Cyber Security Headlines – September 24, 2021

Second farming cooperative shut down by ransomware this week

Crystal Valley, a Minnesota-based farming cooperative, has been hit by a ransomware attack by an unknown threat actor. The company confirmed in a statement on Thursday that the cyberattack forced it to shut down its payment systems. Crystal Valley is the second agriculture business to be hit with ransomware this week, after Iowa-based grain cooperative NEW Cooperative Inc. was struck by BlackMatter ransomware, with the threat actors demanding a payment of $5.9 million.

(Security Magazine)

Canadian VoIP provider battles massive DDoS attack

Canada-based VoIP company VoIP.ms continues to battle a massive, week-long distributed denial-of-service (DDoS) attack that began on September 16. The company, which provides internet telephony services to 80,000 customers in 125 countries, told its customers on Twitter, “We continue to work full-on re-establishing all of our services so we can have you connected.” The attack also affected its Domain Name System (DNS) infrastructure, and the company’s website remains difficult to reach. In an update on Wednesday, VoIP.ms apologized to customers and confirmed it was still being targeted by what it described as a ‘ransom DDoS attack’.

(ZDNet)

REvil double-crosses ransomware affiliates using sneaky backdoor tactics

New reports confirm that the REvil ransomware-as-a-service (RaaS) operation has been scamming its own affiliates out of ransom payments. In REvil’s model, the developers create the malware and maintain the underlying infrastructure, then recruit affiliates to attack victims, dividing the proceeds between the two parties with affiliates taking the larger cut (typically 70-80%). Yelisey Boguslavskiy, head of research at Advanced Intel, said that when talks reached a critical point, REvil would use a backdoor in its software to take over the negotiation chat, posing as the victim and refusing to pay so that the affiliate believed the deal had collapsed, while continuing to negotiate with the real victim to collect the full ransom. Boguslavskiy added that claims of this scam have circulated on underground forums since at least 2020.

(Bleeping Computer)

Bug in Microsoft Exchange Autodiscover leaks credentials of companies across the globe

Security researchers from Guardicore disclosed a design flaw in the Microsoft Exchange Autodiscover protocol that can be abused to harvest Windows domain and application credentials from users worldwide. Autodiscover lets an Exchange client configure itself with minimal user input by probing a sequence of candidate URLs derived from the user’s email domain, such as autodiscover.example.com and example.com. When those fail, a ‘back-off’ step strips the domain down and tries autodiscover.<top-level domain> (autodiscover.com for a user at example.com), and the client sends that request with an Authorization header already populated with the user’s credentials, so whoever owns the fallback domain receives them. By registering a number of such Autodiscover domains, Guardicore researchers captured over 372,000 Windows domain credentials and roughly 96,000 unique credentials from applications such as Microsoft Outlook at organizations worldwide. Guardicore shared its findings with Microsoft, which said it is investigating and will take appropriate steps to protect its customers.
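The back-off behaviour described above, as an added example that is not Guardicore’s or Microsoft’s code: a simplified model of the candidate-URL sequence, a check for which candidates fall outside domains the organisation controls, a decoder showing what a rogue Autodiscover host receives from a Basic Authorization header, and a detection pass over constructed proxy-log lines. The URL order is reduced to the pattern that matters here (real clients also consult SCP, SRV records and HTTP redirects), and the log format, owned-domain list and credentials are all assumptions constructed for the example.

```python
import base64
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def autodiscover_candidates(email):
    """Candidate URLs in the order a client would try them (simplified model).

    First the user's own domain, then the 'back-off' step: the leftmost
    label is dropped and autodiscover.<remaining domain> is tried again,
    until only the top-level domain is left (autodiscover.com for a
    user at example.com).
    """
    domain = email.rpartition("@")[2].lower().rstrip(".")
    if not domain or "." not in domain:
        raise ValueError("expected an address like user@host.tld")
    labels = domain.split(".")
    hosts = ["autodiscover." + domain, domain]
    hosts += ["autodiscover." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return [f"{scheme}://{host}{AUTODISCOVER_PATH}"
            for host in hosts for scheme in ("https", "http")]


def is_owned(host, owned_domains):
    """True if host is one of the organisation's domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in owned_domains)


def external_candidates(email, owned_domains):
    """Candidate URLs whose host the organisation does not control.

    Each of these is a name a third party could register and thereby
    receive the Authorization header the client sends.
    """
    owned = {d.lower().lstrip(".") for d in owned_domains}
    return [u for u in autodiscover_candidates(email)
            if not is_owned(urlsplit(u).hostname, owned)]


def credentials_from_basic_header(value):
    """Decode an 'Authorization: Basic ...' value as a rogue host would see it."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    decoded = base64.b64decode(token).decode("utf-8", "replace")
    user, _, password = decoded.partition(":")
    return user, password


def suspicious_autodiscover_requests(log_text, owned_domains):
    """Flag Autodiscover requests to hosts outside the owned domains.

    Expects constructed proxy-log lines of the form
    '<timestamp> <client-ip> <method> <url> <status>' (an assumed format).
    """
    owned = {d.lower().lstrip(".") for d in owned_domains}
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        parts = urlsplit(fields[3])
        if parts.path.lower() != AUTODISCOVER_PATH or parts.hostname is None:
            continue
        if not is_owned(parts.hostname, owned):
            hits.append((fields[1], parts.hostname))
    return hits


# Constructed sample data for the example (not captured traffic).
SAMPLE_BASIC_HEADER = "Basic " + base64.b64encode(b"CORP\\alice:Winter2021!").decode()
SAMPLE_PROXY_LOG = """\
2021-09-22T10:01:02Z 10.0.0.5 GET https://autodiscover.example.com/autodiscover/autodiscover.xml 401
2021-09-22T10:01:03Z 10.0.0.5 GET https://example.com/autodiscover/autodiscover.xml 404
2021-09-22T10:01:04Z 10.0.0.5 GET http://autodiscover.com/autodiscover/autodiscover.xml 401
"""

if __name__ == "__main__":
    for url in external_candidates("alice@corp.example.co.uk", ["example.co.uk"]):
        print("leaks outside the org:", url)
    print("rogue host would see:", credentials_from_basic_header(SAMPLE_BASIC_HEADER))
    print("proxy hits:", suspicious_autodiscover_requests(SAMPLE_PROXY_LOG, ["example.com"]))
```

The practical check is the third function: any client inside the network requesting the Autodiscover path from a host that is not yours is either misconfigured or leaking, and blocking autodiscover.<tld> names at the proxy or DNS resolver removes the fallback target regardless of which client is doing the probing.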

(Security Affairs)

Thanks to our episode sponsor, Kanu Solutions

Over the next few weeks Kanu Solutions is offering a series of educational sessions on a variety of topics in security, such as endpoints, networks, privileged access management, Internet of things, and governance, risk management and compliance, or GRC. Attend these sessions to get some savvy education from the security experts at Kanu Solutions. You could also get a twenty dollar UberEats Gift Card just for attending. You can participate in Kanu Solutions’ Lunch-n-Learn by registering at kanusolutions.com/events.

Apple patches new zero-day bug used to hack iPhones and Macs

Apple has released security updates to fix a zero-day vulnerability exploited in the wild by attackers to hack into iPhones and Macs running older iOS and macOS versions. The zero-day patched on Thursday, tracked as CVE-2021-30869, was found in the XNU operating system kernel; successful exploitation leads to arbitrary code execution with kernel privileges on affected devices. The list of vulnerable Apple devices includes iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation) running iOS 12.5.5, as well as Macs covered by Security Update 2021-006 Catalina.

(Bleeping Computer)

Hacking group targets hotels and high profile targets

Slovak internet security firm ESET has identified a hacking group, dubbed “FamousSparrow,” that has targeted hotels worldwide, as well as some higher-profile companies, since at least 2019. The group breaks in through Internet-exposed web applications, using remote code execution vulnerabilities in Microsoft SharePoint, the Oracle Opera hotel management software, and the Microsoft Exchange flaws known as ProxyLogon. It then deploys custom tools such as a Mimikatz variant and a signature backdoor known as “SparrowDoor.” ESET noted that FamousSparrow likely used its access to compromised hotel systems for espionage, including tracking high-profile targets. ESET added, “This is another reminder that it is critical to patch internet-facing applications quickly, or, if quick patching is not possible, to not expose them to the internet at all.”

(Bleeping Computer)

New Windows bug could let hackers easily install a rootkit

Security researchers from Eclypsium have disclosed an unpatched weakness in the Windows Platform Binary Table (WPBT), the ACPI table through which firmware hands Windows a binary to execute during boot, affecting all Windows-based devices since Windows 8. Eclypsium found that Windows will run a WPBT binary signed with an expired or revoked certificate, so anyone who can write that table can have their code executed with high privileges at every boot, in effect installing a rootkit and compromising the integrity of the device. The researchers noted that the table can be written by an attacker with direct physical access, via remote access, through a supply-chain compromise, or by abusing services that have access to WPBT. In response to the findings, Microsoft has recommended using a Windows Defender Application Control (WDAC) policy to tightly control which binaries are permitted to run on the device.

(The Hacker News)

Indian orgs attribute cyberattacks to vulns in pandemic tech deployments

The cyber firm Tenable published a global study in which 71% of organizations in India attributed recent business-impacting cyberattacks on the remote workforce to vulnerabilities in technology deployed during the pandemic. In the past year, 88% of Indian organizations experienced a business-impacting cyberattack, with 56% of respondents indicating that the attacks targeted remote workers. The study showed that over half of security and business leaders are concerned about the security of employee home networks and personal devices, lack of visibility into employee security practices, and inadequate staff to monitor the attack surface. In response, Indian security leaders plan to increase cybersecurity investment in vulnerability management, cloud infrastructure and platforms, and identity and access management. Nathan Wenzler, Tenable Chief Security Strategist, said, “The responses we got from the Indian audience are very much in line with what we saw overall. So, I don’t think we see India as being an outlier.”

(CISO MAG)

Sean Kelly
Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.