Neu Cyber Threats – 16th September 2021
Windows zero-day security hole patched by Microsoft
Microsoft has warned its users to update their systems with an emergency patch that prevents malicious hackers from exploiting a vulnerability in Windows to launch targeted attacks against organisations. The security flaw, tracked as CVE-2021-40444, was a previously unknown remote code execution vulnerability in MSHTML, a core component of Windows that renders web-based content.
Attacks exploiting the vulnerability have targeted companies via malicious Microsoft Office documents. In short, a timeline of infection might go something like this:
- A user downloads/receives a malicious Microsoft Office file. They are usually socially engineered into clicking a malicious link, or find the poisoned file in their inbox.
- The user opens the Microsoft Office file to view its contents, but it contains an embedded malicious ActiveX control.
- The ActiveX control exploits the bug in Windows MSHTML to gain the same level of control as the user, whereupon it installs malware of the hacker’s choice.
Microsoft’s security team explains that users who are not running with administration rights can reduce the impact of an attack: “An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document.
“Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
Researchers, who disclosed their discovery of the “dangerous” vulnerability to Microsoft last week, said that it had been exploited in “in-the-wild” attacks, and advised users, before the official patch, to: “Be extremely cautious about opening Office files – DO NOT OPEN if you don’t fully trust the source!”
The flaw affected Windows Server 2008 through 2019 and Windows 8.1 or later, and it carries a CVSS severity score of 8.8 out of a maximum 10. Microsoft said: “Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately.”
Luckily, these attacks were thwarted if Microsoft Office ran with its default configuration, which opens untrusted documents in Protected View mode (or in Application Guard for Office, for Office 365 customers).
Neuways advises applying Microsoft’s security patch for the flaw as soon as possible, to avoid any further ramifications.
Ragnar Locker cyber criminals warn against alerting police
The Ragnar Locker ransomware gang has threatened to leak victims’ data on its darknet data-leak site if they go to the police about any kind of data-theft incident.
In a recent announcement, the ransomware operators threatened to publish the data of any business they have targeted that seeks help from law enforcement or investigators following an attack. The same goes for victims that call in data-recovery experts to try to decrypt files or to help with negotiating the ransom or the decryption process.
Ragnar Locker went on to refer to their victims as “clients” in their statement, insinuating that they were willing to have their files encrypted and businesses paralysed, and had therefore contracted with the Ragnar Locker group to get the job done.
“So from this moment we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the Police/Investigators, we will consider this as a hostile attempt and we will initiate the publication of whole compromised Data immediately,” the gang warned. “Don’t think please that any negotiators will be able to deceive us, we have enough experience and many ways to recognise such a lie.”
Researchers reported an increase in Ragnar Locker activity late last year. The operators first gain access to a victim’s network and then carry out reconnaissance to locate network resources, backups or other sensitive files they can steal and encrypt. In the final stage of the attack, they manually deploy the ransomware, encrypting the victim’s data.
The Ragnar Locker ransomware family frequently changes its obfuscation techniques to slip past detection and prevention. The ransomware is identified by the extension “.RGNR_<ID>,” where <ID> is a hash of the computer’s NETBIOS name. The threat actors identify themselves as “RAGNAR_LOCKER” and leave a .txt ransom note, with instructions on how to pay.
Ragnar Locker has used VMProtect, UPX, and custom packing algorithms. The ransomware has also been deployed within an attacker’s custom Windows XP virtual machine on a target’s site. The alert followed the first observation of Ragnar Locker in April 2020, when the gang encrypted 10TB of data belonging to an unnamed, large corporation, demanding just under £8 million as a ransom.
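As an added illustration of how a defender might turn the indicators above into a detection (this is example code written for this bulletin, not Ragnar Locker’s code or any vendor’s product), the Python below scans file-system event lines for the “.RGNR_<ID>” extension and the “RAGNAR_LOCKER” marker in a text note, and raises a per-host alert when several renamed files appear. The log format, host names, paths, note file name and alert threshold are all constructed for the example, and the assumption that <ID> consists of letters, digits and underscores is ours, not something the reporting states.

```python
"""Detect Ragnar Locker file indicators in file-system event logs.

Constructed example: the log line format, host names, paths and threshold
below are invented for illustration. Only the ".RGNR_<ID>" extension and the
"RAGNAR_LOCKER" self-identification string come from public reporting.
"""
import re
from collections import defaultdict

# Files encrypted by the ransomware carry a ".RGNR_<ID>" suffix, where <ID>
# is derived from the NETBIOS name. The character set of <ID> is an
# assumption here, so any run of letters, digits or underscores is accepted.
RGNR_EXT = re.compile(r"\.RGNR_[A-Za-z0-9_]+$")

# Constructed log format:  <timestamp> host=<name> op=<create|rename> path="<path>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+op=(?P<op>\w+)\s+path="(?P<path>[^"]+)"'
)

# Arbitrary tuning value for this example: how many encrypted-looking files
# on one host before we treat it as mass encryption rather than noise.
ALERT_THRESHOLD = 3


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it doesn't match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def is_rgnr_path(path):
    """True if the path ends with the Ragnar Locker extension."""
    return RGNR_EXT.search(path) is not None


def is_ragnar_note(path, text):
    """True if a .txt file self-identifies as a RAGNAR_LOCKER ransom note."""
    return path.lower().endswith(".txt") and "RAGNAR_LOCKER" in text


def scan_events(lines, threshold=ALERT_THRESHOLD):
    """Return {host: [paths]} for every host with at least `threshold` RGNR files."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and is_rgnr_path(ev["path"]):
            per_host[ev["host"]].append(ev["path"])
    return {host: paths for host, paths in per_host.items() if len(paths) >= threshold}


# Constructed sample log: WS01 shows three renamed files (alert), WS02 shows one
# (below threshold), and WS03 has a file whose name merely contains "RGNR_".
SAMPLE_LOG = [
    r'2021-09-16T10:22:01Z host=WS01 op=rename path="C:\Users\alice\Documents\report.docx.RGNR_A1B2C3D4"',
    r'2021-09-16T10:22:01Z host=WS01 op=rename path="C:\Users\alice\Documents\budget.xlsx.RGNR_A1B2C3D4"',
    r'2021-09-16T10:22:02Z host=WS01 op=create path="C:\Users\alice\Documents\note.txt"',
    r'2021-09-16T10:22:02Z host=WS01 op=rename path="C:\Users\alice\Pictures\holiday.jpg.RGNR_A1B2C3D4"',
    r'2021-09-16T10:22:05Z host=WS02 op=create path="C:\Users\bob\Desktop\todo.txt"',
    r'2021-09-16T10:22:06Z host=WS02 op=rename path="C:\Users\bob\Desktop\draft.docx.RGNR_9F8E7D6C"',
    r'2021-09-16T10:22:07Z host=WS03 op=create path="C:\temp\RGNR_notes.txt"',
]

# Constructed note body; the real note text is not reproduced here.
SAMPLE_NOTE = "constructed sample note containing the marker RAGNAR_LOCKER"


if __name__ == "__main__":
    for host, paths in scan_events(SAMPLE_LOG).items():
        print(f"ALERT {host}: {len(paths)} files with .RGNR_<ID> extension")
    print("note matches:", is_ragnar_note(r"C:\Users\alice\Documents\note.txt", SAMPLE_NOTE))
```

In practice the event source would be an EDR or Sysmon file-create feed rather than a constructed list, and the threshold would be tuned against the normal rename rate on the estate so that a single stray file does not page anyone.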
At the time, it was being said that Ragnar Locker was increasingly targeting a range of victims, including cloud service providers, communication, construction, travel and enterprise software companies.
The gang’s latest tactic of trying to scare victims away from seeking help will add yet more pressure to pay ransom demands. But there remain plenty of good reasons not to pay, in spite of the group’s new threat – the biggest is common sense: they are cyber criminals, which means you cannot trust them.
Neuways advises businesses never to pay a ransom. For a start, paying doesn’t guarantee that you won’t be hit by ransomware again. It is better to have a comprehensive Business Continuity and Disaster Recovery plan in place to ensure that your business can bounce back from any kind of setback.
Windows 11 focus of cyber crime campaign before its release next month
Researchers observed a recent campaign that leveraged six different documents, all referencing “Windows 11 Alpha” – the Insider Preview version of Microsoft’s upcoming Windows 11 operating system. Windows 11 Alpha was released to the computing giant’s developer channels in June, and it generated buzz among the tech community by offering a glimpse of the planned upgrades that users can look forward to when Windows 11 rolls out next month.
The FIN7 cyber crime gang looked to capitalise on this interest. It delivered the themed documents to specific targets, all booby-trapped with malicious Visual Basic for Applications (VBA) macros. The infection chain begins with a Microsoft Word document featuring a decoy image telling readers that it was made with Windows 11 Alpha. The image asks the user to “Enable Editing and Enable Content” to see the full document.
Once editing and content have been enabled, a VBA macro executes that takes encoded values from a hidden table inside the .doc file and deciphers them with an XOR key. This produces a script that carries out various checks on the target.
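To show what the decoding step above looks like from the analyst’s side, here is an added example (written for this bulletin, not FIN7’s macro code) that recovers strings from XOR-encoded table cells extracted from a document. It assumes the cells are hex strings and that a single-byte key was used; both are assumptions made for illustration. The sample cells are constructed here from a harmless placeholder sentence, and the key recovery either scores candidate plaintexts by letter frequency or checks for a known crib.

```python
"""Recover XOR-encoded strings pulled from a document's hidden table.

Added analyst-side example, not FIN7's code. Assumptions: the table cells are
hex strings and the key is a single byte. The sample cells are constructed
from a harmless placeholder sentence so the block runs offline.
"""
import string

# Constructed placeholder standing in for whatever the macro would decode.
SAMPLE_PLAINTEXT = "this is a constructed placeholder sentence standing in for the decoded script"
SAMPLE_KEY = 0x4B  # constructed; an analyst would not know this up front


def xor_bytes(data, key):
    """XOR every byte of data with a single-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def decode_table_cells(cells, key):
    """Concatenate hex-encoded cells, XOR-decode them and return the text."""
    blob = b"".join(bytes.fromhex(cell) for cell in cells)
    return xor_bytes(blob, key).decode("latin-1")


def _english_score(candidate):
    """Crude plaintext score: how many bytes are lowercase letters or spaces."""
    good = set(string.ascii_lowercase.encode() + b" ")
    return sum(1 for b in candidate if b in good)


def recover_single_byte_key(blob, crib=None):
    """Try all 256 keys.

    With a crib (a string the analyst expects in the output), return the first
    key whose decode contains it. Without one, return the key whose output
    looks most like English text. Returns (key, decoded_text).
    """
    best_key, best_score = None, -1
    for key in range(256):
        out = xor_bytes(blob, key)
        if crib is not None:
            if crib.encode() in out:
                return key, out.decode("latin-1")
            continue
        score = _english_score(out)
        if score > best_score:
            best_key, best_score = key, score
    if best_key is None:
        raise ValueError("no candidate key produced the crib")
    return best_key, xor_bytes(blob, best_key).decode("latin-1")


# Constructed hidden-table contents: the placeholder split into 16-byte cells
# and XOR-encoded, mimicking what an analyst would extract from the document.
_chunks = [SAMPLE_PLAINTEXT[i:i + 16] for i in range(0, len(SAMPLE_PLAINTEXT), 16)]
SAMPLE_CELLS = [xor_bytes(chunk.encode(), SAMPLE_KEY).hex() for chunk in _chunks]


if __name__ == "__main__":
    blob = b"".join(bytes.fromhex(cell) for cell in SAMPLE_CELLS)
    key, text = recover_single_byte_key(blob)
    print(f"recovered key 0x{key:02X}: {text}")
```

The frequency score is deliberately simple; for real samples an analyst would typically add a crib such as a keyword they expect in the decoded script, which turns the search into an exact check rather than a heuristic.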
The FIN7 cyber crime gang is a well-known threat actor that has been active since at least 2015. The group typically uses malware-laced phishing attacks against victims in the hope of infiltrating systems to steal bank-card data and sell it. The gang consistently changes its malware arsenal in order to keep companies and researchers on their toes. Since 2020, it has also added ransomware and data-exfiltration attacks to the mix, carefully selecting targets according to company revenue.
Once again, Neuways urges businesses and their employees to be aware of the threat posed by malware-laden documents from cyber criminal groups. Phishing Awareness Training gives employees a chance to test themselves against the kind of malicious emails they are likely to receive, putting businesses in a much better position to limit the impact of ransomware attacks.
Ransomware gang returns with a vengeance
The notorious REvil ransomware gang has returned with a bang: its servers are back online, a fresh victim is listed on its site, and ransomware payments are back up and flowing after a two-month hiatus.
The period of quiet came alongside a universal decryptor key being issued by Kaseya, the IT solutions developer that was hit by a large ransomware attack. The gang claims that Kaseya only gained access to the key because a gang member made a mistake.
REvil posted twice on the Exploit underground forum on Friday, Sept. 10, to clarify that a coder mistakenly generated and leaked the universal key.
Researchers see this claim as being suspect at best: “All threat actors agree that the reasoning regarding the mistaken generation of the decryption key is absolutely ridiculous and doesn’t make any sense in the context of how contemporary ransomware operations work.”
It appears that REvil came back online by restoring its systems from backups. This adds up, as the recent reappearance marks the group’s first time online since its servers slipped offline without explanation in July, immediately after the high-profile Kaseya attack.
After that attack, the gang’s Tor servers and infrastructure powered down, and a security researcher discovered that the master decryption key had been leaked to an underground forum. Two days before the group’s return, REvil’s leak site – known as Happy Blog – came back up, and it is now fully operational.
On that same day, REvil’s Tor payment/negotiation site also sprang back to life. By Thursday, victims could once again log in and negotiate with the group, and, unfortunately, there is evidence of active development too: on 9th September a new REvil ransomware sample was found, compiled just five days earlier on 4th September.
And, as confirmation of its full return, the gang published screenshots of stolen data for the new victim on its data-leak site as further proof that it was, in fact, back in action.
Law enforcement getting hold of the decryptor and shutting down the servers was one possibility floated after REvil’s servers went dark. Besides re-emerging, in whatever form it now takes, REvil is apparently looking to re-establish itself. The reborn REvil – a ransomware-as-a-service (RaaS) operation that rents out its ransomware to affiliates – appears to be trying to patch things up with disgruntled customers who grumbled about missing out on their own ransoms after the group’s disappearance.
REvil’s re-emergence will likely bring an increase in the threats businesses experience. Neuways advises all companies to remain wary of emails containing hyperlinks or attachments that could lead to users being compromised by criminals.