Cybersecurity researchers on Thursday took the wraps off a new, ongoing espionage campaign targeting corporate networks in Spanish-speaking countries, specifically Venezuela, to spy on its victims.

Dubbed "Bandidos" by ESET owing to the use of an upgraded variant of Bandook malware, the primary targets of the threat actor are corporate networks in the South American country spanning across manufacturing, construction, healthcare, software services, and retail sectors.

Written in both Delphi and C++, Bandook has a history of being sold as a commercial remote access trojan (RAT) dating all the way back to 2005. Since then, numerous variants have emerged on the threat landscape and put to use in different surveillance campaigns in 2015 and 2017, allegedly by a cyber-mercenary group known as Dark Caracal on behalf of government interests in Kazakhstan and Lebanon.

In a continuing resurgence of the Bandook Trojan, Check Point last year disclosed three new samples — one of which supported 120 commands — that were utilized by the same adversary to hit government, financial, energy, food industry, healthcare, education, IT, and legal institutions located in Chile, Cyprus, Germany, Indonesia, Italy, Singapore, Switzerland, Turkey, and the U.S.

The latest attack chain commences with prospective victims receiving malicious emails with a PDF attachment, which contains a shortened URL to download a compressed archive hosted on Google Cloud, SpiderOak, or pCloud and the password to extract it. Extracting the archive reveals a malware dropper that decodes and injects Bandook into an Internet Explorer process.

Interestingly, the latest variant of Bandook analyzed by ESET contains 132 commands, up from the 120 commands reported by Check Point, implying that the criminal group behind the malware are advancing their malicious tools with improved capabilities and striking power.

"Especially interesting is the ChromeInject functionality," said ESET researcher Fernando Tavella. "When the communication with the attacker's command and control server is established, the payload downloads a DLL file, which has an exported method that creates a malicious Chrome extension. The malicious extension tries to retrieve any credentials that the victim submits to a URL. These credentials are stored in Chrome's local storage."

Some of the main commands that the payload is capable of processing include listing directory contents, manipulating files, taking screenshots, controlling the cursor on the victim's machine, installing malicious DLLs, terminating running processes, downloading files from a specific URL, exfiltrating the results of the operations to a remote server, and even uninstalling itself from the infected machines.

If anything, the development is yet another sign that adversaries can still leverage old crimeware solutions to facilitate attacks.

"[Bandook's] involvement in different espionage campaigns [...] shows us that it is still a relevant tool for cybercriminals," the researchers opined. "Also, if we consider the modifications made to the malware over the years, it shows us the interest of cybercriminals to keep using this piece of malware in malicious campaigns, making it more sophisticated and more difficult to detect."

Source

A cyber-espionage group has been observed increasingly targeting Indian government personnel as part of a broad campaign to infect victims with as many as four new custom remote access trojans (RATs), signaling a "boost in their development operations."

Attributed to a group tracked as SideCopy, the intrusions culminate in the deployment of a variety of modular plugins, ranging from file enumerators to browser credential stealers and keyloggers (Xeytan and Lavao), Cisco Talos said in a report published Wednesday.

"Targeting tactics and themes observed in SideCopy campaigns indicate a high degree of similarity to the Transparent Tribe APT (aka APT36) also targeting India," researchers Asheer Malhotra and Justin Thattil said. "These include using decoys posing as operational documents belonging to the military and think tanks and honeytrap-based infections."

First documented in September 2020 by Indian cybersecurity firm Quick Heal, SideCopy has a history of mimicking infection chains implemented by the Sidewinder APT to deliver its own set of malware — in an attempt to mislead attribution and evade detection — while constantly retooling payloads that include additional exploits in its weaponry after a reconnaissance of the victim's data and environment.

The adversary is also believed to be of Pakistani origin, with suspected ties to the Transparent Tribe (aka Mythic Leopard) group, which has been linked to several attacks targeting the Indian military and government entities. Past campaigns undertaken by the threat actor involve using government and military-related lures to single out Indian defense units and armed forces personnel and deliver malware capable of accessing files, clipboard data, terminating processes, and even executing arbitrary commands.

The latest wave of attacks leverages a multitude of TTPs, including malicious LNK files and decoy documents, to deliver a combination of bespoke and commercially available commodity RATs such as CetaRAT, DetaRAT, ReverseRAT, MargulasRAT, njRAT, Allakore, ActionRAT, Lillith, and Epicenter RAT. Apart from military themes, SideCopy has also been found employing calls for proposals and job openings related to think tanks in India to target potential victims.

"The development of new RAT malware is an indication that this group of attackers is rapidly evolving its malware arsenal and post-infection tools since 2019," Malhotra and Thattil noted. The improvements demonstrate an effort to modularize the attack chains, while also demonstrating an increase in sophistication of the group's tactics, the researchers said.

Besides deploying full-fledged backdoors, SideCopy has also been observed utilizing plugins to carry out specific malicious tasks on the infected endpoint, chief among which is a Golang-based module called "Nodachi" that's designed to conduct reconnaissance and steal files targeting a government-mandated two-factor authentication solution called Kavach, which is required to access email services.

The goal, it appears, is to steal access credentials from Indian government employees with a focus on espionage, the researchers said, adding the threat actor developed droppers for MargulasRAT that masqueraded as installers for Kavach on Windows.

Malware researcher @0xrb, who is also independently tracking the campaign, reached out to The Hacker News with two more IPs used by SideCopy attackers to connect to the command-and-control server — 103[.]255.7.33 and 115[.]186.190.155 — both of which are located in the city of Islamabad, lending credence to the threat actor's Pakistani provenance.

"What started as a simple infection vector by SideCopy to deliver a custom RAT (CetaRAT), has evolved into multiple variants of infection chains delivering several RATs," the researchers concluded. "The use of these many infection techniques — ranging from LNK files to self-extracting RAR EXEs and MSI-based installers — is an indication that the actor is aggressively working to infect their victims."

Source

 

Researchers have bypassed Microsoft's emergency patch for the PrintNightmare vulnerability to achieve remote code execution and local privilege escalation with the official fix installed.

 

Last night, Microsoft released an out-of-band KB5004945 security update that was supposed to fix the PrintNightmare vulnerability that researchers disclosed by accident last month.

 

After the update was released, security researchers Matthew Hickey, co-founder of Hacker House, and Will Dormann, a vulnerability analyst for CERT/CC, determined that Microsoft only fixed the remote code execution component of the vulnerability.

 

However, malware and threat actors could still use the local privilege escalation component to gain SYSTEM privileges on vulnerable systems for older Windows versions, and for newer versions if the Point and Print policy was enabled.

 

Today, as more researchers began modifying their exploits and testing the patch, it was determined that exploits could bypass the entire patch entirely to achieve both local privilege escalation (LPE) and remote code execution (RCE).

 

According to Mimikatz creator Benjamin Delpy, the patch could be bypassed to achieve Remote Code Execution when the Point and Print policy is enabled.

 

Dormann also confirmed this patch bypass on Twitter. 

 

To bypass the PrintNightmare patch and achieve RCE and LPE, a Windows policy called 'Point and Print Restrictions' must be enabled, and the "When installing drivers for a new connection" setting configured as "Do not show warning on elevation prompt."

This policy is located under Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions.

 

When enabled, the 'NoWarningNoElevationOnInstall' value will be set to 1 under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint key.

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]
"NoWarningNoElevationOnInstall"=dword:00000001

 

Hickey told BleepingComputer that he is still advising admins and users to disable the Print Spooler service to protect their Windows servers and workstations until a working patch is released.

