
Cybersecurity and Infosec News Headlines Update on August 18, 2022

Thousands of Zimbra platforms actively targeted with critical vulnerabilities

Security researchers are warning that attackers are actively exploiting vulnerabilities in the Zimbra Collaboration Suite (ZCS), and exploit code is circulating in the wild. Multiple reports indicate threat actors are using the flaws to achieve remote code execution on exposed mail servers with no authentication required. Microsoft stated that more than 30,000 instances are believed to be publicly exposed, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-37042 and CVE-2022-27925 to its Known Exploited Vulnerabilities catalog. The flaws specifically affect ZCS email servers and have drawn comparisons to the 2021 Microsoft Exchange Server vulnerabilities. CISA had already added another ZCS vulnerability, CVE-2022-27924, to the catalog on Aug. 4, noting it too was being exploited in the wild; federal agencies must remediate that one by Aug. 25.


Exploit available for critical VMware authentication bypass vulnerability

A researcher who discovered two critical vulnerabilities in VMware Workspace ONE Access has released proof-of-concept exploit code for one of them. CVE-2022-31656 is an authentication bypass that lets an unauthenticated attacker obtain administrative access to affected appliances. VMware had already urged customers to patch as soon as possible before the PoC was published. Security firm Imperva says it detected exploitation attempts after Aug. 9, when the code went public.


CISA Releases Cybersecurity Toolkit for Elections

The US Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Joint Cyber Defense Collaborative (JCDC), has published a guide for election systems cybersecurity. Designed to help US state and local election officials, the Cybersecurity Toolkit to Protect Elections includes a tool to assess risk profile as well as information about tools and services that can be used to help secure election infrastructure assets.

Note

  • While free toolkits are obviously lower in acquisition cost, they still require a level of cybersecurity skill to use for any purpose other than producing “fill the binder” documentation. For example, the first step in this process is to use the online Election Security Risk Profile Tool developed by CISA and the U.S. Election Assistance Commission. The bad news: it asks the filler-outer to estimate risk at the Confidentiality/Integrity/Availability level with slider bars. All too often in the US election system, the person filling out this form will have no idea of what the risk level is and may not even understand those terms. The good news: the slider bars show curves for how election experts assessed the CIA risk and (at least on my browser) the default risk estimates are fairly high and clicking through maintains those defaults. The CISA focus on free tools unfortunately perpetuates the myth that additional spending on staffing and training by state and local is not required for election security – both are badly needed.
  • When performing a self-assessment, one of the hardest parts is to be brutally honest about your current state, particularly if you’re not used to this. Here is a case where peer review can help you. The Election Survey Risk Profile tool is ten pages of questions, with your answers driving added questions. Once you have an honest assessment, then the real work begins of addressing issues. CISA is leveraging the NIST Cybersecurity Framework, so there are plenty of resources and expertise to help you succeed.
  • As the tool suggests, in order to be effective, much less efficient, security must be risk based. However, risk assessment requires knowledge, skill, ability, and experience. These are not likely to be found in many of the 8000 election jurisdictions. It is all too easy, indeed common, for the novice to confuse threat, vulnerability, or consequences for risk. An effective tool for such a population must provide a lot of guidance while being easy to use. It must not rest upon the ability of the user to do something that he is not equipped to do.


Cisco Acknowledges Network Breach

Cisco has acknowledged that threat actors gained access to its corporate network; the company became aware of the compromise on May 24, 2022. According to Cisco Talos, the attacker, who has ties to the Yanluowang ransomware group, first compromised an employee’s personal Google account, in which the employee’s Cisco credentials had been saved through browser password sync, then used voice phishing and repeated MFA push notifications to get the employee to approve a VPN login. Cisco said the group was not successful in deploying ransomware on its network.

Note

  • This is another example of how complex attacks will be used to try to (and sometimes succeed in) bypassing multifactor authentication. Definitely read the Initial Vector section of the Talos report to see what the compromised user did wrong (multiple things) and look at your awareness training to see if you have this covered. Cisco has recently seemed to be in the news too often for vulnerabilities in their products (see ASA item in this Newsbites, for example) but over the years (going as far back as SQL Slammer in 2002) Cisco’s internal security has aggressively focused on maintaining the skills, processes and controls to reduce time to detect, respond, restore, etc.
  • Thanks to Cisco for sharing the details to allow us to learn from Cisco’s experience.
  • The higher we raise the bar on password-based authentication, the more we can expect users to use electronic means to store those credentials. Make sure that you have policy and training about storing and syncing company credentials using non-corporate mechanisms. At a minimum make sure that remote access requires MFA rather than reusable credentials. Ideally, all remote entry points, including endpoints, should require MFA.
  • All too often an error by a single employee results in the compromise of the entire enterprise but it need not be so. “Zero Trust” architectures, or even network segmentation, can make the enterprise tolerant of the inevitable user error.


White House to Provide Critical Infrastructure Sectors with Cybersecurity Guidance

The White House wants to provide the water sector (and other critical infrastructure sectors) with cybersecurity guidance. It asked Congress months ago to codify the Environmental Protection Agency’s (EPA) authority to establish standards for the water sector. An administration official said “the EPA’s current safety and security authorities allow them to roll cybersecurity in,” and added that the EPA will likely issue the rule this summer. Anne Neuberger, deputy national security adviser for cyber and emerging technology, said last week “We need the Hill to ensure that those authorities are clear. There’s hesitancy by agencies to move without real Hill backing to do so.”


Microsoft’s August Patch Tuesday Includes Fix for RCE Flaw in MSDT

Microsoft’s Patch Tuesday for August 2022 addresses more than 120 security issues in multiple products; 17 of the vulnerabilities are rated critical. The batch of issues addressed includes a fix for a zero-day remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).

Note

  • The main issue with MSDT was the fact that it was directly exposed via Microsoft Office. This issue was fixed in an earlier update. However, the directory traversal/code execution issue remained. This has been fixed with this update.
  • While the number of issues seems large, 20 of these are Chromium-Edge and 32 are Azure Site Recovery. Also included in the patches are three critical Exchange server patches (CVE-2022-24477, CVE-2022-24516 and CVE-2022-21980) which need to be applied immediately. Fully fixing the issues requires enabling Windows Extended protection on Exchange Servers. Review the MS blog post on the Exchange Server Updates (https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2022-exchange-server-security-updates/ba-p/3593862) for more details. Revitalize your projects to move to hosted email servers wherever possible.


Cloudflare Says They Thwarted a Phishing Scheme in July

Cloudflare says it was targeted in July by a phishing campaign similar to the one that breached Twilio last week. Twilio employees received text messages claiming to come from the company’s IT department that led them to a phony Twilio sign-in page. Cloudflare saw the same attack and says it was thwarted because its employees use hardware-based, FIDO2-compliant security keys, which bind each login to the legitimate site’s origin. The Cloudflare blog post offers “a rundown of exactly what [they] saw in order to help other companies recognize and mitigate this attack.”

Note

  • The information sharing lately practiced by Cloudflare, Cisco and Twilio is a great resource to learn and improve from. One common theme lately is that targeted attacks are exploiting a disconnect between how some multi-factor authentication systems work and how users perceive them. You should update your user awareness training to include these abuse cases.
  • This is a great example of what phishing-resistant MFA means. With hardware MFA, in this case a FIDO2-compliant key with origin binding, the attacker couldn’t get past the login prompt even with the captured credentials. That said, you need to make sure that your MFA is comprehensive; don’t exclude system administrators, VIPs, etc. Where using SSO, make sure that users have to strongly authenticate to the endpoint, and that the endpoint is trusted, genuine, and meets or exceeds your required security posture.
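The origin binding the note above refers to is worth seeing in code. The following is an added example, not code from the page, Cloudflare, Twilio or any vendor: a miniature WebAuthn assertion flow in which the browser writes the page origin into clientDataJSON, the security key signs authenticatorData || SHA-256(clientDataJSON), and the relying party (RP) checks challenge, origin, rpIdHash and signature. The domain names are constructed, and the key’s ECDSA signature is replaced by an HMAC under a per-credential secret so that it runs on the Python standard library alone; the verification logic is what matters.

```python
"""Why an assertion from a FIDO2 security key, captured on a look-alike domain,
fails at the real site. Added example; HMAC stands in for the key's ECDSA signature."""
import base64
import hashlib
import hmac
import json

RP_ID = "login.example-corp.test"                     # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example-corp.test"   # the only origin the RP accepts
PHISH_ORIGIN = "https://login.example-corp-sso.test"  # constructed look-alike domain


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_builds_client_data(page_origin: str, challenge: bytes) -> bytes:
    """The browser, not the page, fills in 'origin' from the URL bar. A phishing page
    cannot change what a real browser writes here."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": page_origin}, separators=(",", ":")).encode()


def authenticator_signs(cred_secret: bytes, rp_id: str, client_data: bytes):
    """authenticatorData = rpIdHash || flags || signCount; the key signs
    authenticatorData || SHA-256(clientDataJSON). HMAC stands in for ECDSA."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(cred_secret, to_sign, hashlib.sha256).digest()


def rp_verify(cred_secret: bytes, challenge: bytes, client_data: bytes,
              auth_data: bytes, signature: bytes) -> tuple:
    """Relying-party side. Returns (accepted, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"            # replay or wrong session
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(cred_secret, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def login_attempt(page_origin: str, cred_secret: bytes, challenge: bytes) -> tuple:
    """One assertion ceremony. The RP's challenge reaches a browser on `page_origin`,
    directly or relayed by a phishing proxy, and the response goes back to the RP.
    A browser only lets a page use an rpId that is its own host or a registrable parent
    of it, so a look-alike site can at best ask for an rpId equal to its own hostname."""
    rp_id_used = page_origin.removeprefix("https://")
    client_data = browser_builds_client_data(page_origin, challenge)
    auth_data, signature = authenticator_signs(cred_secret, rp_id_used, client_data)
    return rp_verify(cred_secret, challenge, client_data, auth_data, signature)


def forged_origin_attempt(cred_secret: bytes, challenge: bytes) -> tuple:
    """A proxy that captured a signature made on the phishing origin and rewrites
    clientDataJSON to claim the real origin: the hash inside the signed data no longer
    matches, so the signature check fails instead of the origin check."""
    phish_cd = browser_builds_client_data(PHISH_ORIGIN, challenge)
    _, sig = authenticator_signs(cred_secret, PHISH_ORIGIN.removeprefix("https://"), phish_cd)
    forged_cd = browser_builds_client_data(EXPECTED_ORIGIN, challenge)
    real_auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return rp_verify(cred_secret, challenge, forged_cd, real_auth_data, sig)
```

Compare this with a one-time code: a TOTP value carries no origin, so the same proxy that relays the RP’s login page can relay the code and succeed. Here the proxy has nothing usable to relay, because the key only ever signs over the origin the victim’s browser is really on.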


Critical Flaws in Device42 Platform

Researchers from Bitdefender discovered multiple vulnerabilities in the Device42 IT asset management platform that could be chained to gain full root access to the appliance. The flaws were found during a security assessment of Device42 instances. Bitdefender notified the vendor on February 18, 2022; the flaws were patched on July 20, and the report and CVEs were released on August 10.

Note

  • Bitdefender gives kudos to the Device42 team for rapidly responding and working with them to make sure the issues are resolved. Make sure that your vulnerability disclosure team has a similar model, irrespective of the source reporting issues. Device42 version 18.01.00 addresses the four CVEs (CVE-2022-1399, CVE-2022-1400, CVE-2022-1401, and CVE-2022-1402). Given that Bitdefender has published their findings, it’s time to make sure that version was deployed.


7-Eleven Denmark Hit with Ransomware

A ransomware attack caused 7-Eleven Denmark to shut down all 175 of its stores earlier this week. The attack prevented stores from using cash registers or accepting payments. Stores are gradually re-opening using alternate payment methods, such as cash or mobile payment systems. 7-Eleven Denmark acknowledged the attack in a statement on Facebook.

Note

While the attack took out the central payment systems, local stores were able to open by finding alternate solutions which worked locally. Make sure that your DR plan includes information on how to keep remote locations operating when central systems are offline. Consider not only the tactical immediate operational return, but also the long-term actions to reconcile information with those systems when they come back online.


Fortinet: Older Microsoft Office Vulnerabilities are Still Being Exploited

Researchers from Fortinet say that threat actors are still exploiting a pair of known vulnerabilities in Microsoft Office that are five years old. The flaws, CVE-2017-0199 and CVE-2017-11882, are being exploited by a variant of the SmokeLoader malware.

Note

  • Make sure that users are staying on the current release of Office products, including subscription to (and application of) updates. Make sure you have written management support for minimum versions for users resistant to moving off treasured versions. Recovery from an incident related to running old versions quickly exceeds the cost of providing a license. Investigate Microsoft’s home use program to facilitate users being on current versions for their non-work systems.


NHS Outage Due to Ransomware Attack on Vendor Network

A ransomware attack against a third-party vendor is responsible for an outage affecting the UK’s National Health Service (NHS). Managed service provider, Advanced, has released a FAQ document that provides information about which of its customer groups are affected and other details about the attack. Advanced says it could be three to four weeks before all the disruptions are mitigated.

Note

  • The service provider is rebuilding services with updated security practices, to include increased monitoring, EDR, and increased segmentation/isolation. If you’re going to rebuild everything, you may as well increase the security, and this may be the only time you get management support to fully implement those changes. Beware that you’re changing things and unknown interdependencies may add significant time to the recovery process as they are resolved. As a customer, be aware of your service provider’s security posture. While we’re used to making sure our data is isolated and protected, we also need to ensure that protections are in place to stop lateral movement, that all endpoints leverage EDR and are actively monitored, and that we have a clear understanding of their service restoration model and timeline.


Black Hat: Cisco ASA Vulnerabilities

Researchers from Rapid7 discovered vulnerabilities affecting Cisco Adaptive Security Appliance software, Adaptive Security Device Manager (ASDM), Cisco ASA-X and FirePOWER Services Software for ASA. Rapid7 disclosed the vulnerabilities to Cisco in February and March of this year. Cisco has released advisories addressing most of the vulnerabilities.

Note

  • As the ASDM packages are not signed, use caution downloading to make sure you have legitimate copies, including the Java based launcher. It’s also not verifying SSL certificates, so use caution to avoid MitM scenarios. At this time there is no auto-update, so make sure that you’re checking periodically, and don’t expose your ASDM services to the Internet. The good news is there are fixes for most of the ASA and FirePOWER Services you can deploy.


More than 120 vulnerabilities disclosed as part of Microsoft Patch Tuesday

Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its line of products and software, the most in a single Patch Tuesday in four months. This batch of updates also includes a fix for a new vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) that is actively being exploited in the wild, according to Microsoft. MSDT was already the target of the so-called “Follina” zero-day vulnerability in June. Two of the important vulnerabilities, CVE-2022-35743 and CVE-2022-34713, are remote code execution vulnerabilities in MSDT; only CVE-2022-34713 has been exploited in the wild, and Microsoft considers it “more likely” to be exploited. Read more: Microsoft Patch Tuesday for August 2022 — Snort rules and prominent vulnerabilities

Attackers take advantage of new “C2-as-a-service” platform

In early 2022, a new C2 platform called “Dark Utilities” was established, offering a variety of services such as remote system access, DDoS capabilities and cryptocurrency mining. The operators of the service also established Discord and Telegram communities where they provide technical support and assistance for customers on the platform. Since its initial release, Cisco Talos researchers observed malware samples in the wild leveraging it to facilitate remote access and cryptocurrency mining. Payloads provided by the platform support Windows, Linux and Python-based implementations and are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention. Read more: Attackers leveraging Dark Utilities “C2aaS” platform in malware campaigns

Critical Flaws in Cisco SMB Routers

On Wednesday, August 3, Cisco released a security advisory warning of multiple vulnerabilities in some of its small business routers. The flaws affect the company’s RV160, RV260, RV340, and RV345 Series Routers. Cisco has made updates available.

Note

  • It is Tuesday, so it must be time for more Cisco SMB router vulnerabilities. A quick search at nvd.nist.gov shows 7 critical vulnerabilities this year and 8 last year (and 25 total over the two years). I guess it is cheap enough for Cisco to push vulnerability discovery right and left.
  • The exploit comes from input which is not properly validated/sanitized. Update to the latest firmware, and make sure that the management interface is only available to authorized systems/users. While the CVSS scores are 8.3/10 (CVE-2022-20841) and 9/10 (CVE-2022-20827) – don’t expect this vulnerability to remain on the “not actively exploited” list for long.


Open Redirect Flaws Used to Steal Account Credentials

Phishers are exploiting open redirect vulnerabilities on the Snapchat and American Express websites to steal Microsoft 365 and Google Workspace account credentials. An open redirect occurs when a site takes a destination URL from a request parameter and redirects to it without validating it, so a link that starts on a trusted domain can land the victim on an attacker-controlled page. The attackers embedded personally identifiable information in the URLs to generate malicious landing pages tailored to each victim.

Note

  • Phishing is just the tip of the iceberg of open redirect issues. These flaws are often underestimated, and can be tricky to fix. But consider that if your site uses OAuth for authentication, open redirect flaws can be used in some cases to steal authentication tokens.
  • Snapchat was told of the vulnerability over a year ago and hasn’t fixed it. Imagine if Snapchat sold breakfast cereal that was found to be contaminated with rat poison – the boxes of Snapchat would have been off the shelves in weeks if not days. It really is time for regulatory consequences that cause business disruption, not just fines, to companies that know of vulnerabilities but don’t fix them.
  • The best penetration testers and bug bounty hunters can demonstrate the severity of flaws like open redirection in a way that shows the client how to be more secure – and motivates them to make that change.
  • Prevention/training can include cautioning users about URLs that contain “url=”, “redirect=”, “external-link” or “proxy” strings, but the better defense is for domain owners to limit redirection use and include things like redirection disclaimers (“You are leaving my site for this site, click here”).
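The fix for an open redirect is an allowlist applied after the destination is resolved, not a string check on the raw parameter. The following is an added example, not code from the page or from Snapchat, American Express or any vendor named on it: the vulnerable pattern next to a hardened version that resolves the `next` parameter against the site’s own origin and then accepts only allowlisted https hosts, plus a triage helper that flags links whose redirect-style query parameters point at a different host, the shape of lure the item and the note above describe. The site origin, hostnames and parameter names are constructed.

```python
"""Open redirect: the vulnerable pattern beside an allowlist-based fix, and a
triage helper for links seen in mail. Added example with constructed names."""
from urllib.parse import parse_qsl, urljoin, urlparse

SITE_ORIGIN = "https://example-app.test"                       # constructed
ALLOWED_HOSTS = {"example-app.test", "help.example-app.test"}  # constructed allowlist


def vulnerable_redirect_target(next_param: str) -> str:
    """The bug: the 'next' parameter becomes the Location header as-is, so
    https://example-app.test/login?next=https://evil.test/ sends the user to evil.test."""
    return next_param


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Resolve 'next' against our own origin and allow only allowlisted https hosts.
    Anything else (other hosts, protocol-relative //host, http://, userinfo tricks,
    backslashes or control characters, unparseable input) falls back to `default`."""
    if not next_param or any(c in next_param for c in "\x00\r\n\t\\"):
        return default
    try:
        # urljoin keeps "/account" on our origin but resolves "//evil.test/x" to
        # evil.test, so one host check after resolution covers relative and absolute input.
        resolved = urljoin(SITE_ORIGIN + "/", next_param)
        parsed = urlparse(resolved)
    except ValueError:
        return default
    if parsed.scheme != "https":
        return default
    if parsed.username or parsed.password:      # https://example-app.test@evil.test/
        return default
    if parsed.hostname not in ALLOWED_HOSTS:    # exact match: blocks example-app.test.evil.test
        return default
    return resolved


# Parameter names commonly used to carry a redirect destination.
REDIRECT_PARAM_NAMES = {"url", "redirect", "redirect_uri", "redirect_url", "next",
                        "return", "return_to", "returnurl", "goto", "target", "dest",
                        "destination", "continue", "link", "external-link"}


def external_redirect_params(url: str) -> list:
    """For a link, return [(param_name, target_host)] for every redirect-style query
    parameter whose value is an absolute (or protocol-relative) URL to a host other
    than the link's own. A trusted domain followed by ?url=https://... to another host
    is the shape of the lure in this item."""
    parsed = urlparse(url)
    findings = []
    for name, value in parse_qsl(parsed.query, keep_blank_values=True):
        if name.lower() not in REDIRECT_PARAM_NAMES:
            continue
        target = urlparse("https:" + value if value.startswith("//") else value)
        if target.scheme in ("http", "https") and target.hostname \
                and target.hostname != parsed.hostname:
            findings.append((name, target.hostname))
    return findings
```

The allowlist is an exact host match on purpose: prefix or suffix matching is what lets `example-app.test.evil.test` through, and scheme-relative and userinfo forms are caught only because the check runs on the resolved URL rather than on the raw parameter.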


GitHub Seeks Comments on Plan to Improve npm Security with Code Signing

GitHub has opened a request for comments on its plan to bolster npm security with code signing. The move follows other efforts to improve npm security, including two-factor authentication, streamlined login, and enhanced artifact signing.

Note

  • Sigstore is a very cool effort, supported by the OpenSSF, Google, Cisco, Red Hat, VMware and others. Kubernetes adopting sigstore/code signing in May 2022 has really picked up adoption. But the signing of code really isn’t what increases security – *verifying* the signatures and not using unsigned or invalid/expired code is the harder required part. Processes for using open source software need to be updated.
  • Code signing is a good idea, and you need to understand what the level of assurance is behind the signature on the code. Having a reliable issuance process and disallowing self-signed as well as enforcing scope – what projects they can and cannot sign code for is a step in the right direction.


Plan to Have Sanitation Inspectors Assess Water Utility Cybersecurity is Met with Skepticism

Industry groups and cybersecurity experts have a lot to say about the White House’s plan to have the Environmental Protection Agency (EPA) delegate cybersecurity oversight to local sanitation inspectors. The US water sector currently has no minimum cybersecurity standards. Industry groups say the approach needs to be more granular to meet the cybersecurity needs of different utilities. The American Water Works Association (AWWA) says the EPA did not engage the organization in its decisions, and noted that sanitation reviews are largely visual, checking that equipment is operating effectively. Cybersecurity experts have expressed concerns that state sanitation inspectors are not trained to conduct cybersecurity audits. Dragos CEO Rob Lee also pointed out that the underlying issue is how to pay for necessary water utility cybersecurity changes.

Note

  • It is easy to criticize thinking local water system inspectors could effectively perform cybersecurity audits, but the real issue is the lack of defined standards for required cybersecurity levels for the various levels of water utilities in the US – no auditor can audit without something against which to audit. By the way, Deputy National Security Advisor Anne Neuberger is quoted as saying the EPA is well equipped to make sure cybersecurity is “holistically” considered. Whenever I hear one of the “H” words (holistic and heuristic) used by a vendor or government official (the two that tend to use those terms the most) I automatically replace the former with “imaginary” and the latter with “undocumented.”
  • Clearly defined standards and requirements must be in place before you can effectively assess the cybersecurity. Otherwise, you’re going to have inconsistent results. The selection of Sanitation Inspectors reflects their ability to subjectively inspect and audit against a known set of standards; it is not clear they are going to have the level of familiarity required to audit against cybersecurity requirements.
  • Cybersecurity evaluation, audit, is not an ancillary duty nor a job for amateurs. Such efforts will not enable any conclusions about the security of an enterprise. However, in this industry a very short checklist, suitable for use by any literate person, may enable the early identification and mitigation of dangerous omissions.


HHS Suggestions for Healthcare Sector IoT Cybersecurity

The US Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HHS HC3) has published an analyst note providing healthcare organizations with information to improve IoT security. The note suggests limiting attack surface using network segmentation. It also describes common IoT attacks and lists steps to take to minimize the risk posed by IoT devices. HHS has also published a threat brief about web application attacks in healthcare.

Note

  • Healthcare continues to be a target, particularly their IT/OT systems. The guidance is familiar and appropriate for networked IT/OT components (segmentation – only authorized users/devices, use MFA, keep updated/patched, and monitor.) Don’t forget about embedded devices, such as pacemakers, which have wireless communication, which requires you to work with the provider to ensure you either have security best practices implemented or disable the interface.
  • Anyone who’s worked cybersecurity in healthcare knows this is partly a philosophical struggle along the CIA triad. To those of you in cybersecurity making patient health information access secure, immediate, and highly available, thank you! Yours is some of the hardest and most important work going on.
  • In perhaps no other industry is process-to-process isolation more necessary than in healthcare. Isolating appliances may be a useful first step but a zero-trust architecture should be the goal.


Tornado Cash Sanctioned for Laundering Cybercrime Proceeds

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned Tornado Cash, a virtual currency mixer that has been used to launder billions of dollars in stolen virtual currency. The sanctions freeze company assets and prohibit US citizens from doing business with Tornado Cash without approval from OFAC.

Note

  • If you are a legitimate business, not much chance you were using Tornado Cash – or using “crypto currency” at all, since actual use for business transactions is minimal. But US Treasury has a compliance guide that is worth reading if you are – home.treasury.gov: Sanctions Compliance Guidance for the Virtual Currency Industry (PDF)
  • If you’re looking at accepting cryptocurrency, actions like this matter. Be sure you do your research, including getting input from peers on options and pitfalls. This is a case where you really need to be continuously monitoring your partners to ensure you’re not going to be on the wrong side of a regulatory decision. Make sure that you not only understand the relationships in play and how transactions are governed but also what the contingency plans are when something fails or becomes prohibited before jumping in with both feet.


Slack Resets Some Users’ Passwords

Last week, Slack sent some workspace users emails requesting that they reset their passwords. The issue lay in a bug that exposed hashed versions of users’ passwords when they created or revoked a Shared Invite Link for their workspace. The issue affected all users who created or revoked such links between April 17, 2017, and July 17, 2022. Slack has fixed the bug.

Note

  • Slack leaked salted hashes of passwords, not passwords themselves. But yet another reason to first of all use long and random passwords to make offline brute forcing more difficult, and of course always use a different password for different services. In this case, the four emails I received from Slack about being affected by the leaks are non-events.
  • Slack estimates this impacted about 0.5% of users. Apparently, the shared invite link included the hashed value of the sender’s password. Slack has not revealed which hashing algorithm was used and sent communication to those impacted users directing them to change their passwords. It’s not a bad idea to go through and update your Slack passwords, as well as checking to make sure you’re keeping your desktop client updated.
  • Slack offers its users a two-factor authentication option. The key word is “option.” All users of Software as a service (SaaS), indeed any cloud service, should expect and use strong authentication.


NHS Outage Due to Cyberattack Against Managed Service Provider

The UK’s National Health Service (NHS) is experiencing an outage after a managed service provider suffered a cyberattack. The incident is affecting NHS’s 111 service, which is designed for people who need urgent health care, but not for life-threatening situations. The 999 emergency services number does not appear to be affected. The situation is expected to be resolved this week.

Note

  • The question is how insulated are you from compromise at your third-party providers. Make sure that your DR plans address both directly and indirectly connected systems. Whether a failure in the feed you send to the bank for payroll processing or outsourced/cloud services directly connected to your network, be sure to know what impacts are possible and what your recovery option is. Make sure that you have segmentation and monitoring, appropriate geographic distribution as well as redundancy of connections.


Zimbra Vulnerability is Being Actively Exploited

A command injection vulnerability in Zimbra Collaboration is being actively exploited to steal email account credentials with no user interaction. Researchers from SonarSource discovered the vulnerability on March 11, 2022; Zimbra released a fix on May 10. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities Catalog with a mitigation due date of August 25, 2022.

Note

  • The patch for Zimbra was released May 10, 2022, with versions ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1. The report from SonarSource, released a month after the patches were released, has details and pointers for attackers to successfully exploit the flaws. Yup, time to patch.


Spear Phishing Operation Targeted Industrial Plants and Government Agencies

Researchers from Kaspersky said that an advanced persistent threat (APT) group with ties to China’s government used six separate backdoors to infiltrate networks at industrial plants, research organizations, and government agencies and ministries in Belarus, Ukraine, Russia, and Afghanistan. The attackers gained their initial foothold in the systems with spear phishing emails.

Note

  • Make sure you’re looking at both sides of this equation. Making sure the users have the training and tools to spot and report phishing emails as well as making sure that you’re securing your systems, particularly critical systems, whether OT or IT. You know the drill, keep them updated, only allow authorized devices and user access, enable MFA where possible, monitor for irregular behavior. On the monitoring front, where OT systems have proprietary protocols, some network analyzers now understand these and can alert on unexpected traffic. Use caution with active response solutions on OT networks.
  • It is unlikely that any technique will ever wholly protect against human error but strong authentication will certainly help here. Once an enterprise network is compromised it is almost impossible to completely trust it again. Backdoors are easy to install and very difficult to find and eliminate.


Emergency Warning Takeover

The US’s FEMA has warned that there are serious vulnerabilities in the country’s Emergency Alert System (EAS) that could allow an attacker to send emergency messages without authorization. Researcher Ken Pyle of CYBIR found the issue and will present a PoC at DEF CON this weekend. Read more: “Huge flaw” threatens US emergency alert system, DHS researcher warns

Slack Resets Passwords

Slack notified a small number of users that it had to reset their passwords after a security researcher found a bug that was including salted password hashes in invitation links. Read more: Slack resets passwords after exposing hashes in invitation links

Chinese Cobalt Strike

There’s a new Chinese offensive framework called Manjusaka that’s like a Chinese version of Cobalt Strike. Its implants are written in Rust and target Windows and Linux, and it includes a C2 component written in Go. Read more: Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

Twitter Confirms Zero-Day

Twitter has confirmed that a now-patched zero-day flaw allowed an attacker to link emails to Twitter accounts, which is something you’re not supposed to be able to do. This resulted in the de-anonymizing of 5.4 million Twitter accounts by submitting an email, getting back the Twitter account ID, and then scraping the account for info. Read more: Twitter confirms zero-day used to expose data of 5.4 million accounts

Microsoft ASM

Microsoft has entered the Attack Surface Management space with a new tool called Microsoft Defender External Attack Surface Management. It sports a real-time inventory, attack surface visibility, and exposure detection and prioritization. Read more: Microsoft announces new external attack surface audit tool

Major Solana Hack

There was a major Solana hack last week that drained millions from more than 9,000 hot wallets. The issue turned out to be in a closed-source wallet called Slope, which used a third-party logging service, Sentry, and was sending users’ seed phrases to a centralized server in plaintext. Read more: Solana’s $6M Exploit Likely Tied to Slope Wallet, Developers Say
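The lesson of the Slope incident is that anything handed to a crash reporter or telemetry SDK leaves your trust boundary, so secrets have to be scrubbed before the event is serialized. The following is an added example, not code from the page, Slope, Sentry or Solana: a pre-send scrubber that walks a structured event, redacts values under secret-sounding keys, redacts runs of 12 to 24 short lowercase words (the shape of a BIP-39 seed phrase) and 64-hex-character strings (a raw 32-byte key), and returns a count of redactions so a test can prove nothing sensitive was forwarded. The event layout, field names and sample values are constructed; `before_send` is shaped like the pre-send callback many error-reporting SDKs accept, not any particular SDK’s API.

```python
"""Scrub wallet secrets from structured events before a client SDK ships them to a
third-party logging/telemetry service. Added example with constructed data."""
import re
from typing import Any, Tuple

REDACTED = "[REDACTED]"
SECRET_KEY_RE = re.compile(r"seed|mnemonic|private[_-]?key|secret|password|passphrase|token", re.I)
# 12..24 lowercase words of 3..8 letters: BIP-39 words are 3-8 letters and phrases are
# 12, 15, 18, 21 or 24 words. A heuristic; a stricter filter checks each word against
# the 2048-word BIP-39 list. False positives in telemetry are the acceptable direction.
MNEMONIC_RE = re.compile(r"(?<![A-Za-z])(?:[a-z]{3,8}\s+){11,23}[a-z]{3,8}(?![A-Za-z])")
HEX_KEY_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def scrub_value(value: Any) -> Tuple[Any, int]:
    """Redact secret-shaped substrings inside a string; other scalars pass through."""
    if not isinstance(value, str):
        return value, 0
    value, n1 = MNEMONIC_RE.subn(REDACTED, value)
    value, n2 = HEX_KEY_RE.subn(REDACTED, value)
    return value, n1 + n2


def scrub_event(event: Any) -> Tuple[Any, int]:
    """Return (scrubbed copy, number of redactions); walks nested dicts and lists
    and leaves the original object untouched."""
    if isinstance(event, dict):
        out, total = {}, 0
        for key, val in event.items():
            if isinstance(key, str) and SECRET_KEY_RE.search(key):
                out[key], n = REDACTED, 1          # redact by key name, whatever the value
            else:
                out[key], n = scrub_event(val)
            total += n
        return out, total
    if isinstance(event, list):
        scrubbed = [scrub_event(item) for item in event]
        return [s for s, _ in scrubbed], sum(n for _, n in scrubbed)
    return scrub_value(event)


def before_send(event: dict, hint: Any = None):
    """Shaped like the pre-send hook many error-reporting SDKs accept: return the
    event to send, or None to drop it. Here the scrubbed copy is always sent."""
    scrubbed, _ = scrub_event(event)
    return scrubbed


# Constructed event in the shape a crash reporter might capture from a wallet app.
SAMPLE_EVENT = {
    "message": "wallet restore failed",
    "user": {"id": "u-42"},
    "extra": {
        "mnemonic": "army van defense carry jealous true garbage claim echo media make crunch",
        "request_body": '{"phrase": "army van defense carry jealous true garbage claim echo media make crunch"}',
        "auth_token": "tok_constructed_123",
    },
    "breadcrumbs": [{"message": "imported key " + "a1" * 32}],
}
```

Key-name matching catches the obvious field; the content patterns catch the same phrase when it arrives inside a serialized request body or a breadcrumb, which is where logging SDKs typically pick such values up. Scrubbing is a backstop, not a substitute for never putting seed material into a log call in the first place.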

US Takes Out al-Zawahiri With Ninja Bomb

The US didn’t use explosives in the drone strike that killed al-Zawahiri. They reportedly used what’s called a “flying Ginsu” missile (the Hellfire R9X), which deploys six retractable blades to do its damage. Read more: CIA Likely Used ‘Ninja Bomb’ to Kill Terrorist Leader Ayman al-Zawahiri

The R9X Missile

Taiwan Reports DDoS Attack After Pelosi Visit

Taiwan’s Ministry of Defense reported that its systems were targeted by a distributed denial-of-service (DDoS) attack earlier this week, shortly after US Speaker of the House Nancy Pelosi visited. Earlier in the week, the country’s presidential website reported a DDoS attack as well.

Note

  • The scale of these attacks, and their targets, point to hacktivists. It looked like recovery was swift, and I doubt it significantly affected operations at these organizations. But remember that DDoS attacks can also be used as a smoke screen to cover more sophisticated attacks.
  • The Anonymous group jumped into the mix, retaliating for the attacks and taking credit for hacking into the government website of China’s Heilongjiang Society Scientific Community Federation. The hacked site was taken down but lives on in the Internet Archive. The point is that beyond being prepared for DDoS attacks, you also need to watch for sympathetic actions, possibly retaliating on your behalf, resulting in unplanned escalation of tensions.

Post-Quantum Encryption Algorithm Candidate Broken

Researchers have found a way to break one of the post-quantum encryption algorithm candidates chosen by the US National Institute of Standards and Technology (NIST) as a potential replacement for encryption algorithms currently in use. Using a single-core PC, researchers from the Computer Security and Industrial Cryptography group at KU Leuven broke the algorithm, known as Supersingular Isogeny Key Encapsulation, or SIKE, in one hour.

Note

  • This is exactly why we need to look for new encryption standards long before they are actually needed. The NIST process is slow and deliberate. It does allow for sufficient time and it does give these proposed standards exposure to encourage review.
  • Three of the new schemes rely on new, less understood assumptions, which could really raise the bar, or be subject to an old-school attack not accounted for. Now is the time to find issues with the new candidates, not after we’ve moved to them. I give a lot of credit to all the candidates who effectively signed up for a multi-round, public, murder board. Once the process completes, vendors will need time to both produce products which implement them, and come up with best practices so you can then discuss moving to Post-Quantum Encryption effectively.

VMware: Patch Critical Authentication Bypass Flaw

On Tuesday, August 2, VMware released an advisory that includes fixes for 10 vulnerabilities that affect its VMware Workspace ONE Access, Workspace ONE Access Connector, Identity Manager, Identity Manager Connector, vRealize Automation, Cloud Foundation, and vRealize Suite Lifecycle Manager products. The most serious of the flaws is a remote authentication bypass issue that affects local domain users.

Note

  • I hope I do not need to remind anybody to not expose these systems to the open internet. This isn’t the first critical VMWare flaw this year.
  • Take a deep breath, grab your coffee, and scan the VMware advisory page for your specific product to find actions needed. It includes a table of criticality, CVEs and links to KB articles for each. While not actively exploited, the criticality should be used as an indicator of how likely that is to change. There is only one workaround listed, for one out of all of these issues; frankly, plan to patch all the affected things.

CISA and ACSC: Top Malware Strains of 2021

In a joint alert, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) provide overviews of the top malware strains of 2021. The majority of the top malware strains – Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot and GootLoader – have been around as one variant or another for at least five years.

Note

  • The top strains include RATs, banking Trojans, information stealers and ransomware. If the names Tesla, Formbook, AZORult, LokiBot, etc. aren’t well known to you, read the CISA bulletin to learn about them. The mitigations remain the same: implement (comprehensive) MFA, keep systems patched and updated, don’t expose RDP to the internet, have good (offline) backups and train users. When I say comprehensive MFA, I mean don’t skip any externally facing services, and don’t exclude any users from having to use it.

FEMA: Critical Vulnerabilities in Emergency Alert System Devices

The US Department of Homeland Security’s (DHS’s) Federal Emergency Management Agency (FEMA) has issued a bulletin warning of critical vulnerabilities in Emergency Alert System (EAS) devices. The flaws in the encoder/decoder devices could be exploited to send phony emergency alerts on radio and television. FEMA is urging all EAS system participants to ensure their devices are running the most recent software versions and have their patches up to date; are protected by a firewall; and that audit logs are reviewed regularly to check for unauthorized access.

Note

  • The vulnerability is now public knowledge, which means participants have to patch PDQ. Some of the Monroe Electronics components of the system had flaws which couldn’t be patched previously due to a lack of updates for the last few years. Ken Pyle, who discovered those flaws, will be presenting more information at the DEFCON 30 IoT village.
  • An instance where false positives are more tolerable than false negatives, short of being so frequent as to destroy trust in true positives.

DoJ Using Paper for Sensitive Documents

The US Department of Justice says it has been filing sensitive court documents on paper rather than electronically since January 2021. In an interview with Cyberscoop, Deputy Assistant Attorney General for National Security Adam Hickey said, “Convenience is great, but security in any internet connected system is going to be different from what it would be on paper.”

Note

  • Often, sensitive OT devices are (wisely!) disconnected from the internet; it’s probably a good idea to isolate the most sensitive documents. Putting them on paper makes them much less accessible by foreign adversaries!
  • The downside of paperless is that you need to make sure the protections are appropriate for your most sensitive paper-based processes. When assessing the process, think of how we handled paper. While we are familiar with locked filing cabinets, offices and storage rooms, you still have transport concerns; even registered mail can get waylaid. Even so, the risks of the old processes may be lower than the online process for certain use cases. Document gaps and make deliberate decisions to accept the risk or require alternate processes in those scenarios.

House Bill Would Reauthorize NCFI

A bipartisan bill in the US Senate would reauthorize the National Computer Forensics Institute and extend its funding through 2028. The NCFI “train[s] state and local law enforcement, judges and prosecutors in digital evidence, network intrusion, and computer/mobile device forensic issues.” The House passed a companion bill last month.

Note

The course is conducted through the local US Secret Service field office and is available to active full-time employees (law enforcement, judges and prosecutors) of a state or local government agency. If you fit into one of those categories, this should be a great opportunity to hone your skills around digital evidence, network intrusion, and computer/mobile device forensic issues.

Cyberattack Hits Association of German Chambers of Industry and Commerce

A cyberattack against the Association of German Chambers of Industry and Commerce (DIHK) prompted the organization to shut down its IT systems. According to a statement on the DIHK website, the shutdown was “a precautionary measure for security reasons. We are currently working intensively on a solution and defense. After being checked, the IT systems are successively started up so that the services for companies are then available again.”

Note

Translation – we don’t know the scope of the attack; turn it all off, check everything, only enabling known-good services. This is a tough call, particularly with 79 chambers and over three million members who use their services. They are using the DIHK web site and LinkedIn to post updates. Are you prepared to communicate in a similar situation? Make the call? And do you have multiple communication paths for users and partners?

SolarWinds CISO on Lessons Learned from Sunburst

SolarWinds CISO Tim Brown led the incident response to the Sunburst attack, which exploited a supply chain vulnerability in Orion, a SolarWinds IT performance monitoring system. The incident prompted SolarWinds to establish a new software development process that includes addressing security early on. Brown sees the event as a valuable learning experience, and not just for SolarWinds. CISOs at other companies have been able to get more funding from boards, and it has prompted government to adopt new software procurement practices and move forward with plans to secure the software supply chain.

Note

  • Don’t get caught up in buzzwords and new shiny terms; make sure that you’re using secure practices with software you’re producing, paying attention to internet-sourced components, and make sure software installed is the genuine product from your vendor, with sufficient regression testing prior to production deployment. Make sure that you’re watching your threat feeds for software and services you use so you can follow up on possible areas of concern. After that, rely on your existing processes for detection and monitoring of malfeasance.

US Financial Companies Fined for Failing to Provide Adequate Cybersecurity

The US Securities and Exchange Commission (SEC) has fined US financial companies JP Morgan Chase & Co and Trade Station for “deficient customer identity programs.” In addition, the Consumer Financial Protection Bureau fined US Bancorp for opening unauthorized accounts. The fines for the three companies totaled $3.5 million.

Note

  • The SEC has a red flags rule, which requires financial institutions and some “creditors” to conduct a risk assessment to determine if they have covered (in scope) accounts. If so, they are required to implement a program for the relevant red flags to protect those accounts from identity theft. If you are a FI or creditor, review the rule to make sure that your risk-assessment meets the current criteria there, and address any shortcomings post-haste.
  • It is not clear from the report cited below whether this punishment is more about IAM or the traditional requirement that banks know their customer, authentication, or new account.

New Manjusaka toolkit used in attacks in Asia

Cisco Talos recently discovered a new attack framework called “Manjusaka” being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors. Talos recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints. Read more: Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

TCL LinkHub Mesh Wi-Fi system contains 17 vulnerabilities

The TCL LinkHub Mesh Wi-Fi system is a multi-device Wi-Fi system that allows users to expand access to their network over a large physical area. What makes the LinkHub system unique is the lack of a network interface to manage the devices individually or in the mesh. Instead, a phone application is the only method to interact with these devices. However, this setup leaves the LinkHub Mesh Wi-Fi system open to several vulnerabilities, which we are disclosing today. An attacker could exploit these vulnerabilities to carry out a variety of malicious actions, including injecting code at the operating system level, stealing credentials and causing a denial of service of the entire network. During Talos’ research into this product, 17 different vulnerability reports were generated. These reports group together similar CVEs into reports that are sent to vendors, and in this case are a grouping of 41 unique CVEs. Read more: Vulnerability Spotlight: How misusing properly serialized data opened TCL LinkHub Mesh Wi-Fi system to 17 vulnerabilities

Apps Expose Twitter API Keys

More than 3,200 apps are exposing Twitter API keys publicly. Researchers from the cybersecurity firm CloudSEK “discovered that 3207 apps were leaking valid Consumer Key and Consumer Secret.” Bad actors with access to these keys could perform actions as the account owners. CloudSEK recommends that developers use API key rotation.

Note

  • There is nothing you can do to protect credentials once you send them to the user. If you would like the user to interact with Twitter using your application, use the user’s credentials, not yours.
  • Review source code to make sure that hard-coded API keys are not included. When stored, make sure they are not in plaintext. Consider using the mobile device secure storage for API keys versus storing them in configuration files.
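One way to act on the “review source code for hard-coded API keys” advice, as an added example that is not CloudSEK's tooling: a small scanner that flags string literals assigned to credential-looking names and drops obvious placeholders. The name patterns, placeholder words, file-type list and entropy threshold are constructed heuristics, not Twitter's key formats, and the sample source is made up.

```python
"""Flag hard-coded API credentials in source and config text.

Added example (not CloudSEK's tooling): heuristics for credential-like
assignments; the name list, placeholder words and entropy threshold are
assumptions, not any vendor's key format.
"""
import math
import re
from collections import Counter
from pathlib import Path
from typing import Iterable, List, NamedTuple

# A string literal (or bare token in .env/.properties files) assigned to a
# credential-looking identifier. Accepts `=` and `:` so Java, Kotlin, Swift,
# JS, Python, YAML and .env lines are all covered.
_CRED_NAME = (
    r"(?P<name>[A-Za-z0-9_.-]*"
    r"(?:api[_-]?key|consumer[_-]?(?:key|secret)|access[_-]?token|client[_-]?secret|secret)"
    r"[A-Za-z0-9_.-]*)"
)
_ASSIGNMENT = re.compile(
    _CRED_NAME + r"""\s*[:=]\s*["']?(?P<value>[A-Za-z0-9_\-]{16,})["']?""",
    re.IGNORECASE,
)
# Values that are clearly templates rather than credentials (constructed list).
_PLACEHOLDER = re.compile(r"your|example|changeme|placeholder|todo|xxxx", re.IGNORECASE)

# File types worth scanning in a mobile/web project (assumed list).
SOURCE_SUFFIXES = (".java", ".kt", ".swift", ".m", ".js", ".ts", ".py",
                   ".json", ".xml", ".plist", ".properties", ".yml", ".yaml")


class Finding(NamedTuple):
    path: str
    line_no: int
    name: str
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, repeated filler scores low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, path: str = "<text>", min_entropy: float = 3.0) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = _ASSIGNMENT.search(line)
        if not m:
            continue
        value = m.group("value")
        if _PLACEHOLDER.search(value):
            continue  # YOUR_KEY_HERE, xxxxxxxx and friends
        entropy = shannon_entropy(value)
        if entropy < min_entropy:
            continue  # too uniform to be a real key
        findings.append(Finding(path, line_no, m.group("name"), round(entropy, 2)))
    return findings


def scan_tree(root: Path, suffixes: Iterable[str] = SOURCE_SUFFIXES) -> List[Finding]:
    """Walk a checkout or an unpacked app bundle and scan every matching file."""
    findings: List[Finding] = []
    for path in root.rglob("*"):
        # ".env" has no suffix in pathlib, so match it by name.
        if path.is_file() and (path.suffix.lower() in suffixes or path.name == ".env"):
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            findings.extend(scan_text(text, str(path)))
    return findings


# Constructed sample source; the "keys" below are made-up strings.
SAMPLE_SOURCE = """\
// constructed sample, not real credentials
static final String CONSUMER_KEY = "Kq7mZp2XvL9nR4tB8wYc1dFgHs";
static final String CONSUMER_SECRET = "YOUR_CONSUMER_SECRET_HERE";
String accessToken = System.getenv("TWITTER_ACCESS_TOKEN");
api_key = "xxxxxxxxxxxxxxxxxxxxxxxx"
client_secret: 'p3Qw9ZrT5kLmN8vBx2CyD7hJ4sFgA1eU'
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE, "Sample.java"):
        print(f"{f.path}:{f.line_no}: hard-coded value assigned to {f.name} (entropy {f.entropy})")
```

Run it in CI over the repository and again over the unpacked app bundle; the second pass is the one that catches keys that survived obfuscation. A finding is a prompt to move the value into per-user tokens or the platform's secure storage and to rotate the key, since anything that already shipped is already exposed.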

CISA Adds Atlassian Flaw to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added the Atlassian Questions for Confluence hard-coded credentials vulnerability (CVE-2022-26138) to its Known Exploited Vulnerabilities catalog. Atlassian has released updates (2.7.38 and 3.0.5) to address the flaw, which is being actively exploited. Federal agencies have until August 19 to mitigate the vulnerability.

Note

  • Exploiting the flaw is trivial and we have seen a number of attempts against honeypots. Treat exposed unpatched systems as compromised.
  • The motivator here is that this is being actively exploited, which you may need to leverage if you’re not getting support to update to the patched version. Agencies are likely already being asked to report out on remediating the Atlassian flaws, expect this to fold into your regular BOD-22-01 reporting.

Austrian Government Investigating Alleged Spyware Company

Authorities in Austria are investigating a company in that country that allegedly makes spyware to be used for targeting law firms, banks, and consultancies. The spyware has been used to target organizations in at least three countries. News of the investigation follows close on the heels of a report from Microsoft’s Threat Intelligence Center that included information about malware known as Subzero that was allegedly developed by a company based in Vienna, Austria.

Note

  • In the 1980s I worked for the US Secret Service designing surveillance equipment used in counterfeiting investigations. Back then there were companies that pretended to sell anti-surveillance equipment to law enforcement (who, of course, didn’t need it) but really sold to criminals. We had to build in “anti-anti-surveillance” capabilities because in an open society it is hard to make dual use technologies illegal, as we’ve seen with social networks in recent times. Seems like in this case (DSIRF selling spyware that exploited a (now patched) vulnerability) existing laws could be used against the companies doing this.
  • Back in January, Xavier Mertens wrote up a malicious Excel file that matches the type of malware used by this company. See isc.sans.edu/diary: Mixed VBA & Excel4 Macro In a Targeted Excel Sheet
  • The company accused of developing the Subzero spyware is DSIRF (tracked by Microsoft as KNOTWEED). The malware spreads multiple ways including exploiting zero-day vulnerabilities in Windows and Acrobat Reader. Microsoft’s advisory allowed the company to be linked to the sale of the software for unauthorized surveillance. Microsoft announced that Defender Antivirus, signature build 1.371.503.0, detects KNOTWEED and released a patch for the zero-day (CVE-2022-22047) in their July 12 patch release.

US Court System Breach

At a hearing of the US House Committee on the Judiciary last week, committee chair Jerrold Nadler said the US federal judicial court system “faced an incredibly significant and sophisticated cyber security breach, one which has since had lingering impacts on the department and other agencies.” The breach was conducted by three foreign state-sponsored threat actors.

Note

  • Not much info on this one, but odds are high it was yet another failure of basic security hygiene and really not all that sophisticated of an attack.
  • This is a breach from 2020 which is only just now coming to light. Even now, the concerns are of eradication and preventing recurrence. While not disclosed, at this point scope should be very well known so recovery actions can complete. The lesson here is to have a disclosure timeline that you manage, as opposed to learning your breach was announced by a third party at a venue you’ve not granted permission for the disclosure.
  • The lesson for the rest of us is that “data at rest” for an indefinite period should be encrypted.

Akamai Mitigated Largest Ever DDoS Against a European Company

Akamai thwarted the largest distributed denial-of-service (DDoS) attack ever faced by a European customer. The unnamed organization was targeted by DDoS attacks over a 30-day period earlier this summer. The attack peaked at 659.6 million packets per second (Mpps) and 853.7 gigabits per second (Gbps) over 14 hours on July 21.

Note

  • I’d like to see the newly formed DHS CISA Cyber Safety Review Board look at this or any of the other recent “largest ever DDoS” attacks and determine why ISPs couldn’t detect much/most of this attack and apply filtering at the source’s connection to their services. If the water companies were delivering sewage to businesses and government agencies, we would not expect to see companies paying to filter it out on the receiving end.
  • Companies like Akamai, Microsoft and Cloudflare will continue to raise the bar on their DDoS protection capabilities, which deserves kudos. Seems like we’re continuing to hear about mitigating “the largest attack ever.” I think the better question is what can your ISP and CDN do for you to mitigate these attacks and have you signed up for that service. If they have free and paid services, fully understand the difference so you can make an informed choice.

Tennessee Valley Authority IG Audit Report on EDR

The Tennessee Valley Authority Office of the Inspector General has published the results of an audit they conducted “to determine the effectiveness of endpoint protection on TVA desktops and laptops.” The White House’s Federal zero-trust architecture strategy includes deploying endpoint detection and response (EDR) technology that meets technical requirements set by the Cybersecurity and Infrastructure Security Agency (CISA). While the TVA IG’s audit found aspects “of TVA’s endpoint protection program to be generally effective,” the report found some gaps in TVA’s policy, procedures, and internal controls and notes that TVA does not require endpoint protection for all network connections.

Note

  • Independent of Zero Trust, our hybrid work model drives the need for both effective EDR and remote connections to services. Configure your VPN to conduct a posture check against minimum standards prior to allowing the connection, to include enabled/current EDR. Make sure that your EDR is indeed that, not just an anti-malware tool, and that you’ve enabled protections as well as centralized the logging from your endpoints. Make sure that updates, configuration management and logging work irrespective of the VPN. As you move into “vpnless” services make sure that appropriate posture checks are made before connections are made, and the control point is as close to the target service as possible to prevent bypass.

European Energy Company Encevo Discloses Cyberattack

Luxembourg-based energy provider Encevo has acknowledged that some of its subsidiaries were targeted in a cyberattack. Encevo says that the attackers exfiltrated data and rendered data inaccessible. Customers are advised to reset account credentials.

Note

  • Indicators point to this as the BlackCat ransomware and that they threatened to post 180,000 files (about 150 GB), adding extortion to their ransomware plans. Encevo is still working to determine the scope of the attack and plan their recovery. While customers are advised to reset their credentials, I would hold off until they are certain the malware is contained/eradicated. If you happen to have used the same credentials with Encevo and ANY OTHER service, change those non-Encevo passwords immediately, enabling MFA if offered.

Proposed Legislation Addresses Federal Data Center Resilience

A bill introduced in the US Senate would direct the Office of Management and Budget (OMB) to establish requirements to protect federal data centers. The Federal Data Center Enhancement Act of 2022 addresses both cybersecurity and physical security, aiming to improve the centers’ resilience against cyberattacks, terrorist attacks, and natural disasters.

Note

  • It is hard to be against any action to improve government data center security, but after the terrorist attacks against the US on September 11 2001 and the impact of Hurricane Katrina in 2005 I think we saw similar legislation, though without the new “resilience” buzzword. I’d like to see reviews of both gaps and best practices in federal data center protection happen before more layers of security requirements are issued.
  • I’m not so sure we need information on how to harden a data center. Information for building or retrofitting data centers with different tiers is well known, and we already have controls intended to verify the basics. The bigger problem is to ensure that services are in a data center commensurate with their C-I-A levels. This means you need to find out what service level your data center is built to, then making sure that your applications are not expecting a higher level. Don’t forget about geographic diversity. With the administration directive to cloud adoption, many service providers already have solutions to get your CIA levels without you having to physically build anything. You also have the flexibility to select application specific options, rather than having to build your facility to the highest common denominator.

Australian Man Charged for Creating and Distributing RAT

Australian authorities have charged an individual for allegedly creating and selling spyware for criminal use. Jacob Wayne John Keen allegedly created a remote access trojan (RAT) and sold it to more than 14,500 people in 128 countries between 2012 and 2019. Keen faces six counts that carry a maximum sentence of 20 years in prison.

Note

  • The spyware, named Imminent Monitor, was allegedly created by Keen when he was 15 and he administered it from 2013 until his shutdown in 2019. The RAT, which is distributed via email and text messages, included keystroke monitors, recording from webcams and/or microphones, hidden RDP access and even a cryptocurrency miner. The miner is not a typical RAT function. Imminent Monitor sold for AUD $35.

Confluence servers under attack due to hardcoded password

Confluence server owners are advised to update their installations, as news emerged last week of active exploitation attempts against a vulnerability the company patched in one of its most popular products.

According to Atlassian, the vulnerability (CVE-2022-26138) is a hardcoded password in Questions for Confluence, an app that can be installed on Confluence Server and Data Center on-premise instances to allow employees to ask questions and receive answers from a company’s various internal departments.

While Atlassian released a patch that disables this built-in hardcoded account on July 20, Confluence server owners did not get that much of a time window to install fixes, as the username and credentials for this account were published on Twitter a day later by an “annoyed researcher.”

As things usually tend to go in Infosecland, it did not take long before these details were put to “good use,” and cybersecurity firms Greynoise and Rapid7 reported seeing ongoing exploitation of this vulnerability less than a week after the patch was released.

Since Confluence on-premise servers are broadly used in corporate and government environments, the US Cybersecurity and Infrastructure Security Agency (CISA) has also urged Confluence server owners to check whether the vulnerable app has been installed on their servers and then install the patches.

Atlassian warned that disabling the app won’t fix the issue, and server owners must either install the security fixes or manually disable the hardcoded account created by the Questions for Confluence app:

News of this issue being exploited in the wild comes after threat actors, including ransomware gangs, exploited another Confluence bug (CVE-2022-26134) a month earlier, and many other vulnerabilities before that.

Proxy service hack

The operators of the 911[.]re proxy network said they are shutting down in the aftermath of a data breach that destroyed key components of its business operation, Brian Krebs reported. The shutdown also comes days after Krebs published an in-depth look at the shady service earlier this month.

Russian Postal Service leak

Last week, hackers published a data trove they claim to have stolen from the official Russian Postal Service. The data contains more than 10 million data points about past shipments. This includes sender and recipient names, addresses, and shipment details. In a statement to local media, Pochta denied the breach and said the hackers obtained the data from a third-party contractor. Russian delivery services have been at the center of several data leaks since Russia’s invasion of Ukraine. Past leaks include Yandex Food, DeliveryClub, and CDEK.

OneTouchPoint breach

Marketing platform OneTouchPoint disclosed a security breach last week. The breach is the result of a ransomware attack that took place in April this year, and the company said that 34 healthcare organizations that used its platform had data compromised in the incident.

Another crypto hack

DeFi platform Nirvana lost roughly $3.5 million following a flash loan attack that took place last week. Just like any respectable DeFi platform, Nirvana is now begging the hacker on its knees to return the stolen funds in exchange for a “bug bounty” payment (wink-wink) of $300,000.

Creos pipeline attack

The operators of the AlphV ransomware claimed to have successfully attacked the Creos Luxembourg natural gas pipeline operator. The company previously disclosed a cybersecurity incident last week but did not specify if it was ransomware.

Breach costs passed to customers

An IBM report published last week has found that almost 60% of the surveyed companies will pass on the costs incurred and associated with a recent data breach downstream to their customers in the form of price hikes.

AdGuard VPN gets blocked in Russia

AdGuard, one of today’s largest ad-blocking companies, said that its ad-blocking and DNS privacy services are having issues for Russian users after Russian telecommunications watchdog Roskomnadzor blocked AdGuard VPN servers last week.

Regrettably, their methods were crude, and along with AdGuard VPN, the entire adguard.com domain became unavailable for Russian users. This led to multiple issues with AdGuard Ad Blocker and AdGuard DNS service.

Tor Android app banned again in Russia

A Russian court re-introduced a ban on the Tor Browser mobile app inside Russia’s borders. The Russian government initially ordered Google to remove the app from the official Play Store at the end of May, but the ban was reversed last week following a legal action citing a breach of procedures, only for the ban to be re-introduced days later.

Israel clears police of NSO wrongdoings

An Israeli government commission said last week that Israeli police forces did not break any laws when they deployed the NSO Group’s Pegasus spyware in some cases. The Israeli government was forced to investigate the police force’s use of the Pegasus spyware after local media claimed they deployed NSO’s tools against political activists and not just criminal suspects.

Imminent Monitor RAT author finally charged

Australian authorities have finally charged the creator of the Imminent Monitor remote access trojan, almost three years after Europol cracked down on the operation. Jacob Wayne John Keen, 24, from Brisbane, was charged for creating the widely popular hacking tools, along with his mother, 42, who authorities said profited from the proceeds of her son’s crimes.

Russian extortionist sentenced

Russian authorities have detained a suspect in the Kaluga region, near Moscow, on charges of breaking into users’ VK social media accounts, stealing private information, and threatening victims to release the data unless they pay a ransom demand.

Raspberry Robin

Microsoft said on Friday that they’d seen instances where the new Raspberry Robin malware has deployed second-stage malware known as FakeUpdates/SocGholish.

In the eyes of several security experts, this is a worrying event as the SocGholish operation has been previously used to drop ransomware inside corporate networks in the past.

More from Katie Nickels, Director of Intelligence at Red Canary, the security firm that initially discovered and documented the Raspberry Robin malware earlier this year.

“Many organizations have observed and publicly discussed Raspberry Robin’s initial execution behaviors, but there remained a major gap in that no one seems to have observed any later-stage activity—like an eventual payload. Microsoft’s finding that Raspberry Robin has deployed malware called FakeUpdates/SocGholish is an interesting development. Microsoft is certainly credible, but we can’t independently verify their claim at this time.

Raspberry Robin itself is an activity cluster that we created based on observed behaviors in multiple different environments. We continue to see Raspberry Robin activity, but we have not been able to associate it with any specific person, company, entity, or country. Ultimately, it’s too early to say if Evil Corp is responsible for, or associated with, Raspberry Robin. The Ransomware-as-a-Service (RaaS) ecosystem is a complex one, where different criminal groups partner with one another to achieve a variety of objectives. As a result, it can be difficult to untangle the relationships between malware families and observed activity.

Microsoft’s findings suggest that the adversaries behind Raspberry Robin may have some kind of relationship with DEV-0206 and DEV-0243, two groups tracked by Microsoft, but the exact nature of that relationship is unclear. Red Canary has not directly observed Raspberry Robin spreading SocGholish/FakeUpdates, nor are we aware of any clear connection to Evil Corp, DEV-0206, or DEV-0243, but we’re watching to see if more evidence emerges to solidify these relationships or if they were simply one-time occurrences.”

SafeSound ransomware decrypted

Chinese security firm Rising released a free decryption utility for users impacted by the SafeSound ransomware.

New HiddenAds attacks

McAfee said it discovered 13 apps available on the Play Store that were infected with the HiddenAds adware. The apps were collectively downloaded more than 7.2 million times.

Investment scam network

Security firm Group-IB said it uncovered a network of more than 10,000 malicious sites that are likely being used in an investment scam scheme.

ENISA ransomware report

ENISA, the European Union Agency for Cybersecurity, has published a report analyzing more than 600 ransomware attacks that took place between May 2021 and June 2022. The report introduces the LEDS matrix (Lock, Encrypt, Delete, Steal) that maps ransomware capabilities based on the actions performed and assets targeted.

Capabilities of current ransomware in terms of actions they perform and assets they target.

DawDropper

Trend Micro has published a report on DawDropper, a new dropper-as-a-service (DaaS) for Android malware. This new service is advertised on the dark web and has already been seen inside infected apps on the official Google Play Store, where it has been used to push more advanced banking trojans to devices previously infected with the more innocuous DawDropper first-stage payload.

Raccoon Stealer v2

Cybersecurity firm Zscaler published a technical analysis of the Raccoon Stealer v2 malware. A similar report is also available from Sekoia.

Charming Kitten OpSec mistakes

PwC researchers published a report detailing the operational security (OpSec) mistakes of Charming Kitten (APT35, Yellow Garuda), an Iranian APT known for making such mistakes for years.

New rowhammer research

A team of academics and security researchers from AWS, Google, and others published new research last week detailing a new method of conducting rowhammer attacks on computer memory. The attack, named Half-Double [PDF], will be presented at the USENIX Security conference in the next few days and is also accompanied by PoC code. According to the research team, Half-Double is “an escalation of [classic] Rowhammer [attacks] to rows beyond immediate neighbors,” with the team inducing bit errors two rows away from the hammered rows rather than only in the immediately adjacent ones.

New cryptographic attack

Academics from Belgian university KU Leuven have published details about a cryptographic attack against the Supersingular Isogeny Diffie–Hellman (or SIDH) key exchange algorithm. The SIDH algorithm is an analog of the more well-known Diffie–Hellman algorithm that can be used to establish a secret key between two parties over insecure connections and was designed to resist attacks from quantum computers. According to the research team, their attack can recover keys within one hour. Mathematician Steven Galbraith has more on the topic, along with the following conclusion:

There is no doubt that this result will reduce confidence in isogenies. The sudden appearance of an attack this powerful shows that the field is not yet mature. The relatively recent attack by Ward Beullens on Rainbow has a similar impact on multivariate crypto. The correct response to this is not to attempt to minimise the impact, nor to reflexively declare the subject dead. Instead, we should keep our minds open and let the mathematicians work out the implications, wherever they lead.

Arris router vulnerabilities

Security researcher Derek Abdine on Friday published details on three vulnerabilities in the firmware of Arris routers and all derivative products. Abdine says that while two of the three vulnerabilities are “impractical to exploit,” the third is rated critical. The vulnerabilities impact Arris DSL routers, which are usually handed out by ISPs to their customers for at-home connectivity. Abdine says that at least 19,000 such devices can be easily discovered online.

New tool

Palo Alto Networks has open-sourced a Python library for the extraction of information from .NET Portable Executable (PE) malware files.
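Since the item does not show what that extraction involves, here is an added example, written for this page and not Palo Alto's library, that walks the documented PE layout to the CLR data directory (index 14), resolves the IMAGE_COR20_HEADER through the section table, and reads the metadata root's version string and stream headers. The file it parses is constructed inline: a stub PE32+ with a single section, not a real binary; the stream offsets and entry-point token in it are arbitrary values chosen for the sample.

```python
"""Added example: triage a .NET PE by locating its CLR header and metadata root.

Not Palo Alto's library; a from-scratch parser over the documented PE/CLI
layout, plus a constructed sample file so it runs offline.
"""
import struct

COM_DESCRIPTOR_INDEX = 14        # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
METADATA_SIGNATURE = 0x424A5342  # 'BSJB', start of the metadata root


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table (raises if unmapped)."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def parse_dotnet_pe(data):
    """Return CLR header and metadata facts, or is_dotnet=False for native PEs."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = _u32(data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff, opt = pe + 4, pe + 24
    nsections, opt_size = _u16(data, coff + 2), _u16(data, coff + 16)
    magic = _u16(data, opt)
    if magic == 0x10B:      # PE32: 96-byte optional header before the directories
        nrva, dirs = _u32(data, opt + 92), opt + 96
    elif magic == 0x20B:    # PE32+: 112-byte optional header
        nrva, dirs = _u32(data, opt + 108), opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if nrva <= COM_DESCRIPTOR_INDEX:
        return {"is_dotnet": False, "reason": "no CLR data directory"}
    clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 8 * COM_DESCRIPTOR_INDEX)
    if clr_rva == 0 or clr_size == 0:
        return {"is_dotnet": False, "reason": "CLR data directory is empty"}
    sections = []
    for i in range(nsections):  # section table follows the optional header
        s = opt + opt_size + 40 * i
        sections.append((_u32(data, s + 12), _u32(data, s + 8),
                         _u32(data, s + 20), _u32(data, s + 16)))
    clr = _rva_to_offset(sections, clr_rva)
    cb, major, minor, meta_rva, meta_size, flags, token = struct.unpack_from("<IHHIIII", data, clr)
    if cb < 72:
        raise ValueError("IMAGE_COR20_HEADER truncated (cb=%d)" % cb)
    meta = _rva_to_offset(sections, meta_rva)
    if _u32(data, meta) != METADATA_SIGNATURE:
        raise ValueError("metadata root signature mismatch")
    ver_len = _u32(data, meta + 12)
    version = data[meta + 16:meta + 16 + ver_len].split(b"\0", 1)[0].decode("ascii")
    p = meta + 16 + ver_len + 2          # skip the 2-byte Flags field
    nstreams, p = _u16(data, p), p + 2
    streams = []
    for _ in range(nstreams):            # stream headers: offset, size, padded name
        off, size = struct.unpack_from("<II", data, p)
        end = data.index(b"\0", p + 8)
        streams.append((data[p + 8:end].decode("ascii"), off, size))
        p = p + 8 + ((end - (p + 8)) + 1 + 3) // 4 * 4
    return {"is_dotnet": True, "runtime_version": "%d.%d" % (major, minor),
            "flags": flags, "il_only": bool(flags & 1),
            "entry_point_token": token, "metadata_version": version,
            "metadata_size": meta_size, "streams": streams}


def build_sample(dotnet=True):
    """Constructed sample: a 1 KiB PE32+ with one section; not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 112 + 128, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    dirs = bytearray(128)
    body = bytearray(0x200)
    if dotnet:
        struct.pack_into("<II", dirs, 8 * COM_DESCRIPTOR_INDEX, 0x2000, 72)
        metadata = (struct.pack("<IHHII", METADATA_SIGNATURE, 1, 1, 0, 12)
                    + b"v4.0.30319\0\0" + struct.pack("<HH", 0, 2)
                    + struct.pack("<II", 0x6C, 0x100) + b"#~\0\0"
                    + struct.pack("<II", 0x16C, 0x40) + b"#Strings\0\0\0\0")
        clr = struct.pack("<IHHIIII", 72, 2, 5, 0x2048, len(metadata), 1, 0x06000001)
        body[:72 + len(metadata)] = clr + b"\0" * 48 + metadata
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x2000, 0x200, 0x200,
                                            0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + bytes(dirs) + section
    return headers + b"\0" * (0x200 - len(headers)) + bytes(body)


if __name__ == "__main__":
    print(parse_dotnet_pe(build_sample()))
    print(parse_dotnet_pe(build_sample(dotnet=False)))
```

A native PE, or one whose directory 14 is zeroed, comes back as `is_dotnet=False` rather than raising; truncated or inconsistent headers raise `struct.error` or `ValueError`, which a triage pipeline should catch and record as "malformed" instead of silently classifying the sample as native. Because managed code cannot run without a valid CLR header, packed or obfuscated .NET samples still carry this directory, which makes it a cheap and reliable first check before any deeper metadata-table parsing.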

SteelCon videos

Talks from the SteelCon 2022 security conference, which took place last week, are now available on YouTube.

TLS test suite

Academics from two German universities have launched a new TLS test suite to evaluate the RFC compliance of Transport Layer Security (TLS) libraries. The suite, named TLS-Anvil, will be presented in more detail in the coming weeks at the USENIX Security conference.
