Welcome to #WakeUpWednesday. We want to make the Netherlands digitally safe and resilient. That is why Tesorion will now give you a short overview every Wednesday in a post about vulnerabilities or hacks that have received national or international attention. We want to wake up as many people as possible and make them aware of possible risks in the field of cyber security.
We will of course report directly on important vulnerabilities and options to mitigate them. Our #WakeUpWednesday is a kind of retrospective.
Since the beginning of this month, patches have been released by a large number of vendors. The latest Patch Tuesday from Microsoft provided updates for several critical vulnerabilities. Updates have also become available for GitLab, Google Chrome, Adobe, Android, Citrix, Dell and Cisco, for example. Installing updates is one of the essential measures to keep cybercriminals out.
Recently, about 280,000 WordPress sites were attacked via a zero-day vulnerability in the WPGateway plugin. By exploiting this vulnerability, cybercriminals can gain complete control over the website. No update is available yet; users are advised to uninstall the plugin until the issue is resolved.
Furthermore, there is a warning to be alert for attacks with ChromeLoader malware. This malware steals passwords and personal information and can also install additional malware, including ransomware. ChromeLoader is spread through rogue links in YouTube and Twitter comments and through rogue advertisements.
There is currently a trend in the gamer community whereby gamers are being targeted via YouTube videos with links offering cheats and cracks for a number of popular games. Downloading the RAR files causes malware, the RedLine stealer, to be installed. In addition, it provides access to the victim’s YouTube account in order to further spread the malware through that account. Being aware of what is being downloaded and installed is therefore essential.
In addition to new ransomware variations, ransomware organizations are also changing the method of encryption. Instead of fully encrypting a file, parts are encrypted. As a result, the file is still unusable, but the time it takes to encrypt it becomes much shorter. The Agenda ransomware offers several options in how files are partially encrypted.
The Lampion malware is currently being spread through phishing campaigns using WeTransfer. Be aware of the sender of any request and be alert when downloading documents, even if they are sent via WeTransfer.
Operational technology is increasingly being targeted by cybercriminals. Once exposed to the Internet, this equipment also becomes vulnerable. In that context, several vulnerabilities have been found in medical equipment used to administer medication or nutrition to patients. Measures such as shielding the network with a firewall, network segmentation and timely patching are also necessary for OT equipment!
Malware is spread in very creative ways. For example, a photograph taken by the James Webb Telescope is used as a lure in a Golang-based malware campaign.
Phishing emails with a Microsoft Office attachment act as the entry point to the attack chain. If the attachment is opened, it retrieves a hidden VBA macro, which in turn is automatically executed if the recipient enables macros.
Go seems to be growing in popularity among cybercriminals given the language's cross-platform support. This allows cybercriminals to effectively use a common codebase to attack different operating systems. Be aware of the sender of the mail and the attachment and be careful about enabling macros.
Another new malware written in Go is the BianLian ransomware. This ransomware was first seen in mid-July. The cybercriminals behind this ransomware claim that 15 organizations have now been victimized. By the way, BianLian is separate from the banking trojan of the same name!
Furthermore, a new ransomware strain written in Golang has been discovered. This ransomware, called Agenda, targets healthcare and educational institutions in Indonesia, Saudi Arabia, South Africa and Thailand. A characteristic of Agenda is that it can reboot systems in safe mode and has multiple modes to run.
Finally, QNAP is urging users of its Photo Station software to update their NAS device immediately. The reason is that a vulnerability in this software is being exploited by cybercriminals behind the Deadbolt ransomware.
Make sure you know what systems and applications are being used within your organization and install updates as soon as possible. Further, make sure your employees are aware of the importance of updating, not only for their business devices but, given the intertwining of business and private use, also for their private environment.
Critical vulnerabilities still allow cybercriminals to gain access to systems and data. Alternatively, these vulnerabilities can be exploited by cybercriminals to increase their privileges within your systems.
Last Friday, CISA (the U.S. Cybersecurity and Infrastructure Security Agency) added ten new, actively exploited vulnerabilities to its list. These vulnerabilities include: CVE-2022-26352 – dotCMS Unrestricted Upload of File Vulnerability, CVE-2022-24706 – Apache CouchDB Insecure Default Initialization of Resource Vulnerability, CVE-2022-24112 – Apache APISIX Authentication Bypass Vulnerability and CVE-2022-22963 – VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability.
In addition, a critical vulnerability was discovered in Atlassian Bitbucket Server and Atlassian Data Center. More information on versions and updates is available on the Atlassian Confluence website.
Furthermore, a detailed blog has been published regarding two vulnerabilities in WatchGuard Firebox and XTM appliances. The vulnerabilities in question are CVE-2022-31789 and CVE-2022-31790. Software patches for both vulnerabilities were published by WatchGuard in June 2022. The vulnerabilities and associated software patches are discussed in more detail in the following security advisories from the manufacturer:
The blog contains sufficient detail to exploit the software vulnerabilities. Therefore, the advice is to apply the software patches as soon as possible.
Finally, LockBit, a group that carries out ransomware attacks, has warned of the use of triple extortion, a tactic that further hardens the battle between attackers and victims. If the ransom for the hostage data is not paid, the threat is not only to publish the data, but also to carry out a DDoS attack on the already affected organization. This puts even more pressure on the victims to pay up.
Updating systems and applications remains important to keep cybercriminals out. Apple has released an update to fix two actively exploited zero-day vulnerabilities that allow attackers to gain full control of a system. If possible, the advice is to install the updates as soon as possible.
Research shows that more than 80,000 Hikvision cameras are still vulnerable. An update to fix this vulnerability was released almost a year ago. Thousands of systems, in use by some 2,300 organizations in more than 100 countries, still appear to be vulnerable.
If your organization is hit by a ransomware attack, the first priority is to repel it and limit the damage as much as possible. In doing so, it is important not only to take measures to prevent a new attack from the outside, but also to investigate whether there may be traces of other attackers. In this case, an organization was hit by three different groups in the space of two weeks.
In recent weeks there have been many reports of ransomware attacks in the media. Artis, home shopping chain Casa, dental chain Colosseum Dental Benelux, supermarket chain 7-Eleven and the British water company South Staffordshire Water: these days every organization that has data is interesting for cybercriminals. In the case of the water company, the attackers claim to have far-reaching control over the systems that allow them to alter the chemical composition of the water.
We also see a lot of activity on the development side. BlueSky Ransomware is an emerging family that uses various techniques to circumvent security measures. BlueSky targets Windows systems and uses “multithreading” to encrypt files even faster. Therefore, make sure that you have basic measures arranged such as network segmentation, creating and being able to restore backups and installing available updates.
In addition, new functionality has been added to the SOVA malware to encrypt Android devices. The SOVA malware targets more than 200 apps for banking, crypto trading and digital wallets, stealing user data and cookies.
Furthermore, Palo Alto has issued an alert regarding a critical vulnerability, CVE-2022-0028, in its PAN-OS that is currently being exploited. This software flaw allows a specific misconfiguration, which in turn allows an attacker to use the firewall to carry out a reflected DoS attack on another target on the Internet.
Finally, VMware has published an advisory regarding a number of vulnerabilities. By combining two of these vulnerabilities, unauthenticated remote code execution becomes possible. Patches are available; the advice is to install them as soon as possible.
All devices connected to the Internet are vulnerable to an attack by cybercriminals. This includes VoIP servers and phones. Elastix VoIP phone servers and VoIP phones that use Digium software are vulnerable to a campaign designed to exfiltrate data by downloading and executing scripts or malware that allows cybercriminals to gain control over (parts of) the system.
Besides servers, cell phones and PCs, PLCs (Programmable Logic Controllers) and HMIs (Human Machine Interfaces) are also vulnerable to the Sality malware. Cybercriminals have managed to infect these industrial control systems. Sality creates a peer-to-peer botnet that is used for password cracking and cryptocurrency mining, for example.
Furthermore, a phishing kit is active that targets PayPal users and attempts to steal a large set of personal information from them. This kit is hosted on legitimate WordPress websites that have been hacked.
In addition, there is a large-scale attack on WordPress sites using the Kaswara Modern WPBakery Page Builder Add-on. This contains security vulnerability CVE-2021-24284 that allows unauthenticated attackers to upload malicious PHP files to gain control of the website. As there is no security update available and the add-on is now no longer offered, the advice is to remove this plug-in.
In all cases, it is important to use multifactor authentication and good network segmentation as much as possible.
When it comes to spreading malware, one usually thinks of methods such as an attachment in an e-mail, updates outside the official stores or visits to dubious websites. PennyWise is a malware that poses as a Bitcoin mining application that can be downloaded from YouTube. While watching the YouTube video, viewers are persuaded to download a file presented as safe. However, that file does not contain the Bitcoin software but the PennyWise malware. Therefore, be alert when it comes to downloading and installing software and only use the regular stores.
Updating software remains essential. Microsoft released new patches for 84 vulnerabilities last Tuesday, including for a critical vulnerability (CVE-2022-2294), which is currently being actively exploited.
Furthermore, a new phishing campaign has been spotted that takes advantage of the attention to the recently published Follina vulnerability. This campaign is used to spread Rozena malware. The starting point for this attack chain, observed by Fortinet, is an infected Office document that, when opened, connects to a Discord CDN URL to retrieve an HTML file (“index.htm”). This HTML file in turn invokes the diagnostic utility using a PowerShell command after which the next step in the attack chain is taken. Therefore, make sure your people are aware of the type of emails they receive and which attachments they open.
A new type of ransomware called Session Manager is currently active. This rogue session manager is disguised as a module for Internet Information Services (IIS) and exploits one of the ProxyLogon flaws in Microsoft Exchange servers. The use of this backdoor, and the fact that this ransomware is so far poorly detected by virus scanners, enable cybercriminals to operate undisturbed. Updating systems and setting up multi-factor authentication are important to keep cybercriminals out.
In addition, the FBI is warning about the MedusaLocker ransomware. This ransomware is brought into organizations by cybercriminals through vulnerable RDP connections and by employees opening infected email attachments. Some measures you can take right now to reduce the risk: disable unused ports, make sure systems are updated as soon as possible and make sure employees are alert to phishing messages.
The latest research data from WatchGuard Threat Lab shows that the number of ransomware detections in the first quarter of 2022 is double the total reported volume in 2021. Therefore, make sure your organization has basic cyber hygiene in place and is prepared for a cyber incident.
The annual Cybersecurity Beeld Nederland (CSBN), drawn up in collaboration with the National Cyber Security Centre (NCSC), shows that the digital resilience of many organizations in the Netherlands is still insufficient. Making and testing backups or introducing multi-factor authentication are basic measures that have not (yet) been adequately implemented in every organisation.
The developments within cybersecurity are moving at lightning speed. Cybercriminals are constantly inventing new ways to penetrate organizations. All equipment with a link to the Internet is vulnerable, including cameras, climate control systems and systems for Internet telephony. Recently, a zero-day vulnerability in a Mitel VoIP server was used to carry out a ransomware attack. A software update for the vulnerability is available. The advice is to update these systems as soon as possible.
Another development is the use of a malware tool that allows cybercriminals to build rogue Windows shortcut (.LNK) files. This tool, Quantum Lnk Builder, allows spoofing of a large number of extensions and offers various possibilities for infecting systems. Quantum Lnk Builder is believed to be affiliated with Lazarus, however, Bumblebee and Emotet also seem to be using .LNK files more and more when attempting to infect a system.
It is important that everyone in the organization knows how to deal with potential phishing emails. A new method is by approaching organizations with an email claiming that the organization is infringing on copyright. In one case, a zip file is sent along with what appears to be a pdf. In practice, however, the file turns out to install ransomware. In the other case, a link is sent along that spreads malware.
Now that multifactor authentication (MFA) is becoming commonplace in more and more organizations, it is becoming more difficult for cybercriminals to log in with stolen user data. By abusing WebView2 apps and stealing the authentication cookies of the intended victim, cybercriminals still try to bypass MFA. MFA is a good way to create a barrier and make accounts extra secure; however, it also requires users to pay attention when applying it.
In a number of cases, a ransomware attack skips the ‘encryption’ step and focuses mainly on stealing information and the threat of publishing it. Be prepared and make sure you have implemented at least the basic measures.
Installing updates is one way to fix vulnerabilities as quickly as possible. This is especially true for vulnerabilities in operating systems. A vulnerability in FreeBSD systems allows cybercriminals to completely take over systems via Wi-Fi. An update for this vulnerability is available. The advice is to install this update as soon as possible.
For an actively exploited vulnerability in Ninja Forms, a WordPress plugin for contact forms, an update is being forced by WordPress to fix this vulnerability. Via the vulnerability, cybercriminals could execute arbitrary code on the website or delete arbitrary files.
Further, the advice is to install the security updates for Citrix Application Delivery Management. These updates fix a problem where cybercriminals could reset admin passwords. This affects all supported versions of Citrix ADM server and Citrix ADM agent (for example, Citrix ADM 13.0 prior to 13.0-85.19 and Citrix ADM 13.1 prior to 13.1-21.53).
Finally, Microsoft sees that the BlackCat Ransomware group is still attacking Microsoft Exchange systems that have not yet been updated. According to FBI figures, at least 60 organizations have been victimized between November 2021 and March 2022. Updating systems is an essential step in keeping cybercriminals out.
Many organizations use IT suppliers to a greater or lesser extent, for example to supply software. IT suppliers are thus connected to a large number of different organizations. These connections mean that these suppliers are becoming increasingly popular with cybercriminals. To illustrate, in 2021 there were 28 reports of data breaches at IT suppliers, resulting in 18,000 reports from organizations doing business with these IT suppliers. With the basics in place, we provide some tools to improve cybersecurity within your organization. Also ask your IT vendor about how they handle data and what measures they have in place to reduce the risk of a cyber incident.
The United States Cybersecurity and Infrastructure Security Agency (CISA) has added 36 new vulnerabilities to its overall list. These 36 vulnerabilities are currently being actively exploited and are located in software and systems from Cisco, Netgear, Adobe and Microsoft, among others. We recommend checking whether your systems are vulnerable and updating them as soon as possible.
Several vulnerabilities have also been found in the A8Z3 thermal imaging camera that allow the device to be taken over by cybercriminals. Several vulnerabilities have also been discovered in the LenelS2 HID Mercury access control system that, for example, allow remote unlocking and locking of doors.
Furthermore, researchers have discovered new Linux malware, Symbiote. This malware infects all running processes on compromised systems, stealing user data and giving cybercriminals access. The malware is difficult to trace; however, by monitoring anomalous DNS requests this malware could be discovered.
Finally, the Emotet banking trojan is once again causing a stir. This malware makes use of various Office attachments and in its renewed version is able to bypass the security scanners of email gateways. In addition, it steals credit card data. Therefore, make sure that users store login data and confidential information, such as credit card data, in a password manager, for example.
The developments in the field of cybercrime are moving fast. This makes it a great challenge for many organisations to keep up with all the (possible) threats. A new initiative to bundle this information and distribute it quickly is cyberteletext: teletext as we all know it, but with the latest vulnerabilities and the latest news on cyber security.
Last week a warning was issued for a vulnerability in Atlassian Confluence. Updates are available. The advice is to install them as soon as possible. If patching is not possible, Atlassian has described a number of additional mitigating measures.
Google has remedied some vulnerabilities in Android by making patches available. The vulnerabilities CVE-2022-20130 and CVE-2022-20127 make it possible to remotely access Android phones and execute code. There are updates for Android 10, 11, 12 and 12L.
Recently, a new type of phishing campaign has been identified. Microsoft Word documents containing VBA macros are emailed as attachments. These macros then run shellcode contained in the document properties to install SVCReady malware. This malware can collect system information, take screenshots and download documents, among other things. It remains important to stay alert to phishing.
Cybersecurity companies from the US are warning against Chinese hackers. By exploiting vulnerabilities in telecom suppliers, they try to intercept and steal network traffic. They then try to obtain log-in data and use this to log in. Eventually, the attackers can forward the network traffic to their own infrastructure. The advice is to keep all systems up-to-date. A patch management system can help with this.
VMware has released security updates to address vulnerabilities in Workspace ONE Access, Identity Manager, vRealize Automation, Cloud Foundation and vRealize Suite Lifecycle Manager. The vulnerabilities allow cybercriminals to gain administrator rights. A proof of concept is available for vulnerability CVE-2022-22972. The advice is to install the available security updates as soon as possible.
Microsoft also warns of a new vulnerability, CVE-2022-30190. To exploit this Microsoft Office RCE vulnerability (Follina), a cybercriminal needs a user to open a Word document. These documents are often shared by e-mail; therefore the advice is, as with phishing, to make users aware of the risk of opening files from the mail if they come from an unknown sender or if it is a file that you don’t expect. A service update and an article with guidance are available, although at this moment there is no patch available yet.
The annual Verizon Data Breach Investigation Report (DBIR) shows that globally, web application attacks are increasingly responsible for cybersecurity incidents in healthcare. The healthcare sector is increasingly being attacked by cybercriminals and is also more often the victim of ransomware attacks. Most of the attacks have a financial motive, according to the report.
Ransomware groups are known for taking your files hostage. Recently we hear about a group that pretends to have other motives. RansomHouse is a ransomware group that uses a different business model, focusing primarily on data exfiltration. The motivation for this group is that they want to use extortion to point out to organizations that they are not investing enough in the security of their data, networks and systems or that they are not respecting their bug bounty program. The group claims that after payment it will help the affected organization to protect itself against future attacks. In addition, the affected organization receives a report describing which vulnerabilities were used and how they were used to gain entry.
The 2022 SaaS Security Survey Report identifies the risks and dangers associated with the use of SaaS solutions. In particular, configuration errors are cited as the cause of cybersecurity incidents. One of the reasons for this is that several departments have access to the security settings, without the people being trained or having cybersecurity as their focus area.
Cisco warns of an actively attacked vulnerability in IOS XR router software, which allows attackers to access the Redis database and modify information there, write arbitrary files to the container file system, and retrieve information about the Redis database. An update is available, the advice is to install it as soon as possible.
Educational institutions with a WordPress website that use the premium tool ‘School Management’ are currently vulnerable due to a backdoor in this plug-in. The plug-in provides educational institutions with capabilities such as scheduling distance education, attendance tracking, expense tracking, enrolling new students, and document management. The vulnerability allows cybercriminals to run arbitrary PHP code, access or alter the website’s contents, elevate privileges and assume complete control of the site. An update is available (version 9.9.7); please update to the most recent version as soon as possible.
Last week a political agreement was reached on new European regulations in the field of cybersecurity, NIS 2. Important changes are that the regulations will also apply to medium-sized and large organizations and that the number of sectors that are considered critical has been expanded. Some aspects mentioned in NIS 2 are patching vulnerabilities, risk management measures and the period within which incidents must be reported to the authorities.
A critical vulnerability in Zyxel firewalls allows cybercriminals to execute arbitrary code remotely. This includes downloading malware or misusing other vulnerabilities to penetrate the network. The vulnerability applies to both firewalls and VPNs. We have now received the first signals that this vulnerability is also actively being used by cybercriminals. An update is available; our advice is to update this equipment as soon as possible.
The update advice also applies to SonicWall SMA1000 series 6200, 6210, 7200, 7210 and 8000 devices with firmware versions 12.4.0 and 12.4.1. Cybercriminals can access internal resources and send potential victims to rogue websites.
Linux and Solaris (Unix) systems are also under attack by cybercriminals. For example, malware called BPFdoor has recently been discovered, which has been targeting Linux and Solaris systems undetected for the past five years. The malware allows cybercriminals to remotely connect to a Linux shell to gain full access to an infected system. The malware has gone undetected for so long because the command & control connection is initiated from outside. A firewall offers no protection against this malware, and the malware can respond to commands from any IP address. A set of technical indicators (YARA rules, hashes) is now available with which you can scan a Linux or Solaris system.
Cybercriminals are constantly developing new ways to spread malware. In addition, we now also see that cyber criminals don’t stick to one specific way when spreading. This flexibility, combined with an increasing freedom of choice, means that organizations must be constantly alert and avoid tunnel vision when implementing cybersecurity measures.
Mandiant has researched worldwide trends in cybersecurity incidents, such as ways to distribute malware, and published them in an annual report. They state, among other things, that we have all become better at detecting incidents more quickly. In response to our efforts, attackers will of course remain flexible. At 37%, exploiting a vulnerability is still the most common way for attackers to get in. Phishing is a far less popular method, at only 11%. The statistics on supply-chain attacks are striking. We all remember last year’s attack on Kaseya. These attacks are rapidly gaining popularity, rising to 17% from 1% the year before.
We continue to see that exploiting vulnerabilities is a common way for attackers to get in. It is therefore extremely important to ensure that the management of hardware and software within your organization is in order. That is, keeping a good record of what hardware and software is in use, and ensuring that it is kept up-to-date. Qualys can help you with this. By ensuring that timely action is taken on security updates, you reduce the attack surface within your organization.
There is also a warning about Raspberry Robin, where malware is spread via USB sticks. Make sure your employees are aware of the risks associated with using unknown external equipment.
The NSA and FBI, along with cybersecurity agencies from multiple countries, have compiled an overview of the key vulnerabilities exploited in 2021. Unfortunately, these vulnerabilities are still causing victims today. The overview includes Proxylogon and Log4Shell. In addition to these most commonly used vulnerabilities, new vulnerabilities are regularly added that pose a potential threat to your organization.
Another vulnerability that is currently being actively exploited is the vulnerability in VMware Workspace One. Therefore, make sure you stay informed about new updates and install them as soon as possible.
Updating systems and software does not only apply to the business environment, but also to devices that are intended for home or personal use. The government has now obliged sellers of digital products to keep them working and safe. This means that there will also be software updates for smart TVs, printers and cameras, for example. Also in this case: make sure you know which equipment is connected to the internet and update this equipment as soon as possible, where possible.
Furthermore, Onyx ransomware seems to destroy files larger than 2MB instead of encrypting them. According to researchers, the data in the files is overwritten with worthless data during encryption, so that decryption no longer yields the original file information even after the ransom has been paid. Since the same encryption routine has been seen with Chaos ransomware, it seems that overwriting is not a flaw in the encryption but a deliberate choice. Therefore, always ensure that you take timely action when a new vulnerability is published.
Among other things, cyber criminals use vulnerabilities in software to penetrate organizations. At least eighty zero-day vulnerabilities were used in 2021, more than a doubling compared to 2020. Three quarters of the zero-days discovered last year exploited vulnerabilities in products from Apple, Google and Microsoft. Therefore, install the available patches as soon as they are published.
Cisco, QNAP and Oracle, among others, released updates last week. In the case of Cisco, to address a serious vulnerability in the Cisco Umbrella Virtual Appliance (VA); this vulnerability allowed attackers to remotely steal administrative credentials. QNAP has released an update for its NAS systems related to Apache HTTP vulnerabilities. Oracle has announced and fixed 520 new vulnerabilities in its April update.
Research further shows that malware groups still heavily use phishing to infiltrate. With new measures against the use of macros in Microsoft Office documents, these groups are looking for ways to get around these cybersecurity measures. Make sure your people are prepared for these phishing scams.
Several updates were released last week for critical vulnerabilities that are being actively exploited. Google released an emergency patch for an actively attacked zero-day vulnerability in Chrome, and Microsoft Windows and VMware Workspace ONE Access have also released patches. The advice is of course to install available patches as soon as possible.
In previous #WakeUpWednesday posts, we reported on various variants of malware targeting mobile phones. Research by Proofpoint shows that in February there was a 500% increase in the number of attempts to deliver malware for mobile devices in Europe. Malware for mobile devices is becoming more sophisticated. This involves recording telephone and video calls, stealing audio and video recordings stored on the device and destroying data stored on the device. Be alert for messages containing links, voice messages, or notifications for updating apps outside the regular app stores.
Mobile phones play an increasingly prominent role in our lives, both professionally and privately. Therefore, be aware of malware that targets Android devices. The Android malware Octo is a new version of ExoCompact, the source code of which was leaked in 2018. The most dangerous thing about the updated variant is that the cybercriminal can remotely take control of the device and perform malicious actions via the victim’s device. Only update apps with versions released through official channels, such as the App Store or Google Play.
Another malware campaign currently seen in practice is aimed at the distribution of the new information-stealing malware META. META is growing in popularity among cybercriminals and is currently actively used in attacks. It is deployed to steal passwords stored in Chrome, Edge and Firefox as well as cryptocurrency wallets. META is distributed in the traditional way, as a mail attachment. Be alert if you receive attachments from strangers and be careful when enabling macros!
Other information-stealing malware currently in active use includes FFDroider and Lightning Stealer. These also target passwords stored in Chrome, Edge and Firefox. FFDroider is distributed via cracked versions of installers and freeware, with the main purpose of stealing cookies and credentials associated with popular social media and e-commerce platforms. The stolen information is then used to log into those accounts in order to harvest further personal account-related information. Lightning Stealer works in a similar way and can steal Discord tokens, cryptocurrency wallet data, and details related to cookies, passwords, and credit cards.
During the patch Tuesday of April 2022, Microsoft released patches for 119 new vulnerabilities. The most severe vulnerability is a remote code execution vulnerability in the Remote Procedure Call Runtime, registered as CVE-2022-26809. This vulnerability allows an unauthenticated remote attacker to execute code with the same privileges as the RPC service. This service operates in the context of the system user account Network Service.
VMware has published Security Advisory VMSA-2022-0011 covering eight different CVEs in VMware Workspace ONE Access. Three of these CVEs have a score of 9.8 and are the subject of this writing: one Remote Code Execution and two Authentication Bypass vulnerabilities. The Remote Code Execution vulnerability also exists in the following related VMware products: VMware Identity Manager, VMware Cloud Foundation and vRealize Suite Lifecycle Manager.
Cyber incidents are often caused by critical vulnerabilities that are not adequately addressed, by configuration errors or by users inadvertently sharing their data with third parties.
Zyxel warns of a critical vulnerability that could allow cybercriminals to gain administrative access to the firewall. Install the software updates as soon as possible.
Totolink routers that have not received the latest software updates are vulnerable to a variant of the Mirai botnet. The variant, called Beastmode, has five new exploits, three of which target various Totolink routers. Here too, the advice is to update the software as soon as possible, where possible.
In addition to the notification for Totolink routers, there is also a warning for users of D-Link routers. The vulnerability, designated CVE-2021-45382, resides in the D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L. These models are end-of-life, so no new updates will be released. It is therefore advised to take these models offline as soon as possible and to replace them with newer routers.
Borat, a new remote access trojan (RAT), offers cybercriminals several options for attacking. For example, Borat can be used as ransomware, as spyware, or for DDoS attacks. Borat lets the attacker choose how to deploy the malware, so be careful about which software is installed and only download applications from reliable sources and websites.
It is nothing new that critical vulnerabilities are used by cybercriminals to gain access to third-party systems and data. However, we see that various vulnerabilities are still being exploited, despite patches being released. Updating systems and applications is an essential part of a good cybersecurity policy.
For example, Log4j is still actively abused by cyber criminals to install backdoors that can be used at a later stage. In addition, Log4j is actively being exploited to install cryptocurrency miners on vulnerable VMware Horizon servers.
A new phishing campaign, aimed at hijacking existing email conversations, is being used to spread the IcedID info-stealing malware. This campaign makes use of vulnerabilities in Microsoft Exchange for which software updates are already available.
Sophos has announced that the critical vulnerability in its firewall software is currently being actively exploited. A hotfix is available; we recommend installing it as soon as possible.
The number of attacks that use zero-day vulnerabilities (vulnerabilities that have not been discovered or exploited before and for which no update is yet available) doubled in 2021, according to Rapid7.
We advise you to ensure that your systems have the latest software updates, if possible. Make sure your employees are alert and use network segmentation to ensure that attackers cannot penetrate the entire company network unhindered.
Why do things the hard way? That is why many portals allow users to log in with a Google account, Apple ID or Microsoft account. Their popularity means that these login screens are also popular with cyber criminals, who use them in their phishing campaigns. Recently, a new phishing toolkit has become available that makes it easy to counterfeit Chrome browser login windows. Be careful where you log in and use multi-factor authentication if possible.
The FBI warns organizations in critical sectors about AvosLocker ransomware. These ransomware attacks exploit vulnerabilities in Microsoft Exchange. Updates are available for the vulnerabilities used, including ProxyShell. Make sure your systems have the latest security updates.
Qualys research shows that 30 percent of applications, servers and other systems using Log4j are still vulnerable to cyber attacks. This vulnerability puts you at risk because cyber criminals could take over your system remotely. Therefore, install the security updates if possible or take mitigating measures if updating is not possible.
At the beginning of March 2022, we saw a new variant of the Lorenz ransomware. However, there is a big difference between the files encrypted by this ransomware and files encrypted by an earlier version. The main difference: decryption is not possible after paying the ransom. However, our specialists managed to create a decryptor that can decrypt the files.
Cyber criminals are inventive. Time and again they find new ways to spread malware and gain access to third-party systems. In this #WakeUpWednesday, we give three examples.
For example, contact forms on websites are used to distribute the Bazar Backdoor malware. By requesting a quote, a conversation is started. Following the initial request, an ISO file is sent during the conversation, supposedly containing additional information relevant to the request. By delivering this additional information through file sharing services such as WeTransfer and letting people unpack the files themselves, an attempt is made to evade security controls.
Add-ons for popular online games are also used. In this example, a YouTube channel is promoting an add-on for the popular game Valorant. Users who want to download the add-on are directed to a page where they can download a RAR file. This contains an installation file that does not install the add-on for the game, but RedLine stealer, malware that focuses on stealing passwords, among other things.
We close the list with Escobar, Android malware aimed at stealing Google Authenticator MFA codes. Escobar is the enhanced version of the Aberebot Android banking trojan. In addition to the MFA codes, the malware is also able to take control of the device by using VNC. The options for recording sound and using the camera also enable the malware to retrieve user data. All of this, of course, with the ultimate goal of obtaining enough data to gain control over the victim's bank accounts.
In addition to IT systems, OT systems are increasingly faced with cybersecurity threats. Research by Dragos shows that the number of vulnerabilities has doubled in 2021 compared to 2020. Ransomware is the biggest threat.
A Linux vulnerability that affects all kernels since version 5.8, including Android, has been disclosed under the name Dirty Pipe (Linux Kernel Exploit). This vulnerability allows data to be overwritten, even in files that are read-only. This can be used to escalate privileges, allowing local users to gain root privileges. QNAP's NAS operating systems QTS and QuTS hero also use the Linux kernel and are therefore vulnerable.
Finally, we also keep a close eye on developments related to Wiper malware. A new version, RuRansom, is not ransomware, even though the name suggests otherwise. In this case too, it concerns Wiper malware that, for the time being, affects systems with an IP address that can be related to Russia.
Cybercrime can focus on disrupting primary business processes or disrupting critical services. For example, last week not only were satellite connections affected, but 5,800 wind turbines in Germany and central Europe were also taken offline.
Nvidia has fallen victim to cybercrime in several ways. In addition to the fact that malicious parties stole a terabyte of data during an incident, two stolen driver-signing certificates are being used to spread malware. Even though the certificates have expired, Windows still accepts drivers signed with them. Finally, the stolen data is being used to pressure Nvidia into changing the firmware for specific series of graphics cards (GeForce RTX 30 Series). The change is intended to support the crypto mining industry, among other things.
Furthermore, various vulnerabilities have been patched in Exchange Server and Android. The vulnerability in Exchange Server (CVE-2022-23277) has an impact score of 8.8 and allows remote code execution. The problem affects Exchange 2013, 2016 and 2019. An authenticated attacker can use this vulnerability to execute code with elevated privileges. The vulnerability in Android likewise allows privilege escalation. Updates have been made available for Android 10, 11 and 12.
Install the available software updates as soon as possible. Also be aware of updates that are made available for all kinds of other systems that you have connected to the internet at home.
Over the past week we have noticed that the situation concerning Ukraine has escalated both physically and digitally. The Tesorion Threat Intelligence team has been monitoring various open sources since mid-January. We see that attacks in Ukraine are increasing drastically and that wiper malware, among other things, has been detected. The purpose of this malware is to completely disable the affected computers. This is different from ransomware, where files are encrypted and the attackers make ransom demands. With a wiper, the files are destroyed and there is often no way back. Therefore, be extra vigilant with e-mail messages, phone calls and approaches via social media.
The Dutch fraud helpdesk states that in the first six weeks of 2022, more than 10.5 million euros in damage has already been suffered due to CEO fraud, fake telephone calls and misuse of company names. In addition to training the cyber awareness of employees, it is also important as an organization to know what is being published about your organization, especially on the deep and dark web. Think, for example, of stolen login details with which cyber criminals can gain access to your systems.
Research by Fortinet shows, among other things, that ransomware is not only increasing, but also becoming more aggressive and devastating. In addition, the Global Threat Landscape Report shows that Linux systems are also increasingly being targeted. Make sure your organization is prepared and invest in increasing the cyber awareness of your employees.
The widely used Microsoft Teams now also appears to be used by hackers. They use the platform to spread malware. By logging in with data obtained through phishing or bought on the dark web, the hacker can share a file. As soon as this file is opened by another user, the malware starts working, with all its consequences. Make sure your employees are resilient and alert when it comes to phishing and opening unknown files.
A malicious app has been found in the Google Play Store. The app Fast Cleaner pretends to be an app that will clean up the device and thus improve battery life, while in reality it installs banking malware during an invisible update. There have already been more than 50,000 downloads of this app, despite reviews pointing out its malicious intent. Be vigilant about the apps you install and don’t simply trust everything.
The popular WordPress plugin UpdraftPlus suffers from a critical vulnerability (known as CVE-2022-0633) that allows any website user to download the latest database backup, which may contain privacy-sensitive information. Normally this backup should only be available to a select group of users, but due to this vulnerability even users with the lowest privileges can download it. Because of the critical situation, WordPress has forced the update (version 1.22.3 or 2.22.3) on millions of websites.
In last week's update we already mentioned the vulnerability in Adobe Commerce and Magento Open Source. Since then, another vulnerability has been discovered with a CVSS score of 9.8 (CVE-2022-24078). It also appears that the Log4j vulnerability, which came to light at the end of 2021, is still being abused. Furthermore, VMware recently made updates available for 6 vulnerabilities with CVSS scores ranging between 5.3 and 8.8. We keep emphasising it: keep your software and devices up to date to stay ahead of cyber attacks.
Last week the news came out that the well-known ransomware group Conti and the TrickBot group have joined forces. This strengthens their position and gives them the opportunity to develop better malware. Ransomware attacks continue to keep us busy, so protect your organisation against them.
Several companies have made updates available in the past week due to critical vulnerabilities. It is important to always keep your devices and software up to date, part of having your basics in order.
First of all, Apple released an update last week. It fixes a vulnerability, known as CVE-2022-22620, in WebKit, a basic component commonly used in browsers. After exposure to malicious web content, this vulnerability can be used to execute code on Apple devices. Update your devices to the latest software versions to avoid being vulnerable. Adobe also released an update to patch a critical vulnerability known as CVE-2022-24086. It concerns a vulnerability in Adobe Commerce and Magento Open Source. Lastly, Google has also released an update for the Chrome browser. The update will be installed automatically in the course of time, but this can already be done manually. This update fixes several vulnerabilities, some of which have also been labelled critical.
A German group of hackers, the Chaos Computer Club, recently found more than 50 data leaks at various companies and organisations, including the Dutch Ministry of Health, Welfare and Sport. By means of various vulnerabilities, including database servers without authentication and unsecured MySQL servers, the hackers were able to access all kinds of personal data. All data breaches have been reported to the companies concerned and most of them have taken action to resolve the vulnerabilities. The group did not make use of the data found, but unfortunately this often happens. Make sure you protect your data, for example by using encryption, and do not become a victim of a data breach.
With the attacks on several companies in the oil industry and an attack on freight handler Swissport, there is currently a lot of activity in the field of ransomware again. The impact of the attacks on business processes is significant. Loading and unloading ships is not possible or is subject to significant delays. Also at Swissport, part of the IT systems for scheduling personnel, aircraft and freight are temporarily unavailable.
In recent weeks, much has been said and written about the mandatory app for Olympic athletes, counselors and journalists. In addition to the advice to leave your own devices at home and not to take them to China, it is good to be aware of possible risks in the field of cybersecurity.
Be aware of the information you share, including on business platforms such as LinkedIn. Information such as your job description, information about systems and applications used can be used by cyber criminals. According to the AIVD, for example, Chinese and Russian secret services have approached thousands of employees at Dutch high-tech companies with the aim of corporate espionage.
Updating applications and systems is essential for your cybersecurity. For example, the Apache Log4j vulnerability is currently being actively exploited. Furthermore, a vulnerability in Microsoft Defender allows cybercriminals to evade malware detection.
We continue to emphasize that installing security updates is extremely important. However, criminals also abuse this by making fake updates for software that contain malware or ransomware. Microsoft Edge users, for example, were confronted with a fake update, as were users of Adobe, Google Chrome and Firefox. So always make sure that you only download updates from the supplier itself and not from another party.
Ransomware is a major threat to the continuity of business processes and thus to the existence of an organization. In addition to holding the data hostage, organizations are put under pressure by the threat that the data will be made public. To reinforce that threat even more, social media is now also being used. This puts even more pressure on organizations to pay the ransom.
Another rather daring and unorthodox method that has recently been deployed is to call individuals whose details have been found in the data set held hostage. They were put under pressure with the aim of motivating the organization whose data had been held hostage to pay.
Data is valuable, also for cyber criminals. No organization is spared, as became apparent from the hack on the Red Cross. Data of more than 500,000 people, many of them vulnerable, was stolen.
In addition, cyber criminals have managed to use more than 2,000 corporate email accounts in various spyware campaigns. Kaspersky’s investigations revealed that the spyware was distributed via an email attachment. If the employee opens the attachment and the spyware successfully infects the system, the username and password of the employee in question are sent to the cyber criminal. The attacker can gain access to the system with the stolen data and then further spread the spyware among the employee’s contacts.
It is nothing new for cyber criminals to exploit known vulnerabilities long after they are disclosed. In early December, we warned about critical vulnerabilities in the SonicWall SMA 100 series. A warning was issued this week that these vulnerabilities are currently being actively exploited. There is no workaround available; the advice is to update the software as soon as possible.
Logging is important, for example, to find out how cyber criminals got in. Nevertheless, Cisco research shows that due to a lack of logging, the attack vector is unknown in most incidents. Where the attack vector is known, in most cases the cause appears to be phishing, or applications that are accessible via the internet. Train the cyber awareness of your employees and ensure that vulnerabilities in the software are fixed as soon as an update is available.
In the #WakeUpWednesday we regularly report incidents where there is a need and urgency around patching. Incidents are also regularly discussed where increasing awareness can help increase cyber security.
Over the past week, the Apache Foundation, which manages Apache Log4j, OpenOffice and the Apache web server among others, warned against the use of end-of-life software. Users are still being attacked through old vulnerabilities in Apache software that is no longer supported and/or maintained.
Updates have also been released for the LUKS disk encryption software for Linux. Making backups and making sure that they cannot be changed afterwards is one of the basic measures within cybersecurity. The LUKS encryption software contained a critical vulnerability (CVE-2021-4122) that allowed decryption without entering the passphrase.
Due to the combination of a weak administrator password and the use of a weak encryption algorithm, private data of nearly 7 million end users of the Open Subtitles website has been stolen and made public. The email addresses have been added to the data leak search engine Have I Been Pwned.
The Log4j vulnerability has an impact on many systems. For example, the British health service warns against abuse of the vulnerability in VMware Horizon. The software uses Apache Tomcat which in turn uses Log4j. Despite the fact that VMware patches were released in December, attackers are actively looking for systems that are not yet equipped with the available patches.
A new vulnerability has been discovered affecting the H2 database console. This vulnerability stems from the same root cause as Log4Shell: remote loading of classes via JNDI. Because the H2 database engine is also widely used, just like Log4j, the reach is large. The vulnerability (CVE-2021-42392) affects H2 database versions 1.1.100 to 2.0.204. The advice is to update to version 2.0.206 as soon as possible.
During the January patch Tuesday, Microsoft released patches for 96 new vulnerabilities. The most severe vulnerability is a remote code execution vulnerability in http.sys, registered as CVE-2022-21907. This vulnerability allows an unauthenticated attacker to execute code on an affected system by sending a specially crafted request or response. We advise you to check whether your products are listed and to apply the required patches or workaround as soon as possible.
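To find out whether an affected H2 build is present on a system, the jar's manifest version can be compared against the range given above. The following checker is an added example, not code from Tesorion or the H2 project; it assumes the jar's META-INF/MANIFEST.MF carries an Implementation-Version header, as Maven-built jars commonly do, and uses the affected range and fixed version stated in the text.

```python
"""Flag H2 database jars whose version falls in the range reported for CVE-2021-42392.

Added example (not Tesorion or H2 project code). Assumptions: the jar manifest
carries an Implementation-Version header, and the affected range is the one
stated in the advisory text: 1.1.100 up to and including 2.0.204, fixed in 2.0.206.
"""
import io
import re
import zipfile
from pathlib import Path

AFFECTED_FROM = (1, 1, 100)   # first affected version named in the text
AFFECTED_TO = (2, 0, 204)     # last affected version named in the text
FIXED = (2, 0, 206)           # recommended upgrade target

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '1.4.200' (optionally with a suffix) into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised H2 version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True when the version lies inside the affected range (inclusive)."""
    return AFFECTED_FROM <= parse_version(version) <= AFFECTED_TO


def manifest_version(jar_bytes):
    """Read Implementation-Version from a jar held in memory; None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    # Manifest headers are "Key: value" lines; the version header is short
    # enough that it is never wrapped onto a continuation line.
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            return value.strip()
    return None


def assess_jar(name, jar_bytes):
    """Classify one jar as 'affected', 'ok', or 'unknown' (no version found)."""
    version = manifest_version(jar_bytes)
    if version is None:
        return {"jar": name, "version": None, "status": "unknown"}
    status = "affected" if is_affected(version) else "ok"
    return {"jar": name, "version": version, "status": status}


def scan_directory(root):
    """Assess every h2*.jar below root; returns a list of result dicts."""
    return [assess_jar(str(p), p.read_bytes())
            for p in sorted(Path(root).rglob("h2*.jar"))]


def build_sample_jar(version):
    """Constructed sample jar (manifest only) used to exercise the checker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    # Constructed jars: two inside the affected range, one at the fixed version.
    with tempfile.TemporaryDirectory() as tmp:
        for v in ("1.4.200", "2.0.204", "2.0.206"):
            Path(tmp, f"h2-{v}.jar").write_bytes(build_sample_jar(v))
        for r in scan_directory(tmp):
            print(f"{r['status']:8} {r['version']:8} {r['jar']}")
```

Jars reported as "unknown" carry no manifest version and need to be checked by hand; an exposed H2 console on an affected version is the case the advisory is about.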
It is no surprise that cybercriminals are always looking for new methods to penetrate organizations. Nowadays, for example, USB sticks are sent that are very similar in terms of stick and packaging to those of reputable organizations. However, the USB sticks sent contain malware in order to start malicious actions.
The makers of Flubot malware, an Android trojan that targets financial data, have launched a number of new campaigns to spread their malware. Be alert for messages about, for example, updating Adobe Flash Player, fake notifications for software updates outside the Play Store, messages about package deliveries, and so on. Most characteristic is that these messages contain a link that cannot be traced back to the organization in question.
2022 is off to a good start, also in the field of cybersecurity. Google has released a security update for Chrome. Among other things, this new update resolves a critical vulnerability that could allow an attacker to execute arbitrary code on a user’s system without requiring further user action. Executing code naturally enables an attacker to install malware on your computer that can, for example, be used to steal credit card and login details.
Cyber criminals have carried out a supply chain attack on more than 100 companies by adding skimmer code to a video player of a cloud video hosting service. When an organization used the video player on, for example, a website, the malicious code was also added. As a result, the site was infected and credit card data could be stolen.
Cyber security has many aspects. One of the basic measures is to create and restore backups. Determining a backup strategy is therefore part of a business continuity plan. Make sure you know how long your organization, or part of it, may be unavailable (Recovery Time Objective) and how much data loss is acceptable (Recovery Point Objective). Test this process regularly to avoid unpleasant surprises. For example, in December Kyoto University lost 77TB of research data due to an error in its backup system.