This posting is here to collect cyber security news in October 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
376 Comments
Tomi Engdahl says:
NRA: No comment on Russian ransomware gang attack claims https://www.bleepingcomputer.com/news/security/nra-no-comment-on-russian-ransomware-gang-attack-claims/
The Grief ransomware gang claims to have attacked the National Rifle Association (NRA) and released stolen data as proof of the attack.
Today, the ransomware gang added the NRA as a new victim on their data leak site while displaying screenshots of Excel spreadsheets containing US tax information and investments amounts.
Tomi Engdahl says:
All Windows versions impacted by new LPE zero-day vulnerability https://www.bleepingcomputer.com/news/security/all-windows-versions-impacted-by-new-lpe-zero-day-vulnerability/
A security researcher has disclosed technical details for a Windows zero-day privilege elevation vulnerability and a public proof-of-concept (PoC) exploit that gives SYSTEM privileges under certain conditions. As this bug requires a threat actor to know a user name and password for another user, it will not be as heavily abused as other privilege elevation vulnerabilities we have seen recently, such as PrintNightmare.
The bad news is that it affects all versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.
In August, Microsoft released a security update for a “Windows User Profile Service Elevation of Privilege Vulnerability” tracked as CVE-2021-34484 and discovered by security researcher Abdelhamid Naceri.
After examining the fix, Naceri found that the patch was not sufficient and that he was able to bypass it with a new exploit that he published on GitHub.
“But as I see from ZDI advisory and Microsoft patch, the bug was metered as an arbitrary directory deletion bug.”
“Microsoft didn’t patch what was provided in the report but the impact of the PoC. Since the PoC I wrote before was horrible, it could only reproduce a directory deletion bug.”
Naceri says that since they only fixed the symptom of his bug report and not the actual cause, he could revise his exploit to make a junction elsewhere and still achieve privilege elevation.
This exploit will cause an elevated command prompt with SYSTEM privileges to be launched while the User Account Control (UAC) prompt is displayed.
Will Dormann, a vulnerability analyst for CERT/CC, tested the vulnerability and found that while it worked, it was temperamental and did not always create the elevated command prompt.
When BleepingComputer tested the vulnerability, it launched an elevated command prompt immediately.
Tomi Engdahl says:
FBI Publishes Indicators of Compromise for Ranzy Locker Ransomware
https://www.securityweek.com/fbi-publishes-indicators-compromise-ranzy-locker-ransomware
The Federal Bureau of Investigation (FBI) this week released a Flash report to publicly share indicators of compromise (IOCs) for the Ranzy Locker ransomware.
The ransomware has been targeting businesses in the United States since late 2020 and, by July 2021, compromised more than 30 victims in the information technology, transportation sector, the construction subsector of critical manufacturing, and the academia subsector of government facilities.
A typical attack starts with brute forcing Remote Desktop Protocol (RDP) connections to gain initial access to the network. Recently, the adversary exploited known Microsoft Exchange Server vulnerabilities and phishing messages for initial access.
During the attack, the Ranzy Locker operators would also attempt to identify important files for exfiltration, including customer data, Personally Identifiable Information, and financial records, the FBI said in the report.
https://www.ic3.gov/Media/News/2021/211026.pdf
Tomi Engdahl says:
Critical GoCD Authentication Flaw Exposes Software Supply Chain
https://www.securityweek.com/critical-gocd-authentication-flaw-exposes-software-supply-chain
A highly-critical vulnerability in a popular open-source CI/CD solution can be exploited to hijack sensitive secrets for downstream supply chain attacks, according to a warning from SonarSource.
The vulnerability was flagged in GoCD, a CI/CD server product used in many parts of Silicon Valley, and can be exploited by unauthenticated attackers to siphon highly sensitive information from a vulnerable GoCD Server instance, including all encrypted secrets stored on the server.
“The vulnerability can be used to impersonate a GoCD Agent, i.e. GoCD worker, and take over software delivery pipelines. [It can be] used to take over a GoCD server and execute arbitrary code on it,” according to an advisory from SonarSource.
SonarSource researcher Simon Scannell explained that an unauthenticated attacker can extract all tokens and secrets used in all build pipelines.
“For instance, attackers could leak API keys to external services such as Docker Hub and GitHub, steal private source code, get access to production environments, and overwrite files that are being produced as part of the build processes, leading to supply-chain attacks,” Scannell added.
https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover
Tomi Engdahl says:
https://thehackernews.com/2021/10/google-releases-urgent-chrome-update-to.html
Tomi Engdahl says:
https://krebsonsecurity.com/2021/10/fbi-raids-chinese-point-of-sale-giant-pax-technology/
Tomi Engdahl says:
Top official says cyber operations are ‘not just about the systems’
https://www.c4isrnet.com/cyber/2021/10/20/top-official-says-cyber-operations-are-not-just-about-the-systems/
The Department of Defense is at an “inflection point” when it comes to cyberspace and cyber operations and must consider the role of the people behind cybersecurity systems, according to a top official.
