A very simple tutorial on how to turn on Windows 10's built in Ransomware Protection.
How to Turn on Windows 10 Ransomware Protection | Digital Trends
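The "Ransomware Protection" feature in that tutorial is Controlled folder access in Microsoft Defender. As an added example (not code from the linked Digital Trends tutorial), the following PowerShell enables it in audit mode first, adds a protected folder, then enforces it and reviews the audit/block events; it assumes an elevated session, Microsoft Defender Antivirus as the active antivirus, and placeholder folder and executable paths.

```powershell
# Added example: manage Windows 10 Ransomware protection (Controlled folder
# access) with the Defender cmdlets. Assumes an elevated PowerShell session and
# that Microsoft Defender Antivirus is active. Folder/app paths are placeholders.

# 1. Inspect the current state before changing anything.
$pref = Get-MpPreference
# EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled, 2 = AuditMode
"Controlled folder access state: $($pref.EnableControlledFolderAccess)"
"Protected folders: $($pref.ControlledFolderAccessProtectedFolders -join ', ')"
"Allowed apps:      $($pref.ControlledFolderAccessAllowedApplications -join ', ')"

# 2. Start in audit mode: writes to protected folders are logged, not blocked,
#    so you can see which legitimate apps would break before enforcing.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Protect folders beyond the defaults (Documents, Pictures, and so on).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'   # placeholder path

# 4. After reviewing the audit log, allow a known-good app that needs write
#    access (full path to the executable), then switch to enforcement.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Example\backup.exe'  # placeholder path
Set-MpPreference -EnableControlledFolderAccess Enabled

# 5. Review what was blocked (event 1123) or audited (event 1124) in the last 7 days.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Run step 5 for a few days while still in audit mode before step 4; anything a backup or sync tool legitimately writes shows up there as event 1124.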
I get why they're doing it, but not sure how I feel about the ethics of it.
"Vigilante malware stops victims from visiting piracy websites"
Vigilante malware stops victims from visiting piracy websites | Security Affairs
WASHINGTON (AP) — A ransomware attack paralyzed the networks of at least 200 U.S. companies on Friday, according to a cybersecurity researcher whose company was responding to the incident.
The REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack, said John Hammond of the security firm Huntress Labs. He said the criminals targeted a software supplier called Kaseya, using its network-management package as a conduit to spread the ransomware through cloud-service providers. Other researchers agreed with Hammond’s assessment.
“Kaseya handles large enterprise all the way to small businesses globally, so ultimately, (this) has the potential to spread to any size or scale business,” Hammond said in a direct message on Twitter. “This is a colossal and devastating supply chain attack.”
Such cyberattacks typically infiltrate widely used software and spread malware as it updates automatically.
It was not immediately clear how many Kaseya customers might be affected or who they might be. Kaseya urged customers in a statement on its website to immediately shut down servers running the affected software. It said the attack was limited to a “small number” of its customers.
Brett Callow, a ransomware expert at the cybersecurity firm Emsisoft, said he was unaware of any previous ransomware supply-chain attack on this scale. There have been others, but they were fairly minor, he said.
“This is SolarWinds with ransomware,” he said. He was referring to a Russian cyberespionage hacking campaign discovered in December that spread by infecting network management software to infiltrate U.S. federal agencies and scores of corporations.
Cybersecurity researcher Jake Williams, president of Rendition Infosec, said he was already working with six companies hit by the ransomware. It’s no accident that this happened before the Fourth of July weekend, when IT staffing is generally thin, he added.
“There’s zero doubt in my mind that the timing here was intentional,” he said.
Hammond of Huntress said he was aware of four managed-services providers — companies that host IT infrastructure for multiple customers — being hit by the ransomware, which encrypts networks until the victims pay off attackers. He said thousands of computers were hit.
“We currently have three Huntress partners who are impacted with roughly 200 businesses that have been encrypted,” Hammond said.
Hammond wrote on Twitter: “Based on everything we are seeing right now, we strongly believe this (is) REvil/Sodinokibi.” The FBI linked the same ransomware provider to a May attack on JBS SA, a major global meat processor.
The federal Cybersecurity and Infrastructure Security Agency said in a statement late Friday that it is closely monitoring the situation and working with the FBI to collect more information about its impact.
CISA urged anyone who might be affected to “follow Kaseya’s guidance to shut down VSA servers immediately.” Kaseya runs what’s called a virtual system administrator, or VSA, that’s used to remotely manage and monitor a customer’s network.
The privately held Kaseya says it is based in Dublin, Ireland, with a U.S. headquarters in Miami. The Miami Herald recently described it as “one of Miami’s oldest tech companies” in a report about its plans to hire as many as 500 workers by 2022 to staff a recently acquired cybersecurity platform.
Brian Honan, an Irish cybersecurity consultant, said by email Friday that “this is a classic supply chain attack where the criminals have compromised a trusted supplier of companies and have abused that trust to attack their customers.”
He said it can be difficult for smaller businesses to defend against this type of attack because they “rely on the security of their suppliers and the software those suppliers are using.”
The only good news, said Williams, of Rendition Infosec, is that “a lot of our customers don’t have Kaseya on every machine in their network,” making it harder for attackers to move across an organization’s computer systems.
That makes for an easier recovery, he said.
Active since April 2019, the group known as REvil provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion’s share of ransoms.
REvil is among ransomware gangs that steal data from targets before activating the ransomware, strengthening their extortion efforts. The average ransom payment to the group was about half a million dollars last year, said the Palo Alto Networks cybersecurity firm in a recent report.
Some cybersecurity experts predicted that it might be hard for the gang to handle the ransom negotiations, given the large number of victims — though the long U.S. holiday weekend might give it more time to start working through the list.
Ransomware hits hundreds of US companies, security firm says
Damn, if only there was a Security News thread for things like this...
Wonder if this will destroy Kaseya or make it stronger.
Solarwinds, though it's become a byword for supply chain attacks, doesn't appear to be struggling too much.
Update: "Kaseya Rules Out Supply-Chain Attack; Says VSA 0-Day Hit Its Customers Directly"
Kaseya Rules Out Supply-Chain Attack; Says VSA 0-Day Hit Its Customers Directly
D-Link has issued a firmware hotfix to address multiple vulnerabilities in the DIR-3040 AC3000-based wireless internet router.
Following successful exploitation, they can let attackers execute arbitrary code on unpatched routers, gain access to sensitive information or crash the routers after triggering a denial of service state.
The DIR-3040 security flaws discovered and reported by Cisco Talos security researcher Dave McDaniel include hardcoded passwords, command injection, and information disclosure bugs.
D-Link issues hotfix for hard-coded password router vulnerabilities
Chinky bastards at it again.
CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have observed increasingly sophisticated Chinese state-sponsored activity targeting U.S. political, economic, military, educational, and critical infrastructure personnel and organizations. In response:
- The White House has released a statement attributing recent Microsoft Exchange server exploitation activity to the People’s Republic of China (PRC).
- The Department of Justice has indicted four Chinese cyber actors from the advanced persistent threat (APT) group APT40 for malicious cyber activities, carried out on orders from PRC Ministry of State Security (MSS) Hainan State Security Department (HSSD). These activities resulted in the theft of trade secrets, intellectual property, and other high-value information from companies and organizations in the United States and abroad, as well as from multiple foreign governments.
- CISA and FBI have released Joint Cybersecurity Advisory: TTPs of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department to help network defenders identify and remediate APT40 intrusions and established footholds.
- CISA, NSA and FBI have released Joint Cybersecurity Advisory: Chinese Observed TTPs, which describes Chinese cyber threat behavior and trends and provides mitigations to help protect the Federal Government; state, local, tribal, and territorial governments; critical infrastructure, defense industrial base, and private industry organizations.
- CISA, NSA and FBI have released CISA Insights: Chinese Cyber Threat Overview for Leaders to help leaders understand this threat and how to reduce their organization's risk of falling victim to cyber espionage and data theft.
More printer vulnerabilities: "Hundreds of millions of HP, Xerox, and Samsung printers vulnerable to new bug."
Hundreds of millions of HP, Xerox, and Samsung printers vulnerable to new bug - The Record by Recorded Future
Well shit.
Two-for-Tuesday vulnerabilities send Windows and Linux users scrambling | Ars Technica
The world woke up on Tuesday to two new vulnerabilities—one in Windows and the other in Linux—that allow hackers with a toehold in a vulnerable system to bypass OS security restrictions and access sensitive resources.
As operating systems and applications become harder to hack, successful attacks typically require two or more vulnerabilities.
One vulnerability allows the attacker access to low-privileged OS resources, where code can be executed or sensitive data can be read.
A second vulnerability elevates that code execution or file access to OS resources reserved for password storage or other sensitive operations. The value of so-called local privilege escalation vulnerabilities, accordingly, has increased in recent years.
Chinky bastards at it again.
Chinese state hackers breached over a dozen US pipeline operators
Chinese state-sponsored attackers have breached 13 US oil and natural gas (ONG) pipeline companies between December 2011 and 2013 following a spear-phishing campaign targeting their employees.
The end goal of the attacks was to help China develop cyberattack capabilities that would allow future intrusions to physically damage targeted pipelines or disrupt US pipeline operations.
At this rate, one must assume that China/Russia/NK or whoever has accessed pretty much everything there is to access. I'm sure the things we hear about in the news are just the tip of the iceberg of what's actually known. And what's known but not revealed by companies and governments is probably only the tip of the iceberg on intrusions as a whole, most of which go undetected.
Everything that is easy to access.
Home and office routers come under attack by China state hackers, France warns | Ars Technica
China state hackers are compromising large numbers of home and office routers for use in a vast and ongoing attack against organizations in France, authorities from that country said.
If you are forced to use an ISP-supplied router to connect, then be sure to put your own router behind it for your local network.
StrongPity APT targets Android devices.
Researchers at Trend Micro say the StrongPity APT is developing and deploying Android backdoors for the first time. The threat actor is using compromised websites as watering-holes to trick users into installing malicious Android apps:
"There are no known public reports of StrongPity using malicious Android applications in their attacks at the time of writing. In order to strengthen our confidence in the accuracy of our attribution to StrongPity, we decided to further examine some of their samples that were used to target Microsoft Windows platforms and see if we could identify similar tools, tactics, and procedures (TTPs) in their actions.
"Just as we have seen with the Android apps, the StrongPity group favors repacking benign installers to produce trojanized versions of these applications. Likewise, the main function of these backdoors is to search, harvest, and exfiltrate files from the victim’s computers."
https://thecyberwire.com/newsletters...-briefing/3/30
China is changing the meaning of security as we know it. Instead of keeping information safe from 3rd parties, to China, security means making information easily accessible to government organs. At least that's how I interpret this activity.
Tencent suspends signups to WeChat, citing 'security upgrade' and need to comply with Chinese laws • The Register
Promises everything will be back to normal sometime in early August
Be careful with your Kindle and "free" ebooks. Attackers can now insert malware and take control of your Kindle and possibly Amazon account.
Amazon Kindle Hack Needs Just One Evil Ebook To Take Over Your Ereader—And Maybe Your Amazon Account Too
Your Amazon Kindle and your Amazon account could be hacked by just opening a single ebook, according to research published Friday as part of the DEF CON security conference taking place in Las Vegas this week.
Once the malicious book is opened, a remote hacker could delete all books on the device and could steal the authentication token used to get into an Amazon account, according to the proof of concept attack developed by researchers at Israel-based cybersecurity company Check Point. “Equipped with these tokens the attacker would now be able to access the victim's Amazon account and perform anything on his behalf,” said Yaniv Balmas, head of cyber research at Check Point. An attacker could have also used the Kindle as a launchpad for attacking other devices on a local WiFi network.
Actively exploited bug bypasses authentication on millions of routers
"Vulnerable devices include dozens of router models from multiple vendors and ISPs, including Asus, British Telecom, Deutsche Telekom, Orange, O2 (Telefonica), Verizon, Vodafone, Telstra, and Telus.
Based on the number of router models and the long list of vendors impacted by this bug, the total number of devices exposed to attacks likely reaches millions of routers."
Multiple Vulnerabilities in Buffalo and Arcadyan manufactured routers - Research Advisory | Tenable(R)