At a glance.
- Azure OMI vulnerability exploited.
- Chinese threat actor targets Indian entities.
- iPhone lock screen bypass vulnerability.
- Black market vaccine passports.
Azure OMI vulnerability exploited.
Researchers at Wiz discovered and disclosed four serious flaws affecting Azure's Open Management Infrastructure (OMI) Framework agent. One of the vulnerabilities can lead to unauthenticated remote code execution (CVE-2021-38647), while the other three are elevation-of-privilege flaws (CVE-2021-38645, CVE-2021-38649, and CVE-2021-38648). Microsoft released patches for the flaws on September 14th, but Wiz explained that many customers may not know that they're affected:
"Many different services in Azure are affected, including Azure Log Analytics, Azure Diagnostics and Azure Security Center, as Microsoft uses OMI extensively behind the scenes as a common component for many of its management services for VMs. In a survey, Wiz found that over 65% of sampled Azure customers were exposed to these vulnerabilities and unknowingly at risk. Although widely used, OMI's functions within Azure VMs are almost completely undocumented and there are no clear guidelines for customers regarding how to check and/or upgrade existing OMI versions."
Microsoft reported on Saturday that several threat actors are attempting to exploit the remote code execution vulnerability to install cryptominers or Mirai botnet malware. The company noted, "Due to the number of easily adaptable proof of concept exploits available and the volume of reconnaissance-type attacks, we are anticipating an increase in the number of effects-type attacks (coin miners, bot installation, etc.)."
Chinese threat actor targets Indian entities.
Recorded Future's Insikt Group says that a Chinese state-sponsored threat actor tracked as "TAG-28" is active against targets in India. The actor deployed Winnti malware in operations against Indian media conglomerate The Times Group, the Unique Identification Authority of India (UIDAI), and the Madhya Pradesh Police department. The researchers note that "The UIDAI is the Indian government agency responsible for the national identification database, more commonly called “Aadhaar”, which contains private biometric information for over 1 billion Indian citizens." They add, "While we cannot confirm the intent behind the observed intrusions, an Indian media entity with broad reach across the Indian population and the Aadhaar system both present valuable targets for surveillance, espionage, or information operations."
iPhone lock screen bypass vulnerability.
Security researcher Jose Rodriguez disclosed an iPhone lock screen bypass vulnerability that can allow an attacker to access the iPhone's Notes, the Record reports. Rodriguez found that he could use Siri and VoiceOver to read out the user's notes while the iPhone was locked. Rodriguez was also critical of Apple's response to his disclosure, telling the Record, "Apple mitigated this, [but] didn’t fix at all, and they never asked me if the issue was fixed."
Black market vaccine passports.
Check Point and Fortinet say that fraudulent vaccine passports are proliferating in the online black market. Fortinet notes that most of these offers are likely scams, since there's no way to verify if the seller will actually send the product:
"FortiGuard Labs has now begun to encounter offers of fake vaccine passports as lures in email scams. Successfully enticing the general population to open a malicious email attachment with the promise of receiving an illegal product may be a first. It reflects how polarizing this issue is and why cybercriminals think that they can successfully exploit it."
Check Point states that, legitimate or not, the number of sellers has increased significantly over the past month:
"In our last report back in August 2021, we shared that fake ‘vaccine passport’ certificates were on sale for US$100-US$120, with the majority of sellers from European countries. Also on sale: The EU Digital COVID certificate, CDC and NHS COVID-19 vaccine cards, and fake PCR COVID-19 tests. The number of advertisement groups and their sizes have multiplied by a hundred percent since the beginning of 2021. In August 2021, CPR saw the number of sellers to number around 1,000. Today, the number of sellers has grown exponentially to north of 10,000, marking a 10x increase."