Tomi Engdahl says:
Cyber-mercenaries helped Saudis hack an NYT reporter
https://pluralistic.net/2021/10/24/breaking-the-news/
Tomi Engdahl says:
https://talentree.fi/softa/euroopan-kyberturvallisuuskuukausi/
Tomi Engdahl says:
Hackers Breach iOS 15, Windows 10, Google Chrome During Massive Cyber Security Onslaught
https://www.forbes.com/sites/daveywinder/2021/10/30/hackers-breach-ios-15-windows-10-google-chrome-during-massive-cyber-security-onslaught/
During the weekend of 16-17 October, Chinese hackers went on something of a rampage that saw all but three of the 15 target products breached during the exploit onslaught that was the Tianfu Cup. This annual competition, held in the Sichuan province of Chengdu, has been the go-to for China’s elite hackers since they were banned from participating in similar competitive hacking events outside of the country. The biggest and best known of these, Pwn2Own, is due to take place in Austin, Texas, 2-5 November, and I will be reporting on that next weekend when the results are known.
There’s a sense that China has the “critical mass and doesn’t need to collaborate to innovate in hacking,” in what he called a kind of U.S. versus them situation. Curry sees the Tianfu Cup, with the months of preparation that lead up to the almost theatrical on-stage reveal, as a show of force. “This is the cyber equivalent of flying planes over Taiwan,” he says, adding the positive being that the exploits will be disclosed to the vendors.
The hackers taking part will not disclose their exploits and the vulnerabilities used until the vendors have had adequate time to issue a fix. “This kind of etiquette is known as responsible disclosure, or more recently coordinated disclosure,” Jonathan Knudsen, a senior security strategist at the Synopsys Software Integrity Group, explains. “When it works, it is a beautiful dance,” he says.
It also means “the Chinese government could stockpile a significant number of zero-days against widely used products in other regions and have access to the knowledge required to exploit these products before they’re successfully patched.”
Jake Williams, the co-founder of BreachQuest, doesn’t think it’s clear that events such as these increase the risk that Chinese state threat actors exploit vulnerabilities before disclosure. “Researchers do often retain vulnerabilities they’ve discovered in order to use them in competitions like these,” he says, adding, “but it’s important to consider the reason they stockpile vulnerabilities for competitions rather than disclosing them immediately to impacted vendors.”
“Even when vendors have implemented bug bounties, these usually pay pennies on the dollar compared to prizes won at competitions,” he says, “if vendors dislike the vulnerability competition ecosystem, they have the power to disrupt its market economics.”
Williams concludes that “we shouldn’t be concerned about the Tianfu Cup any more than any other vulnerability competition,” instead, he says, “we should refocus that concern on the fact that vendor disclosure programs encourage competitions like the Tianfu Cup.”
Tomi Engdahl says:
Google Chrome is Abused to Deliver Malware as Legit’ Win 10 App https://threatpost.com/chrome-deliver-malware-as-legit-win-10-app/175884/
Malware delivered via a compromised website on Chrome browsers can bypass User Account Controls to infect systems and steal sensitive data, such as credentials and cryptocurrency.
Tomi Engdahl says:
Hive ransomware now encrypts Linux and FreeBSD systems https://www.bleepingcomputer.com/news/security/hive-ransomware-now-encrypts-linux-and-freebsd-systems/
The Hive ransomware gang now also encrypts Linux and FreeBSD using new malware variants specifically developed to target these platforms.
Tomi Engdahl says:
Pink, a botnet that competed with the vendor to control the massive infected devices https://blog.netlab.360.com/pink-en/
Pink is the largest botnet we have first-hand observed in the last six years. During peak time, it had a total infection of over 1.6 million devices (96% are located in China). Pink targets mainly MIPS-based fiber routers, and has a very strong and robust architecture.
Tomi Engdahl says:
Schreiber Foods back to normal after ransomware attack shuts down milk plants https://www.zdnet.com/article/schreiber-foods-back-to-normal-after-ransomware-attack-shut-down-milk-plants/
Schreiber Foods said its plants and distribution centers are back up and running after a ransomware attack took down their systems earlier last weekend.
