So much for darkened servers at the headquarters of DarkSide or REvil ransomware groups. Turns out, we’ve got either their rebranded versions or two new ransomware gangs to contend with. The first new group to appear this month was Haron, and the second is named BlackMatter. As Ars Technica‘s Dan Goodin points out, there may be more still out there. They’re both claiming to be focused on targets with deep pockets that can pay ransoms in the millions of dollars. They’re also virtue-signaling a la DarkSide, with similar language about sparing hospitals, critical infrastructure, nonprofits, etc. BlackMatter also promised free decryption if its affiliates screw up and kill kittens or freeze files at, say, pipeline companies, as happened when Colonial Pipeline was attacked by DarkSide in May. Haron & Its Cut-and-Paste Ransom Note The first sample of the Haron malware was submitted to VirusTotal on July 19. Three days later, the South Korean security firm S2W Lab reported on the group in a post that laid out similarities between Haron and Avaddon. Avaddon is yet another prolific ransomware-as-a-service (RaaS) provider that evaporated in June rather than face the legal heat that followed Colonial Pipeline and other big ransomware attacks. At the time, Avaddon released its decryption keys to BleepingComputer – 2,934 in total – with each key belonging to an individual victim. According to law enforcement, the average extortion fee Avaddon demanded was about $40,000, meaning the…

Researchers will release a reboot of a controversial tool that crawls the web to identify back-end vulnerabilities in websites in the hopes that companies will quickly fix them and reduce security risks. However, experts have mixed feelings about the tool called PunkSpider, created by the analytics firm QOMPLX. They fear the tool could be hijacked by hackers to exploit vulnerabilities before companies have time to patch them. Alejandro Caceres, director of computer network exploitation at QOMPLX, and hacker Jason Hopper will introduce a revamped version of PunkSpider at the upcoming DEF CON gathering next week. QOMPLX cited the rise of ransomware as one of the reasons for a reboot of PunkSpider, which provides “a simple and massively scalable monitoring tool that quickly identifies gaps in collective defenses by highlighting which websites can easily fall prey to attackers,” according to a press release. The tool can provide internet users and the cyber community a “shared perspective” on the specific dangers of the web, the company said. “We want everyone to be able to answer a simple question: how dangerous is the internet I use?” said Jason Crabtree, CEO of QOMPLX, in a press statement. “Our extensive research revealed a large but unfortunately not surprising number of basic vulnerabilities across the web. The common exploits that PunkSpider detects serve as a key proxy for risk overall, and frankly if website owners are not fixing the fundamentals it’s unlikely…

This week, Microsoft rushed out a fix for a Windows NT LAN Manager exploit dubbed “PetitPotam” that forces remote Windows systems to reveal password hashes that can be easily cracked. The frenzy begs the question: Why is securing Microsoft Active Directory (AD) such a nightmare? When security researcher Gilles Lionel first identified the bug last week, he also published proof-of-concept (PoC) exploit code to demonstrate the attack. The PoC demonstrated how a PetitPotam attack can be chained to an exploit targeting Windows Active Directory Certificate Services (AD CS), which provides public key infrastructure (PKI) functionality. Attack paths in AD are a huge issue for enterprises. It’s not just PetitPotam; AD was also part of the problem during the SolarWinds attacks. SpecterOps researchers Lee Christensen and Will Schroeder, who recently published a report on abusing AD CS titled Certified Pre-Owned (PDF) that they’ll also be doing a session on at Black Hat next week, are trying to get the security community to think about the AD problem in terms of “misconfiguration debt”: as in, incremental misconfigurations that build up over time, such that attackers are virtually guaranteed to find an attack path to their objective on any network. It’s a serious situation. AD is used by over 90 percent of the Fortune 1000 for identity and access management. Organizations need solutions that can simplify protection: solutions that can cut through the haze to gain better visibility…