 

"We're still advising our clients to disable the printer spooler wherever its not required until a fix arrives that addresses this issue appropriately," Hickey told BleepingComputer.

 

0patch has also released a free micropatch for PrintNightmare that has so far been able to block attempts at exploiting the vulnerability.

 

However, they are warning against installing Microsoft's July 6th patch as it not only doesn't protect against the vulnerabilities but modifies the 'localspl.dll' file so 0Patch's patch no longer works.

 

"If you're using 0patch against PrintNightmare, DO NOT apply the July 6 Windows Update! Not only does it not fix the local attack vector but it also doesn't fix the remote vector. However, it changes localspl.dll, which makes our patches that DO fix the problem stop applying," tweeted the 0Patch service.

 

"We've decided not to port our PrintNightmare patches to the localspl.dll version brought by Microsoft's out-of-band update from July 6, but will rather wait for Patch Tuesday that'll hopefully fix the flawed IsLocalFile function, then we'll port our patches to block local attacks"

 

BleepingComputer has contacted Microsoft about the security update but has not heard back at this time.

Microsoft's incomplete PrintNightmare patch fails to fix vulnerability

 

The Tor Project has released Tor Browser 10.5 with V2 onion URL deprecation warnings, a redesigned Tor connection experience, and an improved anti-censorship feature.

 

Last year, the Tor Project announced that they were deprecating the use of V2 onion URLs in favor of the newer V3 URLs to provide more robust cryptography, longer URLs to prevent brute-forcing of hidden sites, and cleaner code.

 

As part of this announcement, Tor warned that V2 URLs would be deprecated using the following timeline:

 

• September 15th, 2020: 0.4.4.x: Tor will start warning onion service operators and clients that v2 is deprecated and will be obsolete in version 0.4.6.
• July 15th, 2021: 0.4.6.x: Tor will no longer support v2 and support will be removed from the code base.
• October 15th, 2021: We will release new Tor client stable versions for all supported series that will disable v2.

 

To warn Tor website admins of the upcoming changes, the Tor Browser will now display a message when visiting version 2 Onion sites that their URLs would soon be deprecated, and the site will soon be unreachable unless they upgrade to version 3.

For website administrators of Tor sites using V2 URLs, you should read the Tor V2 Onion Services Deprecation FAQ for more information on how to upgrade to V3 URLs.

Snowflake added as a Tor bridge

The Tor Browser allows users to utilize 'Bridges' to bypass government or ISP censorship in various countries.

 

Bridges are Tor relays operated by volunteers that are not added to the public Tor directory. Users can then request a bridge to use in the Tor browser to bypass censorship in their country.

 

Tor users can now configure the Bridges features to utilize the SnowFlake proxy network to bypass censorship.

Snowflake is a pluggable transport that allows users to create Tor Bridges that bypass censorship easily. Unlike other Tor Bridges, Snowflake proxies can be made by simply installing a Chrome or Firefox extension, allowing a much larger audience to help people get access to the Internet under government censorship.

 

"Snowflake uses the highly effective domain fronting technique to make a connection to one of the thousands of snowflake proxies run by volunteers. These proxies are lightweight, ephemeral, and easy to run, allowing us to scale Snowflake more easily than previous techniques," explains Tor's censorship FAQ.

 

"For censored users, if your Snowflake proxy gets blocked, the broker will find a new proxy for you, automatically."

 

If you want to try out these features, simply use the Tor Browser autoupdate feature to upgrade to version 10.5 or download it directly from the Tor Browser download page.

Tor Browser adds new anti-censorship feature, V2 onion warnings

Frontpaged: Tor Browser 10.5

Email fatigue among users opens doors for cybercriminals

 

Scammers tricked at least 93,000 people into buying fake Android cryptocurrency mining applications, as revealed by researchers from California-based cybersecurity firm Lookout.

 

The 172 paid Android applications, tracked as two separate families dubbed BitScam (83,800 installs) and CloudScam (9,600 installs), were advertised by the cybercriminals to victims as providing cloud cryptocurrency mining services.

 

Twenty-five of these fake apps were available in the Google Play Store, while those sold on third-party app stores could be side-loaded by victims on their Android devices.

Fake app upgrades also used to scam victims

Lookout researchers revealed in a report published today that the apps didn't include any cloud cryptomining functionality.

 

Instead, the scammers filled up their wallets by selling the fake apps without actually providing any of the advertised services.

 

The scammers used the fake Android apps to steal a total of over $350,000 ($300K in app sales and $50K in fake upgrades) from thousands of victims worldwide who bought the apps and paid for additional services and non-existent upgrades.

 

"These apps were able to fly under the radar because they don’t actually do anything malicious," Lookout mobile app security researcher Ioannis Gasparis said.

 

"They are simply shells set up to attract users caught up in the cryptocurrency craze and collect money for services that don’t exist."

Dozens of fake cryptomining apps still for up for sale

Targets were lured into spending even more money on the apps using the promise of additional services and app upgrades, purchasable via cryptocurrency transfers straight to the scammers' crypto wallets or via the Play Store.

 

"Both CloudScam and BitScam also offer subscriptions and services related to crypto mining that users can pay for via the Google Play in-app billing
system," Lookout explains.

 

"What makes BitScam different is that its apps also accept Bitcoin and Ethereum as payment options."

 

Even though Google has already removed all the fake BitScam and CloudScam cryptomining apps found on the Play Store apps, Lookout says that dozens of them are still up for sale on third-party app stores around the web.

 

A list of all BitScam and CloudScam apps, indicators of compromise (IOCs), additional technical details, and info on the number of Play Store installs per app are available in the Lookout report.

Tens of thousands scammed using fake Android cryptomining apps

An analysis of off-the-shelf packages hosted on the NuGet repository has revealed 51 unique software components to be vulnerable to actively exploited, high-severity vulnerabilities, once again underscoring the threat posed by third-party dependencies to the software development process.

In light of the growing number of cyber incidents that target the software supply chain, there is an urgent need to assess such third-party modules for any security risks and minimize the attack surface, ReversingLabs researcher Karlo Zanki said in a report shared with The Hacker News.

NuGet is a Microsoft-supported mechanism for the .NET platform and functions as a package manager designed to enable developers to share reusable code. The framework maintains a central repository of over 264,000 unique packages that have collectively produced more than 109 billion package downloads.

"All identified precompiled software components in our research were different versions of 7Zip, WinSCP and PuTTYgen, programs that provide complex compression and network functionality," Zanki explained. "They are continuously updated to improve their functionality and to address known security vulnerabilities. However, sometimes it happens that other software packages get updated but still keep using several years old dependencies containing known vulnerabilities."

In one instance, it was found that "WinSCPHelper" — a remote server file management library and which has been downloaded more than 35,000 times — use an old and vulnerable WinSCP version 5.11.2, whereas WinSCP version 5.17.10 released earlier this January addresses a critical arbitrary execution flaw (CVE-2021-3331), thus exposing users of the package to the vulnerability.

Furthermore, the researchers established that more than 50,000 software components extracted from NuGet packages were statically linked to a vulnerable version of "zlib" data compression library, rendering them vulnerable to a number of known security issues such as CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, and CVE-2016-9843.

