Weekly threat roundup: SolarWinds-style hack, macOS Big Sur, Telegram

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Irretrievable data loss in macOS Big Sur

Apple has patched a programming bug in its flagship macOS Big Sur operating system that could lead to users being locked away from their data during a major software upgrade.

Usually, before any Mac device undergoes a significant OS update, the installation software performs a check for how much free hard disk space is available. In versions 11.2 and 11.3 of Big Sur, however, the check didn’t work as intended, according to Mr Macintosh, meaning the upgrade started even if users only had a few megabytes of space remaining.

The installer would eventually get stuck in a boot loop as it tried and failed to complete the installation. For users with Mac devices fitted with the T2 security chip and FileVault 2 encryption enabled, the problem was made worse, as this potent combination would permanently lock them out of their hard disk due to a failure to accept correct passwords in the recovery prompts following the installation process.

Centreon hit by SolarWinds-style supply-chain attack

French authorities have uncovered a wide-reaching supply-chain attack targeting several major organisations by hackers who compromised Centreon, an enterprise IT platform.

Centreon describes itself as a firm offering IT monitoring services that provide visibility to complex IT workflows from the cloud to the edge, with its customers including Airbus and Orange. The ANSSI cyber security agency claimed the hackers mainly targeted IT providers, and web hosting companies specifically.

The attack, which bears striking similarities to the devastating SolarWinds attack disclosed a few months ago, was orchestrated by alleged Russian cyber criminals, based on early evidence uncovered by investigators. One backdoor, for example, was identical to the Exaramel backdoor previously linked with the Russian TeleBots threat group.

Telegram patches major security holes

More than a dozen major vulnerabilities that could be triggered by remote hackers were fixed in the Telegram messaging service last year, according to a security researcher.

These 13 memory corruption flaws could have allowed attackers to send malicious animated stickers to users in order to gain access to their private messages, photos and video clips, if successfully exploited.

The leading WhatsApp alternative has now fixed all 13 flaws identified by the vulnerability researcher known as Polict, in three updates released across September and October for the Android, iOS, and macOS apps.

QNAP’s Surveillance Station vulnerable to exploitation

QNAP has patched a critical security flaw in its Surveillance Station app that, if exploited, could allow hackers to execute malicious code remotely on network-attached storage (NAS) devices running the software.

This app functions as a surveillance management system and can connect with up to 12 internet protocol (IP) cameras. However, It was found to be embedded with a stack-based buffer overflow vulnerability tracked as CVE-2020-2501, that meant NAS devices managed by the app were vulnerable to remote attack.

QNAP has now patched this bug, alongside fixing a separate cross-site scripting (XSS) flaw in its Photo Station app. This XSS flaw, which could’ve allowed hackers to inject malicious code into the service, was tagged CVE-2020-2502 and rated ‘medium’ in severity.

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Recommended

Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

24 Nov 2021
Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021