Security Wrap-Up (June 23rd, 2021)

Happy Wednesday, everyone! We have some new security updates and topics for you to sink your teeth into. Check them out -

Strange malware stops you from visiting pirate websites
Last Thursday, Sophos researchers uncovered a malware campaign whose purpose is to “block[ing] infected users from being able to visit a large number of websites dedicated to software piracy.” Some samples were buried in archives disguised as software packages promoted through the Discord chat service; others are distributed via torrent. The malware hides behind numerous software brands, games, productivity tools, and even cybersecurity products, so it is aimed at a broad group of people who would rather not pay for a software license. When the malware’s executable is double-clicked, a pop-up claims the victim’s system is missing a crucial .DLL file. In the background, the malware fetches a secondary payload, dubbed ProcessHacker, from an external website. This payload modifies the HOSTS file on the target machine: it appends a list of hundreds of piracy-related domains and points each of them at a localhost (loopback) address, so name resolution for those sites never leaves the victim’s machine and the browser cannot reach them.
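A practical way to spot this kind of tampering is to parse the HOSTS file and flag any public domain name that has been pointed at a loopback or unspecified address. The checker below is an added example written for this wrap-up, not code from Sophos or from the malware; the sample HOSTS content and the domain names in it are constructed placeholders, and the `find_sinkholed_domains` function name is our own.

```python
"""
Added example: flag HOSTS entries that sink public domain names to a
loopback/unspecified address, the effect the piracy-blocking malware
described above has on a victim machine. Sample content is constructed.
"""
import ipaddress
import os
import sys
from typing import List, Tuple

# Names that legitimately map to loopback on most systems; never flag these.
BENIGN_LOOPBACK_NAMES = {
    "localhost",
    "localhost.localdomain",
    "ip6-localhost",
    "ip6-loopback",
}

# Constructed sample HOSTS content (not the real infected file).
SAMPLE_HOSTS = """\
# Constructed sample for illustration
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
192.168.1.20    fileserver.corp.example
127.0.0.1       pirate-tracker.example   # malware-style entry
127.0.0.1       cracked-software.example
0.0.0.0         warez-mirror.example
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from HOSTS-format text, ignoring comments."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and blanks
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def is_sink(addr: str) -> bool:
    """True if addr is loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed address; not our concern here
    return ip.is_loopback or ip.is_unspecified


def find_sinkholed_domains(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) entries that sink a non-local, dotted hostname."""
    flagged: List[Tuple[str, str]] = []
    for addr, name in parse_hosts(text):
        if name in BENIGN_LOOPBACK_NAMES:
            continue
        if "." not in name:  # single-label names, e.g. the machine's own hostname
            continue
        if is_sink(addr):
            flagged.append((addr, name))
    return flagged


def system_hosts_path() -> str:
    """Location of the live HOSTS file on Windows or on Unix-like systems."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    # Run against the constructed sample by default; pass a path to scan a real file.
    text = SAMPLE_HOSTS
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    hits = find_sinkholed_domains(text)
    print(f"{len(hits)} sinkholed domain(s) found")
    for addr, name in hits:
        print(f"  {name} -> {addr}")
```

Run it with `python check_hosts.py "$(python -c 'import check_hosts;print(check_hosts.system_hosts_path())')"` (or simply pass the path by hand) to scan the live file; a count in the hundreds, as in this campaign, is a strong indicator of the infection, while a handful of entries is more likely an ad blocker or a developer's own overrides.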

Email bug allows message snooping and credential theft
Researchers are warning that attackers can snoop on email by exploiting a bug in Dovecot, the server software behind the majority of IMAP deployments. The bug was first reported in August 2020 and was patched on Monday. Over three-quarters of IMAP servers run Dovecot, according to the Open Email Survey. The vulnerability enables a “meddler-in-the-middle” (MITM) attack: an attacker on the network path can inject unencrypted commands that the server then executes inside the encrypted TLS session, redirecting user credentials and mail to the attacker. The fix is tracked as CVE-2021-33515 and is available for Dovecot running on Ubuntu, the Debian-based Linux distribution. Dovecot v2.3.14.1 and later mitigates the issue.
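The general failure mode behind bugs of this kind is plaintext-to-TLS command injection: the server reads a chunk of bytes into a buffer, sees a command that upgrades the connection to TLS, performs the handshake, and then keeps processing whatever plaintext was already sitting in the buffer as if it had arrived over the encrypted channel. The toy command handler below is an added example written for this wrap-up; it is not Dovecot's code, does no real TLS (the handshake is a flag), and uses SMTP-style command names and a constructed byte stream purely to show the vulnerable buffer handling next to the hardened form.

```python
"""
Added example (not Dovecot's code): a model of plaintext command injection
across a STARTTLS upgrade. `strict=False` reproduces the vulnerable buffer
handling; `strict=True` refuses any plaintext that follows STARTTLS.
The TLS handshake is simulated by a flag; all byte streams are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Session:
    strict: bool                       # True = hardened, False = vulnerable
    buf: bytes = b""                   # unread bytes from the socket
    tls: bool = False                  # has the connection been upgraded?
    executed: List[Tuple[str, bool]] = field(default_factory=list)  # (cmd, ran_under_tls)
    responses: List[str] = field(default_factory=list)

    def feed(self, data: bytes) -> None:
        """Consume bytes as read from the socket and dispatch complete lines."""
        self.buf += data
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            cmd = line.decode("ascii", "replace")
            if cmd.upper() == "STARTTLS" and not self.tls:
                self._starttls()
                if not self.tls:
                    return             # upgrade refused; remaining input dropped
                continue
            # Anything dispatched here after the upgrade is trusted as though
            # it arrived over TLS. That trust is what the injection abuses.
            self.executed.append((cmd, self.tls))
            self.responses.append("250 OK")

    def _starttls(self) -> None:
        if self.strict and self.buf:
            # Plaintext was pipelined (or injected) after STARTTLS. A correct
            # server must not carry it into the TLS context: reject and discard.
            self.responses.append("554 5.5.1 Data after STARTTLS not allowed")
            self.buf = b""
            return
        self.responses.append("220 Ready to start TLS")
        self.tls = True                # handshake would happen here
        # Vulnerable variant: self.buf still holds whatever plaintext followed
        # STARTTLS in the same read, and the loop in feed() will execute it.


def run(plaintext: bytes, after_tls: bytes, strict: bool) -> Session:
    """Feed the pre-TLS bytes, then (if the upgrade succeeded) the client's TLS data."""
    s = Session(strict=strict)
    s.feed(plaintext)
    if s.tls:
        s.feed(after_tls)
    return s


# Constructed streams. The attacker appends one command to the client's
# plaintext STARTTLS segment; the client then sends its real traffic over TLS.
ATTACKER_SEGMENT = b"EHLO mua.example\r\nSTARTTLS\r\nMAIL FROM:<attacker@evil.example>\r\n"
CLIENT_TLS_DATA = b"EHLO mua.example\r\nAUTH PLAIN AHVzZXIAcGFzcw==\r\n"


if __name__ == "__main__":
    for strict in (False, True):
        s = run(ATTACKER_SEGMENT, CLIENT_TLS_DATA, strict=strict)
        print("hardened" if strict else "vulnerable", "tls=", s.tls)
        for cmd, under_tls in s.executed:
            print(f"  {'TLS ' if under_tls else 'PLAIN'} {cmd}")
        print("  last response:", s.responses[-1])
```

In the vulnerable run the injected `MAIL FROM` is the first command executed under TLS, ahead of the client's own `EHLO` and `AUTH`; in the hardened run the upgrade is refused and nothing injected ever runs. The same discipline applies on the client side: a mail client must discard any server bytes buffered before the handshake completes, otherwise an attacker can inject responses instead of commands. For the issue at hand, the practical check is simply `dovecot --version` on each IMAP host and confirming it reports a fixed release.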

Over a billion records from CVS Health exposed online
On Thursday, WebsitePlanet, together with researcher Jeremiah Fowler, revealed the discovery of an online database belonging to CVS Health. The database was not password-protected and had no form of authentication in place to prevent unauthorized access. The team found over one billion records within the 204GB database. The data included production records of visitor IDs, session IDs, device access information, and more. Exposed search records also included queries for medications, COVID-19 vaccines, and a variety of CVS products. The researchers say the unstructured database could be used for targeted phishing scams, referencing the email addresses that some of the logged entries contained. CVS Health has said the database was managed by an unnamed vendor on its behalf and that public access was restricted following disclosure.

Cisco patches vulnerabilities in smart switches
Cisco has flagged and patched several high-severity vulnerabilities in its Cisco Small Business 220 Series Smart Switches that could allow session hijacking, arbitrary code execution, cross-site scripting, and HTML injection. It also issued fixes for high-severity problems in the AnyConnect Secure Mobility Client, Cisco DNA Center, and the Cisco Email Security Appliance, along with a number of other patches affecting various Cisco products. The high-severity issues are below:

  • CVE-2021-1566: Cisco Email Security Appliance and Cisco Web Security Appliance (Certificate Validation Vulnerability)
  • CVE-2021-1134: Cisco DNA Center (Certificate Validation Vulnerability)
  • CVE-2021-1541 through CVE-2021-1543; CVE-2021-1571: Cisco Small Business 220 Series Smart Switches (Session Hijacking, Arbitrary Code Execution, Cross-Site Scripting, HTML Injection)
  • CVE-2021-1567: Cisco AnyConnect Secure Mobility Client for Windows with VPN Posture (HostScan) Module (DLL Hijacking)

Any security updates you want to share? Let us know!