Some of the packages that were observed to have a zlib vulnerability are "DicomObjects" and "librdkafka.redist", each of which have been downloaded no less than 50,000 and 18.2 million times. A matter of more concern is that "librdkafka.redist" is listed as a dependency for several other popular packages, counting Confluent's .NET Client for Apache Kafka (Confluent.Kafka), which, in turn, has been downloaded more than 17.6 million times to date.

"Companies developing software solutions need to become more aware of such risks, and need to become more involved in their handling," Zanki said. "Both the inputs and final outputs of the software development process need to be checked for tampering and code quality issues. "Transparent software development is one of the keystones needed to enable early detection and prevention of software supply-chain attacks."

Source

Pseudonymous engineer claims people were coming to his house

Efforts to wrest control of the open-source Audacity audio editing project from corporate owner Muse Group have hit a stumbling block after the maintainer of one of the more popular forks stepped down over alleged physical harassment.

The trouble began when the two-decade-old Audacity project was acquired by Muse Group in May, a freshly launched parent company holding commercial services Ultimate Guitar, MuseScore, and others. Audacity seemed like a natural enough fit, and new maintainer Martin "Tantacrul" Keary promised it would remain both free and open source.

Days later, the company added telemetry to the software, which uploaded unspecified metrics to third-party servers including Google in the US and Yandex in Russia. The fact the telemetry was optional did little to pacify critics, and it was was quickly reversed. Then came a change to the privacy agreement, which included an attempt to prevent under-13s from using the software – on the face of it an apparent breach of the GNU General Public Licence 2 under which the software is published.

The responses to these moves was entirely predictable: the project was forked, multiple times, taking the source code from either before the telemetry was introduced or after it was removed and spinning it into a new project under a different name – outside Muse Group's control.

Since the introduction of telemetry, the Audacity project has been forked more than 50 times – including into the Tenacity project, created by pseudonymous programmer "cookiengineer." It's this fork which attracted the attention of notorious anonymous forum 4chan, resulting in what cookiengineer claims is real-world harassment – and his abandoning of the project.

Doorstep harassment prompts departure

"I really thought long about this, and I haven't slept in two days due to ongoing harassments of 4chan," cookiengineer claimed in a post to the Tenacity GitHub Issues page some 13 hours ago. "As the first people were literally arriving at my place of living, where they knocked on my doors and windows to scare us, I am hereby officially stepping down as a maintainer of this project.

"The safety of my family is worth more than an open source project. They found out my address via a YouTube video where someone was posting my nickname combined with my real legal name (which meanwhile got taken down due to my asking). The incident happened shortly 23:00 CEST [21:00 UTC], today; and the police took over this case."

The cause of the alleged harassment? A disagreement over the project's name. Being unable to use the Audacity trademark, now owned by Muse Group, cookiengineer ran a poll to find a new name for the fork. Those on 4chan who can never pass up an opportunity to influence the outcome of a poll took it into their hands to ensure Sneedacity, a reference to a throwaway Simpsons gag in which a store is signposted "Sneed's Feed & Seed, formerly Chuck's", won.

When cookiengineer deleted the poll and picked Tenacity as the project's name instead, it didn't go over well. The initial response from involved 4chan members, who are by nature of the board anonymous, seemed entirely measured: forking the Audacity project themselves, and creating the Sneedacity of which they had felt robbed.

A tale of two forks – and 4chan

If things had ended there, the two projects could have lived side-by-side – but cookiengineer claims 4chan members took things considerably further, including into physical harassment. While a search of the forum shows no evidence of cookiengineer's address details being shared nor calls for physical violence, there were several calls for action to see him banned from GitHub, multiple threads on the topic are filled with vitriol – mostly aimed at cookiengineer, but with the 4channer responsible for Sneedacity targeted too.

"They are cyber terrorists, not cringe cancel kiddos," cookiengineer alleged in his announcement. "They physically tried to harm me in real life, and this has gotten out of hand. They are physically harming people, in real life. Be aware of anything you do BEFORE trying to do the right thing.

"I am in contact with GitHub and the German BKA (federal police) as of now, therefore I will not disclose any more information publicly about what happened to anyone. Evidence has been gathered, submitted and will be acted upon. I will not legally let go of this."

The Tenacity project will appoint a new maintainer, should anyone still want the job. Muse Group, meanwhile, is potentially wondering just what it has got itself into. ®

Source

"On the internet, nobody knows you're a dog!"

These words from Peter Steiner's famous cartoon could easily be applied to the recent ransomware attack on Florida-based software supplier Kaseya.

Kaseya provides software services to thousands of clients around the world. It's estimated between 800 and 1,500 medium to small businesses may be impacted by the attack, with the hackers demanding US$50 million (lower than the previously reported US$70 million) in exchange for restoring access to data being held for ransom.

The global ransomware attack has been labelled the biggest on record. Russian cybercriminal organisation REvil is the alleged culprit.

Despite its notoriety, nobody really knows what REvil is, what it's capable of or why it does what they does—apart from the immediate benefit of huge sums of money. Also, ransomware attacks often involve vast distributed networks, so it's not even certain the individuals involved would know each other.

Ransomware attacks are growing exponentially in size and ransom demand—changing the way we operate online. Understanding who these groups are and what they want is critical to taking them down.

Here, we list the top five most dangerous criminal organisations currently online. As far as we know, these rogue groups aren't backed or sponsored by any state.

DarkSide

DarkSide is the group behind the Colonial Pipeline ransom attack in May, which shut down the US Colonial Pipeline's fuel distribution network, triggering gasoline shortage concerns.

The group seemingly first emerged in August last year. It targets large companies that will suffer from any disruption to their services—a key factor, as they're then more likely to pay ransom. Such companies are also more likely to have cyber insurance which, for criminals, means easy moneymaking.

DarkSide's business model is to offer a ransomware service. In other words, it carries out ransomware attacks on behalf of other, hidden perpetrator/s so they can lessen their liability. The executor and perpetrator then share profits.

Groups that offer cybercrime-as-a-service also provide online forum communications to support others who may want to improve their cybercrime skills.

This might involve teaching someone how to combine distributed denial-of-service (DDoS) and ransomware attacks, to put extra pressure on negotiations. The ransomware would prevent a business from working on past and current orders, while a DDoS attack would block any new orders.

REvil

The ransomware-as-a-service group REvil is currently making headlines due to the ongoing Kaseya incident, as well as another recent attack on global meat processing company JBS. This group has been particularly active in 2020-2021.

In April, REvil stole technical data on unreleased Apple products from Quanta Computer, a Taiwanese company that assembles Apple laptops. A ransom of US$50 million was demanded to prevent public release of the stolen data. It hasn't been revealed whether or not this money was paid.

Clop

The ransomware Clop was created in 2019 by a financially-motivated group responsible for yielding half a billion US dollars.

The Clop group's speciality is "double-extortion". This involves targeting organisations with ransom money in exchange for a decryption key that will restore the organisation's access to stolen data. However, targets will then have to pay extra ransom to not have the data released publicly.

Historical examples reveal that organisations which pay a ransom once are more likely to pay again in the future. So hackers will tend to target the same organisations again and again, asking for more money each time.

Syrian Electronic Army

Far from a typical cybercrime gang, the Syrian Electronic Army has been launching online attacks since 2011 to promote political propaganda. With this motive, they have been dubbed a hactivist group.

While the group has links with Bashar al-Assad's regime, it's more likely made up of online vigilantes trying to be media auxiliary for the Syrian army.

Their technique is to distribute fake news through reputable sources. In 2013, a single tweet sent by them from the official account of the Associated Press, the world's leading news agency, had the effect of wiping billions from the stock market.

