SSD’s Security Disclosure weekly news recap — April 7, 2021

Imriah
SSD Secure Disclosure
5 min read · Apr 7, 2021

In this edition, we’ll give new updates on the North Korean campaign targeting security researchers, Chinese police arresting the biggest video game cheats syndicate, the FBI and CISA warning about hackers abusing Fortinet flaws, and our CVE of the week: an SSRF vulnerability found in VMware’s vRealize.

New Updates to the Campaign Targeting Security Researchers

These are updates to a campaign that we spoke about in February. This campaign was launched by a North Korean-backed hacker group that used fake profiles to try to steal vulnerability research from security researchers and use it to carry out attacks.

Last week, Google's Threat Analysis Group posted that these hackers had launched another campaign using a fake company called “SecurElite”. It was advertised as an offensive security company based in Turkey that offers pentests, software security assessments, and exploits.

The hacker group had also opened more social media profiles posing as fellow security researchers and recruiters to lure their potential victims.

Similarly to the campaign in January, the website and fake profiles provided links that contained a browser exploit for Internet Explorer that would attempt to compromise security researchers visiting their website.

Google reported the fake profiles and added the website to Google Safe Browsing, but they still ask anyone who has additional information about this campaign to report it to Google.

Chinese Police Arrested the Biggest Video Game Cheats Syndicate

The arrested syndicate operated several websites that sold game cheats in exchange for cryptocurrency. The main website sold a cheat program for “Game for Peace”, the Chinese version of PUBG Mobile.

The “Game for Peace” cheat was dubbed “Chicken Drumstick” and gave gamers abilities such as automatic aiming or seeing through walls. Cheats like this helped the syndicate obtain over 100 million dollars in cryptocurrency, which made them a target for the Chinese police.

With the help of the tech giant Tencent, police arrested the main operators of this syndicate in an operation that spanned 6 provinces and 17 websites.

One of the arrested perpetrators was found in possession of more than 5.2 million dollars in cryptocurrency and several luxury cars, including a Rolls-Royce and a Lamborghini.

Further investigations are underway to find other perpetrators outside China. For now, these perpetrators have been charged with illegally providing programs and tools for the intrusion and manipulation of computer information systems.

Hackers Abusing Fortinet’s SSL VPN Flaws

The FBI and CISA are warning against hackers using three relatively old Fortinet vulnerabilities to breach government and commercial networks.

Fortinet is a security company that provides many cybersecurity solutions to clients around the world. One of its products is FortiOS, the operating system that runs on its appliances.

Last week, the FBI and CISA warned that nation-state hackers are looking for unpatched versions of FortiOS to gain access to companies’ and governments’ systems.

The attackers in this case are abusing 3 known and patched vulnerabilities (CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812). These vulnerabilities can allow attackers to download system files, intercept sensitive information, and bypass authentication in FortiOS’s SSL VPN.

Both the FBI and CISA say that these attacks are part of a growing trend in the past year of attacking VPNs, as more and more people work from home. They also advise Fortinet users to patch their FortiOS.

CVE-2021-21975 — Server Side Request Forgery in vRealize

Our CVE of the week is a server-side request forgery in VMware’s vRealize.

Last Tuesday, VMware released patches updating their AI-powered IT management program, vRealize. This program manages IT operations for private, hybrid, and multi-cloud environments using one AI-powered platform.

The vulnerability in this program was found by a Positive Technologies security researcher, Egor Dimitrenko. He discovered a pre-authentication server-side request forgery in vRealize Manager API.

A server-side request forgery vulnerability allows attackers to induce the server-side application to make HTTP requests to an arbitrary domain of their choosing. In this case, the vulnerability could allow attackers to steal administrative credentials without requiring authentication or user interaction.
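To make the SSRF risk described above concrete from the defender’s side, here is an added example (not code from the original post, and not related to vRealize’s implementation) of the kind of outbound-URL validation a server-side fetcher should apply: an allowlist of hosts, scheme restriction, and a post-resolution check that the name does not point at loopback, private or link-local ranges. The allowlist entries and the stub resolver used in the demo are constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist of hosts this service is permitted to call (assumption).
ALLOWED_HOSTS = {"api.example.com", "updates.example.com"}


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve(host: str) -> set:
    """Resolve a hostname to its IP addresses (replace with a stub for offline tests)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_outbound_url(url: str, resolver=resolve) -> str:
    """Return the URL if the server may fetch it, otherwise raise ValueError."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username or parsed.password:
        raise ValueError("credentials in URL are not allowed")
    host = parsed.hostname
    if not host:
        raise ValueError("missing host")
    if host.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host!r}")
    # Check again after DNS resolution: even an allowlisted name must not
    # resolve to internal ranges (misconfiguration or DNS rebinding).
    for ip in resolver(host):
        if not is_public_address(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return url


def is_allowed(url: str, resolver=resolve) -> bool:
    """Boolean convenience wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed stub resolver so the demo runs offline.
    stub = lambda h: {"api.example.com": {"93.184.216.34"}}.get(h, set())
    print(is_allowed("https://api.example.com/v1/status", stub))   # True
    print(is_allowed("http://127.0.0.1:8080/admin", stub))         # False
```

Resolving and re-checking the address is the step most naive validators skip; an allowlist alone does not help once an allowlisted name is pointed at an internal address.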

This vulnerability has been rated high risk since it is easy to execute, but luckily VMware hasn’t found examples of it being exploited in the wild — just yet — so we advise you to patch as soon as possible.

Want to Be Part of the News?

At SSD, we help security researchers turn their skill in uncovering security vulnerabilities into a career. Designed by researchers, for researchers, SSD provides the fast response and support needed to get zero-day vulnerabilities and disclosures reported to vendors and to get researchers the compensation they deserve. We help researchers get to the bottom of vulnerabilities affecting major operating systems, software, or devices.

We are constantly publishing our findings, intended to educate our global security researcher community. You can find more vulnerabilities on our Advisories page. If you have findings of your own, you can send them to us using our report template.

Join the conversation:

Visit SSD

Twitter

Facebook

Youtube
