OSN August 2, 2021

Aug 2, 2021 | Open Source News

Title: BlackMatter Ransomware Gang Rises from the Ashes of DarkSide, REvil
Date Published:  July 31, 2021

https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/

Excerpt:  “A new ransomware gang named BlackMatter is purchasing access to corporate networks while claiming to include the best features from the notorious and now-defunct REvil and DarkSide operations.  Last week, both Recorded Future and security researcher pancak3 shared that a new threat actor named ‘BlackMatter’ had posted to hacking forums where they want to purchase access to corporate networks.  In the post, the threat actor stated that they want to buy access to networks in the USA, Canada, Australia, and Great Britain, except for networks associated with medical and government entities.”

Title: Remote Print Server Gives Anyone Windows Admin Privileges on a PC
Date Published:  July 31, 2021

https://www.bleepingcomputer.com/news/microsoft/remote-print-server-gives-anyone-windows-admin-privileges-on-a-pc/

Excerpt:  “A researcher has created a remote print server allowing any Windows user with limited privileges to gain complete control over a device simply by installing a print driver.  In June, a security researcher accidentally revealed a zero-day Windows print spooler vulnerability known as PrintNightmare (CVE-2021-34527) that allowed remote code execution and elevation of privileges.  While Microsoft released a security update to fix the vulnerability, researchers quickly figured out ways to bypass the patch under certain conditions.”

Title: PwnedPiper Critical Bug Set Impacts Major Hospitals in North America
Date Published:  August 2, 2021

https://www.bleepingcomputer.com/news/security/pwnedpiper-critical-bug-set-impacts-major-hospitals-in-north-america/

Excerpt:  “Pneumatic tube system (PTS) stations used in thousands of hospitals worldwide are vulnerable to a set of nine critical security issues collectively referred to as PwnedPiper.  PTS solutions are part of a hospital’s critical infrastructure as they are used to quickly deliver items like blood, tissue, lab samples, or medication to where they’re needed.  The flaws are in some of SwissLog’s TransLogic Pneumatic Tube System, an automated material transport solution for carrying medical items across longer distances in medium to large hospitals.”

Title: CISA Launches US Federal Vulnerability Disclosure Platform
Date Published:  August 2, 2021

https://www.helpnetsecurity.com/2021/08/02/us-federal-vulnerability-disclosure/

Excerpt:  “Bug hunters who want to help the US federal government secure their online assets can now source all the relevant information from a vulnerability disclosure policy (VDP) platform offered by the Cybersecurity and Infrastructure Security Agency (CISA).  “Through this crowdsourcing platform, Federal Civilian Executive Branch (FCEB) agencies will now be able to coordinate with the security research community in a streamlined fashion and those reporting incidents enjoy a single, usable website to facilitate submission of findings. The platform encourages collaboration and information sharing between the public and private sectors by allowing uniquely skilled researchers to submit vulnerability reports, which agencies will use to understand and address vulnerabilities that were previously unidentified,” Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA, explained.”

Title: WordPress Download Manager Plugin Was Affected by Two Flaws
Date Published:  August 2, 2021

https://securityaffairs.co/wordpress/120724/breaking-news/wordpress-download-manager-plugin-flaws.html

Excerpt:  “Researchers from Wordfence team discovered a vulnerability, tracked as CVE-2021-34639, affecting the WordPress Download Manager plugin that could allow attackers to execute arbitrary code under specific configurations.  The flaw could allow authors and other users with the upload_files capability to upload files with php4 extensions as well as other potentially executable files.  “Prior to our findings, the WordPress Download Manager plugin patched a vulnerability allowing authors and other users with the upload_files capability to upload files with php4 extensions as well as other potentially executable files. While the patch in question was sufficient to protect many configurations, it only checked the very last file extension, so it was still possible to perform a “double extension” attack by uploading a file with multiple extensions.” reads the analysis published by Wordfence. “For instance, it was possible to upload a file titled info.php.png. This file would be executable on certain Apache/mod_php configurations that use an AddHandler or AddType directive.””