Tomi Engdahl says:
Europol detains suspects behind LockerGoga, MegaCortex, and Dharma ransomware attacks https://therecord.media/europol-detains-suspects-behind-lockergoga-megacortex-and-dharma-ransomware-attacks/
Europol said it detained 12 suspects this week it believes were part of a professional criminal group that orchestrated a long string of ransomware attacks that targeted large companies and which hit more than 1,800 victims across 71 countries since 2019.
also:
https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure
also:
https://www.bleepingcomputer.com/news/security/police-arrest-criminals-behind-norsk-hydro-ransomware-attack/
Tomi Engdahl says:
TrickBot malware dev extradited to U.S. faces 60 years in prison https://www.bleepingcomputer.com/news/security/trickbot-malware-dev-extradited-to-us-faces-60-years-in-prison/
A Russian national believed to be a member of the TrickBot malware development team has been extradited to the U.S. and is currently facing charges that could get him 60 years in prison.
Tomi Engdahl says:
APTs, Teleworking, and Advanced VPN Exploits: The Perfect Storm https://www.darkreading.com/threat-intelligence/apts-teleworking-and-advanced-vpn-exploits-the-perfect-storm
A Mandiant researcher shares the details of an investigation into the misuse of Pulse Secure VPN devices by suspected state-sponsored threat actors.
Security News This Week: The SolarWinds Hackers Are Looking for Their Next Big Score https://www.wired.com/story/solarwinds-hackers-iran-gas-station-hack-ransomware-security-news/
Plus: Gas station hacks in Iran, ransomware arrests in Europe, and more of the week’s top security news.
Tomi Engdahl says:
Remote Desktop Protocol (RDP) Discovery
https://isc.sans.edu/forums/diary/Remote+Desktop+Protocol+RDP+Discovery/27984/
I have noticed a surge in probes against the RDP service in the past 2 weeks. In August, a remote code execution (RCE) critical patch was released to fix an exploit related to CVE-2021-34535, which includes a POC to exploit this vulnerability. This vulnerability is also affecting Microsoft Hyper-V Manager “Enhanced Session Mode” and Microsoft Defender’s Application Guard (WDAG).
Tomi Engdahl says:
Chaos ransomware targets gamers via fake Minecraft alt lists https://www.bleepingcomputer.com/news/security/chaos-ransomware-targets-gamers-via-fake-minecraft-alt-lists/
The Chaos Ransomware gang encrypts gamers’ Windows devices through fake Minecraft alt lists promoted on gaming forums.
TA575 criminal group using ‘Squid Game’ lures for Dridex malware https://www.zdnet.com/article/ta575-criminal-group-using-squid-game-lures-for-dridex-malware/
The emails come with subject lines saying things like “Squid Game is back, watch new season before anyone else,” or pretend to offer victims a spot in the cast of the show’s second season.
Tomi Engdahl says:
Misconfigured Database Leaks 880 Million Medical Records https://www.infosecurity-magazine.com/news/misconfigured-database-leaks-880-m/
Researchers have found an unsecured database leaking over 886 million patient records online, although it’s now confirmed that this was dummy data. The non-password-protected data trove was found by Jeremiah Fowler and Website Planet and traced to healthcare AI firm Deep 6 AI, which fixed the privacy snafu promptly after it was responsibly disclosed.
Tomi Engdahl says:
12 People Arrested Over Ransomware Attacks on Critical Infrastructure
https://www.securityweek.com/12-people-arrested-over-ransomware-attacks-critical-infrastructure
Europol and Norwegian Police on Friday announced the arrests of 12 individuals suspected of being involved in ransomware attacks launched against companies around the world, including critical infrastructure organizations.
According to Europol, the suspects played various roles in ransomware attacks that impacted more than 1,800 victims across 71 countries, including many major corporations that suffered significant disruptions due to the attacks.
The law enforcement operation targeting the 12 suspects was carried out on October 26 in Ukraine and Switzerland, and it resulted in the seizure of cash, luxury vehicles and electronic devices.
“Most of these suspects are considered high-value targets because they are being investigated in multiple high-profile cases in different jurisdictions,” Europol said.
Tomi Engdahl says:
Shrootless: macOS Vulnerability Found by Microsoft Allows Rootkit Installation
https://www.securityweek.com/shrootless-macos-vulnerability-found-microsoft-allows-rootkit-installation
Tomi Engdahl says:
Massachusetts Health Network Hacked; Patient Info Exposed
https://www.securityweek.com/massachusetts-health-network-hacked-patient-info-exposed
A Worcester, Mass. health care network says someone hacked into its employee email system, potentially exposing the personal information of thousands of patients.
UMass Memorial Health notified patients earlier this month if their information was involved in the breach, which occurred between June 2020 and January. The personal data included Social Security numbers, insurance information and medical information, The Telegram & Gazette reported Thursday.
More than 200,000 patients and health plan participants could have been affected by the breach, according to a federal database of cybersecurity incidents at medical facilities.
Tomi Engdahl says:
https://www.securityinfowatch.com/video-surveillance/article/21243600/congress-passes-bill-banning-new-fcc-equipment-authorizations-for-hikvision-dahua-and-others