OSN July 1, 2021

Title: Printnightmare 0-Day Can Be Used to Take Over Windows Domain Controllers
Date Published: July 1, 2021

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/printnightmare-0-day-can-be-used-to-take-over-windows-domain-controllers/

Excerpt: “In June, Microsoft patched a vulnerability in the Windows Print Spooler that was listed as CVE-2021-1675. At first it was classified as an elevation of privilege (EoP) vulnerability. Which means that someone with limited access to a system could raise their privilege level, giving them more power over the affected system. This type of vulnerability is serious, especially when it is found in a widely used service like the Windows Print Spooler. A few weeks after the patch Microsoft raised the level of seriousness to a remote code execution (RCE) vulnerability. RCE vulnerabilities allow a malicious actor to execute their code on a different machine on the same network.”

Title: Mirai_ptea Botnet is Exploiting Undisclosed KGUARD DVR Vulnerability
Date Published: July 1, 2021

https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/

Excerpt: “On 2021-06-22 we detected a sample of a mirai variant that we named mirai_ptea propagating through a new vulnerability targeting KGUARD DVR. Coincidently, a day later, on June 23, we received an inquiry from the security community asking if we had seen a new DDoS botnet, cross-referencing some data, it was exactly this botnet that we had just discovered.”

Title: Babuk Ransomware Builder Mysteriously Appears in VirusTotal
Date Published: June 30, 2021

https://blog.malwarebytes.com/reports/2021/06/babuk-ransomware-builder-leaked-following-muddled-retirement/

Excerpt: “There are some doubts on how the Babuk operators planned to proceed after they contradicted their own announcement by also announcing they planned to switch to the Ransomware-as-a-Service (RaaS) model and so-called “double extortion”. Double extortion entails both encrypting a victim’s data and threatening to leak it. A threat actor operating the RaaS model provides the infrastructure, including the ransomware, for other threat actors to use. This business model makes it hard to fathom why RaaS customers would be interested in working with Babuk operators, if they abandoned the encryption part of the model. Extortion by threatening to release stolen data does not require the same specialized knowledge or infrastructure as encrypting data.”

Title: Adobe Zero-Day Exploit: Further Details on the Zero-Day Bug Patched in May by Adobe
Date Published: July 1, 2021

https://heimdalsecurity.com/blog/adobe-zero-day-exploit-rce-threat/

Excerpt: “The above-mentioned Crowdsource members of” detectify “ firstly discovered the Adobe Zero-Day Exploit in December 2020 by using AEM in a project that involved Sony Interactive Entertainment’s PlayStation division. They continued the investigation and discovered other subdomains from Mastercard containing this vulnerability three months later. After validating the issue, on the 27th March they notified Adobe and the company patched the vulnerability on the 6th of May. It is said that Adobe Zero-Day Exploit affected Linkedin customers too.”

Title: Lorenz Ransomware Attack Victims Can Now Recover Files With This Free Decryption Tool
Date Published: July 1, 2021

https://www.zdnet.com/article/lorenz-ransomware-attack-victims-can-now-retrieve-their-files-for-free-with-this-decryption-tool/

Excerpt: “Cybersecurity researchers have released a decryption tool which allows victims of Lorenz ransomware to decrypt their files for free – and crucially, without the need to pay a ransom demand to cyber criminals.  This is particularly important for Lorenz, as bug in the ransomware’s code means that even if victims paid for the decryption key, some of the encrypted files can’t be recovered. But following analysis of the malware, researchers at Dutch cybersecurity company Tesorion found that were able to engineer a decryption tool for Lorenz ransomware – and now it’s available for free via No More Ransom.”

Title: Google Chrome Will Get an Https-Only Mode for Secure Browsing
Date Published: July 1, 2021

https://www.bleepingcomputer.com/news/security/google-chrome-will-get-an-https-only-mode-for-secure-browsing/

Excerpt: “If you want to test this experimental feature right now, you will have to first enable the “HTTPS-Only Mode Setting” flag by going to chrome://flags/#https-only-mode-setting. This adds the “Always use secure connections” option to the browser’s security settings which, once enabled, will set up Chrome to automatically upgrade all navigation to HTTPS and display alerts before loading websites that don’t support it. The HTTPS upgrades will be automatic with no warnings to allow you to browse the Internet without interruptions over a secure connection wherever possible.”

Title: Microsoft Reveals Authentication Failures, System Hijack Vulnerabilities in Netgear Routers
Date Published: July 1, 2021

https://www.zdnet.com/article/microsoft-reveals-firmware-vulnerabilities-in-netgear-routers-leading-to-full-system-hijacking/

Excerpt: “Microsoft’s security team discovered the vulnerabilities after noting strange behavior in the router’s management port. While communication was protected with TLS encryption, it was still flagged as an anomaly when machine learning models were applied. Upon further investigation of the router firmware, the security researchers found three HTTPd authentication flaws.”

Title: Linkedin’s 1.2b Data-Scrape Victims Already Being Targeted by Attackers
Date Published: July 1, 2021

https://threatpost.com/linkedin-data-scrape-victims-targeted-attackers/167473/

Excerpt: “Yesterday, a database filled with the personal information of 88,000 U.S. business owners gleaned from the latest LinkedIn data scrape was shared in RaidForum, which the poster said specifically isolated U.S. business owners who have changed jobs over the past 90 days, CyberNews reported. The notably targeted database includes full names, email addresses, work details and any other information publicly listed on LinkedIn. It’s not hard to see how this particular group of people, fresh on a new job, flooded with onboarding paperwork and dealing with new co-workers might be easily tricked into clicking on a malicious link.”

Title: US CISA Releases a Ransomware Readiness Assessment (Rra) Tool
Date Published: July 1, 2021

https://securityaffairs.co/wordpress/119568/security/cisa-ransomware-readiness-assessment.html

Excerpt: “The Ransomware Readiness Assessment (RRA) will help you understand your cybersecurity posture with respect to the ever-evolving threat of ransomware.” CISA says. “The RRA also provides a clear path for improvement and contains an evolving progression of questions tiered by the categories of basic, intermediate, and advanced. This is intended to help an organization improve by focusing on the basics first, and then progressing by implementing practices through the intermediate and advanced categories.”

Title: Dropbox Used to Mask Malware Movement in Cyber Espionage Campaign
Date Published: July 1, 2021

https://threatpost.com/dropbox-malware-ongoing-spearphishing-cyberespionage/167402/

Excerpt: “Chinese-speaking cyber espionage actors have targeted the Afghan government, using Dropbox for command-and-control (C2) communications and going so far as to impersonate the Office of the President to infiltrate the Afghan National Security Council (NSC), researchers have found. The suspected advanced persistent threat (APT) group has been dubbed IndigoZebra. Kapsersky researchers, for their part, included the APT among the list of Chinese-speaking actors listed in its APT Trends report for the second quarter of 2017.”