REvil Ransomware gang demands $50 million from Acer
Taiwanese computer maker Acer, the sixth-largest personal computer maker in the world, suffered a ransomware attack over the past weekend at the hands of the REvil ransomware gang, which is now demanding a $50 million ransom payment to decrypt the company’s computers and not leak its data on the dark web. The attack has not disrupted production systems but only hit the company’s back-office network. The security breach was not deemed disruptive enough to prevent or delay the computer maker from announcing its Q4 2020 financial results on Wednesday. Acer has a market share of roughly 6% of all global sales. The company reported a total revenue of roughly $3 billion in Q4 2020, hence the record-breaking ransom demand.
Feds indict hacktivist behind Verkada surveillance camera breach
The US has indicted a 21-year-old Swiss hacktivist on charges of computer fraud, wire fraud, and identity theft. Tillie Kottmann is the hacker who admits to being part of a group that breached Verkada last week, exposing security camera data and footage from hospitals, schools, bars, stores, and private companies, including Tesla and Cloudflare. However, this indictment predates the Verkada breach and focuses on Kottmann’s activities since 2019, including allegedly stealing or distributing proprietary data from Nissan Motor Co., Intel, and over a hundred others.
SolarWinds-linked hacking group SilverFish abuses enterprise victims for sandbox tests
Swiss cybersecurity firm Prodaft said on Thursday that SilverFish, an “extremely skilled” threat group, has been responsible for intrusions at over 4,700 private and government organizations, including US military contractors, a top COVID-19 testing kit manufacturer, aerospace and automotive giants, multiple police networks, European airport systems, and “dozens” of banking institutions in the US and Europe. The group uses enterprises actually affected by the SolarWinds compromise as guinea pigs, deploying a malware-detection sandbox inside their networks so it can test whether its malicious payloads are detected on victim servers before deploying them elsewhere.
DDoS booters now abuse DTLS servers to amplify attacks
DDoS-for-hire services are now actively abusing misconfigured or out-of-date Datagram Transport Layer Security (DTLS) servers for amplification. DTLS is a UDP-based version of the Transport Layer Security (TLS) protocol that prevents eavesdropping and tampering in delay-sensitive apps and services. Citrix experienced an attack in December when its technologies were exploited for this purpose, and the technique is now spreading among less sophisticated hackers. To mitigate such attacks, admins can either disable unnecessary DTLS services on Internet-exposed servers or enable the HelloVerifyRequest anti-spoofing mechanism, which removes the DTLS amplification vector by making the server answer an unverified ClientHello with a small cookie challenge instead of its full handshake flight.
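To show why the HelloVerifyRequest cookie exchange removes the amplification vector, here is an added illustration (not code from the article or from any real DTLS implementation) that models a DTLS server in Python with constructed message sizes, constructed addresses, and an assumed per-server cookie secret:

```python
import hmac
import hashlib

# Constructed sizes: a minimal DTLS ClientHello is a few dozen bytes, while the
# server's first flight (ServerHello + Certificate chain + ServerKeyExchange)
# can run to several kilobytes. That ratio is what a reflector abuses.
CLIENT_HELLO = b"CH:" + b"\x00" * 60           # constructed 63-byte ClientHello
SERVER_FLIGHT = b"SH+CERT:" + b"\xaa" * 3000   # constructed ~3 KB server flight
COOKIE_SECRET = b"rotate-me-regularly"         # assumed per-server cookie secret


def make_cookie(secret: bytes, client_addr: str, client_hello: bytes) -> bytes:
    """Stateless cookie bound to the (spoofable) source address, in the style
    RFC 6347 section 4.2.1 suggests: HMAC(secret, client address, ClientHello)."""
    msg = client_addr.encode() + client_hello
    return hmac.new(secret, msg, hashlib.sha256).digest()[:16]


def dtls_server(datagram: bytes, src_addr: str, verify_enabled: bool) -> bytes:
    """Answer one ClientHello datagram. With verification enabled, a source that
    has not echoed a valid cookie gets only a HelloVerifyRequest (about the size
    of the request). Only a client that can actually receive at src_addr can
    echo the cookie and obtain the large flight."""
    if not datagram.startswith(b"CH:"):
        return b""
    hello, _, cookie = datagram.partition(b"|cookie=")
    if verify_enabled:
        expected = make_cookie(COOKIE_SECRET, src_addr, hello)
        if not cookie or not hmac.compare_digest(cookie, expected):
            return b"HVR:" + expected          # small reply, no amplification
    return SERVER_FLIGHT


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes delivered to the source address per byte sent to the server."""
    return len(response) / len(request)


def spoofed_attack(victim_addr: str, verify_enabled: bool) -> float:
    """A bare ClientHello carrying the victim's address as its source; returns
    the amplification the victim would see from this one datagram."""
    resp = dtls_server(CLIENT_HELLO, victim_addr, verify_enabled)
    return amplification_factor(CLIENT_HELLO, resp)


def legitimate_handshake(client_addr: str) -> bytes:
    """A real client completes the cookie round trip and receives the flight."""
    hvr = dtls_server(CLIENT_HELLO, client_addr, True)
    cookie = hvr[len(b"HVR:"):]
    return dtls_server(CLIENT_HELLO + b"|cookie=" + cookie, client_addr, True)
```

With verification off the model server returns roughly 47 bytes for every byte received; with it on, a spoofed source gets back less than it sent, while a genuine client still completes the handshake.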
Thanks to our episode sponsor, Trend Micro
Microsoft halts rollout of Windows 10 emergency update
Following up on an ongoing story: as of Sunday, Microsoft has paused the rollout of the Windows 10 KB5001649 cumulative update due to installation issues and reported crashes, and is now offering the previously released KB5001567 emergency update instead. Both updates were meant to address ongoing printer-related crashes; to fix those issues, Microsoft released two out-of-band updates, KB5001567 on March 15 and KB5001649 on March 18. Microsoft has not provided any official reason for the pause, and the KB5001649 support bulletin has not been updated with any information as of this recording.
Microsoft Defender can now protect servers against ProxyLogon attacks
Microsoft announced this week that Defender Antivirus and System Center Endpoint Protection now provide automatic protection against attacks exploiting the recently disclosed ProxyLogon vulnerabilities in Microsoft Exchange. In an announcement released on March 18, the Microsoft Defender Team stated that customers with automatic updates turned on do not need to take any action; everyone else only needs to ensure they have installed the latest security intelligence update (build 1.333.747.0 or newer).
CISA releases CHIRP, a tool to detect SolarWinds malicious activity
The CISA Hunt and Incident Response Program (CHIRP) is a Python-based tool that detects malicious activity associated with the SolarWinds hackers in compromised on-premises enterprise Windows environments. Similar to the earlier-released Sparrow, which focused on Azure/Microsoft 365 environments, CHIRP scans for signs of APT compromise within an on-premises environment, examining Windows event logs, the Windows Registry, and Windows network artifacts, and applying YARA rules to detect malware, backdoors, or implants.
Victoria University of Wellington accidentally wipes files on all its desktop PCs
Last Friday, IT staff at the Victoria University of Wellington in New Zealand started a maintenance procedure aimed at reclaiming space on the university network. In theory it would remove only the profiles of students who no longer attend the university; instead, it deleted all the files stored on all of the university’s desktop computers. While items on network drives and in the cloud were still accessible, some PhD students, for example, had potentially lost a year’s worth of data because they kept files in a program stored solely on their desktop computer. For many others, their entire computer had been reset, eliminating apps and presenting a completely “clean” profile that looked factory new.