Hackers start exploiting the new backdoor in Zyxel devices:

  • NIC-CERT/2021-01/196
  • Date: 2021-01-11

1. Hackers start exploiting the new backdoor in Zyxel devices:

Threat actors are actively scanning the Internet for SSH-exposed devices and trying to log in to them using a recently patched hardcoded credential backdoor in Zyxel products: a secret 'zyfwp' account built into Zyxel firewalls and AP controllers that allowed login via SSH and the web interface with administrator privileges.

This backdoor allows threat actors to create VPN accounts to gain access to internal networks, or to port-forward internal services so that they become remotely accessible and exploitable. Zyxel released 'ZLD V4.60 Patch 1' last month, which removes the backdoor account from firewall devices; a patch for AP controllers followed on January 8th, 2021.
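Because the attackers described above try the 'zyfwp' account against any reachable SSH service, a defender can look for that username in authentication logs. The following added example (not from the original bulletin) parses a few constructed OpenSSH-style auth.log lines and reports, per source address, how often the account was tried and whether any attempt succeeded:

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH auth.log style; not real telemetry.
SAMPLE_LOG = """\
Jan 11 03:14:07 fw1 sshd[2210]: Failed password for invalid user zyfwp from 203.0.113.5 port 51022 ssh2
Jan 11 03:14:09 fw1 sshd[2212]: Failed password for invalid user zyfwp from 203.0.113.5 port 51030 ssh2
Jan 11 03:15:41 fw1 sshd[2230]: Accepted publickey for admin from 198.51.100.7 port 40012 ssh2
Jan 11 03:16:02 fw1 sshd[2241]: Failed password for invalid user zyfwp from 192.0.2.19 port 60010 ssh2
Jan 11 03:16:30 fw1 sshd[2250]: Accepted password for zyfwp from 203.0.113.5 port 51044 ssh2
"""

# Matches Accepted/Failed password or publickey events and extracts the
# outcome, the username and the source address.
_SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# The hardcoded account named in the advisory; extend with other
# vendor backdoor accounts as they become known.
WATCHED_USERS = {"zyfwp"}


def find_backdoor_attempts(log_text, watched=WATCHED_USERS):
    """Return (attempts_per_source, successful_logins) for watched accounts.

    attempts_per_source maps a source IP to the number of attempts it made
    with a watched username; successful_logins lists (src, user) pairs
    where such an attempt was accepted and should be treated as an incident.
    """
    attempts = Counter()
    successes = []
    for line in log_text.splitlines():
        m = _SSH_RE.search(line)
        if not m or m["user"] not in watched:
            continue
        attempts[m["src"]] += 1
        if m["outcome"] == "Accepted":
            successes.append((m["src"], m["user"]))
    return attempts, successes


if __name__ == "__main__":
    per_src, accepted = find_backdoor_attempts(SAMPLE_LOG)
    for src, n in per_src.most_common():
        print(f"{src}: {n} attempt(s) with a backdoor account")
    for src, user in accepted:
        print(f"ALERT: successful login as {user} from {src}")
```

On an unpatched Zyxel device a successful 'zyfwp' login is the confirmation that the backdoor was used; on any other host the attempts alone identify sources running the scan.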

Reference: https://www.bleepingcomputer.com/news/security/hackers-start-exploiting-the-new-backdoor-in-zyxel-devices/

2. Google fixed a critical Remote Code Execution flaw in Android:

Google released an Android security update that addresses 43 flaws, including a critical remote code execution vulnerability in the Android System component tracked as CVE-2021-0316. The flaws are addressed in security patch levels of 2021-01-05 or later.

Google also addressed two other critical flaws in Qualcomm closed-source components, tracked as CVE-2020-11134 and CVE-2020-11182.

The update also fixes the following high-severity vulnerabilities:

  • Framework: CVE-2021-0303, CVE-2021-0306, CVE-2021-0307, CVE-2021-0310, CVE-2021-0315, CVE-2021-0317, CVE-2021-0318, CVE-2021-0319, CVE-2021-0304, CVE-2021-0309, CVE-2021-0321, CVE-2021-0322, CVE-2019-9376
  • Media Framework: CVE-2021-0311, CVE-2021-0312, CVE-2021-0308, CVE-2021-0320
  • System: CVE-2020-0471
  • Kernel components: CVE-2020-10732, CVE-2020-10766, CVE-2021-0323
  • MediaTek components: CVE-2021-0301
  • Qualcomm components: CVE-2020-11233, CVE-2020-11239, CVE-2020-11220, CVE-2020-11250, CVE-2020-11261, CVE-2020-11262
  • Qualcomm closed-source components: CVE-2020-11126, CVE-2020-11126, CVE-2020-11159, CVE-2020-11181, CVE-2020-11235, CVE-2020-11238, CVE-2020-11241, CVE-2020-11260

Reference: https://source.android.com/security/bulletin/2021-01-01

https://securityaffairs.co/wordpress/113095/security/google-android-rce.html

3. BazarBackdoor, Another Powerful Malware From TrickBot Operators:

A new campaign is distributing a malware named "Bazar Backdoor", a fileless backdoor reportedly created by the same threat actors behind TrickBot.

Bazar Backdoor spreads through phishing messages purporting to come from legitimate senders; for example, the messages may reference COVID-19-related payroll reports or lists of terminated employees. The potential victim is asked to click a link to documents that appear to be hosted on Google Docs. After clicking the link, he or she is redirected to customized landing pages made to look like PDF, Word or Excel documents.

Since Windows hides known file extensions by default, most users will see the downloaded file as "PreviewReport.Doc" instead of "PreviewReport.Doc.exe". This executable, also known as Bazar Loader, is the loader that installs the backdoor.
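The disguise works because Explorer strips only the last, known extension before displaying a name. The added example below (not part of the original report) reproduces that display rule and flags filenames whose real extension is executable while the name the user sees still ends in a document extension, which is a cheap triage check for mail-gateway or download-folder scanning:

```python
from pathlib import PureWindowsPath

# Extensions a user expects for documents; used to recognise the disguise.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt"}
# Extensions Windows runs directly when the file is opened.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def displayed_name(filename):
    """Name as Explorer shows it with 'Hide extensions for known file types' on:
    only the final extension is removed."""
    return PureWindowsPath(filename).stem


def is_disguised_executable(filename):
    """True when the real (last) extension is executable but the displayed
    name still ends in a document extension, e.g. PreviewReport.Doc.exe."""
    real_ext = PureWindowsPath(filename).suffix.lower()
    shown_ext = PureWindowsPath(displayed_name(filename)).suffix.lower()
    return real_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS


def triage(filenames):
    """Return the subset of filenames that use the double-extension trick."""
    return [f for f in filenames if is_disguised_executable(f)]


if __name__ == "__main__":
    # Constructed sample attachments; only the second and fourth are suspicious.
    samples = ["Q4_payroll.pdf", "PreviewReport.Doc.exe", "setup.exe", "notes.txt.vbs"]
    for name in samples:
        print(f"{name:25} shown as {displayed_name(name):20} "
              f"{'DISGUISED' if is_disguised_executable(name) else 'ok'}")
```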

Once the backdoor is installed, it downloads and launches Cobalt Strike, a legitimate information security tool. Attackers often use cracked versions of Cobalt Strike to spread through a network, deploy malware and steal credentials.

Reference: https://cyware.com/news/bazarbackdoor-another-powerful-malware-from-trickbot-operators-69c9c4a6

https://www.pandasecurity.com/en/mediacenter/business/bazarbackdoor-trickbot-backdoor/

4. Mozilla Firefox disabling backspace key to prevent data loss:

Mozilla Firefox is disabling the browser's backspace key to prevent users from accidentally losing data typed into forms.

"To prevent user data loss when filling out forms, the Backspace key as a navigation shortcut for "Go back one page" is now disabled. For those who wish to continue using the backspace key, you can enable it again in about:config using the following steps:

  1. Enter about:config in the Firefox address bar.
  2. Search for browser.backspace_action and change its value to '0'."

Once the setting is changed, the backspace key again navigates to the previous page in Firefox.

Reference: https://www.bleepingcomputer.com/news/software/mozilla-firefox-disabling-backspace-key-to-prevent-data-loss/

5. Microsoft makes the Windows 10 File Recovery tool easier to use:

Microsoft has released a new version of the Windows File Recovery tool (winfr.exe) with new modes that are easier to use. This version is currently only available to Insiders; users on public releases cannot download it yet.

Microsoft introduced two new modes, 'regular' and 'extensive', for recovering files in Windows 10. The 'regular' mode is for files that were recently deleted from a hard drive that is not corrupted. The 'extensive' mode is for files that were deleted a while ago, or for disks that have become corrupted or have been formatted.

Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-makes-the-windows-10-file-recovery-tool-easier-to-use/