OSN July 7, 2021

Fortify Security Team
Jul 7, 2021

Title: Microsoft Pushes Emergency Update for Windows PrintNightmare Zero-day
Date Published:  July 7, 2021

https://www.bleepingcomputer.com/news/security/microsoft-pushes-emergency-update-for-windows-printnightmare-zero-day/

Excerpt:  “Microsoft has released the KB5004945 emergency security update to fix the actively exploited PrintNightmare zero-day vulnerability in the Windows Print Spooler service impacting all Windows versions. However, the patch is incomplete and the vulnerability can still be locally exploited to gain SYSTEM privileges.  The remote code execution bug (tracked as CVE-2021-34527) allows attackers to take over affected servers via remote code execution (RCE) with SYSTEM privileges, as it will enable them to install programs, view, change, or delete data, and create new accounts with full user rights.”

Title: Fake Kaseya VSA Security Update Backdoors Networks with Cobalt Strike
Date Published:  July 7, 2021

https://www.bleepingcomputer.com/news/security/fake-kaseya-vsa-security-update-backdoors-networks-with-cobalt-strike/

Excerpt:  “Threat actors are trying to capitalize on the ongoing Kaseya ransomware attack crisis by targeting potential victims in a spam campaign pushing Cobalt Strike payloads disguised as Kaseya VSA security updates.  Cobalt Strike is a legitimate penetration testing tool and threat emulation software that’s also used by attackers for post-exploitation tasks and to deploy so-called beacons that allow them to gain remote access to compromised systems.  The end goal of such attacks is either that of harvesting and exfiltrating sensitive data or delivering second-stage malware payloads.”

Title: Critical Infrastructure Cyberattacks Signaling the Importance of Prioritizing Security
Date Published:  July 7, 2021

https://www.helpnetsecurity.com/2021/07/07/critical-infrastructure-cyberattacks/

Excerpt:  “Armis released new data uncovering the lack of knowledge and general awareness of major cyberattacks on critical infrastructure and an understanding of security hygiene.  The survey of over 2,000 respondents from across the United States found that end users are not paying attention to the major attacks plaguing operational technology and critical infrastructure across the country, signaling the importance of businesses prioritizing a focus on security as employees return to the office.  In the past year, 65,000 ransomware attacks occurred in the United States. In other words, approximately 7 attacks per hour, a rate that is expected to continue to rise. As the U.S. looks at its vulnerable industries, the responsibility is falling on businesses to ensure that they are keeping the organization and employees safe and secure.”

Title: Researchers Uncovered the Network Infrastructure of REVil – The Notorious Ransomware Group That Hit Kaseya
Date Published:  July 7, 2021

https://securityaffairs.co/wordpress/119799/cyber-crime/researchers-infrastructure-revil-ransomware-gang.html

Excerpt:  “According to the recent research published by ReSecurity on Twitter, starting January 2021 REVil leveraged a new domain ‘decoder[.]re’ in addition to a ransomware page available in the TOR network.  The domain was included within the ransom notes dropped by the recent version of REVil, it came in the form of a text file containing contact and payment instructions.  Typically, the collaboration between the victim and REVil was organized via a page in TOR, but in the case their victim is not able to access the Onion Network, the group prepared domains available in Clearnet (WWW) acting as a ‘mirror’.”

Title: SonicWall Addresses Critical CVE-2021-20026 Flaw in NSM Devices
Date Published:  July 6, 2021

https://securityaffairs.co/wordpress/119767/security/sonicwall-fixes-cve-2021-20026-flaw.html

Excerpt:  “Positive Technologies researcher Nikita Abramov has provided details about the CVE-2021-20026 command injection vulnerability that affects SonicWall’s Network Security Manager (NSM) product.  At the end of May, SonicWall urged its customers to ‘immediately’ address a post-authentication vulnerability, tracked as CVE-2021-20026, impacting on-premises versions of the Network Security Manager (NSM).  The vulnerability rated with an 8.8 severity score could be simply exploited without user interaction.  The flaw could be exploited by an authenticated attacker to perform OS command injection using a crafted HTTP request.  The flaw affects NSM version 2.2.0-R10-H1 and earlier, the security vendor addressed it with the release of NSM 2.2.1-R6 and 2.2.1-R6 (Enhanced) versions.  “This critical vulnerability potentially allows a user to execute commands on a device’s operating system with the highest system privileges (root),” SonicWall explains.”

Title: SideCopy Cybercriminals Use New Custom Trojans in Attacks Against India’s Military
Date Published:  July 7, 2021

https://www.zdnet.com/article/sidecopy-cybercriminals-use-custom-trojans-in-india-attacks/

Excerpt:  “The SideCopy advanced persistent threat (APT) group has expanded its activities, and now, new Trojans are being used in campaigns across India.  The APT has been active since at least 2019 and appears to focus on targets of value in cyberespionage. Last year, Cyware said that SideCopy was involved in a number of attacks, including those targeting Indian defense forces and military personnel.   On Wednesday, researchers from Cisco Talos said a recent surge in activity “signals a boost” in the APT’s development of techniques, tactics, and tools, with multiple, new remote access trojans (RATs) and plugins now in play.”

