This posting is here to collect cyber security news in July 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
243 Comments
Tomi Engdahl says:
Catalin Cimpanu / The Record:
Coop, one of Sweden’s largest supermarket chains, shuts down nearly all of its 800 stores after one of its contractors was hit in the Kaseya ransomware attack — Coop, one of Sweden’s largest supermarket store chains, has shut down nearly 800 stores across the country after one of its contractors …
Supermarket chain Coop closes 800 stores following Kaseya ransomware attack
https://therecord.media/supermarket-chain-coop-closes-800-stores-following-kaseya-ransomware-attack/
Coop, one of Sweden’s largest supermarket store chains, has shut down nearly 800 stores across the country after one of its contractors was hit by ransomware in the aftermath of the Kaseya security incident on Friday.
The stores were closed on Friday afternoon after cash registers and self-serving stations went down and prevented Coop employees from processing in-store payments.
Stores have remained closed today, on Saturday, and the company was hoping to have them re-open on Sunday, July 4, according to in-store posters.
Only five of Coop’s 800+ stores have not been affected, according to a message the Swedish company posted on its website.
Tomi Engdahl says:
https://etn.fi/index.php/13-news/12344-kiristyshaittaohjelmilla-hyokataan-teollisuuden-ohjausjarjestelmiin
Tomi Engdahl says:
CISA, FBI share guidance for victims of Kaseya ransomware attack https://www.bleepingcomputer.com/news/security/cisa-fbi-share-guidance-for-victims-of-kaseya-ransomware-attack/
CISA and the Federal Bureau of Investigation (FBI) have shared guidance for managed service providers (MSPs) and their customers impacted by the REvil supply-chain ransomware attack that hit the systems of Kaseya’s cloud-based MSP platform.
Tomi Engdahl says:
Biden announces investigation into international ransomware attack https://www.theguardian.com/technology/2021/jul/03/kaseya-ransomware-attack-us-sweden
Joe Biden said on Saturday he had directed US intelligence agencies to investigate a sophisticated ransomware attack that hit hundreds of American businesses as the Fourth of July holiday weekend began and aroused suspicions of Russian gang involvement
Tomi Engdahl says:
Swedish watchdog to investigate Klarna for bank secrecy breach https://www.reuters.com/technology/swedish-watchdog-investigate-klarna-bank-secrecy-breach-2021-07-05/
STOCKHOLM, July 5 (Reuters) – Sweden’s financial watchdog said on Monday it was investigating payments firm Klarna over a potential breach of banking secrecy laws in connection with an IT incident at the firm in May.
Tomi Engdahl says:
Ransomware attacks driving cyber reinsurance rates up 40% https://www.zdnet.com/article/ransomware-attacks-driving-cyber-reinsurance-rates-up-40/
London-based reinsurance broker Willis Re told Reuters on Thursday that cyber reinsurance rates are skyrocketing due to a spate of devastating ransomware attacks on major companies in recent months.
Tomi Engdahl says:
QNAP fixes critical bug in NAS backup, disaster recovery app https://www.bleepingcomputer.com/news/security/qnap-fixes-critical-bug-in-nas-backup-disaster-recovery-app/
Taiwan-based network-attached storage (NAS) maker QNAP has addressed a critical security vulnerability enabling attackers to compromise vulnerable NAS devices’ security.
The improper access control vulnerability tracked as CVE-2021-28809 was found by Ta-Lun Yen of TXOne IoT/ICS Security Research Labs in HBS 3 Hybrid Backup Sync, QNAP’s disaster recovery and data backup solution.
The security issue is caused by buggy software that does not correctly restrict attackers from gaining access to system resources, allowing them to escalate privileges, execute commands remotely, or read sensitive info without authorization.
HBS backdoor account exploited by Qlocker ransomware
QNAP fixed another critical security vulnerability found in the HBS 3 Hybrid Backup Sync backup and disaster recovery app in April.
Tomi Engdahl says:
White House to formally attribute Hafnium Exchange attacks in the coming weeks
https://therecord.media/white-house-to-formally-attribute-hafnium-exchange-attacks-in-the-coming-weeks/
The White House is preparing to formally attribute the Hafnium attacks on Microsoft Exchange servers in the coming weeks, a top US official said last week.
Tomi Engdahl says:
Scale, Details of Massive Kaseya Ransomware Attack Emerge
https://www.securityweek.com/scale-details-massive-kaseya-ransomware-attack-emerge
Cybersecurity teams worked feverishly Sunday to stem the impact of the single biggest global ransomware attack on record, with some details emerging about how the Russia-linked gang responsible breached the company whose software was the conduit.
An affiliate of the notorious REvil gang, best known for extorting $11 million from the meat-processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said.
REvil was demanding ransoms of up to $5 million, the researchers said. But late Sunday it offered in a posting on its dark web site a universal decryptor software key that would unscramble all affected machines in exchange for $70 million in cryptocurrency.
Tomi Engdahl says:
IT Software Firm Kaseya Hit By Supply Chain Ransomware Attack
https://www.securityweek.com/it-software-firm-kaseya-hit-supply-chain-ransomware-attack
Supply chain cyberattack could have wide blast radius through compromised MSPs
Software maker Kaseya Limited is urging users of its VSA endpoint management and network monitoring tool to immediately shut down VSA servers to prevent them from being compromised in a widespread ransomware attack.
According to Kaseya, the attack began around 2PM ET on Friday. The company said that while the incident only appears to impact on-premises customers, SaaS servers have also been shut down as a precautionary measure.
While the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) had not yet issued an official alert as of early Saturday, the agency said late Friday that it was “taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software.”
Timing of the attack is certainly no coincidence, as IT and security teams are likely to be understaffed and slower to respond due to the 4th of July holiday weekend in the United States.
“While our early indicators suggested that only a very small number of on-premises customers were affected, we took a conservative approach in shutting down the SaaS servers to ensure we protected our more than 36,000 customers to the best of our ability,” the company said.
Tomi Engdahl says:
Hackers Compromise Mongolian Certificate Authority to Spread Malware
https://www.securityweek.com/hackers-compromise-mongolian-certificate-authority-spread-malware
Tomi Engdahl says:
Joshua Zitser / Insider:
GETTR, the new pro-Trump social platform, acknowledges it was hacked on its July 4 launch, with the usernames of prominent accounts being defaced — GETTR, founded by former Trump aide Jason Miller, was hacked on the day of its official launch. — The accounts of Miller …
https://www.businessinsider.com/gettr-trump-allies-get-accounts-hacked-july-4-launch-day-2021-7?op=1&scrolla=5eb6d68b7fedc32c19ef33b4&r=US&IR=T
Tomi Engdahl says:
Up to 1,500 businesses affected by ransomware attack, U.S. firm’s CEO says
https://www.reuters.com/technology/hackers-demand-70-million-liberate-data-held-by-companies-hit-mass-cyberattack-2021-07-05/
Tomi Engdahl says:
At least 150 people fatally shot in more than 400 shootings over the Fourth of July weekend
https://edition.cnn.com/2021/07/05/us/us-shootings-july-fourth-weekend/index.html
Tomi Engdahl says:
https://mobile.twitter.com/edwardzpeng/status/1409810304091889669
Tomi Engdahl says:
https://appleinsider.com/articles/21/07/04/open-source-audacity-deemed-spyware-over-data-collection-changes
Tomi Engdahl says:
https://9to5google.com/2021/06/29/google-verification-code-sms-ad/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/cisco-asa-vulnerability-actively-exploited-after-exploit-released/
Tomi Engdahl says:
https://www.wired.com/story/atm-hack-nfc-bugs-point-of-sale/
Tomi Engdahl says:
https://www.theregister.com/2021/06/25/dell_supportassist_biosconnect_vulns_rce/
Tomi Engdahl says:
https://mspoweruser.com/dells-bios-software-open-to-remote-exploit-affecting-millions-of-laptops/
Tomi Engdahl says:
https://www.zdnet.com/article/chachi-golang-a-new-go-trojan-focuses-on-attacking-us-schools/
Tomi Engdahl says:
https://fosspost.org/audacity-is-now-a-spyware/
Tomi Engdahl says:
Kaseya Rules Out Supply-Chain Attack; Says VSA 0-Day Hit Its Customers Directly https://thehackernews.com/2021/07/kaseya-rules-out-supply-chain-attack.html
While initial reports speculated that the ransomware gang might have gained access to Kaseya’s backend infrastructure and abused it to deploy a malicious update to VSA servers running on client premises, in a modus operandi similar to that of the devastating SolarWinds hack, it has since emerged that a never-before-seen security vulnerability (CVE-2021-30116) in the software was leveraged to push ransomware to Kaseya’s customers.
Also:
https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
Tomi Engdahl says:
Kaseya: Roughly 1,500 businesses hit by REvil ransomware attack https://www.bleepingcomputer.com/news/security/kaseya-roughly-1-500-businesses-hit-by-revil-ransomware-attack/
Kaseya says the REvil supply-chain ransomware attack breached the systems of roughly 60 of its direct customers using the company’s VSA on-premises product. “Of the approximately 800,000 to 1,000,000 local and small businesses that are managed by Kaseya’s customers, only about 800 to 1,500 have been compromised.”
Also:
https://www.kaseya.com/potential-attack-on-kaseya-vsa/
Also:
https://threatpost.com/kaseya-patches-zero-day-exploits/167548/
Tomi Engdahl says:
Global ransomware attack affecting a service platform for small and medium-size segment in Sweden https://www.tietoevry.com/en/newsroom/all-news-and-releases/other-news/2021/global-ransomware-attack-affecting-a-service-platform-for-small-and-medium-size-segment-in-sweden/
On late afternoon Friday 2nd of July, a service platform for a small and medium-size segment of customers was subject to a ransomware attack which was related to the global criminal attack towards Kaseya.
The Kaseya software is used by a local TietoEVRY operation unit in Sweden and hence a limited number of customers have been affected. The impact on consumers and general public has been narrow, even if the impact to the affected customers business may be serious.
Tomi Engdahl says:
IoT/ICS Armageddon: hacking devices like there’s no tomorrow (part 1) https://www.redtimmy.com/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1/
The truth is that hacking OT devices wasn’t challenging enough. Today, like five years ago, the security in the area is running 10/15 years behind the traditional IT sector. In a few words:
Tomi Engdahl says:
ZLD4.65 & 5.02 Firmware release
https://community.zyxel.com/en/discussion/11061/zld4-65-5-02-firmware-release
Zyxel has been tracking the recent activity of threat actors targeting Zyxel security appliances and has released firmware patches to defend against it. The patches also include additional security enhancements based on users’ feedback and security researchers’ advice, which we strongly recommend users install immediately.
Tomi Engdahl says:
Pro-Trump social media site Gettr hacked https://www.cnet.com/news/pro-trump-social-media-app-gettr-hacked/
A social media site launched last week by a senior adviser to former President Donald Trump was briefly hacked on Sunday, with account profiles being defaced with pro-Palestinian messages.
Also:
https://www.bleepingcomputer.com/news/security/hacker-dumps-private-info-of-pro-trump-gettr-social-network-members/
Also:
https://therecord.media/gettr-leaks-email-addresses-and-user-details-in-api-security-snafu/
Tomi Engdahl says:
Kaspersky Password Manager: All your passwords are belong to us https://donjon.ledger.com/kaspersky-password-manager/
The password generator included in Kaspersky Password Manager had several problems. The most critical one is that it used a PRNG not suited for cryptographic purposes. Its single source of entropy was the current time.
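The Ledger Donjon finding above is a textbook instance of a non-cryptographic PRNG seeded with the clock. The block below is an added illustration, not Kaspersky's or Ledger Donjon's code: it stands in Python's Mersenne Twister (`random.Random`) seeded with a Unix timestamp for the real generator (an assumption about the mechanism, chosen only to model "single source of entropy is the current time"), shows how an attacker who knows roughly when a password was created recovers it by brute-forcing the seed, and puts the `secrets`-based fix beside it.

```python
"""Why a time-seeded PRNG is useless for password generation.

Added example for the Kaspersky Password Manager write-up; not the vendor's
or the researchers' code. random.Random seeded with a Unix timestamp is an
assumed stand-in for the real generator, used to model the same weakness.
"""
import math
import random
import secrets
import string
from typing import Optional, Tuple

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def weak_password(seed_time: int, length: int = 12) -> str:
    """INSECURE: the only entropy is the (guessable) generation time.

    The same second always yields the same password, so anyone who can
    bound the creation time can regenerate it."""
    rng = random.Random(seed_time)  # deterministic for a given seed
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def recover_seed(password: str, approx_time: int, window: int) -> Optional[int]:
    """Attacker side: try every second within +/- window of the estimated
    creation time and regenerate until the output matches."""
    for candidate in range(approx_time - window, approx_time + window + 1):
        if weak_password(candidate, len(password)) == password:
            return candidate
    return None


def strong_password(length: int = 12) -> str:
    """CORRECT: draw from the OS CSPRNG via secrets; there is no seed to recover."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def search_space_bits(length: int = 12, seconds: int = 365 * 86400) -> Tuple[float, float]:
    """Nominal strength of a random password of this length versus the
    effective strength of a time-seeded one over a one-year seed window."""
    nominal = length * math.log2(len(ALPHABET))
    effective = math.log2(seconds)
    return nominal, effective


if __name__ == "__main__":
    import time

    made_at = int(time.time())
    pw = weak_password(made_at)
    # Attacker only knows the password was created "sometime this hour".
    found = recover_seed(pw, made_at + 1800, 3600)
    print(f"{pw!r} regenerated from seed {found} (actual {made_at})")
    nominal, effective = search_space_bits()
    print(f"looks like {nominal:.0f} bits, is really {effective:.1f} bits over a year of seeds")
    print("secrets-based:", strong_password())
```

The point of `search_space_bits` is the one users of such a tool miss: a 12-character password over 94 symbols advertises about 79 bits, but if the seed is a one-second timestamp, every password the tool produced in a whole year lives in a space of under 25 bits, which a laptop enumerates in seconds. Any password generator that cannot name its entropy source should be treated as broken.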
Tomi Engdahl says:
Microsoft 365 to let SecOps lock hacked Active Directory accounts https://www.bleepingcomputer.com/news/security/microsoft-365-to-let-secops-lock-hacked-active-directory-accounts/
Microsoft is updating Microsoft Defender for Identity to allow security operations (SecOps) teams to block attacks by locking a compromised user’s Active Directory account.
Tomi Engdahl says:
Western Digital Users Face Another RCE
https://threatpost.com/rce-0-day-western-digital-users/167547/
Say hello to one more zero-day and yet more potential remote data death for those who can’t/won’t upgrade their My Cloud storage devices.
Tomi Engdahl says:
Hackers Demand $70 Million as Kaseya Ransomware Victim Toll Nears 1,500 Firms
https://www.securityweek.com/hackers-demand-70-million-kaseya-ransomware-victim-toll-nears-1500-firms
Tomi Engdahl says:
Microsoft Ships Emergency Patch for Critical Windows ‘PrintNightmare’ Vulnerability
https://www.securityweek.com/microsoft-ships-emergency-patch-critical-windows-printnightmare-vulnerability
Microsoft late Tuesday pushed out an emergency patch to cover the Windows ‘PrintNightmare’ security flaw.
The out-of-band update comes more than a week after the publication of proof-of-concept exploit code sent Windows network administrators scrambling to apply pre-patch mitigations.
The issue caused major headaches in security research circles because the exploit targets CVE-2021-1675, a vulnerability that was patched by Microsoft on June 8 and originally misdiagnosed as a low-risk privilege escalation issue.
https://www.securityweek.com/windows-admins-scrambling-contain-printnightmare-flaw-exposure
Tomi Engdahl says:
https://www.securityweek.com/british-airways-settles-class-action-over-2018-data-breach
Tomi Engdahl says:
Researcher Describes Potential Impact of Recently Patched SonicWall NSM Flaw
https://www.securityweek.com/researcher-describes-potential-impact-recently-patched-sonicwall-nsm-flaw
A researcher at Positive Technologies has described the potential impact of a recently addressed command injection vulnerability affecting SonicWall’s Network Security Manager (NSM) product.
NSM is a firewall management application that provides the ability to monitor and manage all network security services from a single interface, as well as to automate tasks to improve security operations. The product is available for on-premises deployments or as a SaaS offering.
Tracked as CVE-2021-20026 and featuring a CVSS score of 8.8, the vulnerability was patched in May 2021. The security hole affects the on-premises versions of SonicWall NSM only and can be exploited through specially crafted HTTP requests sent to the vulnerable application.
An attacker looking to exploit the vulnerability needs to be authenticated to the vulnerable application. The attacker could then execute commands on the underlying operating system with root privileges.
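The NSM flaw is an authenticated command injection that ends in root command execution. SonicWall's handler is not public on this page, so the block below is a generic, added illustration of the bug class in Python, not NSM's code: a management endpoint that shells out with a user-supplied host value, shown in its vulnerable form and beside the hardened form. `echo` is an assumed stand-in for whatever the real handler executed.

```python
"""Command injection: vulnerable pattern beside the hardened form.

Added example for the SonicWall NSM item; not SonicWall's code. The handler
and the use of `echo` are assumptions that model the class of bug.
"""
import re
import subprocess
from typing import List

# Allowlist: hostnames and IPv4 literals only (letters, digits, dots, hyphens).
# Anything the shell treats specially (; | & $ ` ( ) space ...) is rejected.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def run_vulnerable(host: str) -> List[str]:
    """VULNERABLE: interpolates the request parameter into a shell command line.

    A value like '10.0.0.1; id' is parsed by the shell as two commands. When
    the service runs as root, as NSM did, the injected command runs as root."""
    out = subprocess.run(f"echo {host}", shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def validate_host(host: str) -> str:
    """Reject anything that is not a plain hostname or IPv4 literal."""
    if not _HOST_RE.match(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def run_hardened(host: str) -> List[str]:
    """FIXED: allowlist-validate, then pass argv as a list with shell=False so
    the value reaches the program as a single argument, never as shell syntax."""
    argv = ["echo", validate_host(host)]
    out = subprocess.run(argv, capture_output=True, text=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    payload = "10.0.0.1; echo INJECTED"
    print("vulnerable:", run_vulnerable(payload))  # second line: INJECTED
    try:
        run_hardened(payload)
    except ValueError as e:
        print("hardened:", e)
    print("hardened, legit input:", run_hardened("10.0.0.1"))
```

Two caveats carry over to the real product. Authentication is not a mitigation for this class: any NSM user, or any attacker holding a stolen session, reaches the sink. And input validation alone is not enough either; the process that runs operator-supplied actions should not run as root in the first place, so that a missed sink yields a low-privilege shell rather than full control of the appliance.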
Tomi Engdahl says:
In Crosshairs of Ransomware Crooks, Cyber Insurers Struggle
https://www.securityweek.com/crosshairs-ransomware-crooks-cyber-insurers-struggle
In the past few weeks, ransomware criminals claimed as trophies at least three North American insurance brokerages that offer policies to help others survive the very network-paralyzing, data-pilfering extortion attacks they themselves apparently suffered.
Cybercriminals who hack into corporate and government networks to steal sensitive data for extortion routinely try to learn how much cyber insurance coverage the victims have. Knowing what victims can afford to pay can give them an edge in ransom negotiations. The cyber insurance industry, too, is a prime target for crooks seeking its customers’ identities and scope of coverage.
Before ransomware evolved into a full-scale global epidemic plaguing businesses, hospitals, schools and local governments, cyber insurance was a profitable niche industry. It was accused of fueling the criminal feeding frenzy by routinely recommending that victims pay up, but kept many from going bankrupt.
Now, the sector isn’t just in the criminals’ crosshairs. It’s teetering on the edge of profitability, upended by a more than 400% rise last year in ransomware cases and skyrocketing extortion demands. As a percentage of premiums collected, cyber insurance payouts now top 70%, the break-even point.
Fabian Wosar, chief technical officer of Emsisoft, a cybersecurity firm specializing in ransomware, said the prevailing attitude among insurers is no longer: Pay the criminals. It’s likely to be cheaper for all involved.
“The ransomware groups got way too greedy too quickly. So the cost-benefit equation the insurers initially used to figure out whether or not they should pay a ransom — it’s just not there anymore,” he said.
Tomi Engdahl says:
Scale, Details of Massive Kaseya Ransomware Attack Emerge
https://www.securityweek.com/scale-details-massive-kaseya-ransomware-attack-emerge
Earlier, the FBI said in a statement that while it was investigating the attack its scale “may make it so that we are unable to respond to each victim individually.” Deputy National Security Advisor Anne Neuberger later issued a statement saying President Joe Biden had “directed the full resources of the government to investigate this incident” and urged all who believed they were compromised to alert the FBI.
Biden suggested Saturday the U.S. would respond if it was determined that the Kremlin is at all involved.
Tomi Engdahl says:
Bloomberg:
Sources: state-backed Russian hacking group APT29 breached the RNC last week, possibly via IT provider Synnex; RNC says there is no indication it was hacked — Hackers part of ‘Cozy Bear,’ people familiar with matter say — RNC official says ‘no indication’ computer systems hacked
https://www.bloomberg.com/news/articles/2021-07-06/russian-state-hackers-breached-republican-national-committee
Tomi Engdahl says:
Clothilde Goujard / Politico:
EU’s new law will let tech companies scan their platforms for child sexual abuse material for the next three years without fear of violating EU’s privacy laws — The European Parliament on Tuesday approved a controversial law that would allow digital companies to detect and report child sexual abuse …
EU Parliament lets companies look for child abuse on their platforms, with reservations
Privacy-conscious lawmakers say the rules are ‘legally flawed’ and endanger privacy.
https://www.politico.eu/article/european-parliament-platforms-child-sexual-abuse-reporting-law/
Tomi Engdahl says:
Raphael Satter / Reuters:
Kaseya’s CEO says between 800 and 1,500 businesses have been affected globally by the ransomware attack centered on Kaseya — Between 800 and 1,500 businesses around the world have been affected by a ransomware attack centered on U.S. information technology firm Kaseya, its chief executive said on Monday.
Up to 1,500 businesses affected by ransomware attack, U.S. firm’s CEO says
https://www.reuters.com/technology/hackers-demand-70-million-liberate-data-held-by-companies-hit-mass-cyberattack-2021-07-05/
Tomi Engdahl says:
Hackers Scrape 90,000 GETTR User Emails, Surprising No One
https://www.vice.com/en/article/dyv44m/hackers-scrape-90000-gettr-user-emails-surprising-no-one?utm_source=motherboardtv_facebook&utm_medium=social
Just days after its launch, hackers have already found a way to take advantage of GETTR’s buggy API to get the username, email address, and location of thousands of users.
Tomi Engdahl says:
New Right-Wing Social Media Site GETTR Plagued By Hacker, Porn, Sonic The Hedgehog
https://www.huffp.st/SCP63bi
The new right-wing social media site GETTR was briefly hacked on the day of its official launch and has also been inundated with porn and images of Sonic the Hedgehog.
Tomi Engdahl says:
The European Parliament approved the ePrivacy Derogation, allowing providers of e-mail and messaging services to automatically search all personal messages of each citizen for presumed suspect content and report suspected cases to the police. The European Pirates Delegation in the Greens/EFA group strongly condemns this automated mass surveillance, which effectively means the end of privacy in digital correspondence. Pirate Party MEPs plan to take legal action.
CHATCONTROL: EUROPEAN PARLIAMENT APPROVES MASS SURVEILLANCE OF PRIVATE COMMUNICATIONS
https://www.patrick-breyer.de/en/chatcontrol-european-parliament-approves-mass-surveillance-of-private-communications/
Tomi Engdahl says:
Audacity 3.0 called spyware over data collection changes by new owner
https://appleinsider.com/articles/21/07/04/open-source-audacity-deemed-spyware-over-data-collection-changes
There is already a fork, without the spyware. But the author is searching a new maintainer, in case someone is interested:
https://github.com/binaergewitter/audiocity
This is apparently not true. https://arstechnica.com/gadgets/2021/07/no-open-source-audacity-audio-editor-is-not-spyware/
Tomi Engdahl says:
Out-of-Band (OOB) Security Update available for CVE-2021-34527 https://msrc-blog.microsoft.com/2021/07/06/out-of-band-oob-security-update-available-for-cve-2021-34527/
Today Microsoft released an Out-of-Band (OOB) security update for CVE-2021-34527, which is being discussed externally as PrintNightmare.
This is a cumulative update release, so it contains all previous security fixes and should be applied immediately to fully protect your systems.
Also:
https://us-cert.cisa.gov/ncas/current-activity/2021/07/06/microsoft-releases-out-band-security-updates-printnightmare
Also:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
Also:
https://www.darkreading.com/endpoint/microsoft-releases-emergency-patch-for-printnightmare-flaw
Also:
https://www.bleepingcomputer.com/news/security/microsoft-pushes-emergency-update-for-windows-printnightmare-zero-day/
Also:
https://thehackernews.com/2021/07/microsoft-issues-emergency-patch-for.html
Also:
https://isc.sans.edu/diary/rss/27610
Tomi Engdahl says:
Fake Kaseya VSA Security Update Drops Cobalt Strike https://threatpost.com/fake-kaseya-vsa-update-cobalt-strike/167587/
A malware spam campaign is milking the Kaseya ransomware attacks against its Virtual System/Server Administrator (VSA) platform to spread a link pretending to be a Microsoft security update, along with an executable file that’s dropping Cobalt Strike, researchers warn.
Also:
https://www.bleepingcomputer.com/news/security/fake-kaseya-vsa-security-update-backdoors-networks-with-cobalt-strike
Kaseya VSA Limited Disclosure
https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/
Last weekend we found ourselves in the middle of a storm. A storm created by the ransomware attacks executed via Kaseya VSA, using a vulnerability which we confidentially disclosed to Kaseya, together with six other vulnerabilities.
Also:
https://csirt.divd.nl/cases/DIVD-2021-00011/
Tomi Engdahl says:
EU Passes Emergency Law Allowing Tech Companies To Screen Messages For Child Abuse https://www.forbes.com/sites/emmawoollacott/2021/07/07/eu-passes-emergency-law-allowing-tech-companies-to-screen-messages-for-child-abuse/
The European Parliament has approved emergency measures allowing internet companies to scan users’ private messages for material containing child sex abuse.
Tomi Engdahl says:
Tens of thousands scammed using fake Android cryptomining apps https://www.bleepingcomputer.com/news/security/tens-of-thousands-scammed-using-fake-android-cryptomining-apps/
Scammers tricked at least 93,000 people into buying fake Android cryptocurrency mining applications, as revealed by researchers from California-based cybersecurity firm Lookout.
Also:
https://blog.lookout.com/lookout-unearths-android-crypto-mining-scams