misspellings and all, with a malicious address hidden in the prefix of the link. Phishing attempts using these malformed URL prefixes increased by roughly 6000 per cent between early January to early February.
The campaigns targeting Office 365 credentials direct email recipients to a fake Microsoft Office 365 login page that is nearly identical to the genuine login page. The website even includes a reCAPTCHA, a common security feature of legitimate websites. If an unsuspecting user tried to log in on this page, they would be providing the attackers with their credentials which would give them access to their email contact lists and other sensitive data found in their cloud storage.
The first step is to set email filtering to look for “http:/\” and remove all matches. Whilst this may lead to false positives if someone makes a typo, an occasional mistake is worth having to resend a message when individual and organisational security is on the line. Employees are getting better at identifying misspellings and malicious domains, however, they may not recognise a malformed URL prefix, which is often not displayed in the browser. To help employees detect phishing scams, organisations must provide security awareness training on how to spot suspicious URL prefixes, block the sender and delete the message. As a final measure, multi-factor authentication should always be enabled to prevent attackers from gaining access.
VMWare Patches Critical RCE Flaw in vCenter Server
VMware has patched multiple vulnerabilities in its virtual-machine infrastructure for data centres that may allow attackers to execute an arbitrary command and take control of affected systems. Positive technologies researcher Klyuchnikov who discovered RCE vulnerabilities said that this is due to attackers being able to upload unauthorised files such as java server page scripts to VMware servers, enabling the execution of arbitrary commands with elevated privileges. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
The vulnerability, tracked as CVE-2021-21972, has a CVSS score of 9.8 out of 10 on the vulnerability-severity scale. The plugin is available in all default installations – potentially giving attackers a wide attack surface – and vROPs need not be present to have this endpoint available, according to VMware. With this access in place, the attacker can then successfully move through the corporate network and gain access to the data stored in the vulnerable system, such as information about virtual machines and system users.
A second vulnerability (CVE-2021-21973, CVSs score 5.3) allows unauthorised users to send POST requests, permitting an adversary to mount further attacks, including the ability to scan the company’s internal network and retrieve specifics about the open ports of various services.
VMware advised customers to install all updates provided on affected deployments to remediate the threat the vulnerabilities pose. The company also provided a workaround (https://kb.vmware.com/s/article/82374) for those who can’t immediately update their systems