The Syrian Electronic Army exploits the fact that most people online have a tendency to interpret and react to content with an implicit sense of trust. And they're a prime example of how the boundaries between crime and terror groups online are less distinct than in the physical world.

FIN7

If this list could contain a "super villain", it would be FIN7. Another Russian-based group, FIN7 is arguably the most successful online criminal organisation of all time. Operating since 2012, it mainly works as a business.

Many of its operations have been undetected for years. Its data breaches have exploited cross-attack scenarios, wherein the data breach serves multiple purposes. For example, it may enable extortion through ransom while also allowing the attacker to use data against victims, such as by reselling it to a third party.

In early 2017, FIN7 was alleged to be behind an attack targeting companies providing filings to the US Security and Exchange Commission. This confidential information was exploited and used to obtain ransom which was then invested on the stock exchange.

As such, the groups made huge sums of money by trading on confidential information. The insider trading scheme facilitated by hacking went on for many years—which is why it's not possible to quantify the exact amount of economic damage. But it's estimated to be well over US$1 billion.

Organised crime vs organised criminals

When it comes to complex criminal organisations, techniques evolve and motives vary.

The way they organise themselves and commit crimes online is very different from your local offline gang. Ransomware can be launched from anywhere in the world, so it's very difficult to prosecute these criminals. Matters are made even more complicated when several parties coordinate across borders.

It's no wonder the challenge for law enforcement agencies is significant. It's crucial that authorities investigating an attack are sure it was indeed perpetrated by who they suspect. But to know this, they need all the help they can get.

Source

Threat actors are trying to capitalize on the ongoing Kaseya ransomware attack crisis by targeting potential victims in a spam campaign pushing Cobalt Strike payloads disguised as Kaseya VSA security updates.

Cobalt Strike is a legitimate penetration testing tool and threat emulation software that's also used by attackers for post-exploitation tasks and to deploy so-called beacons that allow them to gain remote access to compromised systems.

The end goal of such attacks is either that of harvesting and exfiltrating sensitive data or delivering second-stage malware payloads.

"Interestingly, 66 percent of all ransomware attacks this quarter involved red-teaming framework Cobalt Strike, suggesting that ransomware actors are increasingly relying on the tool as they abandon commodity trojans," the Cisco Talos Incident Response (CTIR) team said in a September quarterly report.

Spam emails bundle malicious attachments and links

The malspam campaign spotted by Malwarebytes Threat Intelligence researchers uses two different tactics to deploy the Cobalt Strike payloads.

Malicious emails sent as part of this malspam campaign come with a malicious attachment and an embedded link designed to look like a Microsoft patch for the Kaseya VSA zero-day exploited in the REvil ransomware attack.

"A malspam campaign is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike," the Malwarebytes Threat Intelligence team said.

"It contains an attachment named 'SecurityUpdates.exe' as well as a link pretending to be security update from Microsoft to patch Kaseya vulnerability!"

The attackers gain persistent remote access to the targets systems once they run the malicious attachment or download and launch the fake Microsoft update on their devices.

Kaseya phishing email sample (Malwarebytes)

Colonial Pipeline attack also exploited in Cobalt Strike phishing

Last month, threat actors also used fake systems updates claiming to help detect and block ransomware infections following the Colonial Pipeline attack.

Just as with this month's malspam campaign, the June phishing campaign was also pushing malicious payloads designed to deploy the Cobalt Strike penetration testing tool, which would have allowed the attackers to compromise the recipients' systems.

As INKY researchers who spotted the attacks said, the phishing emails came with a deadline for installing the fake updates to add a sense of urgency.

The payload download pages were also customized using the target company's graphics to make them appear trustworthy.

These two campaigns highlight that threat actors in the phishing business keep track of the latest news for pushing lures relevant to recent events to boost their campaigns rates of success.

The highly-publicized REvil ransomware attack that hit the Kaseya MSP software provider and approximately 60 out of 35,000 of their direct customers and 1,500 out of 1,000,000 downstream businesses makes for a perfect lure theme.

Since Kaseya says that it failed to deploy a fix for the VSA zero-day exploited by REvil, many of its customers might fall for this pishing campaign's tricks in their effort to protect their networks from attacks.

Source

Why the Password Isn't Dead Quite Yet

(May require free registration to view)

Microsoft releases mandatory Windows updates to fix PrintNightmare exploit [Update] 

 

Earlier last week, Microsoft acknowledged that it was investigating a critical vulnerability in Windows 10 that when exploited could let attackers run arbitrary code on the victim’s system. The vulnerability, tracked under CVE-2021-34527, is present in the Windows Print Spooler service and is termed print "PrintNightmare" that can allow for remote code execution (RCE). As the vulnerability was still being investigated, the Redmond firm listed two possible workarounds to mitigate the risks caused by the bug.

 

Today, the firm has provided an update in the Microsoft Security Response Center (MSRC) listing for the vulnerability noting that it is rolling out a patch for the latest Windows 10 versions to address the issue. The update, KB5004945, is currently rolling out to the three most recent Windows 10 versions, 2004, 20H2, and 21H1, bumping them to Windows 10 builds 19041.1083, 19042.1083, and 19043.1083, respectively. Since these versions are based on the same codebase, the updates are identical for all the versions. The changelog and documentation for the update are yet to go live.

Considering that these are security updates to fix a critical vulnerability, they are mandatory updates and are downloaded automatically through Windows Update. Users can also manually download the patch from the Update Catalog here. Future patches, such as the upcoming Patch Tuesday updates, will contain these fixes.

 

There is no word from the firm on how the vulnerability affects older versions of the OS, though it notes that it has completed the investigation of the issue. The updates today are only rolling out to the three most recent and fully supported Windows 10 versions, but it will not be surprising to see a patch being made available for older versions still being supported for Enterprise and Education customers sooner, as the firm notes that supported Windows versions that do not receive an update today will get one "shortly after July 6".

 

For those unaware, the PrintNightmare vulnerability is caused by the Print Spooler service not restricting access to a function that is used to install printer drivers remotely. An attacker that gains unrestricted access can execute arbitrary code with SYSTEM privileges, examples of which are already available on the web. Considering the severity of the vulnerability, it is best for all users to update to the latest build as soon as possible.

 

Update: The patches are available for most supported Windows 10, Windows 8.1, and Windows 7 (ESU users). You can either update via Windows Update, or head to the MSRC document to find links to the requisite Update Catalog pages. The company has also provided the KB article links, but as is the case these days, those pages are yet to be updated. Windows 10 version 1607, Windows Server 2012, and Windows Server 2016 are yet to receive updates.

