OSN July 6, 2021

Fortify Security Team
Jul 6, 2021

Title: REvil Ransomware Asks $70 Million to Decrypt all Kaseya Attack Victims
Date Published:  July 5, 2021

https://www.bleepingcomputer.com/news/security/revil-ransomware-asks-70-million-to-decrypt-all-kaseya-attack-victims/

Excerpt:  “REvil ransomware has set a price for decrypting all systems locked during the Kaseya supply-chain attack. The gang wants $70 million in Bitcoin for the tool that allows all affected businesses to recover their files.  The attack on Friday propagated through Kaseya VSA cloud-based solution used by managed service providers (MSPs) to monitor customer systems and for patch management.”

Title: Kaseya: Roughly 1,500 Businesses Hit by REvil Ransomware Attack
Date Published:  July 6, 2021

https://www.bleepingcomputer.com/news/security/kaseya-roughly-1-500-businesses-hit-by-revil-ransomware-attack/

Excerpt:  “Kaseya says the REvil supply-chain ransomware attack breached the systems of roughly 60 of its direct customers using the company’s VSA on-premises product.  In all, the cloud-based MSP software provider added that it’s aware of up to 1,500 downstream victims who had their networks managed by MSPs using Kaseya remote management tools.  “The attack had limited impact, with only approximately 50 of the more than 35,000 Kaseya customers being breached,” Kaseya said in a press release.”

Title: QNAP Fixes Critical Bug in NAS Backup, Disaster Recovery App
Date Published:  July 6, 2021

https://www.bleepingcomputer.com/news/security/qnap-fixes-critical-bug-in-nas-backup-disaster-recovery-app/

Excerpt:  “Taiwan-based network-attached storage (NAS) maker QNAP has addressed a critical security vulnerability enabling attackers to compromise vulnerable NAS devices’ security.  The improper access control vulnerability tracked as CVE-2021-28809 was found by Ta-Lun Yen of TXOne IoT/ICS Security Research Labs in HBS 3 Hybrid Backup Sync, QNAP’s disaster recovery and data backup solution.  The security issue is caused by buggy software that does not correctly restrict attackers from gaining access to system resources allowing them to escalate privileges, execute commands remotely, or read sensitive info without authorization.”

Title: Revil Ransomware Gang Hit Spanish Telecom Giant MasMovil
Date Published:  July 5, 2021

https://securityaffairs.co/wordpress/119719/cyber-crime/masmovil-ransomware-attack.html

Excerpt:  “MasMovil is one of the largest Spanish telecom operators, last week the group was hit by the REvil ransomware gang that claims to have stolen sensitive data from the company.  “We have downloaded databases and other important data” reads the message published by REvil ransomware gang on its Tor leak site.  The ransomware group shared screenshots of the allegedly stolen documents on its leak sites, the image shows folders from the systems of the company (i.e. Backup, RESELLERS, SCORING, PARLEM).”

Title: CISA, FBI Share Guidance for MSPs and Their Customers Impacted in Kaseya Attack
Date Published:  July 5, 2021

https://securityaffairs.co/wordpress/119728/cyber-crime/cisa-fbi-guidance-kaseya-attack.html

Excerpt:  “CISA and the Federal Bureau of Investigation (FBI) have published guidance for the organizations impacted by the massive REvil supply-chain ransomware attack that hit Kaseya ‘s cloud-based MSP platform.  The US agencies provides instructions to affected MSPs and their customers on how to check their infrastructure for indicators of compromise.  Kaseya has released a detection tool that could be used by organizations to determine if your infrastructure has been compromised. Below the list of recommendations included in the advisory published by CISA and the FBI for impacted MSPs”:

  • Download the Kaseya VSA Detection Tool. This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present.
  • Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services.
  • Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or
  • Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.”

Title: Website of Mongolian Certificate Authority Served Backdoored Client Installer
Date Published:  July 6, 2021

https://www.zdnet.com/article/website-of-mongolian-certificate-authority-backdoored-served-malware/

Excerpt:  “The official website of a Mongolian certification authority (CA) was harboring malware and facilitated downloads of a backdoored client to users.  Researchers from Avast named MonPass as the compromised CA, which was potentially breached up to eight times as eight different web shells and backdoors were present on the CA’s server.   During an analysis conducted between March and April, Avast not only found indicators of compromise due to the web shells and backdoors, but also that a version of the MonPass client, available from February 8, 2021, until March 3, 2021, for download, was malicious.”

