Overview of security incidents for the period 7-13 August 2021
The outgoing week turned out to be extremely rich in a variety of events in the world of information security, from the largest robbery in the history of cryptocurrencies to the hacking of thousands of Facebook pages using an Android Trojan. Read about these and other events in the world of information security for the period from 7 to 13 August 2021
Just two days after the disclosure of a vulnerability “potentially affecting millions of home routers,” Juniper Threat Labs discovered evidence that it was already being actively exploited in hacker attacks. On August 3, 2021, a researcher at the information security company Tenable Evan Grant published details about several vulnerabilities in routers from a number of telecom operators, including Verizon and O2, and just two days later, Juniper Threat Labs specialists discovered that one of them ( CVE-2021-20090 ) began to be exploited by hackers.
Cybercriminals have also armed themselves with the notorious PrintNightmare vulnerabilities and are now attacking Windows servers to deploy Magniber ransomware. PrintNightmare is a class of vulnerabilities ( CVE-2021-1675, CVE-2021-34527, and CVE-2021-36958 ) in Windows Print Spooler, Windows drivers, and Windows Point and Print functionality. CrowdStrike researchers found that Magniber ransomware operators are now exploiting PrintNightmare vulnerabilities in attacks on victims in South Korea.
Cybercriminals are actively scanning the Internet for available installations of Microsoft Exchange with unpatched ProxyShell vulnerabilities. The scans began after new details about the vulnerabilities were presented last week at the Black Hat conference in Las Vegas.
During the reporting period, several botnet reports appeared at once. So, experts from the Splunk company announced the resumption of the activity of the Crypto botnet operators. Cybercriminals attack Windows Server virtual servers inside Amazon Web Services with Remote Desktop Protocol (RDP) enabled. After detecting vulnerable virtual machines, attackers carry out a brute-force attack. If successful, hackers install tools for mining Monero cryptocurrency.
Cybersecurity researchers at Uptycs have reported a malicious campaign in which hackers use a worm written in the Golang language to install a crypto miner on victims’ devices. Cryptominer tweaks CPU configurations on compromised Linux servers to improve the efficiency and performance of its cryptocurrency mining code. According to experts, this is the first time that attackers change the Model-Specific Registers (MSR) of a processor to disable the CPU’s Hardware Prefetcher function.
Taiwanese NAS manufacturer Synology has alerted customers to a malicious campaign in which StealthWorker botnet operators attack NAS devices and infect them with ransomware. According to Synology’s Product Security Incident Response Team (PSIRT), Synology NAS devices compromised by these attacks are being used in further attempts to compromise other Linux systems.
Microsoft has warned of several malicious campaigns at once. In particular, she spoke about a malicious phishing campaign that many Microsoft Office 365 users have fallen victim to. According to experts, numerous attacks began in July 2020. In an ongoing phishing campaign, attackers are encouraging victims to transfer their Office 365 credentials using XLS.HTML attachments.
The Microsoft Security Intelligence team also announced a new malicious BazaCall campaign. The campaign uses fake copyright infringement contact form emails and malicious files that allegedly contain “stolen images”. In this way, scammers try to trick users into downloading malware.
One of the most notorious events of the week was the attack on the transnational blockchain platform Poly Network. As a result of the attack, an unknown hacker managed to transfer more than $ 600 million in cryptocurrency to their wallets, making it the largest robbery in the history of cryptocurrencies. However, shortly thereafter, someone under the pseudonym “Mr. White Hat” began to recover the stolen assets. The hacker stated that his goal was to demonstrate the vulnerability in the Poly Network, and he will return all stolen funds.
Hackers attacked the DAO Maker crowdfunding platform and withdrew $ 7 million in USDC stablecoins from it. Representatives of the DAO Maker platform reported on their Telegram channel that the attack only affected the custody smart contract. DAO tokens and staking assets were not affected by attackers, DAO Maker representatives assured.
Traditionally, it has not been without cyber ransomware attacks. One of the most notorious was the attack on the Fortune 500 consulting company Accenture. The company fell victim to an attack using ransomware LockBit.
Known manufacturer of motherboards, graphics cards and other computer components, Gigabyte also been attacked extortionists. The hacker group RansomExx stated that during the attack it managed to steal 112 gigabytes of data. Attackers threaten to put them online if Gigabyte refuses to pay them.
Computer game developer and publisher Crytek has confirmed that it fell victim to the ransomware Egregor in October 2020. The hackers encrypted the company’s systems, stole files with confidential customer data and published them on their darknet leaks site. Crytek only sent out relevant notifications to affected users in August 2021.
The eCh0raix ransomware has received the encryption function of QNAP and Synology network-attached storage (NAS). ECh0raix malware, also known as QNAPCrypt, was first detected in June 2016. The ransomware attacked QNAP NAS devices in waves. The first “wave” took place in June 2019, and the second – in June 2020. In 2019, eCh0raix also encrypted devices manufactured by Synology, pre-hacking them using brute force. Now the ransomware has an encryption function for both device families.
On the hacker, the forum was published a mysterious universal key to decrypt files encrypted by the ransomware REvil during an attack on Kaseya’s customers. Recall that on July 2 of this year, the REvil group attacked managed service providers around the world through a zero-day vulnerability in the Kaseya VSA remote control application. After the attack, the ransomware demanded $ 70 million for a universal tool that would restore the encrypted files of all Kaseya customers. However, then the REvil group mysteriously ceased to exist, and its wallets and all infrastructure were turned off. On July 22nd, Kaseya received a universal decryptor from a mysterious “third party” and began distributing it to its customers. This week, a mysterious master key was posted on one of the hacker forums.
The master key for users who became their victims between July 2017 and early 2021 was published by the ransomware group El_Cometa, formerly known as SynAck. As representatives of SynAck said, they decided to release a master key to recover files encrypted by the ransomware during old operations, as they intend to focus on new ones. So, at the end of last month, the group began new operations called El_Cometa.
Not without data leaks during the week. Thus, the hackers put up for sale secret documents of the Ministry of Foreign Affairs of Lithuania. The attackers stole the correspondence of the Ministry of Foreign Affairs with the embassies of the Baltic republic abroad and the embassies of other countries in Lithuania. An investigation is underway on this fact.
The European Commission is investigating the hacking of its Cybersecurity Atlas project after a copy of the resource’s internal database was put up for sale on an underground forum. An unidentified attacker put the stolen data up for sale on a clandestine forum, claiming to have gained access to the entire Cybersecurity Atlas database. The seller intends to complete the transaction through Discord messenger.
A Chinese cybercriminal group attacked Israeli organizations in a malicious campaign launched back in January 2019. Hackers often used fake flags in an attempt to disguise themselves as Iranian criminals. According to experts from information security firm Mandiant, the attacks targeted Israeli government agencies, IT companies and telecommunications service providers. The attackers, who are being tracked under the codename UNC215, have routinely compromised organizations through Microsoft SharePoint servers that contain the CVE-2019-0604 vulnerability.
This week, users of social networks and instant messengers were attacked by malware. For example, the FatalRAT malware is distributed in the Telegram messenger. The FatalRAT remote access Trojan not only steals data from Russians but also affects the security system of the device on which the messenger is installed. The malicious program carries out attacks remotely and spreads inside channels and chats.
Specialists of the information security company Zimperium have discovered a new malicious campaign aimed at Android users. The campaign uses FlyTrap malware to hack Facebook accounts by stealing session cookies. More than 10 thousand users in 140 countries of the world have already become victims of the malware.
Catch up on more articles here
Follow us on Twitter here