Neu Cyber Threats – 29th July 2021
Under-fire software provider acquires decryptor key for ransomware
Following the ransomware attacks that hit organisations in more than 22 countries at the start of July, software provider Kaseya has obtained a master decryptor key for the REvil ransomware used against its customers.
The attacks exploited zero-day vulnerabilities, since patched, in Kaseya's Virtual System Administrator (VSA) remote monitoring and management platform, and only customers running the on-premises version were hit. Because VSA is used by managed service providers to monitor and manage their clients' software and network infrastructure, the roughly 60 directly affected customers brought around 1,500 downstream businesses with them.
It is not yet clear whether the £50 million ransom demanded by the REvil cyber criminal gang was paid: Kaseya said in an advisory only that it had obtained the decryptor "through a third party". The next step is for Kaseya to work with affected customers to restore their environments, and so far there are no reports of problems with the decryptor. A further twist is that REvil has been dark since 13th July, when its sites disappeared and its representatives were banned from prominent underground forums.
Even with the master decryption key in hand, the incident isn't necessarily over. REvil practises double extortion: company data is stolen before it is encrypted. The group, or whoever now holds that data, may still have copies and could use them to extort victims further or auction them off.
Remediation will still be expensive. Significant damage has already been done in downtime and recovery costs, and decrypting the data does not remove the cost of restoring devices and data. Because these criminal operators routinely leave backdoors behind, the businesses Kaseya is supporting will need to rebuild compromised infrastructure to a clean, trustworthy state rather than simply decrypt in place.
Neuways advises businesses to ensure their data is backed up consistently as part of a comprehensive Business Continuity and Disaster Recovery (BCDR) plan. A tested BCDR plan means that if your business were hit by a ransomware attack such as REvil's, you could keep operating and restore from backup, limiting downtime that can cost thousands of pounds or more. Backups should be kept offline or otherwise out of reach of an attacker who has administrative access to your network, because ransomware operators routinely try to delete backups before they encrypt.
Windows 10 suffers from privilege escalation bug
A privilege escalation bug affecting recent versions of Windows 10 has been acknowledged by Microsoft, which has published a workaround rather than a patch. Exploiting it lets a cyber criminal who is already on a machine read the stored credential hashes, access data and create new accounts.
The bug, dubbed 'SeriousSAM', concerns the Security Accounts Manager (SAM) database. The SAM file holds local user account password hashes and domain information, and together with the SYSTEM hive alongside it, which holds the key needed to decrypt those hashes, it is a particularly attractive target for cyber criminals. The flaw is that the files under %windir%\system32\config are readable by ordinary, non-administrative users. A prerequisite for abuse is that an attacker already has remote or local access to the vulnerable Windows 10 system as any user.
Microsoft said: “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programmes; view, change, or delete data; or create new accounts with full user rights.” Simply stated, an attacker could use the bug to copy the SAM database of hashed credentials, then crack the hashes offline or use them directly in pass-the-hash attacks to bypass Windows 10 user access controls.
The bug is rated important in severity by Microsoft. Researchers found that it also impacts pre-production builds of Windows 11, rumoured for release in October 2021. The researcher who found it was experimenting with Windows 11 and discovered that, although the live SAM file is locked by the operating system while Windows runs, the same file can be read from a Volume Shadow Copy Service (VSS) snapshot, because the snapshot carries the same weak permissions. VSS is the Windows service that takes point-in-time snapshots of a volume; System Restore points and many backup tools are built on it.
The same issue is present on Windows 10 builds going back to version 1809, released in 2018. Microsoft has not issued a patch for the bug; instead it recommends a workaround:
- Restrict access to the contents of %windir%\system32\config so that the hive files inherit the directory's administrators-only permissions
- Delete any System Restore points and shadow volumes that existed before access was restricted
- Create a new System Restore point (if desired)
Microsoft also cautions that deleting VSS shadow copies “could impact restore operations, including the ability to restore data with third-party backup applications.” Neuways recommends following Microsoft's steps, after first confirming that your backups do not depend on the shadow copies that will be deleted.
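The check and the workaround above, as an added example written for this page rather than code from Microsoft or Neuways. It reads the ACL on the SAM, SECURITY and SYSTEM hive files to confirm whether ordinary users can read them, lists the shadow copies that would still expose old copies, and, with the assumed -Fix switch, applies Microsoft's published steps. Run it from an elevated Windows PowerShell 5.1 session on Windows 10 1809 or later.

```powershell
# Added example (not Microsoft's or Neuways' code). Checks the SeriousSAM exposure
# and applies Microsoft's workaround. Run in an elevated Windows PowerShell session.
# The -Fix switch is this script's own convention.
param([switch]$Fix)

# The three hives that matter; SAM is the one the story is about.
$hives = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object { Join-Path $env:windir "System32\config\$_" }

function Test-HiveExposure {
    # The hive files are locked while Windows runs, but their ACL can still be
    # read. The vulnerable ACE grants BUILTIN\Users ReadAndExecute (shown as RX by
    # icacls), which includes ReadData, and the same ACL is inside every shadow copy.
    foreach ($hive in $hives) {
        $acl = Get-Acl -LiteralPath $hive
        $weak = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -in 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users' -and
            (([int]($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)) -ne 0 -or
             $_.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::FullControl)
        }
        [pscustomobject]@{
            Hive    = $hive
            Exposed = [bool]$weak
            Grants  = ($weak | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
        }
    }
}

function Get-ShadowCopies {
    # Every shadow copy taken while the ACL was weak still holds a readable hive,
    # which is why Microsoft's workaround deletes them after fixing the ACL.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, VolumeName, @{ n = 'Created'; e = { $_.InstallDate } }
}

function Invoke-SeriousSamWorkaround {
    # Step 1 (Microsoft): re-enable inheritance so the hive files pick up the
    # administrators-only ACL of the config directory.
    icacls "$env:windir\System32\config\*.*" /inheritance:e | Out-Null

    # Step 2 (Microsoft): remove restore points and shadow copies made before step 1.
    # Caveat from the advisory: this also removes data third-party backup tools may use.
    vssadmin delete shadows /all /quiet | Out-Null

    # Step 3 (optional): take a fresh restore point on the now-hardened volume.
    # System Restore must be enabled, and Windows only allows one checkpoint per 24 hours by default.
    Checkpoint-Computer -Description 'Post-SeriousSAM workaround' -RestorePointType MODIFY_SETTINGS
}

'Hive permissions before:'
Test-HiveExposure | Format-Table -AutoSize
'Shadow copies present:'
Get-ShadowCopies | Format-Table -AutoSize

if ($Fix) {
    Invoke-SeriousSamWorkaround
    'Hive permissions after:'
    Test-HiveExposure | Format-Table -AutoSize
}
```

Run it once without -Fix to see whether the Exposed column is True and how many shadow copies exist; run it again with -Fix only after confirming with your backup vendor that those shadow copies are not needed for restores.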
HP printer driver flaw impacting hundreds of millions of Windows machines
Researchers have discovered a high-severity privilege-escalation flaw in an HP printer driver that is installed on hundreds of millions of Windows machines.
If exploited, it lets a local attacker bypass security products and install programmes; view, change, encrypt or delete data; or create new accounts with full user rights. The bug (CVE-2021-3438) has been in the driver for 16 years but was only uncovered this year. According to the researchers, a function in the driver accepts data sent from user mode through an Input/Output Control (IOCTL) request without validating the size parameter supplied with it, so a caller can pass an oversized buffer and overflow kernel memory. As the name suggests, an IOCTL is a system call for device-specific input/output operations.
As a result, an unprivileged user can elevate to a SYSTEM account and run code in kernel mode, because the vulnerable driver's device is accessible to any local user. Printer drivers are an attractive target for cyber criminals since they are near-ubiquitous on Windows machines and are loaded automatically on every boot.
This means the driver is installed and loaded without asking or notifying the user, often simply because a printer was connected. No in-the-wild attacks have been observed so far, but because the bug has existed since 2005, it affects a very long list of printer models. Device-driver vulnerabilities are not uncommon, and a few practices reduce the risk: use strong access control lists (ACLs) to limit which user groups can install drivers and reach device objects, keep an inventory of the third-party kernel drivers running on your machines, and, for anyone writing drivers, validate the length of every user-supplied buffer and never expose a generic read- or write-anything interface to kernel mode.
HP has released updated drivers that address the vulnerability. Because the list of affected models is long, check each printer model against HP's advisory and apply the update; Neuways will help customers identify affected devices.
New malware spreading across the world via RATs and cookie stealers
A never-before-documented Windows malware strain dubbed 'MosaicLoader' is spreading worldwide, acting as a full-service malware-delivery platform that infects victims with remote-access trojans (RATs), Facebook cookie stealers and other threats.
Researchers found the loader spreading indiscriminately through paid ads in search results. It masquerades as a cracked software installer, but is in reality a downloader that can fetch any payload onto the infected system, which makes it profitable to operate as a delivery service for other criminals.
The researchers first observed MosaicLoader delivering Facebook cookie stealers, which exfiltrate session cookies and login data so that cyber criminals can take over accounts and post content that spreads malware or damages the victim's reputation. It also drops the Glupteba backdoor and a variety of RATs used for espionage, which log keystrokes, record audio from the microphone and images from the webcam, and capture screenshots.
Once installed on a machine, the malware spawns a complex chain of processes. Its hallmark is an unusual obfuscation technique that shuffles small chunks of code around to produce an intricate, mosaic-like structure, which is where the name comes from.
The sprayer's job is to fetch a list of URLs from attacker-controlled infrastructure, download the malware hosted at each one and execute it, so it can deliver any payload. The URLs are varied: some are domains registered specifically to host malware, others are legitimate sites to which malicious files have been uploaded.
While the campaign has no specific target countries or industries, infections are rising rapidly worldwide. Neuways advises against downloading software from unofficial sources, and cracked software in particular, since that is exactly how this campaign spreads. Check the source domain of every download, verify the file's publisher signature before running it, and keep your security solutions up to date.
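The two checks recommended above, as an added example written for this page rather than code from the researchers or Neuways: it reads the Mark of the Web that browsers attach to downloaded files to recover the domain the file actually came from, and checks the file's Authenticode signature before anyone runs it. The sample path in the usage line is an assumption.

```powershell
# Added example (not the researchers' or Neuways' code). Reports where a
# downloaded file came from and whether its publisher signature is valid.

function Get-DownloadProvenance {
    param([Parameter(Mandatory)][string]$Path)

    # Browsers tag internet downloads with a Zone.Identifier alternate data
    # stream (the "Mark of the Web"): ZoneId 3 means Internet, and newer
    # browsers also record the download URL (HostUrl) and the linking page
    # (ReferrerUrl). A file with no stream was not saved by a browser.
    $zone = @{}
    $motw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $motw) {
        if ($line -match '^(\w+)=(.*)$') { $zone[$Matches[1]] = $Matches[2] }
    }
    $hostUrl = $zone['HostUrl']
    $sourceDomain = if ($hostUrl) { try { ([uri]$hostUrl).Host } catch { $hostUrl } } else { $null }

    # Authenticode: 'Valid' means the file is unmodified and the signer chains
    # to a trusted CA. Cracked-software bait is typically unsigned or self-signed,
    # and a valid signature from a publisher you do not recognise is still a red flag.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        File           = $Path
        ZoneId         = $zone['ZoneId']
        SourceDomain   = $sourceDomain
        Referrer       = $zone['ReferrerUrl']
        Signature      = $sig.Status
        Signer         = $sig.SignerCertificate.Subject
        SignatureValid = ($sig.Status -eq 'Valid')
    }
}

# Usage: inspect a file before double-clicking it (path is an assumption).
Get-DownloadProvenance -Path "$env:USERPROFILE\Downloads\setup.exe" | Format-List
```

If SourceDomain is not the vendor's own domain, or SignatureValid is False, treat the installer as hostile; in the MosaicLoader campaign the download came from a site reached through a paid search ad, which is precisely the kind of mismatch the Referrer and SourceDomain fields surface.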