Title: Suspected Cyber-Criminal “Dr Hex” Tracked Down Via Phishing Kit
Date Published:  July 6, 2021

https://www.infosecurity-magazine.com/news/cybercriminal-dr-hex-tracked/

Excerpt:  “Security researchers have revealed how patient detective work enabled them to trace and identify a suspected prolific cyber-criminal, who was finally arrested in May.  A two-year investigation into the individual, who often went by the online moniker “Dr Hex,” ended when Interpol’s Operation Lyrebird swooped on the man in Morocco earlier this year.  Group-IB’s Threat Intelligence team claimed the individual was active since 2009 and allegedly responsible for phishing, defacing, malware development, fraud, and carding, resulting in thousands of unsuspecting victims. These included customers of French telecoms companies, banks and other multinationals.  The trail began when the threat intelligence team identified and deanonymized a phishing kit that was used to target a French bank. It found that almost every script used in the kit featured the name “Dr Hex” and an email address.  That email led them to a YouTube channel signed up under the same name, and in turn to an Arabic crowdfunding platform, which revealed another name associated with the individual. This name was apparently used to register two domains created using the email from the phishing kit.”

Title: Japan Looks to Boost Military Cyber Experts Amid Security Threat
Date Published:  July 6, 2021

https://www.infosecurity-magazine.com/news/japan-boost-military-security/

Excerpt:  “The Japanese military is set to add hundreds of new cybersecurity specialists to its forces in the face of aggression from hostile nations, according to a new report.  Ministry of Defense plans seen by Nikkei revealed that there were 660 such personnel in the country’s Self Defense Forces (SDF) at the end of fiscal 2020. However, the plan is to increase this figure to 800 by the end of March 2022 and over 1000 by the end of 2023.  A single unit will also be created to look after unified cybersecurity for all three branches of the Japanese military — land, sea and air — in a bid to boost efficiency.  Such expertise is sorely needed in the face of increasing hostility from Chinese and Russian state-backed hackers and organized cybercrime.”

Title: Microsoft Issues New CVE for ‘PrintNightmare’ Flaw
Date Published:  July 2, 2021

https://www.darkreading.com/endpoint/microsoft-issues-new-cve-for-printnightmare-flaw/d/d-id/1341471

Excerpt:  “Microsoft on Thursday issued a new vulnerability identifier (CVE) for the “PrintNightmare” flaw that affects Windows Print Spooler services, claiming the flaw is similar to but distinct from another critical flaw in the technology (CVE-2021-1675) that it had patched on June 8.  The company also published a FAQ and workarounds for the freshly issued CVE while it investigated the critical new vulnerability for which exploit code is already publicly available. “Microsoft is aware of and investigating a remote code execution vulnerability that affects Windows Print Spooler and has assigned CVE-2021-34527 to this vulnerability,” the company said July 1. “This is an evolving situation and we will update the CVE as more information is available.””

Title: Watch for Cybersecurity Games at the Tokyo Olympics
Date Published:  July 2, 2021

https://beta.darkreading.com/vulnerabilities-threats/watch-for-cybersecurity-games-at-the-tokyo-olympics

Excerpt:  “It was a close call, but the 2018 Pyeongchang Winter Olympics almost ended before it started. A harmful cyberattack threatened to cause severe disruptions to the opening ceremony and the subsequent sporting events. Fortunately, a sleepless night at the Olympics’ technology operations center allowed for a speedy and efficient incident response process.  Three years later, the threat landscape has changed, and the Tokyo Olympics is no safer than its predecessor. In fact, the heavy reliance on technology means these Olympics might be the most vulnerable Games yet. Not only is the upcoming Olympics’ use of technology set to be the most innovative yet, but COVID-related audience restrictions mean spectators must keep up with events electronically. Now that there are events to keep up with, it’s not only the athletes who are preparing to show off their skills.”

Recent Posts

Beers & Bytes Recognized as a Top Industry Podcast

Beers & Bytes Recognized as a Top Industry Podcast

Beers & Bytes was recently named the Gold Winner for Best Cybersecurity Podcast among North American-based companies with between 10 and 49 employees. The honor was conveyed by the highly-coveted Cybersecurity Excellence Awards program. The recognition comes as...

Fortify 24×7 Named To MSSP Top 250 MSSPs List For 2020

Fourth-Annual List Honors Leading MSSP, MDR, and SOCaaS Cybersecurity Companies Worldwide September 28, 2020, Point Roberts, WA: MSSP Alert, published by After Nines Inc., has named Fortify 24x7 to the Top 250 MSSPs list for 2020 (https://www.msspalert.com/top250)....

Fortify 24×7 Named To ChannelE2E Top 100 Vertical Market MSPs

May 5, 2020, Point Roberts, WA: Fortify 24x7 has been named to After Nines Inc.’s ChannelE2E Top 100 Vertical Market MSPs list and research (https://www.channelE2E.com/top100) for 2020. The annual list and research identify and honor the top 100 managed services...

Fortify 24×7 Named To 2019 MSSP Alert Top 200 MSSP List

On September 19, 2019, MSSP Alert, published by After Nines Inc., has named Fortify 24x7 to the Top 200 MSSPs list for 2019 (https://www.msspalert.com/top200). The list and research identify and honor the top 200 managed security services providers (MSSPs) that...