To date, the No More Ransom repository of ransomware decryptors has helped more than 6 million victims recover their files, keeping nearly a billion euros out of the hands of cybercriminals, according to a Monday release. Launched five years ago, No More Ransom is maintained via cooperation between the European Cybercrime Centre and several cybersecurity and other types of companies, including Kaspersky, McAfee, Barracuda and AWS. Its purpose is to keep victims from handing over the cash that helps fuel more ransomware attacks, according to Europol. “The general advice is not to pay the ransom,” No More Ransom advises. “By sending your money to cybercriminals you’ll only confirm that ransomware works, and there’s no guarantee you’ll get the decryption key you need in return.” Instead, the group directs victims to their Crypto Sheriff tool. There, victims can enter either the URL, onion or Bitcoin address given by the attacker to pay the ransom. The tool searches the No More Ransom database, where the offerings have grown from an initial four decryptors back in 2016 to the current roster of 121 tools to decrypt 152 ransomware families. It’s also free and available in 37 languages, according to the group. If no decryptor is available for a given ransomware infection, keep checking back: No More Ransom regularly adds new unlock tools. Don’t Pay the Ransom: Here’s Why Ransomware victims are increasingly reluctant to pay ransom demands. A Threatpost poll from June found 80…

Zimbra webmail server has two flaws that could let an attacker paw through the inbox and outbox of all the employees in all the enterprises that use the immensely popular collaboration tool, researchers say. In a Tuesday writeup, SonarSource called it a “drastic” situation, given Zimbra’s popularity and the highly sensitive nature of the scads of messages that it handles. According to Zimbra’s site, its email and collaboration tools are used by over 200,000 businesses, over a thousand government and financial institutions, and hundreds of millions of users to exchange emails every day. “When attackers get access to an employee’s email account, it often has drastic security implications,” according to the report. “Besides the confidential information and documents that are exchanged, an email account is often linked to other sensitive accounts that allow a password reset. Think about it, what could an attacker do with your inbox?” Well, they’d freely romp through accounts, for one. SonarSource researchers discovered two vulnerabilities in the open-source Zimbra code that can be chained together to give attackers unrestricted access to Zimbra mail servers and to all sent and received emails of all employees. Malicious Email Could Carry Crafted JavaScript Payload Discovered by Simon Scannell, a vulnerability researcher at SonarSource, the first flaw could be triggered just by opening a malicious email containing a JavaScript payload. If a victim were to open such a rigged…

There are three new, unpatched zero-day vulnerabilities in Kaseya Unitrends that include remote code execution (RCE) and authenticated privilege escalation on the client-side. The Dutch Institute for Vulnerability Disclosure (DIVD) on Monday issued a public advisory warning that the service and clients should be kept off the internet until there’s a patch. Kaseya Unitrends is a cloud-based enterprise backup and disaster recovery technology that’s delivered as either disaster recovery-as-a-service (DRaaS) or as an add-on for the Kaseya Virtual System/Server Administrator (VSA) remote management platform. The flaws are in versions earlier than 10.5.2. Do not expose this service or the clients (running default on ports 80, 443, 1743, 1745) directly to the internet until Kaseya has patched these vulnerabilities. —DIVD advisory DIVD experts disclosed the three flaws last week. DIVD Chairman Victor Gevers told BleepingComputer that it’s only found a small number of vulnerable servers, but those vulnerable instances are located “in sensitive industries.” Gevers explained the advisory was originally shared with 68 government CERTs as an amber alert under a coordinated disclosure. One of the recipients went on to share it with an organization’s Financial Services service desk. From there, an employee published DIVD’s amber alert on an online analyzing platform, where it became public. “An employee uploaded the TLP: AMBER labeled directly to an online analyzing platform and shared…

Apple patched a zero-day flaw on Monday, found in both its iOS and macOS platforms, that’s being actively exploited in the wild and can allow attackers to take over an affected system. The memory-corruption flaw, tracked as CVE-2021-30807, is found in the IOMobileFrameBuffer extension which exists in both iOS and macOS, but has been fixed according to specific device platform. Apple released three updates, iOS 14.7.1, iPadOS 14.7.1 and macOS Big Sur 11.5.1, to patch the vulnerability on each of the platforms Monday. Exploiting CVE-2021-30807 can allow for threat actors “to execute arbitrary code with kernel privileges,” Apple said in documentation describing the updates. “Apple is aware of a report that this issue may have been actively exploited,” the company said. Apple addressed the issue in each of the updates with “improved memory handling,” the company said. iOS devices that should be updated immediately are: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). Though Apple attributed the discovery of the bug to an “anonymous researcher,” a security researcher at the Microsoft Security Response Center (MSRC) came forward separately on Monday and tweeted that he had discovered the vulnerability some time ago but hadn’t yet found the time to report it to Apple. “So, as it turns out, an LPE vulnerability I found 4 months ago in IOMFB is now patched in iOS 14.7.1 as…