Title: GhostEmperor, A New Chinese-speaking Threat Actor Targets Southeast Asia
Date Published:  August 1, 2021

https://securityaffairs.co/wordpress/120721/apt/ghostemperor-chinese-speaking-threat-actor.html

Excerpt:  “Kaspersky spotted a new Chinese-speaking threat actor, tracked as GhostEmperor, that is targeting Microsoft Exchange vulnerabilities in attacks aimed at high-profile victims.  The long-running operation carried out by the group mostly targeted entities in Southeast Asia, including several government entities and telecom companies.  GhostEmperor used a loading scheme that relies on a component of the Cheat Engine open-source project, which allows it to bypass the Windows Driver Signature Enforcement mechanism.  “The group stands out because it uses a formerly unknown Windows kernel-mode rootkit. Rootkits provide remote control access over the servers they target. Acting covertly, rootkits are notorious for hiding from investigators and security solutions. To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a loading scheme involving a component of an open-source project named “Cheat Engine.”” reads the announcement published by Kaspersky. “This advanced toolset is unique and Kaspersky researchers see no similarity to already known threat actors. Kaspersky experts have surmised that the toolset has been in use since at least July 2020.””

Title: Ransomware Operators Love Them: Key trends in the Initial Access Broker Space
Date Published:  August 2, 2021

https://www.zdnet.com/article/ransomware-operators-love-them-key-trends-in-the-initial-access-broker-space/

Excerpt:  “The Initial Access Broker market continues to expand, with fees a drop in the ocean in comparison to the potential rewards of a successful ransomware attack.  Initial Access Brokers (IABs) are individuals or groups who have managed to quietly obtain access to a corporate network or system through means including, but not limited to, stolen credentials, brute-force attacks, or by exploiting vulnerabilities.  In recent years, ransomware-as-a-service (RaaS) groups have taken an interest in these brokers, as by employing them directly or paying them a fee in return for access to a target system, they are able to avoid the first step of intrusion: the time-consuming process required to find a vulnerable endpoint.”

Title: Microsoft: Watch Out for This ‘Sneakier than Usual’ Phishing Attack
Date Published:  August 2, 2021

https://www.zdnet.com/article/microsoft-watch-out-for-this-sneakier-than-usual-phishing-attack/

Excerpt:  “Microsoft’s Security Intelligence team has issued an alert to Office 365 users and admins to be on the lookout for a “crafty” phishing email with spoofed sender addresses.  Microsoft put out an alert after observing an active campaign targeting Office 365 organizations with convincing emails and several techniques to bypass phishing detection, including an Office 365 phishing page, Google cloud web app hosting, and a compromised SharePoint site that urges victims to type in their credentials.”

Title: FBI Finds Over 100 Active Ransomware Variants
Date Published:  August 2, 2021

https://heimdalsecurity.com/blog/fbi-finds-over-100-active-ransomware-variants/

Excerpt:  “The Federal Bureau of Investigation (FBI) has issued an official statement warning that over 100 active ransomware variants are busy launching attacks on U.S. businesses, schools, and other organizations.  The statement comes in the context of several high-profile ransomware attacks, including the ones on Colonial Pipeline and Kaseya.  According to the Bureau, cybercriminals have enhanced their capabilities to increase the scale, impact, and prevalence of ransomware attacks.  Ransomware-as-a-service, which relies on an aggregator – a person or a group that sells or rents malware to interested parties, has decreased the barrier to entry and technological savvy needed to carry out and benefit from these compromises and increased the number of criminals conducting ransomware campaigns. There are more than 100 variants under investigation, the majority of which have already been used in multiple ransomware campaigns.  Another prominent tactic observed by the FBI is the ‘double extortion’ trend, where actors encrypt, steal, and threaten to leak or sell victims’ data.”

Title: SolarWinds Attackers Breached Email of US Prosecutors, Says Department of Justice
Date Published:  August 2, 2021

https://www.zdnet.com/article/solarwinds-attackers-breached-email-of-us-prosecutors-says-department-of-justice/

Excerpt:  “The US Justice Department (DoJ) has revealed the extent to which hackers had access to officials’ emails due to the SolarWinds breach it disclosed in January.  The FBI, CISA, ODNI, and the NSA that month said it was most likely Kremlin-backed hackers that tainted a software update from enterprise IT vendor, SolarWinds. Since then, the US and UK have officially blamed Russian intelligence services for the attack and US president Joe Biden announced sanctions against Russia over it.  The DoJ said in an updated statement that it was treating the source of attack as an Advanced Persistent Threat (APT) that gained much broader access to the department’s Microsoft Office 365 (O365) email systems than the 3% of non-classified email it initially thought was accessed.”