Search This Blog

Latest News

Numando: a Banking Trojan Targeting Brazil Abuses YouTube for Spreading

  ESET researchers have continued their investigation on the Latin American banking trojans with Numando, primarily targeting Brazil and sel...

All the recent news you need to know

Links Detected Between MSHTML Zero-Day Attacks and Ransomware Operations

 

The exploitation of a recently fixed Windows zero-day vulnerability was attributed to known ransomware operators, according to Microsoft and threat intelligence firm RiskIQ.

The existence of the zero-day, called CVE-2021-40444, was revealed on September 7, when Microsoft released countermeasures and cautioned that the vulnerability had been exploited in targeted attacks using specially designed Office documents. 

The vulnerability connected to Office's MSHTML browser engine can and has been misused for remote code execution. As part of its Patch Tuesday updates, Microsoft delivered upgrades on September 14th. 

Microsoft announced the acquisition of RiskIQ in July and posted separate blog posts detailing the attacks exploiting CVE-2021-40444. 

The first exploitation efforts were discovered in mid-August. But Microsoft observed a massive spike in exploitation attempts when the proof-of-concept (PoC) code and other details were made public after the initial announcement. 

As per the company, several threat actors, including ransomware-as-a-service affiliates, have used the public PoC code, but some of the exploitation attempts are part of testing rather than criminal operations. 

The company initially saw less than ten exploitation attempts and leveraged CVE-2021-40444 to deliver custom Cobalt Strike Beacon loaders. Microsoft has identified the attackers as DEV-0413 — DEV is allotted to emerging threat groups or unusual activity. To deliver the malware, they apparently used emails referencing contracts and legal agreements to get the targets to open documents formatted to abuse the MSHTML vulnerability.

Surprisingly, the Cobalt Strike infrastructure utilised in the assaults has earlier been linked to cybercrime organisations known for targeting big corporations with ransomware like Conti and Ryuk. These threat actors are tracked as Wizard Spider (CrowdStrike), UNC1878 (FireEye), DEV-0193, and DEV-0365 (Microsoft).

RiskIQ stated in its blog post, “Despite the historical connections, we cannot say with confidence that the threat actor behind the zero-day campaign is part of WIZARD SPIDER or its affiliates, or is even a criminal actor at all, though it is possible. If the threat actors were part of these groups, it means they almost surely purchased the zero-day exploit from a third party because they have not previously shown the ability to develop exploit chains of this complexity.” 

The company added, “Instead, we assess with medium confidence that the goal of the operators behind the zero-day may, in fact, be traditional espionage. This goal could easily be obscured by a ransomware deployment and blend into the current wave of targeted ransomware attacks.” 

RiskIQ states that the cyberspies could have gained access to the ransomware infrastructure, or they may have been allowed by the ransomware operators to utilise their infrastructure. Only one group might be involved in espionage and cybercrime, or the two groups use the same bulletproof hosting provider. 

According to Microsoft, the initial malicious document in attacks abusing CVE-2021-40444 emerges from the internet, and it should be labelled as the "mark of the web." 

Microsoft Office should open the document in Protected Mode unless the user specifically allows modification, limiting the misuse. However, if the attackers figure out a means to keep the document from being a “mark of the web,” they may utilise the vulnerability to execute the payload on the page without requiring user input.

Lubbock County Denies Data Leak, Says Data Temporarily Attainable Under New Software System

 

Earlier this month, the personal court records for residents of Lubbock County, located in the US state of Texas, were exposed when the county transitioned to a new computer software system. The exposed data contained non-disclosure orders, criminal cases, and civil and family law records. 

According to the county’s official website, Lubbock County Defense Lawyers Association and county officials are not on the same page concerning how to define the incident.

In a news release from the County, Judge Curtis Parrish said: “On Tuesday, September 14, 2021, Lubbock County Information and Technology Department became aware that certain court records that were previously unavailable for review by the public had become viewable under Lubbock County’s new software system. Some of these records include non-disclosure orders, criminal cases, civil and family law records. This access portal has now been blocked temporarily until we can identify which court records maybe [sic] accessed by the parties, attorneys, and the general public.

This was not a data breach [sic], or an issue where the computer system was compromised. Lubbock County will continue to review policies concerning all court records, in our effort to make these documents accessible to the attorneys and the public.” 

However, an earlier release by the Lubbock County Defense Lawyers Association characterized the incident as a data breach. The association said it became aware of the situation on September 10. 

“This data includes information on individuals who have had criminal cases expunged or non-disclosure orders signed in their criminal case. This breach affected cases at all levels and in all courts in Lubbock County. Some individuals’ data have been removed from the public access system, while other individuals’ data are still available,” said Lubbock County Defense Lawyers Association in their news release. 

