Weekly cyber-facts in review 11/07/21 - Aiuken
Infrastructure

Microsoft indicates that virtualized (VDI) Windows 10 Enterprise (1909) systems are only capable of upgrading until May 2021. Microsoft recommends either redeploying virtual instances from system images available from the Azure Marketplace or upgrading manually.

Cisco patches Business Process Automation products, Web Security Appliance, SD-WAN, Virtualized Voice Browser, Identity Services Engine, Video Surveillance 7000 Series IP cameras, BroadWorks Application Server and Adaptive Security Device Manager Launcher.

New patches released for QNAP. The patched vulnerability consists of a missing authorization check that allows an attacker to escalate privileges within the system.

Content

Four high-severity vulnerabilities have been discovered in Sage X3. The vulnerabilities consist of authentication failures and an XSS vulnerability. By exploiting these vulnerabilities, it is possible to escalate privileges and take control of the system.

Industrial

Severe vulnerabilities have been discovered in the I/O Check component of PLC and HMI systems manufactured by Wago. The vulnerabilities affect the I/O Check component in PFC 100, PFC 200 and Touch Panel 600 products.

15 vulnerabilities have been made public in Vue Speech, Vue Motion and MyVue, which allow attackers to gain access, modify files and take control of the affected assets.
Issues to keep in mind
PrintNightmare

A critical vulnerability has been discovered in the print spooler service on Windows systems. There are public exploits, and malicious activity trying to take advantage of the vulnerability is very likely. The vulnerability, known as PrintNightmare, allows remote code execution and elevation of privileges to the SYSTEM level (SYSTEM, the identity with maximum privileges within the operating system). An attacker could use the vulnerability to take control of the affected systems (from domain controllers to user computers), and even entire networks. A patch was released but does not resolve the vulnerability in Windows 10 version 1607, Server 2012 and Server 2016. Consider mitigation options such as disabling the Print Spooler, which would prevent the OS's users from printing anything. We recommend disabling the Print Spooler on every Windows Domain Controller.

PowerShell important issue

Microsoft recommends that its customers update the PowerShell version on Azure platforms. The vulnerability in the PowerShell implementation consists of an input validation error, which results in remote code execution. An adversary could use the vulnerability to take control of Azure cloud instances. The affected versions are 7.0 and 7.1. Update to versions 7.0.6 and 7.1.3 as soon as possible.
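The two recommendations on this slide, disabling the Print Spooler on domain controllers and moving PowerShell 7 to a fixed release, can be checked from one audit script. The following is an added example written for this review, not code from the Aiuken bulletin; it assumes a Windows host where Get-CimInstance and Get-Service are available, and it only changes the service state when -DisableSpooler is passed (that part needs an elevated session). The fixed versions 7.0.6 and 7.1.3 are the ones named on the slide; the PowerShell 7 check queries the pwsh binary on PATH because $PSVersionTable only describes the host running the script.

```powershell
# Added example (not from the Aiuken bulletin): audit a Windows host for the two
# items on this slide, the Print Spooler service state and the PowerShell 7 version.
# Read-only unless -DisableSpooler is given; changes require an elevated session.
[CmdletBinding()]
param(
    [switch]$DisableSpooler
)

# --- Print Spooler (PrintNightmare) ---------------------------------------
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller,
# 3 = member server. Only domain controllers are flagged here, as on the slide.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$isDomainController = ($os.ProductType -eq 2)

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    Write-Output "Print Spooler service not present on this host."
} else {
    Write-Output ("Print Spooler: status={0} startType={1} domainController={2}" -f
        $spooler.Status, $spooler.StartType, $isDomainController)

    if ($isDomainController -and $spooler.Status -eq 'Running') {
        Write-Warning "Print Spooler is running on a domain controller; the bulletin recommends disabling it."
        if ($DisableSpooler) {
            # Stop the service now and keep it from starting again at boot.
            Stop-Service -Name Spooler -Force
            Set-Service -Name Spooler -StartupType Disabled
            Write-Output "Print Spooler stopped and set to Disabled."
        }
    }
}

# --- PowerShell 7.x version (Azure guidance on the same slide) -------------
# Fixed releases named on the slide, keyed by the affected branch.
$fixed = @{ '7.0' = [version]'7.0.6'; '7.1' = [version]'7.1.3' }

$pwsh = Get-Command -Name pwsh -ErrorAction SilentlyContinue
if ($null -eq $pwsh) {
    Write-Output "pwsh (PowerShell 7) not found on PATH."
} else {
    # Ask pwsh itself for its version; drop any "-preview.N" suffix before casting.
    $raw = & $pwsh.Source -NoProfile -Command '$PSVersionTable.PSVersion.ToString()'
    $ver = [version](($raw -split '-')[0])
    $branch = "{0}.{1}" -f $ver.Major, $ver.Minor

    if ($fixed.ContainsKey($branch) -and $ver -lt $fixed[$branch]) {
        Write-Warning ("PowerShell {0} is below the fixed release {1}; update it." -f $ver, $fixed[$branch])
    } else {
        Write-Output "PowerShell $ver is not below a fixed release named on the slide (7.0.6 / 7.1.3)."
    }
}
```

Run it without parameters first to see what it would flag; the spooler check stays read-only, so it can be pushed to every domain controller as an inventory step before deciding where printing really has to stay enabled.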
Ransomware in Review
The biggest supply-chain ransomware attack to date took place last weekend

On Friday, July 2nd, a massive supply-chain ransomware attack leveraging a zero-day vulnerability in Kaseya VSA software was launched against multiple managed service providers (MSPs) and their customers. The REvil ransomware gang managed to reach Kaseya's customers by distributing a fake software update which installed the malware and encrypted all files. No data seems to have been stolen or put up for sale on hacker forums. Kaseya was listed on REvil ransomware's leak page as its most recent victim, and the group asked for a $70 million ransom.
More details about the Brenntag attack

New details about the stolen information and the attack which hit Brenntag's North American division have been released. On April 26th, the DarkSide ransomware operators compromised the world-leading chemical distribution company Brenntag. DarkSide claimed to have stolen 150 GB of data, and Brenntag paid a $4.4 million ransom to prevent this information from being leaked. The presumed entry vector was a set of RDP credentials which were for sale on the UAS underground market.
Campaigns against the Energy Sector in Review
Malicious campaign focused on the industrial sector in the Middle East

A threat group, dubbed WildPressure, has been actively targeting industries in the oil and gas sector in the Middle East since at least 2019. The malicious actors are using VPS hosts and compromised servers, mostly WordPress websites, as their entry vector.

Global phishing campaign targets the Energy sector

A sophisticated campaign targeting large international companies in the oil and gas sector has been underway for more than a year, distributing RATs for cyberespionage purposes. This campaign has also affected organizations in the IT, manufacturing and media sectors.
Phishing Campaigns in Review
Phishing campaign impersonating BBVA bank

A new phishing campaign impersonating BBVA bank has been detected. It is distributed via SMS and leads victims to a fake portal that steals their banking credentials.

Phishing campaign impersonating the Spanish DGT

A new phishing campaign impersonating the Spanish National Department of Traffic (DGT) has been detected. It informs victims about a fake fine and redirects them to a fake payment gateway.
Other cases in Review
Hackers compromise Mongolian Certificate Authority

MonPass, a major certificate authority in East Asia, was compromised by an unknown threat actor for malware distribution. The attackers appear to have concentrated their efforts on compromising entities in this geography.

Is TrickBot returning to its banking trojan capabilities?

TrickBot, after almost a year of acting almost exclusively as a first-stage, multipurpose malware which distributed ransomware, is returning to its banking trojan capabilities. TrickBot's latest updates added man-in-the-browser capabilities to steal online banking credentials, along with web inject configurations.

SideCopy APT continues to evolve its arsenal

An increase in the SideCopy APT's activity has been identified. In this new campaign the group is targeting government personnel in India using themes and tactics similar to those of APT36. The threat actors use infection chains to deliver their own set of malware (made up of numerous RATs) onto their victims' networks, with the final goal of deploying credential stealers and keyloggers.
The minute men
This week European authorities announced that a new unit is going to be created to handle incidents of high and wide magnitude within EU borders. This unit will be called the JCU (Joint Cyber Unit) and will depend on ENISA. It is expected that the unit will start its operations in 2023. For now, little is known about the "unit" or its relationships with the rest of the entities within the EU administration, national administrations or companies. Below we recap the facts that could end up conditioning the existence of the JCU.

First, all companies within the EU must comply with the GDPR regulation. Such compliance is enforced through audits, investigations and compulsory notification of serious data breaches to the national authorities competent in such matters (privacy). In addition, if a company is designated a critical operator, the Network & Information Security (NIS) regulation applies as well. That norm establishes the obligation to report a major cyberincident to the designated national authority. Further industry-specific frameworks apply too and are coordinated by national bodies in the different member states; this is the case of TIBER-EU in banking, for example.

Secondly, we acknowledge the work of law enforcement in pursuing cybercrime, and the way the law enforcement agencies of the different member states coordinate (Europol). Only law enforcement agencies are empowered to enforce criminal law. Although by default most intentional cyberincidents constitute criminal cases, political and defense implications could also emerge.

Finally, there is already a CERT-EU, responsible for handling and coordinating the response to cyberincidents. That entity coordinates its operations with ENISA. It also exchanges information with the national CERTs, and it was integrated into the NIS regulation.

It seems that the creation of this unit risks adding further complexity to the cyber-response and compliance ecosystem within the EU, moving the response to cyberincidents away from the point where they originate, and partially duplicating the functions of institutions that already operate. Aiuken Cybersecurity will keep track of the foundation of this new organization in the hope of clarifying the gray areas we have identified.
Calle Francisco Tomás y Valiente nº 2 Boadilla del Monte · 28660 Madrid (España) Teléfono:+34 912 909 805 aiuken.com