 

Here is the complete list of links posted by the firm:

Product	Severity	Article	Download
Windows Server 2012 R2 (Server Core installation)	Critical	5004954	Monthly Rollup
Windows Server 2012 R2 (Server Core installation)	Critical	5004958	Security Only
Windows Server 2012 R2	Critical	5004954	Monthly Rollup
Windows Server 2012 R2	Critical	5004958	Security Only
Windows Server 2012 (Server Core installation)	Critical
Windows Server 2012	Critical
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)	Critical	5004953	Monthly Rollup
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)	Critical	5004951	Security Only
Windows Server 2008 R2 for x64-based Systems Service Pack 1	Critical	5004953	Monthly Rollup
Windows Server 2008 R2 for x64-based Systems Service Pack 1	Critical	5004951	Security Only
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)	Critical	5004955	Monthly Rollup
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)	Critical	5004959	Security Only
Windows Server 2008 for x64-based Systems Service Pack 2	Critical	5004955	Monthly Rollup
Windows Server 2008 for x64-based Systems Service Pack 2	Critical	5004959	Security Only
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)	Critical	5004955	Monthly Rollup
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)	Critical	5004959	Security Only
Windows Server 2008 for 32-bit Systems Service Pack 2	Critical	5004955	Monthly Rollup
Windows Server 2008 for 32-bit Systems Service Pack 2	Critical	5004959	Security Only
Windows 8.1 for x64-based systems	Critical	5004954	Monthly Rollup
Windows 8.1 for x64-based systems	Critical	5004958	Security Only
Windows 8.1 for 32-bit systems	Critical	5004954	Monthly Rollup
Windows 8.1 for 32-bit systems	Critical	5004958	Security Only
Windows 7 for x64-based Systems Service Pack 1	Critical	5004953	Monthly Rollup
Windows 7 for x64-based Systems Service Pack 1	Critical	5004951	Security Only
Windows 7 for 32-bit Systems Service Pack 1	Critical	5004953	Monthly Rollup
Windows 7 for 32-bit Systems Service Pack 1	Critical	5004951	Security Only
Windows Server 2016 (Server Core installation)	Critical
Windows Server 2016	Critical
Windows 10 Version 1607 for x64-based Systems	Critical
Windows 10 Version 1607 for 32-bit Systems	Critical
Windows 10 for x64-based Systems	Critical	5004950	Security Update
Windows 10 for 32-bit Systems	Critical	5004950	Security Update
Windows Server, version 20H2 (Server Core Installation)	Critical	5004945	Security Update
Windows 10 Version 20H2 for ARM64-based Systems	Critical	5004945	Security Update
Windows 10 Version 20H2 for 32-bit Systems	Critical	5004945	Security Update
Windows 10 Version 20H2 for x64-based Systems	Critical	5004945	Security Update
Windows Server, version 2004 (Server Core installation)	Critical	5004945	Security Update
Windows 10 Version 2004 for x64-based Systems	Critical	5004945	Security Update
Windows 10 Version 2004 for ARM64-based Systems	Critical	5004945	Security Update
Windows 10 Version 2004 for 32-bit Systems	Critical	5004945	Security Update
Windows 10 Version 21H1 for 32-bit Systems	Critical	5004945	Security Update
Windows 10 Version 21H1 for ARM64-based Systems	Critical	5004945	Security Update
Windows 10 Version 21H1 for x64-based Systems	Critical	5004945	Security Update
Windows 10 Version 1909 for ARM64-based Systems	Critical	5004946	Security Update
Windows 10 Version 1909 for x64-based Systems	Critical	5004946	Security Update
Windows 10 Version 1909 for 32-bit Systems	Critical	5004946	Security Update
Windows Server 2019 (Server Core installation)	Critical	5004947	Security Update
Windows Server 2019	Critical	5004947	Security Update
Windows 10 Version 1809 for ARM64-based Systems	Critical	5004947	Security Update
Windows 10 Version 1809 for x64-based Systems	Critical	5004947	Security Update
Windows 10 Version 1809 for 32-bit Systems	Critical	5004947	Security Update

 

Update 2: The KB articles are now live for those interested in reading through the changelog. For Windows 10, the changelog is mostly similar across versions. Here is how the firm details the update:

Addresses a remote code execution exploit in the Windows Print Spooler service, known as “PrintNightmare”, as documented in CVE-2021-34527. After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system’s Trusted Root Certification Authorities trusts signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role. You also have the option to configure the RestrictDriverInstallationToAdministrators registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see KB5005010.

Microsoft releases mandatory Windows updates to fix PrintNightmare exploit [Update]

US warns of action against ransomware gangs if Russia refuses

Audio-edit software Audacity has denied accusations its new privacy policy has transformed it into "possible spyware".

The open-source free tool, with 100 million users worldwide, is popular with podcast and music editors.

Its updated policy says data can be shared with its Russia-based infrastructure company, WSM, as well as regional law enforcement.

Audacity says the only data it exchanges with its users is software updates and error reports.

But since the updated policy was published last week, there have been angry calls from concerned users to uninstall the product or revert to an older version.

And technology website Fosspost described the most recent version as "possible spyware".

"One would not expect an offline desktop application to be collecting such data, phoning home and then handing that data to governments around the world whenever they see fit," it wrote.

Audacity was bought by the Cyprus-based firm Muse Group in April 2021.

Muse head of strategy Daniel Ray told BBC News: "We don't know anything about our users.

"We don't want users' personal information - that doesn't help us."

The company, which bought Audacity in April, intended to release more frequent updates and wanted to alert users, Mr Ray said.

And the policy, "written by lawyers, to be understood by lawyers rather than the average person", was a requirement for any software that sent any form of information back to its creators.

image copyright Getty Images
image caption Audacity has 100 million users worldwide.

It also stated under-13s could no longer use the Audacity app, to comply with data laws, Mr Ray said[.]

But anyone of any age could still use the product in its offline mode.

The policy says Audacity collects "very limited data" about users - no "direct identifiers" such as names or contact details - and an account profile is not required.

But it may share the personal data it does gather with:

• staff members

• law enforcement, government agencies and regulators

• auditors, advisers and legal representatives of the company

• potential buyers of the business

And while European user data is stored in Europe, it may "occasionally" share data with its headquarters in Russia.

This was to monitor signs of potential distributed-denial-of-service (DDOS), when a platform is deliberately flooded with data requests intended to knock it offline, Mr Ray said.

And individual Internet Protocol (IP) addresses were scrambled, using an encryption technique called hashing.

The company was not seeking to monetise the 21-year-old product, Mr Ray said, but it was seeking to "modernise" it.

"Previously, updates were every few years," he said, "we want to do them every few weeks.

"If you don't have ways of informing users about updates they might miss, then you put the burden on the user to keep up with the pace of change".

Source

Law enforcement authorities with the Interpol have apprehended a threat actor responsible for targeting thousands of unwitting victims over several years and staging malware attacks on telecom companies, major banks, and multinational corporations in France as part of a global phishing and credit card fraud scheme.

The two-year investigation, dubbed Operation Lyrebird by the international, intergovernmental organization, resulted in the arrest of a Moroccan citizen nicknamed Dr HeX, cybersecurity firm Group-IB disclosed today in a report shared with The Hacker News.

Dr HeX is said to have been "active since at least 2009 and is responsible for a number of cybercrimes, including phishing, defacing, malware development, fraud, and carding that resulted in thousands of unsuspecting victims," the cybersecurity firm said.

The cyber attacks involved deploying a phishing kit consisting of web pages that spoofed banking entities in the country, followed by sending mass emails mimicking the targeted companies, prompting email recipients to enter login information on the rogue website.

The credentials entered by unsuspecting victims on the fake web page were then redirected to the perpetrator's email. At least three different phishing kits presumably developed by the threat actor have been extracted.

The phishing kits were also "sold to other individuals through online forums to allow them to facilitate similar malicious campaigns against victims," Interpol said in a statement. "These were then used to impersonate online banking facilities, allowing the suspect and others to steal sensitive information and defraud trusting individuals for financial gain, with the losses of individuals and companies published online in order to advertise these malicious services."

The scripts included in the phishing kit contained the name Dr HeX and the individual's contact email address, using which the cybercriminal was eventually identified and deanonymized, in the process uncovering a YouTube channel as well as another name used by the adversary to register at least two fraudulent domains that were used in the attacks.