The attacks on local governments is a growing concern for law enforcement agencies and government officials. Due to their shoestring budget, local governments rarely have dedicated security experts and that leaves a huge hole in their security. In March 2021, a report from consumer tech information site Comparitech revealed that American government organizations suffered a loss of $18.88 billion due to cyber-attacks. 

Over the past three years, 246 ransomware attacks struck U.S. government organizations. These attacks potentially affected over 173 million people and nearly cost $52.88 billion. The motive of most of these attacks was to halt processes, interrupt services and cause disruption, not to steal data, according to the report.

Secrets from Public Repositories Were Exposed Due to Travis CI Flaw

 

Travis CI, a continuous integration provider located in Berlin, has patched a severe issue that exposed signing keys, API keys, and access credentials, possibly putting thousands of companies at risk. Given the possible consequences, the firm has been criticized for not providing a more detailed description of the security vulnerability. Péter Szilágyi, the Ethereum cryptocurrency project's team head, tweeted, "Anyone could exfiltrate these [secrets] and gain lateral movement into 1000s of orgs."

The flaw, which has been tracked as CVE-2021-41077, has been fixed by Travis CI. It has been recommended that companies update their secrets as soon as possible. On Sept. 7, Szilágyi tweeted, the vulnerability was identified by Felix Lange and reported to Travis CI. Travis CI claims to have started fixing the vulnerability on September 3, indicating that it detected the problem before being contacted, although the timing is unclear. 

"The desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens," the vulnerability description reads. "However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process." 

To put it another way, a public repository cloned from another might submit a pull request to get access to private environmental variables stored in the upstream repository. Encrypted environment variables are not exposed to pull requests from forks owing to the security risk of exposing such information to unknown code, Travis CI said in its documentation. 

According to Geoffrey Huntley, an Australian software and DevOps engineer, Travis CI's vulnerability poses a supply chain risk for software developers and any organization using software from Travis CI projects. "For a CI provider, leaking secrets is up there with leaking the source code as one of the worst things you never want to do," Huntley says. 

Szilágyi further chastised Travis CI for downplaying the event and failing to acknowledge its "gravity," and urged GitHub to ban the company for its weak security posture and vulnerability report methods. 

"After three days of pressure from multiple projects, [Travis CI] silently patched the issue on the 10th," Szilágyi tweeted. "No analysis, no security report, no post mortem, not warning any of their users that their secrets might have been stolen."

City of Yonkers Refuses to Pay Ransom After Attackers Demand $10 million

 

The City of Yonkers has refused to pay the ransom after ransomware attackers demanded a ransom of $10 million to revive the disparate modules that overlay the different departments of the city.

Earlier this month, government employees at the City of Yonkers were restricted from accessing their laptops or computers after the city suffered a computer incursion by ransomware attackers. In the meantime, employees were told to restore as much data as possible manually from backups and this often means keeping pen and paper records that are transferred into databases.

The ransomware outbreak 

Ransomware attacks against the local governments are rising with each passing day. Last year, at least 2,354 governments, healthcare facilities, and schools were targeted by ransomware attackers. The local governments are the lucrative targets because they are less equipped in terms of resources and capabilities. 

A 2020 survey of state chief information security officers discovered that 70 percent listed ransomware as a top concern because of funding hurdles and lack of confidence in localities’ abilities to guard state information assets. And after a ransomware event occurs, only 45 percent of local enforcement agencies felt that they “had access to the resources” to analyze digital evidence linked to the crime. This then allows attackers to operate with more confidence, as the third way found that only 3 out of every 1,000 cybercrimes reported to the FBI result in an arrest. 

In 2019, the City of Baltimore was crippled for more than two weeks before the government’s systems were restored, in a delay that cost the city more than $18 million. Although Baltimore followed the instructions given by cyber security experts and the FBI to not pay the ransom, many people questioned the city’s strategy, given the extent of the damage.

“If we paid the ransom, there is no guarantee [the attackers] can or will unlock our system. There’s no way of tracking the payment or even being able to confirm who we are paying the money to. Because of the way they requested payment, there’s no way of knowing if they are leaving other malware on our system to hold us for ransom again in the future,” Mayor Bernard C. Jack Young said while responding to the critics.

“Ultimately, we would still have to take all the steps we have taken to ensure a safe and secure environment. I’m confident we have taken the best course of action,” he added. 

No more ransom payments

When three more local governments were attacked within a space of few months, it sparked a meeting of the United States Conference of Mayors. The meeting of US mayors resulted in a unanimous decision to stop paying ransom demands.

“Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit. The United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm,” the mayors wrote.

In the case of the City of Yonkers, the city confirmed that the virus was quarantined on the network, no ransom was paid and the Department of Homeland Security was notified.