Full transparency: Curtis Simpson, CISO at Armis, the enterprise IoT security company, was fundamentally a black hat at the age of 12, before he even knew what a black hat was. One day he got flooded over IRC and was fascinated: What just happened? And how did it happen? He’s since spent the vast majority of his career as a white hat. It was an easy transition, he told us in a recent Threatpost podcast: You take the attacker mindset, where “you think about the tactics and techniques that you would typically apply, and then reverse-engineer those when you think about a program.” That mindset comes in handy in the space of OT and ICS: in other words, the world of operational technology (OT) – the computing systems used to manage industrial operations – and industrial control systems (ICS). In this space, where OT and ICS are powering some of the most critical infrastructure in the world – be it supply chain facilities or warehouse operations – a proliferation of legacy systems means that outdated infrastructure is rife. “Most of the tech, the OT and ICS tech that exists in an enterprise or in critical industry, is decades old,” Simpson explains. “The interesting thing we’re seeing now, and why we’re seeing so many vulnerabilities being disclosed, is because those vulnerabilities have always been there.” The reality is that researchers and attackers weren’t really looking for those vulnerabilities at the level they are today, Simpson explains. “What we’re seeing is an…

The Babuk ransomware gang’s new rebrand isn’t going so well. It seems the cybercriminal group has been a victim of a ransomware attack of its own. Babuk’s latest endeavor, a Dark Web ransomware forum called RAMP, was crippled by a spammer over the weekend who overloaded the site with same-sex pornographic GIFs, according to Recorded Future. The attacker told Babuk they wanted $5,000. Babuk told them to pound sand, refused to pay and deleted the original post. But even after wiping the forum several times, Recorded Future said the attacker was still able to bombard the forum with pornographic GIFs. Malware source code detector vx-underground also picked up on the feud, calling it “Ransomware group drama.” “RAMP, the forum started by Babuk ransomware group, has seen a surge of flooding and spamming. An unknown individual is stating they have 24 hours to pay $5,000 or else,” vx underground posted. “Ransomware actors are ransoming other ransomware actors.” Ransomware group drama. RAMP, the forum started by Babuk ransomware group, has seen a surge of flooding and spamming. An unknown individual is stating they have 24 hours to pay $5,000 or else. Ransomware actors are ransoming other ransomware actors. pic.twitter.com/Iu1vfQtBLL — vx-underground (@vxunderground) July 23, 2021 Babuk’s Reboot Stalls Babuk has had a rough few months. After hitting the Washington D.C. police department in April with a ransomware attack, the group vowed to retire in a short goodbye note. If they…

Microsoft was quick to respond with a fix to an attack dubbed “PetitPotam” that could force remote Windows systems to reveal password hashes that could then be easily cracked. To thwart an attack, Microsoft recommends system administrators stop using the now deprecated Windows NT LAN Manager (NTLM). Security researcher Gilles Lionel first identified the bug on Thursday and also published proof-of-concept (PoC) exploit code to demonstrate the attack. The following day, Microsoft issued an advisory that included workaround mitigations to protect systems. The PetitPotam bug is tied to the Windows operating system and the abuse of a remote access protocol called Encrypting File System Remote Protocol (MS-EFSRPC). The protocol is designed to allow Windows systems to access remote encrypted data stores, allowing for management of the data while enforcing access control policies. The PetitPotam PoC is a form of manipulator-in-the-middle (MitM) attack against Microsoft’s NTLM authentication system. Next, an attacker uses the file-sharing protocol Server Message Block (SMB) to request access to a remote system’s MS-EFSRPC interface. According to Lionel, this forces the targeted computer to initiate an authentication procedure and share its authentication details via NTLM. NTLM: Persona Non Grata Protocol Because the NTLM protocol is an insufficient authentication protocol that’s nonetheless used to relay authentication details, hashed passwords can be scooped up by an attacker and…