SSD’s Security Disclosure weekly news recap — April 14, 2021

In this edition: updates on the abuse of the Fortinet flaws we discussed last week, three major social network leaks, a new Android malware that spreads by creating auto-replies to WhatsApp messages, and our CVE of the week: a pre-auth RCE found in a QNAP QTS plugin.

First, some updates to the Fortinet story we covered last week. The FBI and CISA warned that hackers are abusing three relatively old Fortinet vulnerabilities to breach government and commercial networks.

New updates revealed that one of these vulnerabilities was used by the Cring ransomware to infect and shut down 2 manufacturing plants in Italy.

Cring is ransomware that takes hold of networks by exploiting long-patched vulnerabilities to extract a domain's administrator credentials. After infecting the system, Cring encrypts the stolen data and leaves a ransom note, which in this case asks for 2 Bitcoins in exchange for the stolen data.

In this case, Cring abused an already patched vulnerability in Fortinet (CVE-2018-13379) which allows unauthenticated attackers to obtain a session file containing the username and password for the VPN.

It did this by infecting one of the company's employee PCs in Germany, then moving on to infect the whole server, which caused the shutdown of both plants.

As we mentioned, the attackers are abusing vulnerabilities that have already been patched, so it is critical to apply these updates as soon as possible.

A terrible week for social media, with Facebook, LinkedIn, and Clubhouse all experiencing major data leaks.

Facebook and LinkedIn each reported data leaks affecting over half a billion users; Mark Zuckerberg's phone number was among the leaked Facebook data. Clubhouse had a smaller leak of only 1.3 million users, but given the platform's smaller size this is still a major leak for it.

The data included users' IDs, full names, phone numbers, and email addresses, and is reported to be on sale on an illegal hacking website, with the Clubhouse data being given away for free.

Experts warn that this data could be used to execute sophisticated phishing attacks that combine data from multiple leaks, and in some cases to brute-force users' passwords.

We advise you to be careful with suspicious emails and to check whether your data was included in these leaks in order to protect yourself.

Check Point Research recently published findings on malware hidden in a fake application on Google Play that is capable of spreading itself via users' WhatsApp messages.

WhatsApp, the most popular messaging app in the world, has over 2 billion users, making it a big target for hackers and malware authors, such as the ones who created this malware and equipped it with new techniques for spreading itself and for manipulating or stealing data from trusted applications such as WhatsApp.

Once this malware is downloaded from the Play Store and installed, it starts a service that requests the 'Overlay', 'Battery Optimization Ignore', and 'Notification' permissions. With these permissions, the threat actors can distribute phishing attacks, spread false information, or steal credentials and data from users' WhatsApp accounts.

Users should be wary of downloading links or attachments that they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups.

Our CVE of the week is a pre-auth RCE in the QNAP QTS Surveillance Station plugin.

This vulnerability was reported to SSD by an independent researcher who discovered that a memory corruption vulnerability can lead to pre-auth RCE in QNAP QTS's Surveillance Station plugin. This plugin allows you to watch a live view or a playback recording of your Surveillance Station cameras.

The vulnerability is caused by a lack of proper bounds checking and could allow an attacker to overflow a stack buffer with a specially crafted HTTP request. This overflow could then be exploited to run arbitrary code on the system and compromise it.
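To make the "lack of proper bounds checking" concrete, here is an added example that is not the QNAP code and not part of SSD's advisory: a small handler that copies an HTTP query parameter into a fixed-size stack buffer, shown in the flawed form (copy length taken from the request) next to the hardened form (value rejected before any copy if it does not fit). The endpoint path, the `camera` parameter, the 16-byte buffer and the sample request lines are all constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not QNAP's code: how a missing bounds check on an HTTP
 * parameter becomes a stack buffer overflow, and the check that prevents it.
 * Endpoint, parameter name and buffer size are assumptions for illustration. */

#define CAM_ID_MAX 16   /* fixed-size stack buffer for a camera identifier */

/* Constructed sample request lines (not captured traffic). */
const char *REQ_OK       = "GET /cgi-bin/view.cgi?camera=cam01&t=live HTTP/1.1";
const char *REQ_OVERSIZE = "GET /cgi-bin/view.cgi?camera="
                           "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1";

/* Locate `key=` in the query string of a request line. Returns a pointer to
 * the value and stores its length (up to '&' or ' ') in *len; NULL if absent. */
const char *find_param(const char *req, const char *key, size_t *len) {
    const char *q = strchr(req, '?');
    if (q == NULL) return NULL;
    size_t klen = strlen(key);
    for (const char *p = q + 1; *p != '\0' && *p != ' '; ) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            *len = strcspn(v, "& ");
            return v;
        }
        p += strcspn(p, "& ");          /* skip this name=value pair */
        if (*p == '&') p++;
    }
    return NULL;
}

/* Flawed pattern: the copy length comes from the request, not from the
 * destination size, so a long value overruns the 16-byte stack buffer.
 * Shown only for contrast; it is never called below. */
int get_camera_id_unsafe(const char *req, char out[CAM_ID_MAX]) {
    size_t len;
    const char *v = find_param(req, "camera", &len);
    if (v == NULL) return -1;
    memcpy(out, v, len);                /* BUG: no comparison with CAM_ID_MAX */
    out[len] = '\0';                    /* writes past `out` when len >= CAM_ID_MAX */
    return 0;
}

/* Hardened version: reject any value that does not fit, including the
 * terminating NUL, before touching the buffer. Returns 0 on success,
 * -1 if the parameter is absent, -2 if it is too long. */
int get_camera_id_safe(const char *req, char out[CAM_ID_MAX]) {
    size_t len;
    const char *v = find_param(req, "camera", &len);
    if (v == NULL) return -1;
    if (len >= CAM_ID_MAX) return -2;   /* the bounds check the flawed version lacks */
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* Convenience check: does the hardened parser accept `req` and yield `expected`? */
int safe_yields(const char *req, const char *expected) {
    char id[CAM_ID_MAX];
    int rc = get_camera_id_safe(req, id);
    return rc == 0 && strcmp(id, expected) == 0;
}

int main(void) {
    char id[CAM_ID_MAX];
    int rc = get_camera_id_safe(REQ_OK, id);
    printf("normal request:   rc=%d id=\"%s\"\n", rc, rc == 0 ? id : "");
    printf("oversize request: rc=%d (rejected before any copy)\n",
           get_camera_id_safe(REQ_OVERSIZE, id));
    return 0;
}
```

The point of the contrast is where the length comes from: in the flawed handler it is whatever the client sent, in the hardened one it is compared against the destination size first, so an oversized value produces an error code instead of overwriting the stack.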

SSD reported the vulnerability to QNAP, who fixed it and released patches. If you're using this plugin, we advise patching it as soon as possible.

Want to Be Part of the News?

At SSD, we help security researchers turn their skills in uncovering security vulnerabilities into a career. Designed by researchers, for researchers, SSD provides the fast response and support needed to get zero-day vulnerabilities and disclosures reported to vendors and to get researchers the compensation they deserve. We help researchers get to the bottom of vulnerabilities affecting major operating systems, software, or devices.

We are constantly publishing our findings, intended to educate our global security researchers' community. You can find more vulnerabilities on our Advisories page. If you have findings of your own, you can send them to us using our report template.

Join the conversation:

Visit SSD

Twitter

Facebook

Youtube


Disclosing vulnerabilities responsibly since 2007
