Welcome to CyberIntelMag’s weekly roundup! A place where you can find the most important stories in the cybersecurity world from the past week.
From the good news:
This week we learned that the largest ransomware attack ever is also surprisingly ineffective, that the US has promised to take on Russian hackers, and more.
- New evidence suggests the REvil gang failed to fully encrypt victims' data, and as a result victims are not paying ransoms. Emsisoft's CTO said a REvil affiliate tried to delete victims' backup folders but was unsuccessful, leaving many victims able to restore from backup instead.
- CISA and FBI have published guidance for managed service providers (MSPs) impacted by the REvil supply-chain ransomware attack on Kaseya. They advise various mitigations and checking systems for traces of compromise using a detection tool provided by Kaseya.
- The US Secretary of State said the US will take action against Russian cybercriminal groups if Russia does not. The White House will hold another meeting with Russian officials next week to discuss ransomware attacks.
- Interpol has apprehended Dr HeX, a hacker behind attacks on thousands of individuals, telecom companies, major banks and multinational corporations in France over the past several years. Active since 2009, Dr HeX engaged in phishing, website defacement, malware development, carding and fraud.
From the bad news:
This week brought new details about the Kaseya attack, a new Lazarus campaign, new spear-phishing campaigns, Microsoft's troubles with the Print Spooler vulnerability, and other important stories you can't miss.
- Dutch researchers shed new light on the Kaseya vulnerabilities, namely the authentication bypass flaw that REvil exploited on July 2 to conduct the largest ransomware attack to date. The new information raises the possibility that a leak in the confidential bug disclosure process allowed the attackers to exploit the vulnerabilities in Kaseya's platform before a fix shipped.
- In a new campaign, the North Korean Lazarus APT impersonates Airbus, General Motors and Rheinmetall. Attackers lure victims into downloading malware with fake documents made to look like they belong to those manufacturers.
- Intezer described a spear-phishing campaign targeting the energy sector in which attackers are using social engineering techniques to spread Agent Tesla and other RATs. The attackers use common malware families, which makes attribution of this campaign to a particular threat group difficult.
- Microsoft raised the severity of the Print Spooler vulnerability (CVE-2021-34527, "PrintNightmare") from low to critical after a proof-of-concept (PoC) exploit was published on GitHub. Microsoft released a patch for the flaw, which many researchers found could be bypassed; Microsoft later said the updates do patch the vulnerability when its published mitigation guidance is followed. Until you have verified the fix, the safest option remains to stop and disable the Print Spooler service on every host that does not need to print.
- Morgan Stanley said its customers’ personal information was stolen after a hacker breached an Accellion FTA server of its third-party vendor Guidehouse in January.
- Comparis, a Swiss price-comparison site, said it had filed a criminal complaint after a ransomware attack on Wednesday blocked some of its systems. It is not clear whether the incident is linked to the ransomware attack on Kaseya that affected hundreds of businesses globally.
- New phishing campaigns launched this week are trying to capitalize on the widely covered REvil ransomware attack that hit Kaseya and over 1,500 businesses. In one campaign reported by Malwarebytes, attackers target Kaseya customers with a Cobalt Strike payload.
- According to a study by KELA, lone-wolf hackers have almost completely disappeared due to the rise of the criminal ransomware industry. The potential financial gain from companies wanting to unlock their systems has raised demand for extortion specialists and for individuals who handle the negotiation part of an attack.
- Recorded Future said a suspected Chinese state-backed hacker group is targeting telecommunications organizations in Taiwan, Nepal, and the Philippines. “In recent years, Chinese groups have targeted multiple organizations across Taiwan’s semiconductor industry to obtain source code, software development kits, and chip designs,” researchers said.
- Researchers said scammers are increasingly targeting live chat support agents by posing as customers and tricking them into opening infected documents.
- Russian state-backed hackers were able to access the Republican National Committee's servers last week. Anonymous sources told Bloomberg the hackers were part of the group known as APT 29 or Cozy Bear.
- Poland's counter-intelligence service said Russian hackers breached several MPs' email accounts, two weeks after Polish authorities revealed a massive cyberattack that affected over 100 officials' email accounts. The Kremlin has denied carrying out these cyberattacks.
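For the Print Spooler item above, the check a Windows administrator would actually run while the status of the CVE-2021-34527 patch was in dispute is below. This is an added example written for this roundup, not code from Microsoft or from any of the sources cited; it audits the Spooler service and the two Point and Print registry values that Microsoft's published mitigation guidance says must be 0 or absent for the July 2021 fix to be effective (treat those value names as an assumption and confirm them against the current advisory), and with `-Disable` it stops and disables the service. Do not run the disable step on print servers.

```powershell
# Added example, not from the original article or from Microsoft.
# Audit (and optionally disable) the Windows Print Spooler as a
# CVE-2021-34527 (PrintNightmare) workaround. Run from an elevated
# PowerShell 5.1+ session:
#   .\Check-Spooler.ps1             # report only
#   .\Check-Spooler.ps1 -Disable    # also stop and disable the service
#   .\Check-Spooler.ps1 -Disable -WhatIf
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Disable   # without this switch the script only reports
)

$svc = Get-Service -Name Spooler -ErrorAction Stop
Write-Host ("Print Spooler: Status={0} StartType={1}" -f $svc.Status, $svc.StartType)

# Point and Print values that, when set to 1, allow non-admin driver
# installs and weaken the July 2021 patch. Assumption: names taken from
# Microsoft's mitigation guidance for this CVE; verify against the advisory.
$ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $val = (Get-ItemProperty -Path $ppKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $val -or $val -eq 0) {
        $shown = if ($null -eq $val) { 'not set' } else { $val }
        Write-Host "OK      $name is $shown"
    } else {
        Write-Warning "$name = $val weakens the patch; set it to 0 or remove it"
    }
}

if ($Disable) {
    if ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled') {
        Write-Host 'Print Spooler is already stopped and disabled.'
    } elseif ($PSCmdlet.ShouldProcess('Spooler', 'Stop service and set StartupType=Disabled')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        Write-Host 'Print Spooler stopped and disabled.'
    }
} elseif ($svc.Status -ne 'Stopped') {
    Write-Warning 'Spooler is running; rerun with -Disable on hosts that do not need to print.'
}
```

`Get-Service` exposes `StartType` from PowerShell 5.0 onward; on older hosts replace that property with a `Get-CimInstance Win32_Service` lookup. The `-WhatIf` support comes from `SupportsShouldProcess`, so the disable step can be rehearsed across a fleet before it is enforced.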