
CyberCX Security Report | February 2021


There’s no shortage of cyber-attacks making the headlines, but what do they mean for you?

At CyberCX, we keep a close eye on the news to identify reports of the latest trends, issues and exploits.

Here we present a selection of recent news stories that caught our attention, and the important lessons we can learn to keep secure.

Securing Digital Supply Chains


Even organisations with the best security systems can find themselves at risk if other organisations in their digital supply chain are vulnerable.

It was recently revealed that up to 18,000 organisations may have unknowingly installed backdoors into their networks. These organisations all use “Orion”, a network monitoring tool created by American software firm, SolarWinds.

Reports indicate that an advanced persistent threat (APT) group, likely originating in Russia, gained access to Orion servers and manipulated scheduled patches. When Orion customers ran system updates in March 2020, they unknowingly installed remote access trojan (RAT) malware that created backdoors into their networks. As Orion is a network monitoring tool, it has extensive network-wide access privileges. This allowed the attackers to penetrate deep into victims’ networks and remain undetected for many months.

Despite thousands of potential victims, it is thought that around 100 organisations were specifically targeted. This speaks to the highly targeted nature of the campaign, as well as the attackers’ efforts to stay under the radar.

It is believed those behind the breach gained extensive access to emails, user IDs, passwords, financial records, source code and highly confidential files. With SolarWinds customers including numerous US government agencies, among them the military, as well as many large enterprises, the potential damage is enormous. It is thought the breach went undetected for over six months.

The seriousness of the breach has led some to label it the Pearl Harbour of American IT.

This case demonstrates the importance of supply chain security. Orion was a known, trusted tool, and SolarWinds customers would have had no reason to suspect that an Orion update could contain such malware. However, with ongoing supply chain monitoring and auditing, organisations stand a much better chance of stopping or catching such threats. Even organisations that don’t use Orion may be connected to a third party that does, which is also a risk.

If your organisation uses Orion, you should consider deactivating the software and engaging professionals to investigate whether you have been breached and whether any backdoors into your network can be identified. Going forward, all organisations should have regular independent assessments of their digital supply chain to help identify potential third-party risks.

Chrome Updates


Ironically, the most widely used applications are also the ones that many people forget to update.

Few applications are as widely used as Google’s Chrome browser. Chrome usually runs updates automatically in the background approximately every six weeks. Most users don’t think about checking to ensure they are using the latest version.

However, given the recent release of 16 security patches, and the fact that the United States Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert to urgently update Chrome web browsers, it’s worth ensuring that all the computers in your environment are running the latest version.

As mentioned, Google recently released 16 security fixes in Chrome version 87.0.4280.141 for Windows, Mac and Linux, 15 of which address High Severity vulnerabilities. If left unpatched, these could leave the way open for remote code execution in the privilege context in which Chrome is running.

13 of these vulnerabilities were identified by external bug-bounty hunters, with Google awarding more than $110,000 to the researchers:

CVE Description
CVE-2021-21106 Use after free in autofill in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2021-21107 Use after free in drag and drop in Google Chrome on Linux prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2021-21108 Use after free in media in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2021-21109 Use after free in payments in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2021-21110 Use after free in safe browsing in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
CVE-2021-21111 Insufficient policy enforcement in WebUI in Google Chrome prior to 87.0.4280.141 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.
CVE-2021-21112 Use after free in Blink in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-21113 Heap buffer overflow in Skia in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-21114 Use after free in audio in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-21115 Use after free in safe browsing in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2021-21116 Heap buffer overflow in audio in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2020-16043 Insufficient data validation in networking in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to bypass discretionary access control via malicious network traffic.
CVE-2020-15995 Out of bounds write in V8 in Google Chrome prior to 86.0.4240.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

To ensure you’re running the updated Chrome, simply select “About Google Chrome” from the Help menu under the vertical ellipsis at the upper right corner of the browser. A tab will open showing the browser version and should automatically run an update if required. Chrome is currently running version 88 for Windows, Mac and Linux. Updated Android and iOS browsers can be found in the Google Play and App Store, respectively.
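Checking one browser by hand is fine for a laptop; for a fleet you need to compare collected version strings against the fixed-in builds. The following script is an added example (not from the CyberCX report) that takes the fixed-in versions from the CVE table above and reports, for a constructed inventory of hypothetical hosts, which of the listed CVEs each Chrome build still lacks a fix for.

```python
import re
from typing import Dict, List, Tuple

# Fixed-in Chrome builds for each CVE, taken from the table above.
FIXED_IN: Dict[str, Tuple[int, ...]] = {
    "CVE-2021-21106": (87, 0, 4280, 141),
    "CVE-2021-21107": (87, 0, 4280, 141),
    "CVE-2021-21108": (87, 0, 4280, 141),
    "CVE-2021-21109": (87, 0, 4280, 141),
    "CVE-2021-21110": (87, 0, 4280, 141),
    "CVE-2021-21111": (87, 0, 4280, 141),
    "CVE-2021-21112": (87, 0, 4280, 141),
    "CVE-2021-21113": (87, 0, 4280, 141),
    "CVE-2021-21114": (87, 0, 4280, 141),
    "CVE-2021-21115": (87, 0, 4280, 141),
    "CVE-2021-21116": (87, 0, 4280, 141),
    "CVE-2020-16043": (87, 0, 4280, 141),
    "CVE-2020-15995": (86, 0, 4240, 99),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the four-part Chrome build number from strings such as
    'Google Chrome 88.0.4324.96' (the --version output) or a bare '87.0.4280.88'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(p) for p in m.groups())

def unpatched_cves(version: str) -> List[str]:
    """Return the CVEs from the table whose fix this build does not include.
    Integer tuples compare component-wise, so 87.0.4280.88 < 87.0.4280.141."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < fixed)

def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host to its outstanding CVEs; fully patched hosts are omitted."""
    return {h: cves for h, ver in inventory.items() if (cves := unpatched_cves(ver))}

# Constructed sample inventory: hypothetical host names and version strings.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 88.0.4324.96",
    "ws-02": "87.0.4280.88",
    "ws-03": "86.0.4240.75",
    "ws-04": "87.0.4280.141",
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: missing {len(cves)} fixes -> {', '.join(cves)}")
```

In practice the inventory would be populated from your endpoint management tool or from `google-chrome --version` output collected per host.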

We strongly urge all Chrome users never to turn off automatic Chrome updates. Security vulnerabilities in browsers can put you at risk, and Chrome has a decent track record of issuing patches on a regular basis to address any identified vulnerabilities.
