
Cyber Security Headlines – July 7, 2021

Kaseya patches imminent after zero-day exploits

The worldwide attacks on the Kaseya Virtual System/Server Administrator (VSA) platform by the REvil ransomware gang turn out to be the result of exploits for at least one zero-day security vulnerability, and the company is swinging into full mitigation mode, with patches for the on-premises version coming soon, likely today or Thursday, the company said. “The VSA server is used to manage large fleets of computers and is normally used by MSPs to manage all their clients,” explained researchers at TruSec. Kaseya has stated that while customers wait for patches, all on-premises VSA servers should continue to remain offline until they receive further instructions from Kaseya about when it is safe to restore operations, as a patch will be required to be installed prior to restarting the VSA. They add, “customers who experienced ransomware and receive communication from the attackers should not click on any links as they may be weaponized.” 


REvil lowers ransom for universal decryptor

REvil has lowered its asking price for a universal decryptor for victims of the Kaseya attack from $70 million to $50 million. According to researcher Jack Cable, this may be a sign of desperation from the gang as a result of few victims being willing or able to pay. This, he says, would also explain why the gang is now allowing payment in Bitcoin in addition to Monero; Cable points out that Bitcoin is easier to track. According to Threatpost, some impacted companies are already turning to individual negotiations with REvil, with some ransoms being negotiated down from $500,000 to less than $50,000.

(Threatpost and Jack Cable via Twitter)

Researchers find new ransomware variant “Diavol”

Security researchers from Fortinet discovered a new ransomware dubbed Diavol that has been targeting organizations globally since June 2021. While it appears to be a new ransomware threat as opposed to a variant, the researchers have identified code fingerprints pointing to Wizard Spider, a Russia-based cybercriminal group that operates the Trickbot botnet. Diavol leverages Asynchronous Procedure Calls (APCs) with a unique encryption procedure, dropping a ransom note in every folder it encrypts. While Diavol does not use any tactics to evade security detections, researchers found an anti-analysis technique used by the group to disguise its code.


Pentagon cancels $10 billion JEDI cloud contract that Amazon and Microsoft were fighting over

The Department of Defense announced Tuesday it’s calling off the $10 billion Joint Enterprise Defense Infrastructure cloud contract that was the subject of a legal battle involving Amazon and Microsoft. In a press release sent yesterday, the Pentagon said that “due to evolving requirements, increased cloud conversancy, and industry advances, the JEDI Cloud contract no longer meets its needs.” The Pentagon did say however that it still needs enterprise-scale cloud capability and announced a new multi-vendor contract known as the Joint Warfighter Cloud Capability. It plans to solicit proposals from both Amazon and Microsoft for this contract, adding that they are the only cloud service providers that can meet its needs, but said further it will continue to do market research to see if others could also meet its specifications.


Thanks to our episode sponsor, Viakoo

Did you know IP cameras are responsible for 1/3rd of all IoT cyber breaches? And that 7 out of 10 cameras are running out of date firmware? Viakoo has proven solutions to automate cyber hygiene on cameras and other IoT devices. Sign up for a personalized demo at Viakoo.com. And come visit us at Black Hat this year.

Audacity denies spyware accusation

Following up on a story we brought you yesterday, audio editing software Audacity has denied accusations that its new privacy policy has transformed it into “possible spyware”. Its updated policy says data can be shared with its Russia-based infrastructure company, WSM, as well as regional law enforcement, but it says also that the only data it exchanges with its users is software updates and error reports. And while European user data is stored in Europe, it may “occasionally” share data with its headquarters in Russia in order to monitor “signs of potential distributed-denial-of-service (DDOS).”

(BBC News)

Microsoft 365 to let SecOps lock hacked Active Directory accounts

Microsoft is updating Microsoft Defender for Identity (previously known as Azure Advanced Threat Protection or Azure ATP) to allow security operations teams to block attacks by locking a compromised user’s Active Directory account. After adding what the company named “native ‘response’ actions” to Defender for Identity, “SecOps will have the ability to not only lock the Active Directory account, but also prompt for the password to be reset, meaning more direct action can be taken when a user is compromised.”

(Bleeping Computer)

Facebook partners with Liquid to extend Africa fiber network

Facebook Inc. and Africa’s largest fiber company, Liquid Intelligent Technologies, are extending their reach on the continent by laying 1,243 miles of fiber in the Democratic Republic of Congo. The move will make Facebook one of the biggest investors in fiber networks in the region. The cable will eventually extend the reach of 2Africa, a major sub-sea line that has also been co-developed by Facebook, the two companies said in a statement Monday. Facebook switched to a predominantly fiber strategy following the failed launch of a satellite to beam signal around the continent in 2016. The build will put 5,000 people to work on the project, the companies said.


Interpol arrests Moroccan hacker

A two-year investigation has successfully apprehended a threat actor, a Moroccan citizen nicknamed Dr HeX, who is allegedly responsible for targeting thousands of victims over several years and staging malware attacks on telecom companies, major banks, and multinational corporations in France as part of a global phishing and credit card fraud scheme. At least three different phishing kits presumably developed by the threat actor have been extracted, kits that were also sold to other individuals through online forums to allow them to facilitate similar malicious campaigns against victims. His arrest ends a crime spree that started in 2009.

(The Hacker News)
