The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- REvil deeds. Kaseya’s breach suggests that supply chain attacks are a future to plan for, today.
- PrintNightmare patched… in parts. Microsoft release incomplete patch for Print Spooler vulnerability.
- App attack. Apps from Google Play store trick users into paying for non-existent services and divulging personal credentials.
- Never enough. TrickBot operators add modifications to their malware arsenal.
- Trumped. Attackers compromise and access user data on pro-Trump social media platform.
REvil ransomware group exploits Kaseya zero-day vulnerability
The REvil ransomware group exploited a zero-day vulnerability in Kaseya’s VSA to compromise Managed Service Providers (MSPs). VSA is remote monitoring and management software for client networks. The exploit allowed the attackers to bypass authentication and then use VSA’s own functionality to deploy ransomware to client endpoints.
REvil claims to have encrypted over one million systems and is publicly demanding that victims pay USD 70 million for a universal decryptor, though the group may be open to negotiation. Separate threat actors are now capitalising on news of the Kaseya incident by targeting potential victims with payloads disguised as VSA security updates.
SO WHAT? All on-premises Kaseya VSA servers should be disconnected and left offline until patches for the vulnerability are available. Going forward, consider which MSPs you use and run exercises to determine how their exploitation could affect your organisation.
PrintNightmare vulnerability patched… in parts
Microsoft has released a security update to fix one part of the PrintNightmare zero-day vulnerability. The patch has fixed the remote code execution (RCE) exploit that affects the Windows Print Spooler service. The released updates cover all Windows systems still in support.
Microsoft’s security update has not fixed the local privilege escalation (LPE) variant. This means attackers are still able to locally exploit the vulnerability and run commands with system privileges.
SO WHAT? Install the RCE security updates immediately, and until the LPE variant has been patched, either stop and disable the Print Spooler service, or disable inbound remote printing through Group Policy. Seek further guidance here.
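The two interim workarounds above, as an added PowerShell example (not S-RM’s or Microsoft’s code): it reports the current Print Spooler state, then either stops and disables the service or blocks inbound remote printing. It assumes the registry value RegisterSpoolerRemoteRpcEndPoint under the Printers policy key is the value that backs the “Allow Print Spooler to accept client connections” Group Policy setting (2 = disabled), and that it is run in an elevated session.

```powershell
# Added example: assess and apply the PrintNightmare workarounds from the briefing.
# Run elevated on the host being hardened. Do not use DisableSpooler on print servers.
param(
    [ValidateSet('Report', 'DisableSpooler', 'BlockRemotePrinting')]
    [string]$Mode = 'Report'
)

# Assumption: this key/value backs the Group Policy
# "Allow Print Spooler to accept client connections" (1 = enabled, 2 = disabled).
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyValue = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerState {
    $svc    = Get-Service -Name Spooler -ErrorAction Stop
    $remote = (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue).$PolicyValue
    [pscustomobject]@{
        Status         = $svc.Status
        StartType      = $svc.StartType
        RemotePrinting = $(switch ($remote) {
            2       { 'Blocked by policy' }
            1       { 'Allowed by policy' }
            default { 'Not configured (allowed)' }
        })
    }
}

Write-Host 'Before:'
Get-SpoolerState | Format-List

switch ($Mode) {
    'DisableSpooler' {
        # Full workaround: the host can no longer print, locally or remotely.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
    'BlockRemotePrinting' {
        # Partial workaround: local printing keeps working, inbound remote printing stops.
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value 2 -Type DWord
        Restart-Service -Name Spooler -Force   # the policy is read when the service starts
    }
}

if ($Mode -ne 'Report') {
    Write-Host 'After:'
    Get-SpoolerState | Format-List
}
```

Run it with `-Mode Report` across the estate first to find hosts still exposing the spooler, then apply the workaround that matches each host’s role.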
Fraudulent apps on Google Play store trick users into making payments and providing credentials
- Scammers have stolen over USD 350,000 from thousands of victims via fake cryptocurrency mobile applications. 172 paid Android applications have been identified, 25 of which were available on the Google Play store. Victims lost money from buying the apps and then paying for additional services and non-existent upgrades.
- Meanwhile, Google removed nine other Android applications from its Play store after attackers leveraged the apps to steal users’ Facebook login credentials. The apps provided functioning services but were also designed to steal credentials by coercing users to log into their Facebook accounts.
SO WHAT? Malicious and fraudulent applications can be an attractive way for attackers to steal money and sensitive information. Make sure to check the reliability of the app developer before downloading.
Operators of the TrickBot malware botnet update their arsenal
Researchers suggest TrickBot operators may resume their bank fraud attacks. Having abandoned these operations for over a year, TrickBot has been recently pushing an updated module of its e-banking credential-stealing malware.
Security researchers also suspect TrickBot operators are behind the new Diavol ransomware strain. So far, Diavol’s deployment has only been reported once in the wild.
SO WHAT? Although ransomware attacks have taken centre stage, it’s important for users to still stay aware of and protect themselves against other types of attacks, such as banking credential theft and subsequent banking fraud.
Pro-Trump social media platform compromised
Attackers have compromised the pro-Trump social media platform GETTR, stealing tens of thousands of users’ data. The attackers exploited poorly configured APIs to scrape the user data.
The site launched publicly with an abundance of unresolved security issues that attackers immediately exploited. Attackers shared the scraped data on RaidForums, which included usernames, email addresses, birth years, locations, and more.
SO WHAT? All public applications should undergo rigorous security testing prior to being made public, so that vulnerabilities are identified and mitigating controls are implemented.