Cybersecurity Updates For Week 17 of 2022

New Nimbuspwn Linux vulnerability gives hackers root privileges

A new set of vulnerabilities collectively tracked as Nimbuspwn could let local attackers escalate privileges on Linux systems to deploy malware ranging from backdoors to ransomware.

Security alert: Attack campaign involving stolen OAuth user tokens issued to two third-party integrators

On April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm. Read on to learn more about the impact to GitHub, npm, and our users.

Millions of Java Apps Remain Vulnerable to Log4Shell

Four months after the critical flaw was discovered, attackers have a massive attack surface from which they can exploit the flaw and take over systems, researchers found.

Other news worth mentioning:

Quantum ransomware seen deployed in rapid network attacks
Over 18.8 million IPs vulnerable to Middlebox TCP reflection DDoS attacks
Cybercriminals Using New Malware Loader ‘Bumblebee’ in the Wild
Synopsys to Acquire White Hat Security in $330M All-Cash Deal
Microsoft Azure Vulnerability Exposes PostgreSQL Databases to Other Customers

Cybersecurity Updates For Week 15 of 2022

Microsoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities

Microsoft’s Patch Tuesday updates for the month of April have addressed a total of 128 security vulnerabilities spanning across its software product portfolio, including Windows, Defender, Office, Exchange Server, Visual Studio, and Print Spooler, among others.

Menswear Brand Zegna Reveals Ransomware Attack

Accounting materials from the Italy-based luxury fashion house were leaked online by RansomExx because the company refused to pay.

Critical flaw in Elementor WordPress plugin may affect 500k sites

The authors of the Elementor Website Builder plugin for WordPress have just released version 3.6.3 to address a critical remote code execution flaw that may impact as many as 500,000 websites.

Other news worth mentioning:

CISA Warns Against Russian Hackers Exploiting a Critical Bug
Black-hat hackers: bad to the bone or just victims of society?
No plain sailing: modern pirates hack superyachts’ cybersecurity
Microsoft Takes Down Domains Used in Cyberattack Against Ukraine
VMware Confirms Workspace One Exploits in the Wild

Cybersecurity Updates For Week 11 of 2022

High-Severity DoS Vulnerability Patched in OpenSSL

OpenSSL updates announced on Tuesday patch a high-severity denial-of-service (DoS) vulnerability related to certificate parsing.

CISOs face ‘perfect storm’ of ransomware and state-supported cybercrime

With not just ransomware gangs raiding network after network, but nation states consciously turning a blind eye to it, today’s chief information security officers are caught in a “perfect storm”.

Agencies Warn on Satellite Hacks & GPS Jamming Affecting Airplanes, Critical Infrastructure

The Russian invasion of Ukraine has coincided with the jamming of airplane navigation systems and hacks on the SATCOM networks that empower critical infrastructure.

Other news worth mentioning:

Random number generator enhancements for Linux 5.17 and 5.18
Blockchain blocks identity theft
Leaked Ransomware Docs Show Conti Helping Putin From the Shadows
Meta fined €17 million by Irish regulator for GDPR violations

Cybersecurity Updates For Week 9 of 2022

DORA’s Global Reach and Why Enterprises Need to Prepare

A new cybersecurity regulation is coming to the European financial services sector, and its authority will be felt worldwide.

Shadowserver Special Reports – Cyclops Blink

On 2022-03-03 we sent out a second special report with an additional 673 IPs likely infected with Cyclops Blink, observed on 2022-02-24.

Free HermeticRansom Ransomware Decryptor Released

A free decryptor is out to unlock a ransomware found piggybacking on the HermeticWiper data wiper malware that ESET and Broadcom’s Symantec discovered targeting machines at financial, defense, aviation and IT services outfits in Ukraine, Lithuania and Latvia last week.

Other news worth mentioning:

Conti Ransomware Group Diaries, Part I: Evasion
Conti Ransomware Group Diaries, Part II: The Office
Conti Ransomware Group Diaries, Part III: Weaponry
Russia Releases List of IPs, Domains Attacking Its Infrastructure with DDoS Attacks

Cybersecurity Updates For Week 7 of 2022

Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were privately reported to VMware

Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

The individual vulnerabilities documented on this VMSA have severity Important/Moderate but combining these issues may result in higher severity, hence the severity of this VMSA is at severity level Critical.

Critical Flaw Uncovered in WordPress Backup Plugin Used by Over 3 Million Sites

Patches have been issued to contain a “severe” security vulnerability in UpdraftPlus, a WordPress plugin with over three million installations.

New Linux Privilege Escalation Flaw Uncovered in Snap Package Manager

Multiple security vulnerabilities have been disclosed in Canonical’s Snap software packaging and deployment system, the most critical of which can be exploited to escalate privileges to root.

Other news worth mentioning:

Over 620 Million Ransomware Attacks Detected in 2021
Snyk Acquires Fugue, Enters Cloud Security Market
Microsoft Teams Targeted With Takeover Trojans

Don’t get caught in the cold with ransomware

Before prevention is enabled.

Ransomware is sadly the trend these days. We want to share a cheap and effective way to enable prevention that most organizations probably fail to consider.

Using the ransomware simulator from KnowBe4, RanSim, we could see that our endpoints were previously doing no prevention at all.

An easy way to minimize the attack surface for ransomware is to use the built-in feature in Windows 10 and Server 2019 called “Controlled Folder Access”. This can be managed with the following:

  • Windows Security app
  • Microsoft Intune
  • Mobile Device Management (MDM)
  • Microsoft Endpoint Configuration Manager
  • Group Policy
  • PowerShell

Our results after we enabled this prevention (and enabled it for RanSim’s test folder) look a lot better.

The results show some items being denied that should not have been denied, but testing did not show any impact on the user experience; this only affected that particular untrusted application.

After prevention is enabled
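Managing Controlled Folder Access from PowerShell, as an added example that is not part of the original post: it starts in audit mode, lists the processes that would have been denied so that legitimate applications (like the ones noted above) can be allowed, and only then switches to block mode. The folder and application paths are assumed placeholders, and the EventData field name read from the Defender log is an assumption to check on your own systems.

```powershell
# Added example: staged rollout of Controlled Folder Access with the Defender
# PowerShell module. Run from an elevated session on Windows 10 / Server 2019.
# Folder and application paths below are assumed placeholders.

$protectedFolders = @(
    'D:\Shares\Finance',   # assumed: a file share that ransomware would target
    'C:\RanSimTest'        # assumed: the simulator's test folder, as in the post
)
$allowedApps = @(
    'C:\Program Files\Contoso\LineOfBusiness.exe'  # assumed: app found legitimate in audit
)

# 1. Audit first: nothing is blocked yet, but every write CFA would deny is logged.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders $protectedFolders

# 2. After a test period, list the processes CFA would have denied (event 1124 =
#    audited, 1123 = blocked) to separate false positives from untrusted tools.
#    'Process Name' is the EventData field name we assume for these events.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -ErrorAction SilentlyContinue |
    ForEach-Object { [xml]$_.ToXml() } |
    ForEach-Object {
        ($_.Event.EventData.Data | Where-Object { $_.Name -eq 'Process Name' }).'#text'
    } |
    Group-Object | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 3. Allow only the applications the audit showed to be legitimate.
Add-MpPreference -ControlledFolderAccessAllowedApplications $allowedApps

# 4. Switch from audit to block mode and confirm the effective settings.
Set-MpPreference -EnableControlledFolderAccess Enabled
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications
```

Run step 2 again after switching to block mode: event 1123 entries then show what is actually being denied in production.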

Fake Telenor Ransomware Campaign

Today, a malicious email campaign was launched targeting Norwegian entities. We have seen a large number of these malicious emails addressed to our employees, customers and partners, and we would like to discourage you from interacting with this email.

The email itself visually appears to be from Telenor, with the subject line “Faktura Fra Telenor Norge AS, Mobil “. It has a payment date in the near future (10th of February), which is there to put you under stress so you don’t think twice before clicking the links. The links will, however, send you to a malicious site, which aims to infect your computer with ransomware. The ransomware will encrypt any file it has write access to (including open shared file systems) and then demand payment in order to make the files readable again.

In order to better secure your organisation against these types of threats, we advise you to look at our article about this, which can be found here: Basefarm Ransomware Information

Further information about this specific attack:
Telenor Twitter

Protect your organization before ransomware strikes

Is ransomware just another case of crying wolf, or something organizations should take seriously? Basefarm considers ransomware to be the number one IT threat today. The company’s best advice is to protect yourself before the threat affects you.

No empty threat
– Companies and other organizations have become accustomed to warnings of computer threats without being affected by them. Therefore, it is tempting to ignore the ransomware threat. You should not do that. In return, the remedies for ransomware also work preventively against many other threats, Fredrik Svantes, leader of Basefarm SIRT (Security Incident Response Team) says.

Basefarm supplies complex IT solutions for mission-critical software. The company’s reference list comprises large businesses, including public administration, transport companies and financial businesses. All depend on their IT systems running without interruptions. Being responsible for this, Basefarm follows the IT threat level closely.
– We have seen attempted attacks. Slightly larger companies with a healthy economy are particularly vulnerable, Svantes confirms.

Loss of time and revenue
The attack stories keep coming. Here are two of them: a hospital in California was infiltrated and paid 20,000 dollars to regain access to its own patient records. In January last year, ransomware took over more than 20 million files at the Swedish National Agency for Education.
The story of the National Agency for Education is the most typical of all. According to Dagens Nyheter (the Daily News), an employee opened a file that had arrived in their mailbox. That infected both the person’s computer and the document server of the entire organization. The server held most of the employees’ documents, including business decisions, reports and other supporting material. It took nearly a week to restore the server from a backup taken the day before.
– One week without access is a long time, and will entail delays and losses. Even if you are advised not to pay the ransom, many are tempted in order to regain access to their files. After all, not getting the files back could mean a total disaster. The tendency is for the size of the ransom to rise along with the willingness to pay, Svantes says.

Infected ads
The infection may also come from infected websites. Many who hear this intuitively assume that it means someone has visited websites they should not have visited.
However, ransomware is distributed through ad networks, in ads that appear on perfectly normal websites, including online newspapers and blogs. In other words, if you want to distribute a virus you can buy ad space and, for example, upload a file with a Flash animation. Users without up-to-date Flash software on their computers are exposed to the risk of infection.
– The crooks earn money doing this, and therefore they have no problems paying for the ads.

Takes the TV and other “Internet things”

The problem with ransomware and other malware is going to grow with the spread of the Internet of Things (IoT). These devices are connected to the internet in one way or another. Many of them are cheap compared to, for example, a server or a PC. They may be secure when purchased, but neither the manufacturer nor you may be very interested in bearing the cost of keeping them up to date. The first TVs have already been taken over by discount ransomware; for a few hundred you can get the unit back up and running. That life-critical medical equipment may be open to this type of attack is even more serious.

8 tips on how to protect your business against ransomware

The good thing about methods of protecting yourself against ransomware is that they also work against other malware and other types of attack.

Tip 1: Ensure the organization has the right knowledge and culture
Since antivirus systems and firewalls are routinely updated and block ordinary mass attacks, the crooks are forced to find new, clever paths. A rapidly spreading phenomenon is that attacks are directed at individuals. By searching Facebook, LinkedIn or other social channels they find information about persons and their networks. Then they send e-mails to the victims, who feel safe because of the personal character of the information.
The consequence is that businesses must establish a culture with sufficient knowledge of this type of approach, and therefore be extra attentive to what might happen. A vigilant mindset towards e-mail and memory sticks must be part of such a culture. Firstly, not all e-mails should be opened. Secondly, not all attachments should be opened. Thirdly, do not reply to everything. And do not insert any unknown memory stick into the computer!

Tip 2: Establish routines for handling attacks and ensure that everybody knows them
Someone takes the chance of opening an e-mail because they do not want to be a nuisance or expose their “stupidity”. Clearly not a good idea. People need to know whom to contact, and that they will be met in a friendly and professional manner.
If something occurs, the notification procedures must be crystal clear, the distribution of responsibility indisputable and the measures immediate. The organization must maintain monitoring equipment and keep it under control, including making sure that someone subscribes to security updates.
Part of contingency planning is practising. Practice may be done at different levels: from within the IT department to the entire organization.

Tip 3: Have a backup and make sure it works
You have heard this advice before: take backups. If your backup is reasonably recent, and you have restore processes that work, you will be relatively fine even if you are affected by ransomware.
You cannot back up database-based systems (CRM, ERP, financial systems etc.) while they are running. Such systems must therefore be set to back up their own data, and then you back up these backups. No backup is safe until you have tested that it can be used (restored). Cloud backups may be good, but remember that transferring large amounts of data can take quite some time.
Block the backup server for all types of users except the backup software itself. This way you prevent the infection from destroying the backup.

Tip 4: Segment networks and rights
This entails ensuring that different employees have read or write access only to the specific areas of a server that they need. If they are affected by ransomware, only these areas will be affected.
Furthermore, the user should not be allowed to install any software or run software as administrator. This way any infection will be limited to the areas that the user has access to, and cannot easily take over the entire computer.

Tip 5: Ensure that all software is up to date
This applies to both clients and servers. Flash and Java are two vulnerable systems through which most infections occur today. Outdated software may have security holes that the crooks can force their way through.

Tip 6: Limit what programs the users can run
Most people currently run antivirus, but antivirus can only stop known malware. Every day there are new variants that the antivirus cannot recognize, since the attackers change the malware and test it against common antivirus products right before they send it out.
Whitelisting is the opposite tactic: instead of, or in addition to, maintaining a list of programs you do not want to run, you maintain a list of software you actually want. Ransomware is not on that list, and will therefore not run.
Whitelisting has proven difficult in practice, but is now becoming easier to use. It is the most effective technique against ransomware.

Tip 7: Have an updated firewall
The firewall prevents outside users from accessing the local network. Classic firewalls block entrances, but some ports, such as port 80 (normally www/http), must usually be open, and a classic firewall will therefore not stop attacks via this port. More advanced firewalls therefore inspect the content coming through the ports. In any case, there are fewer risks connected to computer usage behind a firewall than in front of it.

Tip 8: Use intrusion detection systems (IDS)
IDS systems monitor the network traffic. If the system detects a computer that starts to send out large amounts of data or contacts servers it does not usually use, this is an early indication of infection that can be used to block the computer and protect the others.
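The two early indicators named in Tip 8, checked against constructed flow records, as an added example that is not part of the original article: a host is flagged when its outbound volume in the window is far above its daily baseline, or when it talks to a destination it has never talked to before. The baseline table, flow records, addresses and the 5x threshold are all constructed assumptions.

```powershell
# Added example: Tip 8's "large amounts of data" and "servers it does not usually
# use" indicators over constructed flow records. In practice the baseline would be
# built from historical NetFlow/firewall logs; here it is hard-coded.

$VolumeRatio = 5.0   # assumed: flag when outbound bytes exceed 5x the daily baseline

# Constructed baseline: per-host daily outbound bytes and usual destinations.
$Baseline = @{
    '10.1.1.20' = @{ Bytes = 50MB; Dests = @('10.1.1.5', '10.1.1.6', '93.184.216.34') }
    '10.1.1.21' = @{ Bytes = 80MB; Dests = @('10.1.1.5', '10.1.1.6') }
}

# Constructed flow records for the current window (source, destination, bytes out).
$Flows = @(
    [pscustomobject]@{ Src = '10.1.1.20'; Dst = '10.1.1.5';      Bytes = 30MB }
    [pscustomobject]@{ Src = '10.1.1.20'; Dst = '93.184.216.34'; Bytes = 10MB }
    [pscustomobject]@{ Src = '10.1.1.21'; Dst = '10.1.1.6';      Bytes = 20MB }
    [pscustomobject]@{ Src = '10.1.1.21'; Dst = '198.51.100.7';  Bytes = 600MB }  # never seen, huge upload
)

function Find-SuspiciousHosts {
    param([object[]]$Flows, [hashtable]$Baseline, [double]$Ratio)
    $Flows | Group-Object Src | ForEach-Object {
        $src   = $_.Name
        $known = $Baseline[$src]
        if (-not $known) { return }          # no baseline yet: nothing to compare against
        $total = ($_.Group | Measure-Object Bytes -Sum).Sum
        $new   = $_.Group.Dst | Where-Object { $_ -notin $known.Dests } | Sort-Object -Unique
        $reasons = @()
        if ($total -gt $known.Bytes * $Ratio) {
            $reasons += 'outbound {0:N0} bytes vs baseline {1:N0}' -f $total, $known.Bytes
        }
        if ($new) { $reasons += "new destinations: $($new -join ', ')" }
        if ($reasons) {
            [pscustomobject]@{ Host = $src; Reasons = $reasons -join '; ' }
        }
    }
}

# Hosts returned here are candidates for isolation and further investigation.
Find-SuspiciousHosts -Flows $Flows -Baseline $Baseline -Ratio $VolumeRatio | Format-Table -AutoSize
```

A host with no baseline entry is skipped rather than flagged, so newly deployed machines should get a baseline before the check is trusted for them.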