Cyber Security Headlines: Pwn2Own Toronto winners, EDR data wipers, MuddyWater’s new campaign

Pwn2Own Toronto 2022 nets almost $1M for 63 zero days

Pwn2Own Toronto 2022, a hacking competition put on by the Zero Day Initiative (ZDI), has wrapped for the year. A total of $989,750 was awarded. The event saw 63 unique zero-days, 66 entries, and 36 different teams representing 14 countries. In its closing announcement ZDI stated, “The Master of Pwn title came down to the wire, but the team from DEVCORE claimed their second title with winnings of $142,500 and 18.5 points.” Printers from Lexmark and Canon had the dubious honor of being the subject of three separate exploits.

(Security Affairs)

Antivirus and EDR solutions tricked into acting as data wipers

SafeBreach researcher Or Yair has found a way to “exploit the data deletion capabilities of endpoint detection and response (EDR) and antivirus (AV) software from Microsoft, SentinelOne, TrendMicro, Avast, and AVG to turn them into data wipers.” Yair’s scheme focuses on making attacks more stealthy while removing the requirement for a threat actor to be a privileged user. Yair also suggests that “abusing EDRs and AVs for data wiping is a good way to bypass security defenses as the file deletion capabilities of security solutions are expected behavior and would likely be missed.”

(Bleeping Computer)

Iran-linked MuddyWater APT launches new campaign

Deep Instinct’s Threat Research team has discovered a new campaign launched by the MuddyWater APT (aka SeedWorm, TEMP.Zagros, and Static Kitten) targeting numerous countries in the Middle East and Central Asia. The campaign, which started in September, differs from the group’s previous activity in its use of a new remote administration tool named “Syncro.” The group uses an HTML attachment as a lure and employs additional providers for hosting the archives containing the installers of the remote administration tool. HTML attachments are used because they are often not blocked by antivirus and email security solutions.

(Security Affairs)

More than 4,000 Pulse Connect Secure hosts exposed and vulnerable

Researchers at Censys examined the Internet-exposed footprint of Pulse Connect Secure, an SSL VPN appliance used by many remote and mobile users. Of the 30,266 installs they identified, 4,460 hosts are exposed to the Internet while lacking security patches.

(Security Affairs)

Thanks to this week’s episode sponsor, Fortra

The cybersecurity landscape is full of single-solution providers, making it easy for unexpected cyberthreats to sneak through the cracks. That’s why Fortra is creating a stronger, simpler strategy for protection. One that increases your security maturity while decreasing the operational burden that comes with it. Fortra’s integrated, scalable solutions help customers face their toughest challenges with confidence. Learn more at fortra.com

Healthcare organizations warned of Royal Ransomware attacks

A warning has been issued by the US Department of Health and Human Services (HHS) regarding ongoing Royal ransomware attacks. Unlike other ransomware families that use the ransomware-as-a-service (RaaS) business model, Royal is operated by a financially motivated private group, which likely consists of experienced actors from other groups. “The group makes ransom demands ranging from $250,000 to $2 million, and also steals victim data to engage in double-extortion tactics. After compromising a network, the group deploys specific post-exploitation tools to ensure a persistent foothold, and then deploys the Royal ransomware to encrypt the victim’s data.”

(Security Week)

TSA to expand facial recognition across America

America’s Transportation Security Administration (TSA) has been testing facial recognition software in 16 airports to automatically screen passengers flying across the country. It is now looking into rolling it out nationwide next year. According to The Register, “flyers will be able to pass through security checkpoints by scanning a copy of a government-issued ID, such as a driver’s license stored on their mobile phones, and standing in front of a camera system. The equipment will snap a live photo of their face and check whether it matches with the one captured on their ID.” It aims to reduce security screening wait times by automating the process so TSA agents do not need to manually check IDs. The pilot program tested the Credential Authentication Technology 2 (CAT-2) system.

(The Register)

Australia’s Telstra suffers privacy breach

Australia’s largest telecoms firm, Telstra Corp Ltd, said on Sunday that 132,000 customers were impacted by an internal error that led to disclosure of customer details. Telstra, which has 18.8 million customer accounts, equivalent to three-quarters of Australia’s population, said an internal review found the details were made publicly available due to “a misalignment of databases.” Telstra chief financial officer Michael Ackland said in a statement that no cyber activity was involved.

(Reuters)

Last week in ransomware

Last week, Rackspace suffered a massive outage on their hosted Microsoft Exchange environment, preventing customers from accessing their emails. On Tuesday, they finally confirmed that a ransomware attack caused the outage. An attack against New Zealand MSP Mercury IT has led to a series of outages for its customers, many of which are local governments in the country. A ransomware attack on the André-Mignot teaching hospital in Paris has also led to significant disruption, causing some patients to be rerouted to other hospitals. Brian Krebs had a very interesting report on new tactics used by the Venus and Clop ransomware gangs to breach networks and convince victims to pay.

(Bleeping Computer)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.