Cyber security news July 2021

This posting is here to collect cyber security news in July 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

243 Comments

  1. Tomi Engdahl says:

    NSA, CISA, NCSC, FBI: Russian military cyber-unit Fancy Bear (APT28) behind large-scale brute-force attacks https://therecord.media/fbi-nsa-russian-military-cyber-unit-behind-large-scale-brute-force-attacks/
    US and UK cybersecurity agencies said today that a Russian military cyber unit has been behind a series of brute-force attacks that have targeted the cloud IT resources of government and private sector companies across the world. Direct link to the advisory:
    https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF

    Reply
  2. Tomi Engdahl says:

    This major ransomware attack was foiled at the last minute https://www.zdnet.com/article/this-ransomware-attack-was-foiled-at-the-last-minute-heres-how-they-spotted-it/
    A ransomware gang installed remote desktop software on over 100 machines across a network, and their plans to encrypt the network were only foiled at the last minute when cybersecurity experts were called into a company after suspicious software was found on its network.

    Reply
  3. Tomi Engdahl says:

    Mongolian certificate authority hacked eight times, compromised with malware https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/
    Researchers at Avast noticed that the official website of MonPass, a major certification authority (CA) in Mongolia in East Asia, was backdoored with Cobalt Strike binaries.

    Reply
  4. Tomi Engdahl says:

    Microsoft finds new NETGEAR firmware vulnerabilities that could lead to identity theft and full system compromise https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/
    Microsoft released a report about finding vulnerabilities in the NETGEAR Router (DGN-2200v1)

    Reply
  5. Tomi Engdahl says:

    Using CVE-2020-9971 to escape Microsoft Office’s app sandbox https://perception-point.io/using-cve-2020-9971-to-escape-microsoft-offices-app-sandbox/
    Researchers demonstrate how they were able to weaponize a Word document with a published macOS/iOS privilege escalation exploit, lift the app sandbox restrictions and gain higher privileges

    Reply
  6. slope game says:

    Avast researchers discovered a backdoored Cobalt Strike binary on the official website of MonPass, a major certification authority (CA) in Mongolia in East Asia.

    Reply
  7. Tomi Engdahl says:

    Serious vulnerability in a Windows background service – “disable it as soon as possible”
    https://www.talouselama.fi/uutiset/windowsin-taustapalvelussa-vakava-haavoittuvuus-kytke-pois-kaytosta-mahdollisimman-pian/01b58cf7-6db2-482f-ad12-e4dd3a3fd0d8

    A critical vulnerability has been found in the Windows Print Spooler, the background printing service, reports the National Cyber Security Centre Finland (Kyberturvallisuuskeskus). The vulnerability makes it possible, for example, to take over a domain, and instructions for exploiting it are spreading online. The Centre therefore considers it certain that the instructions have already reached attackers.

    The vulnerability broadly affects Windows versions from 7 to 10 and Windows Server from 2008 to 2019. At present no workarounds are known and no update that fixes the vulnerability has yet been released. According to the Centre’s bulletin, it is therefore important to stop the Print Spooler and disable it.

    The vulnerability is said to concern organisations and their IT administrators. Private individuals should install the fix once it has been released.

    Reply
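An added example, written by the editor and not taken from the bulletin or the page: a PowerShell script that audits the PrintNightmare (CVE-2021-34527) workarounds on a Windows host and, with -Apply, stops and disables the Print Spooler as the bulletin above advises. It assumes an elevated Windows PowerShell 5.1 or later session and a host that is not a print server (disabling the spooler there breaks printing for every client). The registry locations are Microsoft's Point and Print and "Allow Print Spooler to accept client connections" policy values for this CVE; the RemotelyExposed verdict is the editor's own summary of those checks.

```powershell
# Added example by the editor; not from the page, Kyberturvallisuuskeskus or Microsoft.
# Audits the PrintNightmare (CVE-2021-34527) workarounds on the local host and,
# with -Apply, disables the Print Spooler as the bulletin recommends.
# Assumptions: elevated Windows PowerShell 5.1 or later; the host is not a print
# server. Registry paths are Microsoft's Point and Print and "Allow Print Spooler
# to accept client connections" policy values.
[CmdletBinding()]
param(
    [switch]$Apply   # report only unless -Apply is given
)

$spooler = Get-Service -Name Spooler -ErrorAction Stop
$report  = [ordered]@{
    SpoolerStatus    = $spooler.Status.ToString()
    SpoolerStartType = $spooler.StartType.ToString()
}

# Point and Print: either value set to 1 lets a standard user install an
# unsigned driver without an elevation prompt, so both must be 0 or absent.
$ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $value = (Get-ItemProperty -Path $ppKey -Name $name -ErrorAction SilentlyContinue).$name
    $report[$name] = if ($null -eq $value) { 'absent (safe default)' } else { $value }
}

# Inbound remote printing: 2 = spooler refuses client RPC connections, which
# removes the remote code-execution path while local printing keeps working.
$printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$rpc = (Get-ItemProperty -Path $printersKey -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
$report['RegisterSpoolerRemoteRpcEndPoint'] = if ($null -eq $rpc) { 'absent (remote connections allowed)' } else { $rpc }

# Editor's summary verdict: a running spooler that still accepts remote RPC
# is reachable by the remote variant of the exploit.
$report['RemotelyExposed'] = ($spooler.Status -eq 'Running') -and ($rpc -ne 2)
[pscustomobject]$report | Format-List

if ($Apply) {
    # Workaround 1 in Microsoft's advisory: stop the service and disable it so
    # a reboot cannot bring it back.
    if ($spooler.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
    Set-Service -Name Spooler -StartupType Disabled

    # Keep Point and Print restricted in case the service is re-enabled later.
    New-Item -Path $ppKey -Force | Out-Null
    Set-ItemProperty -Path $ppKey -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
    Set-ItemProperty -Path $ppKey -Name UpdatePromptSettings -Value 0 -Type DWord
    Write-Host 'Print Spooler stopped and disabled; Point and Print restrictions set.'
}
```

Run it without arguments first to see the state of each workaround on a host; on print servers, where the spooler must stay up, the RegisterSpoolerRemoteRpcEndPoint line is the one to act on via Group Policy rather than -Apply.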
  8. Tomi Engdahl says:

    Researchers accidentally publish ‘PrintNightmare’ Stuxnet-style zero-day
    https://www.itnews.com.au/news/researchers-accidentally-publish-printnightmare-stuxnet-style-zero-day-566767

    Users advised to disable Print Spooler service on Windows.
    Researchers from a Hong Kong based security vendor accidentally published a proof-of-concept for a new and unpatched vulnerability affecting the Print Spooler service on all current versions of Windows, sparking concerns that ransomware criminals could add the bug to their arsenals.

    The exploit allows for both local privilege escalation and remote code execution and was published on Github by researchers from Sangfor ahead of their presentation at the Black Hat security conference.

    Reply
  9. Tomi Engdahl says:

    Major Linux RPM problem uncovered
    Red Hat has used RPM for software package distribution for decades, but we now know RPM contained a nasty hidden security bug since Day One. It’s now been unveiled and a repair patch has been submitted.
    https://www.zdnet.com/article/major-linux-rpm-problem-uncovered/

    Reply
  10. Tomi Engdahl says:

    Carrier suspected of injecting ads into two-factor SMS messages
    https://www.xda-developers.com/carrier-injecting-ads-two-factor-sms/

    An unidentified carrier in Australia is suspected of injecting advertisements into two-factor SMS messages, according to Chris Lacy, the developer of Action Launcher. The text shows a Google sign-in verification code in the Google Messages app, which funnily enough, even flagged the text as spam.

    Reply
  11. Tomi Engdahl says:

    Leaked print spooler exploit lets Windows users remotely execute code as system on your domain controller
    Kill this service immediately
    https://www.theregister.com/2021/06/30/windows_print_spool_vuln_rce/

    Reply
  12. Tomi Engdahl says:

    Microsoft warns of Windows ‘PrintNightmare’ vulnerability that’s being actively exploited
    The Windows Print Spooler strikes again
    https://www.theverge.com/2021/7/2/22560435/microsoft-printnightmare-windows-print-spooler-service-vulnerability-exploit-0-day

    Reply
  13. Tomi Engdahl says:

    While Microsoft hasn’t rated the vulnerability, it allows attackers to remotely execute code with system-level privileges, which is as critical and problematic as you can get in Windows.

    Researchers at Sangfor published the PoC, in what appears to have been a mistake, or a miscommunication between the researchers and Microsoft. The test code was quickly deleted, but not before it had already been forked on GitHub.

    https://www.theverge.com/2021/7/2/22560435/microsoft-printnightmare-windows-print-spooler-service-vulnerability-exploit-0-day

    https://mobile.twitter.com/edwardzpeng/status/1409810304091889669

    Reply
  14. Tomi Engdahl says:

    Russian Hackers Are Trying to Brute-Force Hundreds of Networks
    While SolarWinds rightly drew attention earlier this year, Moscow’s Fancy Bear group has been on a password-guessing spree this whole time.
    https://www.wired.com/story/fancy-bear-russia-brute-force-hacking/

    “There’s nothing we could ever do to get Moscow to stop spying.”

    JOHN HULTQUIST, MANDIANT

    Reply
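An added example by the editor, not from the advisory, The Record or Wired: a PowerShell function that flags the two patterns the advisory describes in authentication records, password spraying (one source, many accounts, few attempts each) and brute force (one source, one account, many attempts), and lists the accounts a flagged source later signed into. The sign-in records at the bottom are constructed for the demo; the column names (Time, User, SourceIp, Result) and the thresholds are the editor's assumptions, and a real run would feed exported Microsoft 365 sign-in logs with the same columns into Find-BruteForce.

```powershell
# Added example by the editor; not from the advisory or the linked articles.
# Flags password spraying and single-account brute force in sign-in records
# and reports which accounts a flagged source later logged into.
function Find-BruteForce {
    param(
        [Parameter(Mandatory)][object[]]$Events,   # objects with Time, User, SourceIp, Result
        [int]$SprayMinAccounts = 5,                # distinct accounts failed from one source
        [int]$BruteMinAttempts = 10                # failures against one account from one source
    )
    $alerts = @()
    foreach ($src in ($Events | Where-Object { $_.Result -eq 'Failure' } | Group-Object SourceIp)) {
        $accounts = @($src.Group | ForEach-Object { $_.User } | Sort-Object -Unique)
        # Accounts this source managed to log into: the ones to reset and to
        # check for MFA enrolment first.
        $hits = @($Events | Where-Object { $_.SourceIp -eq $src.Name -and $_.Result -eq 'Success' } |
                 ForEach-Object { $_.User } | Sort-Object -Unique)

        if ($accounts.Count -ge $SprayMinAccounts) {
            $alerts += [pscustomobject]@{
                Type        = 'PasswordSpray'
                SourceIp    = $src.Name
                Accounts    = $accounts.Count
                Failures    = $src.Count
                Compromised = ($hits -join ',')
            }
        }
        foreach ($acct in ($src.Group | Group-Object User)) {
            if ($acct.Count -ge $BruteMinAttempts) {
                $alerts += [pscustomobject]@{
                    Type        = 'BruteForce'
                    SourceIp    = $src.Name
                    Accounts    = 1
                    Failures    = $acct.Count
                    Compromised = (@($hits | Where-Object { $_ -eq $acct.Name }) -join ',')
                }
            }
        }
    }
    $alerts
}

# Constructed sample (editor's test data, not real logs): 198.51.100.7 sprays
# six accounts and gets into one, 203.0.113.9 hammers a single account, and
# 192.0.2.20 is a user who mistyped a password once.
$lines = @('Time,User,SourceIp,Result')
$minute = 0
foreach ($u in 'alice', 'bob', 'carol', 'dave', 'erin', 'frank') {
    $lines += ('2021-07-01T08:{0:D2}:00Z,{1}@example.com,198.51.100.7,Failure' -f $minute, $u)
    $minute++
}
$lines += '2021-07-01T08:07:00Z,erin@example.com,198.51.100.7,Success'
foreach ($n in 1..12) {
    $lines += ('2021-07-01T09:{0:D2}:00Z,grace@example.com,203.0.113.9,Failure' -f $n)
}
$lines += '2021-07-01T10:00:00Z,heidi@example.com,192.0.2.20,Failure'
$lines += '2021-07-01T10:00:30Z,heidi@example.com,192.0.2.20,Success'

$events = $lines | ConvertFrom-Csv
Find-BruteForce -Events $events | Format-Table -AutoSize
```

The Compromised column is the part that turns a detection into an incident: a source that fails across many accounts and then succeeds on one has found a valid password, which is exactly the follow-on the advisory warns about, so those accounts get reset before anything else.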
  15. Tomi Engdahl says:

    Critical vulnerability in a Windows background service – “disable it as soon as possible”
    Janne Laakso, 1 July 2021 13:37 | updated 2 July 2021 08:07 | Vulnerabilities, Windows, Security
    The National Cyber Security Centre Finland reports a vulnerability in the Windows Print Spooler service whose exploitation is considered very likely.
    https://www.tivi.fi/uutiset/windowsin-taustapalvelussa-kriittinen-haavoittuvuus-kytke-pois-kaytosta-mahdollisimman-pian/f944767f-6a0b-4e00-8ea9-0acb545255d8

    A critical vulnerability has been found in the Windows Print Spooler, the background printing service, reports the National Cyber Security Centre Finland (Kyberturvallisuuskeskus). The vulnerability makes it possible, for example, to take over a domain, and instructions for exploiting it are spreading online. The Centre therefore considers it certain that the instructions have already reached attackers.

    The vulnerability broadly affects Windows versions from 7 to 10 and Windows Server from 2008 to 2019. At present no workarounds are known and no update that fixes the vulnerability has yet been released.

    Reply
  16. Tomi Engdahl says:

    Russian Hackers Are Trying to Brute-Force Hundreds of Networks
    While SolarWinds rightly drew attention earlier this year, Moscow’s Fancy Bear group has been on a password-guessing spree this whole time.
    https://www.wired.com/story/fancy-bear-russia-brute-force-hacking/

    Reply
  17. Tomi Engdahl says:

    Google Assistant Records Audio Even When You’re Not Using It, Company Reportedly Admits
    https://www.techtimes.com/articles/262271/20210701/google-ai-assistant-records-company-admits.htm

    Reply
  18. Tomi Engdahl says:

    Microsoft warns of critical PowerShell 7 code execution vulnerability https://www.bleepingcomputer.com/news/security/microsoft-warns-of-critical-powershell-7-code-execution-vulnerability/
    Microsoft warns of a critical .NET Core remote code execution vulnerability in PowerShell 7 caused by how text encoding is performed in .NET 5 and .NET Core.

    Reply
  19. Tomi Engdahl says:

    Mongolian Certificate Authority Hacked to Distribute Backdoored CA Software https://thehackernews.com/2021/07/mongolian-certificate-authority-hacked.html
    In yet another instance of software supply chain attack, unidentified hackers breached the website of MonPass, one of Mongolia’s major certificate authorities, to backdoor its installer software with Cobalt Strike binaries.

    Reply
  20. Tomi Engdahl says:

    Hacked Data for 69K LimeVPN Users Up for Sale on Dark Web https://threatpost.com/hacked-data-limevpn-dark-web/167492/
    LimeVPN has confirmed a data incident, and meanwhile its website has been knocked offline. The VPN provider known as LimeVPN has been hit with a hack affecting 69,400 user records, according to researchers.
    A hacker claims to have stolen the company’s entire customer database before knocking its website offline (Threatpost confirmed that as of press time, the website was down).

    Reply
  21. Tomi Engdahl says:

    US insurance giant AJG reports data breach after ransomware attack https://www.bleepingcomputer.com/news/security/us-insurance-giant-ajg-reports-data-breach-after-ransomware-attack/
    Arthur J. Gallagher (AJG), a US-based global insurance brokerage and risk management firm, is mailing breach notification letters to potentially impacted individuals following a ransomware attack that hit its systems in late September.

    Reply
  22. Tomi Engdahl says:

    New Mirai-Inspired Botnet Could Be Using Your KGUARD DVRs in Cyber Attacks https://thehackernews.com/2021/07/new-mirai-inspired-botnet-could-be.html
    Cybersecurity researchers on Thursday revealed details about a new Mirai-inspired botnet called “mirai_ptea” that leverages an undisclosed vulnerability in digital video recorders (DVR) provided by KGUARD to propagate and carry out distributed denial-of-service (DDoS) attacks.

    Reply
  23. Tomi Engdahl says:

    US chemical distributor shares info on DarkSide ransomware data theft https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/
    World-leading chemical distribution company Brenntag has shared additional info on what data was stolen from its network by DarkSide ransomware operators during an attack from late April 2021 that targeted its North America division.

    Reply
  24. Tomi Engdahl says:

    Swedish Coop supermarkets shut due to US ransomware cyber-attack
    https://www.bbc.com/news/technology-57707530

    Some 500 Coop supermarket stores in Sweden have been forced to close due to an ongoing “colossal” cyber-attack affecting organisations around the world.

    Coop Sweden says it closed more than half of its 800 stores on Friday after point-of-sale tills and self-service checkouts stopped working.

    The supermarket was not itself targeted by hackers – but is one of a growing number of organisations affected by an attack on a large software supplier the company uses indirectly.

    A spokeswoman for Coop Sweden told the BBC: “We first noticed problems in a small number of stores on Friday evening around 6:30pm so we closed those stores early. Then overnight we realised it was much bigger and we took the decision not to open most of our stores this morning so that our teams could work out how to fix it.”

    Reply
  25. Tomi Engdahl says:

    Coop supermarket closes 500 stores after Kaseya ransomware attack
    https://thedigitalnews.org/2021/07/03/coop-supermarket-closes-500-stores-after-kaseya-ransomware-attack/

    Swedish supermarket chain Coop has shut down approximately 500 stores after they were affected by an REvil ransomware attack targeting managed service providers through a supply-chain attack.

    Last night, the supermarket chain closed its stores after the REvil ransomware gang targeted managed service providers (MSPs) and their customers in a massive supply-chain attack through Kaseya VSA, a remote patch management and monitoring suite.

    Soon after the attack, Coop posted a notice stating all of their stores except for five had been shut down after cash registers no longer functioned due to an “IT attack” on one of their suppliers.

    https://koliasa.com/coop-supermarket-closes-500-stores-after-kaseya-ransomware-attack/

    Reply
  26. Tomi Engdahl says:

    Coop Sweden says it closed more than half of its 800 stores on Friday after point-of-sale tills and self-service checkouts stopped working.
    https://www.bbc.com/news/technology-57707530

    Sweden: 800 supermarkets suddenly closed after a hacker attack – economy
    https://debatepost.com/sporting/2021/07/04/sweden-800-supermarkets-suddenly-closed-after-a-hacker-attack-economy/

    The Swedish supermarket chain Coop, one of the largest grocery store chains in the country, had to close every one of its 800 branches on Saturday.

    Reason: a large-scale cyber attack! The attack blocked the cash register systems, said a company spokeswoman.

    An employee rejects customers in front of a closed Coop branch. Photo: picture alliance / TT NYHETSBYRÅN
    The state railways and a pharmacy chain also reported disruptions. Defense Minister Peter Hultqvist (62) spoke of a very dangerous attack.

    “In another geopolitical situation, state actors could attack us in this way to cripple society and wreak havoc,” the minister said on television.

    “A huge and devastating attack”
    According to the TT news agency, the target of the attack in Sweden was software from the US provider Kaseya used in many companies. The company had already stated on Friday that its VSA software might have been hacked.

    The tool is used by IT service providers to manage the computer systems of corporate customers. Kaseya recommended that VSA users shut down their servers immediately.

    According to the US security service provider Huntress, eight IT service providers and around 200 corporate customers were affected in the USA. “This is a huge and devastating attack on supply chains,” said Huntress manager John Hammond.

    Reply
  27. Tomi Engdahl says:

    Android Apps with 5.8 million Installs Caught Stealing Users’ Facebook Passwords https://thehackernews.com/2021/07/android-apps-with-58-million-installs.html
    Google intervened to remove nine Android apps downloaded more than 5.8 million times from the company’s Play Store after the apps were caught furtively stealing users’ Facebook login credentials. “The applications were fully functional, which was supposed to weaken the vigilance of potential victims. With that, to access all of the apps’ functions and, allegedly, to disable in-app ads, users were prompted to log into their Facebook accounts,” researchers from Dr. Web said.

    Reply
  28. Tomi Engdahl says:

    Norway Law Forces Influencers to Label Retouched Photos on Instagram https://www.vice.com/en/article/g5gd99/norway-law-forces-influencers-to-label-retouched-photos-on-instagram
    Legislators in Norway have passed new regulations requiring influencers and advertisers to label retouched photos in a bid to fight unrealistic beauty standards.

    Reply
  29. Tomi Engdahl says:

    Telnet service left enabled and without a password on SIMATIC HMI Comfort Panels https://therecord.media/telnet-service-left-enabled-and-without-a-password-on-simatic-hmi-comfort-panels/
    Siemens SIMATIC HMI Comfort Panels, devices meant to provide visualization of data received from industrial equipment, are exposing their Telnet service without any form of authentication, security researchers have discovered.

    Reply
  30. Tomi Engdahl says:

    Kaseya zero-day involved in ransomware attack, patches coming https://therecord.media/kaseya-zero-day-involved-in-ransomware-attack-patches-coming/
    Remote management software vendor Kaseya said it identified and is currently mitigating a vulnerability that was abused in a recent incident that saw ransomware deployed on the networks of thousands of companies worldwide. In addition:
    https://www.reuters.com/technology/cyber-attack-against-us-it-provider-forces-swedish-chain-close-800-stores-2021-07-03/

    Reply
  31. Tomi Engdahl says:

    Mysterious Node.js malware puzzles security researchers https://therecord.media/mysterious-node-js-malware-puzzles-security-researchers/
    Almost four months after it was first spotted in the wild, the infosec community is still scratching its head in regards to the purpose of a new malware strain named Lu0bot.

    Reply
  32. Tomi Engdahl says:

    Detection and Mitigation Advice for PrintNightmare https://www.lares.com/blog/detection-and-mitigation-advice-for-printnightmare/
    PrintNightmare (CVE-2021-34527) was released as a proof of concept this week on Github. This post highlights how the exploit PoCs released on Github work and how the specific vulnerability can be fixed and detected. The vulnerability itself was found and published by Zhipeng Huo (@R3dF09), Piotr Madej, and Yunhai Zhang

    Reply
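An added example by the editor, not from the Lares post or the page: a PowerShell hunt for the two events the public PrintNightmare PoCs leave in the PrintService operational log, 316 (a printer driver was added or updated) and 808 (the spooler failed to load a plug-in module, the dropped DLL). It assumes an elevated session and that the Microsoft-Windows-PrintService/Operational log is enabled (it is off by default). The path regex is the editor's heuristic, based on the PoCs loading the driver DLL from a UNC share and the spooler copying it under the spool\drivers\x64\3 tree; the 160-character message truncation and 24-hour window are arbitrary choices.

```powershell
# Added example by the editor; not from the Lares post or the page.
# Hunts for PrintService events 316 (driver added or updated) and 808 (spooler
# failed to load a plug-in module), the traces the PrintNightmare PoCs leave.
# Assumptions: elevated session; the operational log is enabled (it is off by
# default; enable with: wevtutil sl Microsoft-Windows-PrintService/Operational /e:true).
[CmdletBinding()]
param(
    [int]$Hours = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)

$filter = @{
    LogName   = 'Microsoft-Windows-PrintService/Operational'
    Id        = 316, 808
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Host "No 316/808 PrintService events in the last $Hours h on $ComputerName (is the log enabled?)."
    return
}

# Editor's heuristic: a driver DLL referenced by UNC path, or one sitting in the
# spool "3" directory tree, is what the CVE-2021-34527 PoCs produce; a print
# server installing a vendor driver from a local package normally does not match.
$suspiciousPath = '(?i)(\\\\[^\\\s]+\\[^\\\s]+\\\S*\.dll|\\spool\\drivers\\x64\\3\\\S*\.dll)'

$events | ForEach-Object {
    $flat = ($_.Message -replace '\s+', ' ')
    [pscustomobject]@{
        Time       = $_.TimeCreated
        Id         = $_.Id
        Suspicious = [bool]($flat -match $suspiciousPath)
        Message    = $flat.Substring(0, [Math]::Min(160, $flat.Length))
    }
} | Sort-Object Suspicious, Time -Descending | Format-Table -AutoSize
```

A 316 followed within seconds by an 808 naming a DLL under the "3" directory is the sequence to escalate on: the driver install succeeded (or partially did) and the spooler tried to load the attacker's module. Run it against every domain controller first, since that is where the remote variant pays off.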
  33. Tomi Engdahl says:

    https://www.securityweek.com/microsoft-confirms-printnightmare-new-windows-security-flaw
    Microsoft late Thursday acknowledged a severe security vulnerability in the Print Spooler utility that ships by default on Windows and warned that the bug exposes users to computer takeover attacks.

    Reply
  34. Tomi Engdahl says:

    https://www.securityweek.com/microsoft-confirms-printnightmare-new-windows-security-flaw
    Microsoft made it clear this new vulnerability (CVE-2021-34527) is similar to but distinct from the CVE-2021-1675 flaw, which addressed a different vulnerability in RpcAddPrinterDriverEx().
    “The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update,” the company said. “This is an evolving situation and we will update the CVE as more information is available.”

    Reply
  35. Tomi Engdahl says:

    Vulnerabilities in WAGO Devices Expose Industrial Firms to Remote Attacks
    https://www.securityweek.com/vulnerabilities-wago-devices-expose-industrial-firms-remote-attacks

    Several critical and high-severity vulnerabilities have been identified in programmable logic controller (PLC) and human-machine interface (HMI) products made by WAGO, a German company specializing in electrical connection and automation solutions.

    According to an advisory published this week by Germany’s CERT@VDE, which coordinates cybersecurity issues related to industrial automation, WAGO’s PFC100 and PFC200 PLCs, its Edge Controller product, and Touch Panel 600 HMIs are affected by four memory-related flaws impacting the iocheckd service I/O-Check.

    The security holes can allow an attacker to cause a denial of service (DoS) condition and in some cases even execute arbitrary code. Each vulnerability can be exploited by sending specially crafted packets containing OS commands to the targeted device.

    Uri Katz, protocol researcher at industrial cybersecurity firm Claroty, has been credited for reporting the flaws to the vendor.

    “By chaining the shared memory overflow vulnerability (CVE-2021-34566) and the out-of-bound read vulnerability (CVE-2021-34567), we were able to create a full blown pre-auth remote code execution to take over any WAGO PFC100/200 device remotely,” Katz told SecurityWeek.

    Katz noted that there are a few hundred WAGO PFC devices exposed to the internet, which means they can be remotely targeted by malicious actors.

    Reply
  36. Tomi Engdahl says:

    Most Coop stores are still closed. Their solution primarily seems to be to change payment system subcontractor to their in-house system temporarily (?).

    https://www.reuters.com/technology/hackers-demand-70-million-liberate-data-held-by-companies-hit-mass-cyberattack-2021-07-05/

    Reply
  37. Tomi Engdahl says:

    REvil Used 0-Day in Kaseya Ransomware Attack, Demands $70 Million Ransom
    https://thehackernews.com/2021/07/revil-used-0-day-in-kaseya-ransomware.html?m=1

    Amidst the massive supply-chain ransomware attack that triggered an infection chain compromising thousands of businesses on Friday, new details have emerged about how the notorious Russia-linked REvil cybercrime gang may have pulled off the unprecedented hack.

    The Dutch Institute for Vulnerability Disclosure (DIVD) on Sunday revealed it had alerted Kaseya to a number of zero-day vulnerabilities in its VSA software (CVE-2021-30116) that it said were being exploited as a conduit to deploy ransomware. The non-profit entity said the company was in the process of resolving the issues as part of a coordinated vulnerability disclosure when the July 2 attacks took place.

    More specifics about the flaws were not shared, but DIVD chair Victor Gevers hinted that the zero-days are trivial to exploit. At least 1,000 businesses are said to have been affected by the attacks

    Kaseya VSA is a cloud-based IT management and remote monitoring solution for managed service providers (MSPs), offering a centralized console to monitor and manage endpoints, automate IT processes, deploy security patches, and control access via two-factor authentication.

    REvil Demands $70 Million Ransom
    Active since April 2019, REvil (aka Sodinokibi) is best known for extorting $11 million from the meat-processor JBS early last month, with the ransomware-as-a-service business accounting for about 4.6% of attacks on the public and private sectors in the first quarter of 2021.

    The group is now asking for a record $70 million ransom payment to publish a universal decryptor that can unlock all systems that have been crippled by file-encrypting ransomware.

    Reply
  38. Tomi Engdahl says:

    Catalin Cimpanu / The Record:
    In a post on the REvil dark web blog, the gang takes credit for the Kaseya attack, claims it infected 1M+ systems, and demands $70M in bitcoin for the decryptor — The REvil ransomware gang is asking for a $70 million ransom payment to publish a universal decryptor that can unlock …

    REvil gang asks for $70 million to decrypt systems locked in Kaseya attack
    https://therecord.media/revil-gang-asks-70-million-to-decrypt-systems-locked-in-kaseya-attack/

    The REvil ransomware gang is asking for a $70 million ransom payment to publish a universal decryptor that can unlock all computers locked during the Kaseya incident that took place this past Friday, The Record has learned.

    In a message posted on their dark web blog, the REvil gang officially took credit for the attack for the first time and claimed they locked more than one million systems during the Kaseya incident.

    If honored, the demand would become the highest ransomware payment ever made.

    A Kaseya spokesperson was not on hand to comment if the company would be considering paying the REvil gang’s ransom demand.

    Reply
  39. Tomi Engdahl says:

    Trevor Hunnicutt / Reuters:
    President Biden says he has directed US intelligence agencies to investigate the Kaseya ransomware attack and adds “we’re not certain” who is behind the attack — President Joe Biden said on Saturday he has directed U.S. intelligence agencies to investigate who was behind …

    Biden orders probe of latest ransomware attack
    https://www.reuters.com/technology/biden-says-uncertain-who-is-behind-latest-ransomware-attack-2021-07-03/

    CENTRAL LAKE, Mich., July 3 (Reuters) – President Joe Biden said on Saturday he has directed U.S. intelligence agencies to investigate who was behind a sophisticated ransomware attack that hit hundreds of American businesses and led to suspicions of Russian gang involvement.

    Security firm Huntress Labs said on Friday it believed the Russia-linked REvil ransomware gang was to blame for the latest ransomware outbreak. Last month, the FBI blamed the same group for paralyzing meat packer JBS SA (JBSS3.SA).

    Biden, on a visit to Michigan to promote his vaccination program, was asked about the hack while shopping for pies at a cherry orchard market.

    Biden said “we’re not certain” who is behind the attack. “The initial thinking was it was not the Russian government but we’re not sure yet,” he said.

    Reply