Additionally, Group-IB said it was also able to map the email address to the malicious infrastructure employed by the accused in various phishing campaigns, of which included as many as five email addresses, six nicknames, and his accounts on Skype, Facebook, Instagram, and YouTube.

In all, Dr Hex's digital footprint left a tell-tale trail of malicious activities over a period stretching between 2009 and 2018, during when the threat actor defaced no fewer than 134 web pages, along with finding posts created by the attacker on different underground forums devoted to malware trading and evidence suggesting his involvement in attacks on French corporations to steal financial information.

"The suspect, in particular, promoted so-called Zombi Bot, which allegedly contained 814 exploits, including 72 private ones, a brute-forcer, webshell and backdoor scanners, as well as functionality to carry out DDoS attacks," Group-IB CTO Dmitry Volkov told The Hacker News.

Source

U.S. technology firm Kaseya, which is firefighting the largest ever supply-chain ransomware strike on its VSA on-premises product, ruled out the possibility that its codebase was unauthorizedly tampered with to distribute malware.

While initial reports raised speculations that the ransomware gang might have gained access to Kaseya's backend infrastructure and abused it to deploy a malicious update to VSA servers running on client premises, in a modus operandi similar to that of the devastating SolarWinds hack, it has since emerged that a never-before-seen security vulnerability (CVE-2021-30116) in the software was leveraged to push ransomware to Kaseya's customers.

"The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution," the Miami-headquartered company noted in the incident analysis. "This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. There is no evidence that Kaseya's VSA codebase has been maliciously modified."

In other words, while successful zero-day exploitation on Kaseya VSA software by itself isn't a supply-chain attack, taking advantage of the exploit to compromise managed service providers (MSPs) and breach their customers would constitute as one.

It's, however, unclear as to how the hackers learned of the vulnerabilities. The details of those flaws have not yet been publicly released.

About 60 MSPs and 1,500 downstream businesses around the world have been paralyzed by the ransomware attack, according to the company's CEO Fred Voccola, most of which have been small concerns, like dental practices, architecture firms, plastic surgery centers, and libraries.

Hackers associated with the Russia-linked REvil ransomware-as-a-service (RaaS) group initially demanded $70 million in Bitcoins to release a decryptor tool for restoring all the affected businesses' data, although they have swiftly lowered the asking price to $50 million, suggesting a willingness to negotiate their demands in return for a lesser amount.

"REvil ransomware has been advertised on underground forums for three years and it is one of the most prolific RaaS operations," Kaspersky researchers said Monday, adding "the gang earned over $100 million from its operations in 2020."

The attack chain worked by first deploying a malicious dropper via a PowerShell script which was executed through Kaseya's VSA software.

"This script disables Microsoft Defender for Endpoint protection features and then uses the certutil.exe utility to decode a malicious executable (agent.exe) that drops a legitimate Microsoft binary (MsMpEng.exe, an older version of Microsoft Defender) and malicious library (mpsvc.dll), which is the REvil ransomware. This library is then loaded by the legitimate MsMpEng.exe by utilizing the DLL side-loading technique," the researchers added.

The incident has also led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to offer mitigation guidance, urging businesses to enable multi-factor authentication, limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.

Source

WASHINGTON, July 5 (Reuters) - Hackers suspected to be behind a mass extortion attack that affected hundreds of companies worldwide late on Sunday demanded $70 million to restore the data they are holding ransom, according to a posting on a dark web site.

The demand was posted on a blog typically used by the REvil cybercrime gang, a Russia-linked group that is counted among the cybercriminal world's most prolific extortionists.

The gang has an affiliate structure, occasionally making it difficult to determine who speaks on the hackers' behalf, but Allan Liska of cybersecurity firm Recorded Future said the message "almost certainly" came from REvil's core leadership.

The group has not responded to an attempt by Reuters to reach it for comment.

REvil's ransomware attack, which the group executed on Friday, was among the most dramatic in a series of increasingly attention-grabbing hacks.

The gang broke into Kaseya, a Miami-based information technology firm, and used their access to breach some of its clients' clients, setting off a chain reaction that quickly paralyzed the computers of hundreds of firms worldwide.

An executive at Kaseya said the company was aware of the ransom demand but did not immediately return further messages seeking comment.

About a dozen different countries were affected, according to research published https://www.welivesecurity.com/2021/07/03/kaseya-supply-chain-attack-what-we-know-so-far by cybersecurity firm ESET.

In at least one case, the disruption spilled out into the public domain when Swedish Coop grocery store chain had to close hundreds of stores on Saturday because its cash registers had been knocked offline as a consequence of the attack.

Earlier on Sunday, the White House said it was reaching out to victims of the outbreak "to provide assistance based upon an assessment of national risk."

The impact of the intrusion is still coming into focus.

Those hit included schools, small public-sector bodies, travel and leisure organizations, credit unions and accountants, said Ross McKerchar, chief information security officer at Sophos Group Plc.

McKerchar's company was one of several that had blamed https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses REvil for the attack, but Sunday's statement was the group's first public acknowledgement that it was behind the campaign.

Ransom-seeking hackers have tended to favor more focused shakedowns against single, high-value targets like Brazilian meatpacker JBS, whose production was disrupted last month when REvil attacked its systems. JBS said it ended up paying https://jbsfoodsgroup.com/articles/jbs-usa-cyberattack-media-statement-june-9 the hackers $11 million.

Liska said he believed the hackers had bitten off more than they could chew by scrambling the data of hundreds of companies at a time and that the $70 million demand was an effort to make the best of an awkward situation.

"For all of their big talk on their blog, I think this got way out of hand," he said. (Reporting by Raphael Satter; Editing by Kim Coghill, Robert Birsel)

Source

Businesses are set to suffer over $206 billion in losses from identity fraud in the period between 2021 and 2025, according to new figures.

A study from Juniper Research has highlighted growing issues for merchants, especially since the arrival of the global coronavirus pandemic. To put the huge figure into perspective; Juniper’s number is equivalent to nearly 10 times Amazon’s net income for the 2020 financial year.

There has been a surge in synthentic identity and account takeover fraud, which can compromise entire accounts and the payment data of customers. However, the research indicates that merchants do have the potential for fighting back, by enlisting the help of machine-learning-based fraud prevention platforms to combat the wave of increasingly sophisticated criminal attacks.

Central to the problem is the sale of physical goods that have been purchased remotely through e-commerce outlets, with the fallout of resulting online payment fraud accounting for over 47% of fraud losses so far this year.

Payment fraud

However, business owners are fighting back and attempting to counter the growing threat of identity fraud by improving their fraud detection and prevention systems. Spending on boosting these is expected to be over $11.8 billion globally by 2025, up from $9.3 billion in 2021.

The Juniper Research findings show that businesses will increasingly need the help of fraud protection and prevention vendors who can help them tackle the growing range of online payment options available through e-commerce channels. 

Business owners are also having to reshape their online shopping outlets to work in tandem with developing payment trends, such as open banking. Along with creating more robust e-commerce payment solutions, business are also being advised to invest in additional measures, including identity theft software and password managers.

Research co-author Nick Maynard explains: “Given the large amounts of online payment transactions globally, it is essential that this transactional data is leveraged to continually detect fraudulent transactions. Payment providers who can use this data to identify new fraud sources and tactics will be those who prove to be the most resilient to this significant market loss.”