Title: Kremlin Hackers Reportedly Breached Republican National Committee
Date Published:  July 7, 2021

https://www.infosecurity-magazine.com/news/kremlin-breached-republican/

Excerpt:  “State-backed Russian hackers reportedly breached the Republican National Committee (RNC) last week, although the party denies any data was stolen.  Two people familiar with the matter told Bloomberg of the attack, which is thought to have come from APT29 (Cozy Bear), a notorious Kremlin hacking group that was blamed for the 2016 info-stealing raid on the Democratic National Committee (DNC).  The group was also pegged for the SolarWinds campaign and separate raids targeting IP related to COVID-19 vaccine development.  The RNC said that third-party IT services partner Synnex was breached over the July 4 holiday weekend, but no data was taken.  “We immediately blocked all access from Synnex accounts to our cloud environment,” chief of staff Richard Walters reportedly claimed.”

Title: US: We May Take Unilateral Action Against Russian Cyber-Criminals
Date Published:  July 7, 2021

https://www.infosecurity-magazine.com/news/us-unilateral-action-russian-cyber/

Excerpt:  “The White House has issued another strongly worded warning to the Putin administration: the US will take action against cyber-criminals living in Russia if the Kremlin doesn’t.  Press secretary Jen Psaki explained that the two countries are continuing “expert-level” talks in the wake of the meeting between Presidents Biden and Putin last month. Another talk focused on ransomware is scheduled for next week.  “I will just reiterate a message that these officials are sending,” she added. “As the President made clear to President Putin when they met, if the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own.”  The news comes in the wake of a major new supply chain attack on US software provider Kaseya, which has affected around 1500 downstream organizations via their managed service providers (MSPs).  The attackers are said to have used the REvil/Sodinokibi variant, whose authors purportedly speak Russian, not least because the malware is coded not to infect any organizations residing in former Soviet countries.”

Title: The Rise of Initial Access Brokers
Date Published:  July 7, 2021

https://www.infosecurity-magazine.com/blogs/rise-initial-access-brokers/

Excerpt:  “An emerging trend in the underground economy is initial access brokerage, a flourishing market where opportunistic threat actors gain initial access to organizations (for example, via compromised VPN or RDP accounts) and sell or offer it as a service to other cyber-criminals in underground forums. Outsourcing the initial access to an external entity lets attackers focus on the execution phase of an attack without having to worry about how to find entry points into the victim’s network.  Several factors fuel the popularity of initial access brokers. Firstly, the direct consequence of the mass shift to remote work is an increase of exposed remote services, such as RDP and SSH. At the same time, organizations have accelerated the adoption of cloud applications without considering the security implications. Business continuity has been prioritized over security in both cases, leading organizations to use internal services and make cloud applications available to remote users without basic security features such as multi-factor authentication. For example, a recent survey found that approximately 78% of M365 administrators do not implement multi-factor authentication. The scattering of the workforce has made remote users more vulnerable to phishing, including new forms such as OAuth phishing, and cloud accounts are now a coveted target for malicious actors.”

Title: Agent REvil Unveiled in Kaseya VSA Ransomware Attack
Date Published:  July 5, 2021

https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack

Excerpt:  “In the world of cybersecurity, there are no holidays and days off as proven by the ransomware attacks that began during the Fourth of July weekend, impacting users of the Kaseya VSA remote management and monitoring software. Managed service providers (MSPs) were targeted by the REvil hacker group, in a novel approach to distributing ransomware that involved compromising on-prem Kaseya VSA servers and distributing malicious software that is still encrypting thousands of servers and workstations across industries worldwide. ”

Recent Posts

OSN August 31, 2021

Title: Cyberattacks Use Office 365 to Target Supply Chain Date Published: August 31, 2021 https://securityintelligence.com/articles/cyberattacks-office-365-supply-chain/ Excerpt: “Supply chain cyberattacks involving Office 365 are effective in that they enable threat...

OSN August 30, 2021

Title: New Mirai Variant Targets WebSVN Command Injection Vulnerability (CVE-2021-32305) Date Published: August 30, 2021 https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/ Excerpt: “Analysis of this malware reveals that it is used to perform distributed denial...

OSN August 27, 2021

Title: Microsoft Azure Vulnerability Exposed Thousands of Cloud Databases Date Published: August 27, 2021 https://www.cyberscoop.com/microsoft-azure-cloud-vulnerability/ Excerpt: “The flaw would have allowed any Azure Cosmos DB user to read, write and delete another...

OSN August 26, 2021

Title: Microsoft Breaks Silence on Barrage of ProxyShell Attacks Date Published: August 26, 2021 https://threatpost.com/microsoft-barrage-proxyshell-attacks/168943/ Excerpt: “The company released an advisory late Wednesday letting customers know that threat actors may...

OSN August 26, 2021

Title: Microsoft Breaks Silence on Barrage of ProxyShell Attacks Date Published: August 26, 2021 https://threatpost.com/microsoft-barrage-proxyshell-attacks/168943/ Excerpt: “The company released an advisory late Wednesday letting customers know that threat actors may...

OSN August 25, 2021

Title: Fake Opensea Support Staff Are Stealing Cryptowallets and NFTS Date Published: August 24, 2021 https://www.bleepingcomputer.com/news/security/fake-opensea-support-staff-are-stealing-cryptowallets-and-nfts/ Excerpt: “When an OpenSea user needs support, they can...

OSN August 24, 2021

Title: A Phishing Attack Exposes Medical Information for 12,000 Patients at Revere Health Date Published: August 23, 2021 https://www.thespectrum.com/story/news/2021/08/23/phishing-attack-exposes-information-12-000-patients-st-george/8214230002/ Excerpt: “A healthcare...