This posting is here to collect cyber security news in July 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
US warns of action against ransomware gangs if Russia refuses https://www.bleepingcomputer.com/news/security/us-warns-of-action-against-ransomware-gangs-if-russia-refuses/
White House Press Secretary Jen Psaki says that the US will take action against cybercriminal groups from Russia if the Russian government refuses to do so. Also:
https://www.zdnet.com/article/ransomware-us-warns-russia-to-take-action-after-latest-attacks
Tomi Engdahl says:
Researchers Reproduce Exploit Used in Kaseya Hack
https://www.securityweek.com/researchers-reproduce-exploit-used-kaseya-hack
Tomi Engdahl says:
Rural Alabama Electric Cooperative Hit by Ransomware Attack
https://www.securityweek.com/rural-alabama-electric-cooperative-hit-ransomware-attack
A utility that provides power in rural southeastern Alabama was hit by a ransomware attack that meant customers temporarily can’t access their account information, but an executive said Tuesday that systems were beginning to be brought back online.
Tomi Engdahl says:
CISA Says Philips Vue Healthcare Products Affected by 15 Vulnerabilities
https://www.securityweek.com/cisa-says-philips-vue-healthcare-products-affected-15-vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday published an advisory to inform organizations about a total of 15 vulnerabilities affecting Philips Vue healthcare products.
The flaws, many of which exist in third-party components, affect several Philips Clinical Collaboration Platform Portal (Vue PACS) products, including MyVue, Vue Speech and Vue Motion, CISA said.
The security holes are related to improper input validation, memory bugs, improper authentication, insecure/improper initialization of resources, use of expired cryptographic keys, use of weak cryptographic algorithms, improper use of protection mechanisms, data integrity issues, cross-site scripting (XSS), improperly protected credentials, and the cleartext transmission of sensitive data.
“Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system,” CISA said in its advisory.
Of the 15 vulnerabilities, 7 appear to be specific to Philips products, while the rest impact third-party components such as Redis, 7-Zip, Oracle Database, jQuery, Python, and Apache Tomcat.
ICS Medical Advisory (ICSMA-21-187-01)
Philips Vue PACS
https://us-cert.cisa.gov/ics/advisories/icsma-21-187-01
Tomi Engdahl says:
https://www.securityweek.com/continuous-updates-everything-you-need-know-about-kaseya-ransomware-attack
Tomi Engdahl says:
Sophos Acquires Capsule8 to Beef up Linux Protection
https://www.securityweek.com/sophos-acquires-capsule8-beef-linux-protection
British anti-malware powerhouse Sophos has acquired Capsule8 to beef up the Linux protection capabilities to its endpoint detection and response product stack.
Financial terms of the deal were not disclosed.
Capsule8, based in New York, raised $30 million in venture capital investments since launching in 2016. Capsule8’s investors include Intel Capital, Rain Capital, ClearSky and Bessemer Venture Partners.
Tomi Engdahl says:
Kaspersky Password Manager Generated Passwords That Could Quickly Be Brute-Forced
https://www.securityweek.com/kaspersky-password-manager-generated-passwords-could-quickly-be-brute-forced
Tomi Engdahl says:
No, open source Audacity audio editor is not “spyware”
The community’s telemetry concerns were received and addressed two months ago.
https://arstechnica.com/gadgets/2021/07/no-open-source-audacity-audio-editor-is-not-spyware/?utm_brand=ars&utm_source=facebook&utm_social-type=owned&utm_medium=social
Tomi Engdahl says:
Wall Street Journal:
A Dutch security researcher group says it had notified Kaseya in April about one of the flaws that was exploited in the devastating ransomware attack last week — President Biden is meeting officials to discuss recent attacks, including latest affecting hundreds of organizations around the world
Software Firm at Center of Ransomware Attack Was Warned of Cyber Flaw in April
https://www.wsj.com/articles/software-firm-at-center-of-ransomware-attack-was-warned-of-cyber-flaw-in-april-11625673291?mod=djemalertNEWS
President Biden is meeting officials to discuss recent attacks, including latest affecting hundreds of organizations around the world
Kaseya is still working to fully patch the cybersecurity flaw in its VSA software.
WASHINGTON—The software company linked to a massive ransomware spree that began last week and has impacted hundreds of organizations across the globe was notified in early April of a cybersecurity vulnerability used in the attack, according to the Dutch security researcher group that discovered the issue.
Kaseya Ltd., a Miami-based software supplier that helps technology-service providers manage computer networks, was told of a serious cybersecurity hole in its Kaseya VSA software on April 6, Victor Gevers, chairman of the Dutch Institute for Vulnerability Disclosure, said Wednesday. Mr. Gevers’s organization, which is a volunteer-run security group, discovered the flaw.
“When we discovered the vulnerabilities in early April, it was evident to us that we could not let these vulnerabilities fall into the wrong hands,” Mr. Gevers said in a blog post. “After some deliberation, we decided that informing the vendor and awaiting the delivery of a patch was the right thing to do.”
Kaseya VSA Limited Disclosure
https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/
07 Jul 2021 – Frank Breedijk
Why we are only disclosing limited details on the Kaseya vulnerabilities
Last weekend we found ourselves in the middle of a storm. A storm created by the ransomware attacks executed via Kaseya VSA, using a vulnerability which we confidentially disclosed to Kaseya, together with six other vulnerabilities.
Ever since we released the news that we indeed notified Kaseya of a vulnerability used in the ransomware attack, we have been getting requests to release details about these vulnerabilities and the disclosure timeline. In line with the guidelines for Coordinated Vulnerability Disclosure we have not disclosed any details so far. And, while we feel it is time to be more open about this process and our decisions regarding this matter, we will still not release the full details.
Why the secrecy?
As the ransomware attack using Kaseya VSA software has shown, the effects of a malicious actor knowing the full details of a vulnerability can be devastating. This immediately poses a dilemma to anybody that discovers a critical vulnerability in a critical piece of software, do we disclose the details or not?
If the full details are made public, it is evident that many cars will get stolen very soon. If you inform the owners, this will likely happen too. The chances of the details remaining secret are slim if you inform a broad audience. Even if you limit the details to ‘a security issue involving the bumper’, you might tip off the wrong people. Telling the manufacturer there is a good chance that he comes up with a fix before large-scale car thefts are happening, and consider if you need to tell the owners to keep their car behind closed doors in the meantime.
How does this relate to Kaseya VSA?
When we discovered the vulnerabilities in early April, it was evident to us that we could not let these vulnerabilities fall into the wrong hands. After some deliberation, we decided that informing the vendor and awaiting the delivery of a patch was the right thing to do. We hypothesized that, in the wrong hands, these vulnerabilities could lead to the compromise of large numbers of computers managed by Kaseya VSA.
As we stated before, Kaseya’s response to our disclosure has been on point and timely, unlike other vendors we have previously disclosed vulnerabilities to. They listened to our findings and addressed some of them by releasing a patch resolving a number of these vulnerabilities, followed by a second patch resolving even more. We’ve been in contact with Kaseya ahead of the release of both these patches, allowing us to validate that these vulnerabilities had indeed been resolved by the patch in development.
Unfortunately, the worst-case scenario came true on Friday the 2nd of July. Kaseya VSA was used in an attack to spread ransomware, and Kaseya was compelled to use the nuclear option: shutting down their Kaseya Cloud and advising customers to turn off their on-premise Kaseya VSA servers. A message that unfortunately arrived too late for some of their customers.
We later learned that one of the two vulnerabilities used in the attack was one we previously disclosed to Kaseya VSA.
What can we tell?
In this blogpost and DIVD case DIVD-2021-00011 we publish the timeline and limited details of the vulnerabilities we notified Kaseya of.
Full disclosure?
Given the serious nature of these vulnerabilities and the obvious consequences of abuse of Kaseya VSA we will not disclose the full details of the vulnerabilities until such time that Kaseya has released a patch and this patch has been installed on a sufficient number of systems, something for which we have the monitoring scripts. In the past few days we have been working with Kaseya to make sure customers turn off their systems, by tipping them off about customers that still have systems online, and hope to be able to continue to work together to ensure that their patch is installed everywhere.
Tomi Engdahl says:
Ransomware Attack Affecting Likely Thousands of Targets Drags On
REvil is said to have focused on Kaseya VSA, a software used by large companies and technology-service providers to manage and distribute updates
https://www.wsj.com/articles/ransomware-group-behind-meat-supply-attack-threatens-hundreds-of-new-targets-11625285071?cx_testId=3&cx_testVariant=cx_2&cx_artPos=3&mod=WTRN#cxrecs_s
Tomi Engdahl says:
Kaseya Ransomware Attack: What We Know as REvil Hackers Demand $70 Million
Hack is latest in string of high-profile incidents demanding payment to unlock computers
https://www.wsj.com/articles/kaseya-ransomware-attack-11625593654?cx_testId=3&cx_testVariant=cx_2&cx_artPos=4&mod=WTRN#cxrecs_s
Tomi Engdahl says:
Microsoft: PrintNightmare now patched on all Windows versions https://www.bleepingcomputer.com/news/security/microsoft-printnightmare-now-patched-on-all-windows-versions/
Microsoft has released the KB5004948 emergency security update to address the Windows Print Spooler PrintNightmare vulnerability on all editions of Windows 10 1607 and Windows Server 2016. Also:
https://docs.microsoft.com/en-us/windows/release-health/windows-message-center
Also:
https://www.bleepingcomputer.com/news/microsoft/how-to-mitigate-print-spooler-vulnerability-on-windows-10/
Tomi Engdahl says:
Microsoft’s emergency patch fails to fix critical “PrintNightmare” vulnerability
https://arstechnica.com/gadgets/2021/07/microsofts-emergency-patch-fails-to-fix-critical-printnightmare-vulnerability/
Despite Tuesday’s out-of-band patch being incomplete, it still provides meaningful protection against many types of attacks that exploit the print spooler vulnerability. Also:
https://www.bleepingcomputer.com/news/microsoft/windows-security-update-kb5004945-breaks-printing-on-zebra-printers/
Also:
https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html
Tomi Engdahl says:
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours https://beta.darkreading.com/vulnerabilities-threats/attacks-on-kaseya-servers-led-to-ransomware-in-less-than-2-hours
Automation allowed a REvil affiliate to move from exploitation of vulnerable servers to installing ransomware on downstream companies faster than most defenders could react.
Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software https://krebsonsecurity.com/2021/07/kaseya-left-customer-portal-vulnerable-to-2015-flaw-in-its-own-software/
On July 3, security incident response firm Mandiant notified Kaseya that their billing and customer support site portal.kaseya.net was vulnerable to CVE-2015-2862, a “directory traversal” vulnerability in Kaseya VSA that allows remote users to read any files on the server using nothing more than a Web browser.
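The directory traversal class of bug described in the Krebs item above, as an added example (not code from the Krebs article, Mandiant, or Kaseya): a naive path join beside a hardened resolver in Python. `BASE_DIR`, the function names and the sample request paths are my constructions; the resolver works purely on path strings so it runs offline.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed document root for the example; a real server would use its own.
BASE_DIR = "/srv/app/public"


def vulnerable_resolve(base: str, user_path: str) -> str:
    """Naive join of a user-supplied path onto the document root.

    This is the shape of a directory traversal bug: '../../etc/passwd' is
    joined as-is and the resulting path leaves the base directory, and an
    absolute path simply replaces the base. Shown for contrast only.
    """
    return posixpath.join(base, user_path)


def safe_resolve(base: str, user_path: str) -> Optional[str]:
    """Return the normalized absolute path if it stays inside base, else None.

    Steps: percent-decode once (so '%2e%2e/' is seen as '../'), reject NUL
    bytes, drop leading slashes so an absolute path cannot replace the base,
    normalize away '.' and '..', then check the result is still under base.
    On a live filesystem, also resolve symlinks (os.path.realpath) before
    the containment check.
    """
    decoded = unquote(user_path)
    if "\x00" in decoded:
        return None
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, decoded.lstrip("/")))
    if candidate == base_norm or candidate.startswith(base_norm + "/"):
        return candidate
    return None


def demo() -> dict:
    """Run a few constructed requests through both resolvers."""
    requests = [
        "css/site.css",
        "docs/../index.html",
        "../../etc/passwd",
        "%2e%2e/%2e%2e/etc/passwd",
        "/etc/passwd",
    ]
    return {r: (vulnerable_resolve(BASE_DIR, r), safe_resolve(BASE_DIR, r)) for r in requests}


if __name__ == "__main__":
    for req, (naive, safe) in demo().items():
        print(f"{req!r:32} naive={naive}  safe={safe}")
```

The containment check compares normalized strings rather than looking for `..` in the input, which is what defeats the percent-encoded and `a/../../x` variants; a deny-list on the raw request string would miss both.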
Tomi Engdahl says:
Russia ‘Cozy Bear’ Breached GOP as Ransomware Attack Hit https://www.bloomberg.com/news/articles/2021-07-06/russian-state-hackers-breached-republican-national-committee
Russian government hackers breached the computer systems of the Republican National Committee last week, around the time a Russia-linked criminal group unleashed a massive ransomware attack, according to two people familiar with the matter.
Tomi Engdahl says:
Critical Flaws Reported in Sage X3 Enterprise Management Software https://thehackernews.com/2021/07/critical-flaws-reported-in-sage-x3.html
Four security vulnerabilities have been uncovered in the Sage X3 enterprise resource planning (ERP) product, two of which could be chained together as part of an attack sequence to enable adversaries to execute malicious commands and take control of vulnerable systems.
Tomi Engdahl says:
Morgan Stanley Hit by Accellion Hack Through Third-Party Vendor
https://www.securityweek.com/morgan-stanley-hit-accellion-hack-through-third-party-vendor
Investment banking firm Morgan Stanley has informed the New Hampshire Attorney General that personal information of some customers was compromised through a third-party vendor that was using the Accellion FTA service.
Accellion’s file transfer service was hacked in December 2020 and January 2021, when a threat actor linked to the FIN11 cybercrime group exploited several vulnerabilities in FTA to access files pertaining to tens of organizations.
One of the organizations affected by the FTA incident is Guidehouse, which provides account maintenance services to Morgan Stanley’s StockPlan Connect business.
In a letter submitted last week to the New Hampshire Attorney General’s office, Morgan Stanley said Guidehouse informed them in May 2021 that some threat actors had exploited Accellion FTA to access Morgan Stanley documents that included personal information of StockPlan Connect participants.
The stolen files, Morgan Stanley says, were encrypted, yet the adversary “was able to obtain the decryption key during the security incident, due to the Accellion FTA vulnerability.”
Some of the information contained in the stolen documents included names, addresses, birth dates, Social Security numbers, and corporate company names.
“Note that any data within these files did not contain passwords that could be used to access financial accounts,” Morgan Stanley notes in the letter.
https://www.doj.nh.gov/consumer/security-breaches/documents/morgan-stanley-20210702.pdf
Tomi Engdahl says:
Israel Says It’s Targeting Hamas’ Cryptocurrency Accounts
https://www.securityweek.com/israel-says-its-targeting-hamas-cryptocurrency-accounts
Israel said Thursday it will begin seizing cryptocurrency accounts used by the Palestinian Hamas group to raise money for its armed wing.
Israeli Defense Minister Benny Gantz ordered security forces to seize the accounts after a joint operation “uncovered a web of electronic wallets” used by Hamas to raise funds using bitcoin and other cryptocurrencies, the ministry said.
It said Hamas has been waging an online campaign to raise donations for its military wing, efforts that accelerated after the 11-day Gaza war in May. Cryptocurrencies such as bitcoin are favored for illicit transactions because they are perceived as hard to trace.
“The intelligence, technological and legal tools that enable us to get our hands on terrorists’ money around the world constitute an operational breakthrough,” Gantz was quoted as saying.
Tomi Engdahl says:
Cisco Patches High Severity Vulnerabilities in BPA, WSA
https://www.securityweek.com/cisco-patches-high-severity-vulnerabilities-bpa-wsa
Tomi Engdahl says:
Mac Malware Used in Attacks Targeting Industrial Organizations in Middle East
https://www.securityweek.com/mac-malware-used-attacks-targeting-industrial-organizations-middle-east
Tomi Engdahl says:
Biden Pressured to Act on ‘Russian’ Ransomware, Hacking
https://www.securityweek.com/biden-pressured-act-russian-ransomware-hacking
Tomi Engdahl says:
Android Updates for July 2021 Patch Tens of High-Severity Vulnerabilities
https://www.securityweek.com/android-updates-july-2021-patch-tens-high-severity-vulnerabilities
Google on Wednesday announced the availability of the July 2021 security updates for the Android operating system, which include patches for over 40 vulnerabilities.
The most severe of these vulnerabilities affects the System component and could “enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google explains in its advisory.
Seventeen of the vulnerabilities were addressed with the 2021-07-01 security patch level. These include two elevation of privilege bugs in Framework, one elevation of privilege and one information disclosure issue in Media framework, and seven elevation of privilege and six information disclosure bugs in System.
All of these vulnerabilities have a severity rating of high and most of them affect devices running Android 8.1, 9, 10, and 11.
Tomi Engdahl says:
Emails Offering Kaseya Patches Deliver Malware
https://www.securityweek.com/emails-offering-kaseya-patches-deliver-malware
Tomi Engdahl says:
IT management software maker Kaseya is still working on patching the vulnerabilities exploited in the recent ransomware attack, but some cybercriminals are sending out emails offering the patches in an effort to distribute their malware.
https://www.securityweek.com/emails-offering-kaseya-patches-deliver-malware
Tomi Engdahl says:
Non-Malicious Android Crypto Mining Apps Scam Users at Scale
https://www.securityweek.com/non-malicious-android-crypto-mining-apps-scam-users-scale
With no bad behavior, the mobile apps are difficult to detect by automated security scans
Between March 2020 and March 2021, the value of bitcoin rose from $6,483 to $58,734 (Statista.com). The value is roughly $32,500 at the time of publishing. There’s money in cryptocurrency; and where there’s money, there’s criminals.
Researchers at mobile security firm Lookout have identified more than 170 Android apps that target and scam users interested in cryptocurrencies. Twenty-six of these were found on the official Google Play store — the remainder on third-party stores.
The apps are hardly sophisticated — but scams don’t need to be sophisticated, they just need to work. These work. The Lookout researchers report that the apps have scammed more than 86,000 people, and have stolen at least $350,000.
Tomi Engdahl says:
Lazarus gang targets engineers with job offers using poisoned emails
https://www.tripwire.com/state-of-security/security-data-protection/lazarus-gang-targets-engineers-with-job-offers-using-poisoned-emails/
Tomi Engdahl says:
We Got the Phone the FBI Secretly Sold to Criminals
‘Anom’ phones used in an FBI honeypot are mysteriously showing up on the secondary market. We bought one.
https://www.vice.com/en/article/n7b4gg/anom-phone-arcaneos-fbi-backdoor
Clicking the calculator doesn’t open a calculator—it opens a login screen.
“Enter Anom ID” and a password, the screen reads. Hidden in the calculator is a concealed messaging app called Anom, which last month we learned was an FBI honeypot.
Tomi Engdahl says:
The hackers, whoever they are, reportedly trolled the nation’s Supreme Leader Ali Khamenei, posting his phone number as “the number to call for information” on multiple train station message boards
Hackers Derail Iran’s Train System, Post Supreme Leader’s Phone Number as Help Line
https://gizmodo.com/hackers-derail-irans-train-system-post-supreme-leaders-1847260870
The cyberattack took place early Friday morning and has resulted in massive problems.
Cyberattacks reportedly disrupted Iran’s railway system on Friday, causing “unprecedented chaos” at stations throughout the country, according to state media.
The hackers, whoever they are, also reportedly trolled the nation’s Supreme Leader Ali Khamenei, posting his phone number as “the number to call for information” on multiple train station message boards, Reuters reports. According to some Iranian outlets, the number, 64411, was displayed on screens in train stations and redirected to Ayatolla Khamenei’s office when dialed.
The railway’s website, local ticket offices, and cargo services have all apparently been affected, the news outlet reports.
Hackers breach Iran rail network, disrupt service
https://www.reuters.com/world/middle-east/hackers-breach-iran-rail-network-disrupt-service-2021-07-09/
DUBAI, July 9 (Reuters) – Train services in Iran were delayed by apparent cyberattacks on Friday, with hackers posting the phone number of the country’s supreme leader as the number to call for information, state-affiliated news outlets reported.
Trains were delayed or cancelled as ticket offices, the national railway’s website and cargo services were disrupted, with “unprecedented chaos at railway stations across the country”, the state broadcaster IRIB reported.
Tomi Engdahl says:
The Biggest Ransomware Attack in History Just Happened…
https://m.youtube.com/watch?v=aiVEzkAX4LU&feature=youtu.be
Published 9.7.2021
With a $70 Million dollar bounty companies like Kaseya have a lot to answer for and ensure the security of many of their customers, all the way down to someone like you. At the same time the world is still reeling in and trying to understand just how large the “SolarWinds” cyberattack has grown and just who is responsible. Thanks for watching!
Tomi Engdahl says:
China’s Great Firewall is blocking around 311k domains, 41k by accident https://therecord.media/chinas-great-firewall-is-blocking-around-311k-domains-41k-by-accident/
In the largest study of its kind, a team of academics from four US and Canadian universities said they were able to determine the size of China’s Great Firewall internet censorship capabilities. In a research project that lasted nine months, from April to December 2020, academics developed a system called GFWatch that accessed domains from inside and outside China’s internet space and then measured how the Great Firewall (GFW) would tamper with the connection at the DNS level in order to prevent Chinese users from accessing a domain, or an external entity accessing Chinese internal sites.
Tomi Engdahl says:
Ukraine says Russian hackers hit its Navy website https://www.reuters.com/world/europe/ukraine-says-russian-hackers-hit-its-navy-website-2021-07-09/
Ukraine’s defence ministry said that hackers linked to the Russian authorities on Friday attacked the website of the Ukrainian Naval Forces and published fake reports about the international Sea Breeze-2021 military drills. Kyiv started in late June the military exercises involving more than 30 countries in the Black Sea, despite Russian calls to cancel the drills.
Tomi Engdahl says:
Scanning for Microsoft Secure Socket Tunneling Protocol https://isc.sans.edu/forums/diary/Scanning+for+Microsoft+Secure+Socket+Tunneling+Protocol/27622/
Over the past month I noticed a resurgence of probe by Digitalocean looking for the Microsoft (MS) Secure Socket Tunneling Protocol (SSTP). This MS proprietary VPN protocol is used to establish a secure connection via the Transport Layer Security (TLS) between a client and a VPN gateway.
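As an added example that is not part of the SANS diary entry: a small Python scanner over constructed web-server access-log lines that counts SSTP probes per source address. It assumes the request method name `SSTP_DUPLEX_POST` and the `/sra_{...}/` URI prefix from Microsoft's MS-SSTP specification, which the diary does not quote, and a combined Apache/nginx log layout; the log lines and IP addresses (documentation ranges) are constructed.

```python
import re
from collections import Counter
from typing import Dict, Optional

# One line in "combined" access-log format. Assumption: the log uses the
# common Apache/nginx layout; adjust the pattern for other formats.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[^ "]+) (?P<path>[^ "]+)[^"]*" (?P<status>\d{3})'
)

# The SSTP handshake is an HTTPS request with a method and URI that no
# ordinary browser sends (values from Microsoft's MS-SSTP specification,
# not from the SANS diary). Either signal on its own is enough to flag.
SSTP_METHOD = "SSTP_DUPLEX_POST"
SSTP_URI_PREFIX = "/sra_{"

# Constructed sample lines; the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jul/2021:10:12:01 +0000] "SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1" 404 153 "-" "-"
198.51.100.23 - - [09/Jul/2021:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jul/2021:10:14:31 +0000] "SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1" 404 153 "-" "-"
192.0.2.44 - - [09/Jul/2021:10:15:00 +0000] "POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1" 404 153 "-" "-"
198.51.100.23 - - [09/Jul/2021:10:16:10 +0000] "GET /about HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into fields, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def is_sstp_probe(record: Dict[str, str]) -> bool:
    """True when the request looks like an SSTP client hello."""
    return record["method"] == SSTP_METHOD or record["path"].startswith(SSTP_URI_PREFIX)


def find_sstp_probes(log_text: str) -> Counter:
    """Count SSTP-looking requests per source IP across the whole log."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_sstp_probe(rec):
            hits[rec["ip"]] += 1
    return hits


if __name__ == "__main__":
    for ip, n in find_sstp_probes(SAMPLE_LOG).most_common():
        print(f"{ip:16} {n} SSTP probe(s)")
```

On a server that does not run an SSTP gateway every such request is unexpected, so a non-zero count is a clean signal; on a server that does, the useful view is the set of source addresses that probe without ever completing a VPN session.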
Tomi Engdahl says:
Cyber-attack disrupts Iran’s national railway system https://therecord.media/cyber-attack-disrupts-irans-national-railway-system/
Train services were canceled or delayed in Iran after a cyberattack crippled the national railway company’s computer systems on Friday morning. The exact nature of the disruption is unclear, but the outage affected both passenger and cargo transportation services. According to multiple local media outlets, the system used for managing train schedules along with ticketing services went down on Friday morning, local time.
Tomi Engdahl says:
Mint Mobile hit by a data breach after numbers ported, data accessed https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/
Mint Mobile has disclosed a data breach after an unauthorized person gained access to subscribers’ account information and ported phone numbers to another carrier. According to the data breach notification email sent to affected subscribers this weekend, between June 8th and June 10th, a threat actor ported the phone numbers for a “small” number of Mint Mobile subscribers to another carrier without authorization.
Tomi Engdahl says:
Event scammers have found Finland: here is how to recognize the scam https://www.is.fi/digitoday/tietoturva/art-2000008113726.html
The band HEVISAURUS recently had to fight Facebook scammers. A genuine event listing for a gig was copied, and the scammers spread malicious web links in the band’s name. The phenomenon is relatively new in Finland. In the early phase of the corona pandemic there were a lot of these.
“Last June, when these virtual concerts started, that is really when this phenomenon began,” says Jussi Eronen, leading specialist at the Kyberturvallisuuskeskus (National Cyber Security Centre) under Traficom, giving background on the situation in Finland.
Tomi Engdahl says:
Biden asks Putin to crack down on Russian-based ransomware gangs https://www.bleepingcomputer.com/news/security/biden-asks-putin-to-crack-down-on-russian-based-ransomware-gangs/
President Biden asked Russian President Putin during a phone call today to disrupt ransomware groups operating within Russia’s borders behind the ongoing wave of attacks impacting the United States and other countries worldwide. “President Biden underscored the need for Russia to take action to disrupt ransomware groups operating in Russia and emphasized that he is committed to continued engagement on the broader threat posed by ransomware,” a White House statement reads.
Tomi Engdahl says:
Feds indict The Bull for allegedly selling insider stock info on the dark web https://arstechnica.com/gadgets/2021/07/feds-indict-the-bull-for-allegedly-selling-insider-stock-info-on-the-dark-web/
Federal prosecutors and attorneys on Friday charged a man with securities fraud for allegedly selling insider stock information on the dark web site AlphaBay. The defendant also sold information through multiple criminal marketplaces and through an encrypted messaging platform. In an indictment filed in federal court in the Southern District of New York, Department of Justice prosecutors alleged that Apostolos Trovias, 30, of Athens, Greece, created an account on AlphaBay in 2016 and used it to advertise and sell stock tips until the dark web criminal marketplace was shut down the following year.
Tomi Engdahl says:
Clarified Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/
On Tuesday July 6, 2021, Microsoft issued CVE-2021-34527 regarding a Windows Print Spooler vulnerability. Updates were released on July 6 and 7 which addressed the vulnerability for all supported Windows versions. We encourage customers to update as soon as possible.
Following the out of band release (OOB) we investigated claims regarding the effectiveness of the security update and questions around the suggested mitigations. Our investigation has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.
Tomi Engdahl says:
Don’t Be Rude, Stay: Avoiding Fork&Run .NET Execution With InlineExecute-Assembly https://securityintelligence.com/posts/net-execution-inlineexecute-assembly/
Some of you love it and some of you hate it, but at this point it should come as no surprise that .NET tradecraft is here to stay a little longer than anticipated. The .NET framework is an integral part of Microsoft’s operating system with the most recent release of .NET being .NET core. Core is the cross-platform successor to the .NET Framework that brings .NET to Linux and macOS as well. This now makes .NET more popular than ever for post exploitation tradecraft among adversaries and red teams.
Tomi Engdahl says:
REvil victims are refusing to pay after flawed Kaseya ransomware attack https://www.bleepingcomputer.com/news/security/revil-victims-are-refusing-to-pay-after-flawed-kaseya-ransomware-attack/
The REvil ransomware gang’s attack on MSPs and their customers last week outwardly should have been successful, yet changes in their typical tactics and procedures have led to few ransom payments. When ransomware gangs conduct an attack, they usually breach a network and take time stealing data and deleting backups before ultimately encrypting the victim’s devices. When a victim is shown proof of stolen data, backups are deleted, and their devices are encrypted, it creates a much stronger incentive for them to pay the ransom to restore their data and prevent the leak of data.
Tomi Engdahl says:
CISA Publishes Malware Analysis Report and Updates Alert on DarkSide Ransomware https://us-cert.cisa.gov/ncas/current-activity/2021/07/07/cisa-publishes-malware-analysis-report-and-updates-alert-darkside
CISA has published a new Malware Analysis Report (MAR) on DarkSide Ransomware and updated Alert AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks, originally released May 11, 2021. This update adds indicators of compromise associated with a DarkSide ransomware variant that executes a dynamic-link library used to delete Volume Shadow copies available on the system.
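The alert update above mentions a DarkSide variant that deletes Volume Shadow Copies, the step that removes a victim's cheapest recovery path before encryption. As an added example that is not from the CISA report: a Python detector run over constructed process-creation events in a Sysmon-like JSON-lines shape, flagging the common command-line ways of wiping shadow copies (MITRE ATT&CK T1490). The rule patterns, the event format and the sample events are my assumptions; the DLL-based variant CISA describes would need its own indicators from the MAR.

```python
import json
import re
from typing import Dict, List

# Command-line shapes commonly used to wipe Volume Shadow Copies before
# encryption. These are my assumed detection patterns, not indicators from
# the CISA MAR; extend the dict as new variants appear in your telemetry.
SHADOW_DELETE_RULES = {
    "vssadmin_delete": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vssadmin_resize": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "wmi_powershell": re.compile(r"win32_shadowcopy", re.I),
}

# Constructed process-creation events (EventID 1) in a Sysmon-like
# JSON-lines layout; paths and command lines are made up for the example.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet", "ParentImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic shadowcopy delete", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -c Get-WmiObject Win32_ShadowCopy | Remove-WmiObject", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "", "ParentImage": ""}
"""


def detect_shadow_copy_deletion(events_text: str) -> List[Dict[str, str]]:
    """Return one alert per process-creation event whose command line
    matches a shadow-copy deletion rule. Malformed lines are skipped,
    and only the first matching rule per event is reported."""
    alerts: List[Dict[str, str]] = []
    for line in events_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("EventID") != 1:
            continue
        cmd = ev.get("CommandLine", "")
        for rule, pat in SHADOW_DELETE_RULES.items():
            if pat.search(cmd):
                alerts.append({
                    "rule": rule,
                    "image": ev.get("Image", ""),
                    "parent": ev.get("ParentImage", ""),
                    "command": cmd,
                })
                break
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['command']}  (parent: {a['parent']})")
```

The parent image is kept in each alert because it is the quickest triage field: the same `vssadmin` invocation from a backup agent is routine, while one spawned from a user's Temp directory is the case to escalate. A plain `vssadmin list shadows` is deliberately not matched, to keep the rule from firing on inventory and backup checks.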
Tomi Engdahl says:
Magecart Swiper Uses Unorthodox Concatenation https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html
MageCart is the name given to the roughly one dozen groups of cyber criminals targeting e-commerce websites with the goal of stealing credit card numbers and selling them on the black market. They remain an ever-growing threat to website owners. We’ve said many times on this blog that the attackers are constantly using new techniques to evade detection. In this post I will go over a case involving one such MageCart group.
Tomi Engdahl says:
Hackers Use New Trick to Disable Macro Security Warnings in Malicious Office Files https://thehackernews.com/2021/07/hackers-use-new-trick-to-disable-macro.html
While it’s a norm for phishing campaigns that distribute weaponized Microsoft Office documents to prompt victims to enable macros in order to trigger the infection chain directly, new findings indicate attackers are using non-malicious documents to disable security warnings prior to executing macro code to infect victims’ computers.
In yet another instance of malware authors continuing to evolve their techniques to evade detection, researchers from McAfee Labs stumbled upon a novel tactic that “downloads and executes malicious DLLs (ZLoader) without any malicious code present in the initial spammed attachment macro.”
Tomi Engdahl says:
Global Phishing Campaign Targets Energy Sector and its Suppliers https://www.intezer.com/blog/research/global-phishing-campaign-targets-energy-sector-and-its-suppliers/
Our research team has found a sophisticated campaign, active for at least one year, targeting large international companies in the energy, oil & gas, and electronics industries. The attack also targets oil & gas suppliers, possibly indicating that this is only the first stage in a wider campaign. In the event of a successful breach, the attacker could use the compromised email account of the recipient to send spear phishing emails to companies that work with the supplier, thus using the established reputation of the supplier to go after more targeted entities.
Tomi Engdahl says:
Lazarus Targets Job-Seeking Engineers with Malicious Documents https://threatpost.com/lazarus-engineers-malicious-docs/167647/
The notorious Lazarus advanced persistent threat (APT) group has been identified as the cybergang behind a campaign spreading malicious documents to job-seeking engineers. The ploy involves impersonating defense contractors seeking job candidates. Researchers have been tracking Lazarus activity for months with engineering targets in the United States and Europe, according to a report published online by AT&T Alien Labs.
Tomi Engdahl says:
Microsoft’s PrintNightmare update is causing problems for some printers https://www.zdnet.com/article/microsofts-printnightmare-patch-is-now-causing-problems-for-some-printers/
Microsoft’s emergency update which included a fix for the so-called PrintNightmare print spooler problem has the unexpected side-effect of causing a problem with some printers. The PrintNightmare flaw is a major security risk for enterprise, where print spoolers are used on Windows machines. Microsoft considered it serious enough to rush out a patch last week, before its usual Patch Tuesday update. The PrintNightmare bug is being tracked as CVE-2021-1675 and CVE-2021-34527. One of them is a remote code execution flaw and the other is a local privilege escalation flaw. An additional concern was that exploit code was in the public domain before Microsoft released a patch for it.
Tomi Engdahl says:
South Korea’s atomic energy think tank exposed to North Korean hacking: spy agency
https://www.koreatimes.co.kr/www/nation/2021/07/103_311822.html
South Korea’s national think tank on nuclear power has been exposed to a hacking attack presumably launched by North Korea, but no major data was leaked, the state spy agency said Thursday. “An investigation is underway after receiving a damage report from the Atomic Energy Research Institute on June 1. … It was exposed (possibly) to North Korea for about 12 days,” Rep. Ha Tae-keung, a member of the parliamentary intelligence committee, told reporters, citing a briefing from the National Intelligence Service (NIS).
Tomi Engdahl says:
FBI warns cryptocurrency owners, exchanges of ongoing attacks https://www.bleepingcomputer.com/news/security/fbi-warns-cryptocurrency-owners-exchanges-of-ongoing-attacks/
The Federal Bureau of Investigation (FBI) warns cryptocurrency owners, exchanges, and third-party payment platforms of threat actors actively targeting virtual assets in attacks that can lead to significant financial losses. The FBI issued the warning via a TLP:GREEN Private Industry Notification (PIN) designed to provide cybersecurity professionals with the information required to properly defend against these ongoing attacks.
Tomi Engdahl says:
“Cyber Disruption” Stops Websites of Iranian Ministry
https://www.securityweek.com/cyber-disruption-stops-websites-iranian-ministry
Websites of Iran’s transport and urbanization ministry Saturday went out of service after a “cyber disruption” in computer systems of its staff, the official IRNA news agency reported.
The report did not elaborate but said the case is under investigation. This is the second abnormality in computer systems related to the ministry.
On Friday, Iran’s railroad system came under cyberattack with hackers posting fake messages about alleged train delays or cancellations on display boards at stations across the country. It came after the electronic tracking system on trains across Iran failed.
Tomi Engdahl says:
Biden Tells Putin Russia Must Crack Down on Cybercriminals
https://www.securityweek.com/biden-tells-putin-russia-must-crack-down-cybercriminals