Source

Audacity privacy policy changes have ruffled more than a few feathers

An update to the privacy policy for audio editor Audacity has raised concerns the open source software may be used to siphon off a wealth of user data under its new ownership.

Audacity was purchased earlier this year by a company called Muse Group, which owns various music and audio software, such as Ultimate Guitar, MuseScore and Tonebridge.

When the acquisition was announced, Muse Group promised the software would remain free and open source. However, sections of the community believe the new privacy policy runs counter to philosophies and ambitions of the open source movement; some have gone as far as to call Audacity “spyware”.

Under the new privacy policy, Audacity will collect information such as OS version, CPU and error codes, but also the location of the user. According to the policy, this information is required for analytics purposes and to improve the application, although it’s unclear where location data slots into this picture.

The policy goes on to state that Audacity will collect “data necessary for law enforcement, litigation and authorities’ requests”, but does not expand on what type of information this clause might cover, leading to speculation it could be used to justify an unacceptable breach of user privacy.

Audacity outcry

Ever since the Audacity acquisition, relations between Muse Group and the open source community have been strained.

The company ruffled feathers with a new Contributor License Agreement (CLA) for Audacity, which contributors were required to sign if they wanted to continue to work on the project. This new agreement also stipulated that Muse Group must be given unrestricted rights to all contributions.

A significant portion of the community felt the new CLA compromised the values of the open source ecosystem, built around the concepts of transparency and collaboration, by allowing Muse Group to use code submitted by contributors in other non-open source projects.

For others, the privacy policy update was the final straw. Contributors have taken to both GitHub and Reddit to call for a fork of the software, which would see developers break away to develop a new audio editor, using Audacity code as the backbone.

TechRadar Pro asked Muse Group for specific details about the data collection activities covered by the privacy policy and for a perspective on the community outcry, but the company has not yet responded.

Source

'Fork.' What did you think we meant?

A few more litres of accelerant were poured onto Audacity critics' fire late last week as an update to the sound editor's privacy agreement seeped out to the consternation of users.

Eyebrows began rising on 2 July, and continued skywards with an update on 3 July as the implications of the refeshed privacy policy became clear.

Gems such as the collection of "Data necessary for law enforcement, litigation and authorities' requests (if any)" on the grounds of "Legitimate interest of WSM Group to defend its legal rights and interests" set teeth a-gnashing within the application's community of users.

A ban on the use of the app by the under-13s (more to do with consent to data collection than audio pr0n, we'd wager) is also in the terms as well as "All your personal data is stored on our servers in the European Economic Area (EEA). However, we are occasionally required to share your personal data with our main office in Russia and our external counsel in the USA."

The Russia-based WSM Group, owner of Audacity did, however, insist: "We have put in place appropriate safeguards (which includes the European Commission’s Standard Contractual Clauses) to ensure that whenever your Personal Data is transferred outside the EEA to countries that are not deemed adequate by the European Commission, your Personal Data receives an adequate level of protection in accordance with the GDPR."

Oh, and that data might also be shared with a potential buyer (or its advisors) as part an acquisition.

The Audacity: Audio tool finds new and exciting ways to annoy contributors with a Contributor License Agreement
Audacity's new management hits rewind on telemetry plans following community outrage

Audacity 'scared and excited' to be bought and brought under Muse Group's roof, promises to stay free and open source
'A massive middle finger': Open-source audio fans up in arms after Audacity opts to add telemetry capture
The Audacity app itself does not yet require the creation of an account, nor the input of personal or contact information and such terms will not come as a surprise to users of other apps in the group (such as MuseScore, which insists on parental consent for "data processing" for the under 13s.)

Audacity fans, already jumpy about the whole telemetry fiasco and Contributor License Agreement (CLA) have reacted in predictable fashion to the change. The words "GPL violations" and "unacceptable" have been bandied around, as well as the inevitable f-bomb: "fork".

Indeed, this latest change to the world of Audacity may be an indicator of the direction of travel. While the company did not respond to The Register's request for comment, it would seem that users unhappy with the alterations being made by the app's new owners have little alternative but to consider alternatives. ®

Bootnote

The Register this morning ran a profile feature looking at the music software before we, or the writer of that feature, became aware of the changes made. As we pointed out this morning, "if Muse Group's stewardship takes a wrong turn, there's always the fork button."

Source

Threat actors behind the infamous TrickBot malware have been linked to a new ransomware strain named "Diavol," according to the latest research.

Diavol and Conti ransomware payloads were deployed on different systems in a case of an unsuccessful attack targeting one of its customers earlier this month, researchers from Fortinet's FortiGuard Labs said last week.

TrickBot, a banking Trojan first detected in 2016, has been traditionally a Windows-based crimeware solution, employing different modules to perform a wide range of malicious activities on target networks, including credential theft and conduct ransomware attacks.

Despite efforts by law enforcement to neutralize the bot network, the ever-evolving malware has proven to be a resilient threat, what with the Russia-based operators — dubbed "Wizard Spider" — quickly adapting new tools to carry out further attacks.

Diavol is said to have been deployed in the wild in one incident to date. The source of intrusion remains unknown as yet. What's clear, though, is that the payload's source code shares similarities with that of Conti, even as its ransom note has been found to reuse some language from Egregor ransomware.

"As part of a rather unique encryption procedure, Diavol operates using user-mode Asynchronous Procedure Calls (APCs) without a symmetric encryption algorithm," the researchers said. "Usually, ransomware authors aim to complete the encryption operation in the shortest amount of time. Asymmetric encryption algorithms are not the obvious choice as they [are] significantly slower than symmetric algorithms."

Another aspect of the ransomware that stands out is its reliance on an anti-analysis technique to obfuscate its code in the form of bitmap images, from where the routines are loaded into a buffer with execute permissions.

Prior to locking files and changing the desktop wallpaper with a ransom message, some of the major functions carried out by Diavol include registering the victim device with a remote server, terminating running processes, finding local drives and files in the system to encrypt, and preventing recovery by deleting shadow copies.

Wizard Spider's nascent ransomware effort also coincides with "new developments to the TrickBot webinject module," as detailed by Kryptos Logic Threat Intelligence team, indicating that the financially motivated cybercrime group is still actively retooling its malware arsenal.

"TrickBot has brought back their bank fraud module, which has been updated to support Zeus-style webinjects," cybersecurity researcher Marcus Hutchins tweeted. "This could suggest they are resuming their bank fraud operation, and plan to expand access to those unfamiliar with their internal webinject format."

Source

Microsoft provides further mitigations for PrintNightmare exploit, awards it "high" severity  

Microsoft provides further mitigations for PrintNightmare exploit, awards it "high" severity

Tip: check out our Audacity alternatives here.

Audacity Controversy continues with newly published Privacy Notice

Another holiday weekend in the U.S., another ransomware attack that has paralyzed businesses around the world.

This time it's affecting an untold number of small and big companies that use IT software from a company called Kaseya.

High-profile ransomware attacks in May hit the world's largest meat-packing company and the biggest U.S. fuel pipeline, underscoring how gangs of extortionist hackers can disrupt the economy and put lives and livelihoods at risk.

WHAT IS RANSOMWARE? HOW DOES IT WORK?

Ransomware scrambles the target organization's data with encryption. The criminals leave instructions on infected computers for negotiating ransom payments. Once paid, they provide decryption keys for unlocking those files.

Ransomware crooks have also expanded into data-theft blackmail. Before triggering encryption, they sometimes quietly copy sensitive files and threaten to post them publicly unless they get their ransom payments.

