Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.
Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.
Businesses hacked through SonicWall’s Email Security flaws
Researchers have found evidence that hackers have exploited three severe zero-day vulnerabilities in SonicWall’s Email Security platform to breach the network of an unidentified business.
Cyber criminals are said to have chained three flaws, CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, together to install a backdoor, access files and emails, and move across the victim’s organisation. These vulnerabilities were first discovered in March 2021, and a hotfix was made available for the first two flaws on 9 April 2021. SonicWall then released a fix for the final vulnerability this week, before disclosing details of the exploitation.
Hackers exploit Pulse Secure VPN flaws
Two major hacking groups have deployed a dozen malware families to compromise US and European organisations by exploiting vulnerabilities in Pulse Secure’s VPN platform.
Tracked as CVE-2021-22893, the critical remote code execution flaw in Pulse Connect Secure is rated a maximum of ten on the threat severity scale. It was chained with other previously known flaws in Pulse Secure products to infiltrate a series of organisations, including those in the US defence sector. An alert issued by the Cybersecurity and Infrastructure Security Agency (CISA) confirmed multiple government agencies and critical organisations in the US were breached.
Ivanti, Pulse Secure’s parent company, has released a number of mitigations, although a full patch won’t be available until next month. The purpose of the hack, and its scale, isn’t fully clear, although FireEye researchers have linked the attack to Chinese state-backed groups.
Telegram used to remotely control ToxicEye malware
Hackers are using the Telegram instant messaging app to remotely control and distribute several malware families, including ToxicEye.
Researchers with Check Point Research (CPR) have so far found evidence of more than 130 cyber attacks involving ToxicEye that were managed through Telegram. Telegram-based malware is a growing trend and coincides with the app’s increasing popularity.
This approach allows hackers to send malicious commands and operations through the app, even if Telegram isn’t installed or being used by the victim. Attackers simply begin the process by creating a Telegram account and a dedicated bot. They then execute commands to spread the malware through spam campaigns as well as through email attachments.
Benefits of using Telegram include the fact it’s a legitimate and easy-to-use app that isn’t blocked by any enterprise security software or network management tools. Anonymity also means that attackers are difficult to identify, given you only need a phone number to create an account. Unique features in Telegram also mean attackers can easily exfiltrate data from victims’ PCs and transfer new malicious files to infected machines.
Google fixes another actively exploited Chrome bug
Google patched seven vulnerabilities this week including another zero-day flaw that has been actively exploited, adding to a growing list of flaws in the web browser that hackers have hijacked this year.
Tracked as CVE-2021-21224, this vulnerability was described as “type confusion in V8”, although the precise attack mechanism or the consequences of successful exploitation weren’t disclosed. This bug follows two more Google Chrome flaws that were patched in recent months, including CVE-2021-21220 and CVE-2021-21166, both described as memory corruption bugs.