WHAT'S A SUPPLY-CHAIN ATTACK?

The latest attack affecting Kaseya customers combines a ransomware operation with what's known as a supply-chain attack, which typically involves sneaking malicious code into a software update automatically pushed out to thousands of organizations.

Kaseya says the ransomware affected its product for remotely monitoring networks; but because many of its clients are providers of broader IT management services, a large number of organizations is likely to be affected.

"What makes this attack stand out is the trickle-down effect, from the managed service provider to the small business," said John Hammond of the security firm Huntress Labs. "Kaseya handles large enterprise all the way to small businesses globally, so ultimately, it has the potential to spread to any size or scale business."

Until now, the best-known recent supply-chain attack was attributed to elite Russian hackers and targeted software provider SolarWinds. But the motive was different; it was a massive intelligence operation targeting government agencies and others, not an attempt to extort money.

HOW DO RANSOMWARE GANGS OPERATE?

The criminal syndicates that dominate the ransomware business are mostly Russian-speaking and operate with near impunity out of Russia and allied countries. Though barely a blip three years ago, the syndicates have grown in sophistication and skill. They leverage dark web forums to organize and recruit while hiding their identities and movements with sophisticated tools and cryptocurrencies like Bitcoin that make payments—and their laundering—harder to track.

Most experts have tied the Kaseya attack to a group known as REvil, the same ransomware provider that the FBI linked to an attack on JBS SA, a major global meat processor, amid the Memorial Day holiday weekend.

Active since April 2019, the group provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion's share of ransoms.

WHO IS AFFECTED?

The scale of the attack affecting Kaseya is not yet clear, but it's already been blamed for closing stores across a grocery chain in Sweden because their cash registers weren't working.

Last year alone in the U.S., ransomware gangs hit more than 100 federal, state and municipal agencies, upwards of 500 health care centers, 1,680 educational institutions and untold thousands of businesses, according to the cybersecurity firm Emsisoft. Dollar losses are in the tens of billions. Accurate numbers are elusive. Many victims shun reporting, fearing the reputational blight.

Source

Businesses around the world rushed Saturday to contain a ransomware attack that has paralyzed their computer networks, a situation complicated in the U.S. by offices lightly staffed at the start of the Fourth of July holiday weekend.

It's not yet known how many organizations have been hit by demands that they pay a ransom in order to get their systems working again. But some cybersecurity researchers predict the attack targeting customers of software supplier Kaseya could be one of the broadest ransomware attacks on record.

It follows a scourge of headline-grabbing attacks over recent months that have been a source of diplomatic tension between U.S. President Joe Biden and Russian President Vladimir Putin over whether Russia has become a safe haven for cybercriminal gangs.

Biden said Saturday he didn't yet know for certain who was responsible but suggested that the U.S. would respond if Russia was found to have anything to do with it.

"If it is either with the knowledge of and or a consequence of Russia then I told Putin we will respond," Biden said. "We're not certain. The initial thinking was it was not the Russian government."

Cybersecurity experts say the REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack that targeted the software company Kaseya, using its network-management package as a conduit to spread the ransomware through cloud-service providers.

"The number of victims here is already over a thousand and will likely reach into the tens of thousands," said cybersecurity expert Dmitri Alperovitch of the Silverado Policy Accelerator think tank. "No other ransomware campaign comes even close in terms of impact."

The cybersecurity firm ESET says there are victims in least 17 countries, including the United Kingdom, South Africa, Canada, Argentina, Mexico, Kenya and Germany.

In Sweden, most of the grocery chain Coop's 800 stores were unable to open because their cash registers weren't working, according to SVT, the country's public broadcaster. The Swedish State Railways and a major local pharmacy chain were also affected.

Kaseya CEO Fred Voccola said in a statement that the company believes it has identified the source of the vulnerability and will "release that patch as quickly as possible to get our customers back up and running."

Voccola said fewer than 40 of Kaseya's customers were known to be affected, but experts said the ransomware could still be affecting hundreds more companies that rely on Kaseya's clients that provide broader IT services.

John Hammond of the security firm Huntress Labs said he was aware of a number of managed-services providers—companies that host IT infrastructure for multiple customers—being hit by the ransomware, which encrypts networks until the victims pay off attackers.

"It's reasonable to think this could potentially be impacting thousands of small businesses," said Hammond, basing his estimate on the service providers reaching out to his company for assistance and comments on Reddit showing how others are responding.

At least some victims appeared to be getting ransoms set at $45,000, considered a small demand but one that could quickly add up when sought from thousands of victims, said Brett Callow, a ransomware expert at the cybersecurity firm Emsisoft.

Callow said it's not uncommon for sophisticated ransomware gangs to perform an audit after stealing a victim's financial records to see what they can really pay, but that won't be possible when there are so many victims to negotiate with.

"They just pitched the demand amount at a level most companies will be willing to pay," he said.

Voccola said the problem is only affecting its "on-premise" customers, which means organizations running their own data centers. It's not affecting its cloud-based services running software for customers, though Kaseya also shut down those servers as a precaution, he said.

The company added in a statement Saturday that "customers who experienced ransomware and receive a communication from the attackers should not click on any links—they may be weaponized."

Gartner analyst Katell Thielemann said it's clear that Kaseya quickly sprang to action, but it's less clear whether their affected clients had the same level of preparedness.

"They reacted with an abundance of caution," she said. "But the reality of this event is it was architected for maximum impact, combining a supply chain attack with a ransomware attack."

Supply chain attacks are those that typically infiltrate widely used software and spread malware as it updates automatically.

Complicating the response is that it happened at the start of a major holiday weekend in the U.S., when most corporate IT teams aren't fully staffed.

That could also leave those organizations unable to address other security vulnerabilities, such a dangerous Microsoft bug affecting software for print jobs, said James Shank, of threat intelligence firm Team Cymru.

"Customers of Kaseya are in the worst possible situation," he said. "They're racing against time to get the updates out on other critical bugs."

Shank said "it's reasonable to think that the timing was planned" by hackers for the holiday.

The U.S. Chamber of Commerce said it was affecting hundreds of businesses and was "another reminder that the U.S. government must take the fight to these foreign cybercriminal syndicates" by investigating, disrupting and prosecuting them.

The federal Cybersecurity and Infrastructure Security Agency said in a statement that it is closely monitoring the situation and working with the FBI to collect more information about its impact.

CISA urged anyone who might be affected to "follow Kaseya's guidance to shut down VSA servers immediately." Kaseya runs what's called a virtual system administrator, or VSA, that's used to remotely manage and monitor a customer's network.

The privately held Kaseya is based in Dublin, Ireland, with a U.S. headquarters in Miami.

REvil, the group most experts have tied to the attack, was the same ransomware provider that the FBI linked to an attack on JBS SA, a major global meat processor forced to pay a $11 million ransom, amid the Memorial Day holiday weekend in May.

Active since April 2019, the group provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion's share of ransoms.

U.S. officials have said the most potent ransomware gangs are based in Russia and allied states and operate with Kremlin tolerance and sometimes collude with Russian security services.

Alperovitch said he believes the latest attack is financially motivated and not Kremlin-directed.

However, he said it shows that Putin "has not yet moved" on shutting down cybercriminals within Russia after Biden pressed him to do so at their June summit in Switzerland.

Asked about the attack during a trip to Michigan on Saturday, Biden said he had asked the intelligence community for a "deep dive" on what happened. He said he expected to know more by Sunday.

Source