Cybersecurity News
- Thousands of VMware vCenter Server instances affected by two recently disclosed vulnerabilities remain publicly accessible on the Internet three weeks after the company urged organizations to patch immediately, citing their severity. The flaws, CVE-2021-21985 (remote code execution through the vSAN Health Check plug-in) and CVE-2021-21986 (an authentication bypass in vSphere Client plug-ins), give attackers a way to take complete control of systems running vCenter Server, the utility for centrally managing VMware vSphere virtual server environments.
- Researchers from Avast are warning of the rapid growth of the DirtyMoe botnet, which went from roughly 10,000 infected systems in 2020 to more than 100,000 in the first half of 2021. The researchers describe DirtyMoe as a complex piece of malware designed as a modular system.
- Mayur Fartade, an Indian security researcher, discovered an Instagram bug that allowed attackers to view selected media on the platform. By brute-forcing media IDs, an attacker could have accessed users' private images and also saved photographs, videos and metadata about specific media. Facebook patched the bug on April 29, and on June 15 Fartade was awarded $30,000 for reporting the vulnerability.
- Researchers have seen a new variant of the IcedID banking trojan arriving via two new spam campaigns. The English-language emails carry .ZIP files containing the malware, or links to such ZIP files. The new twist on the old banking trojan is a tweaked downloader, which the threat actors moved from the initial x86 build to an x86-64 build.
- MITRE releases D3FEND, a knowledge base of defensive cybersecurity techniques that complements the ATT&CK framework. The project, announced last week by the U.S. National Security Agency (NSA), which funds it, proposes a standard vocabulary for describing defensive countermeasures and maps them to the offensive techniques used by threat actors.
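The Instagram media-ID bug in the news list above is an instance of an insecure direct object reference (IDOR): the endpoint authenticated the caller but never checked whether that caller was allowed to see the particular object, so sequential IDs could simply be enumerated. The following is an added, constructed example, not Instagram's code or API; the data model, the follower graph, and the function names are assumptions. It shows the vulnerable lookup beside a hardened one that performs an object-level authorization check, plus the ID-walking routine an attacker would use against each.

```python
"""IDOR on sequential media IDs: vulnerable lookup vs. hardened lookup.

Constructed example (not Instagram's real API).  Media records are addressed by
a sequential integer ID, so an endpoint that skips the per-object authorization
check lets any authenticated user walk the whole ID space.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Media:
    media_id: int
    owner: str
    private: bool  # True when the owner's account is private (assumed model)
    url: str


# Constructed sample data: posts from one public and two private accounts.
MEDIA: Dict[int, Media] = {
    1001: Media(1001, "alice", False, "https://example.invalid/m/1001.jpg"),
    1002: Media(1002, "bob", True, "https://example.invalid/m/1002.jpg"),
    1003: Media(1003, "bob", True, "https://example.invalid/m/1003.mp4"),
    1004: Media(1004, "carol", True, "https://example.invalid/m/1004.jpg"),
}

# Constructed follower graph: who has been approved to see a private account.
FOLLOWERS: Dict[str, Set[str]] = {
    "bob": {"alice"},
    "carol": set(),
}


def get_media_vulnerable(requester: str, media_id: int) -> Optional[Media]:
    """Vulnerable: the caller is authenticated (we know who 'requester' is) but
    nothing checks whether this caller may view this object."""
    return MEDIA.get(media_id)


def can_view(requester: str, media: Media) -> bool:
    """Object-level authorization: public media is visible to everyone; private
    media only to its owner and the owner's approved followers."""
    if not media.private or requester == media.owner:
        return True
    return requester in FOLLOWERS.get(media.owner, set())


def get_media_fixed(requester: str, media_id: int) -> Optional[Media]:
    """Hardened: authorization is evaluated on every lookup.  'Missing' and
    'forbidden' both return None so the response does not confirm that a
    particular ID exists, which would otherwise still leak metadata."""
    media = MEDIA.get(media_id)
    if media is None or not can_view(requester, media):
        return None
    return media


def enumerate_ids(lookup: Callable[[str, int], Optional[Media]],
                  requester: str, start: int, stop: int) -> List[int]:
    """Brute-force a range of sequential media IDs, as the report describes,
    and return the IDs that 'lookup' hands back to 'requester'."""
    return [mid for mid in range(start, stop) if lookup(requester, mid) is not None]


if __name__ == "__main__":
    # 'mallory' follows nobody; the vulnerable endpoint still gives up every post.
    print("vulnerable:", enumerate_ids(get_media_vulnerable, "mallory", 1000, 1010))
    print("fixed:     ", enumerate_ids(get_media_fixed, "mallory", 1000, 1010))
```

Run as a script, the vulnerable lookup returns all four IDs to an unrelated user, while the hardened lookup returns only the public post. The point to carry into a code review is that authentication (who is calling) and authorization (may this caller see this object) are separate checks, and the second one must sit on every object fetch, not only on the listing endpoints the UI normally uses.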
Cybersecurity Blog Posts
- Active Directory (AD) is one of the most valuable targets for cyberattackers because it handles authentication and authorization across all enterprise resources and touches virtually everything on the network. Carolyn Crandall describes the top 8 ways cybercriminals attack AD.
- As more and more companies migrate their operations and workloads to the cloud, publicly open services just sitting out there are easy prey. The post on Imperva's blog presents Imperva Security Labs' findings on which public cloud services are exposed most frequently and suggests some best practices for securing them.
- Forcepoint's Michael Crouse talks about risk-adaptive data-protection approaches and how to develop a behavior-based approach to insider threats and risk, particularly with pandemic-expanded network perimeters.
- Software supply chain breaches are headline news right now, but the problem is not new. With application vulnerabilities piling up and the rate of breaches escalating, organizations need a programmatic way to secure their software supply chain, and fast. Joanne Godfrey suggests 8 questions to ask yourself when securing the software supply chain.
Research and Analytics
- Avast’s mobile threat team identified 2021’s biggest Android threats, and adware takes the cake. Analyzing all the threat intelligence they collected in the first five months of the year, Avast mobile threat researchers have been able to identify the greatest threats to Android devices in 2021. By a vast margin, the most common danger has been adware, making up 45% of the threats encountered so far this year.
- Fortinet specialists have published a threat report that dives into the inner workings of the Diavol ransomware and its possible attribution to the criminal group known as Wizard Spider.
- A home filled with smart devices could be exposed to more than 12,000 hacking or unknown scanning attempts from across the world in a single week, a new Which? investigation has found. The consumer group set up a test home in collaboration with NCC Group and the IoT malware specialists at the Global Cyber Alliance (GCA), and the scale of scanning and hacking activity against the devices was breathtaking.
- According to an IDC survey of 200 security decision makers, 98% of the companies surveyed had experienced at least one cloud data breach in the past 18 months, up from 79% last year. Meanwhile, 67% reported three or more such breaches, and 63% said they had sensitive data exposed.
- Security researchers at the Lookout Threat Lab have identified over 170 Android apps, including 25 on Google Play, that scam people interested in cryptocurrencies. According to the analysis, the apps defrauded more than 93,000 people and took at least $350,000 from users paying for the apps and buying additional fake upgrades and services.
- ReversingLabs experts describe the hidden risks behind off-the-shelf software supply chain components. They address the importance of validating third-party software components as a way to manage the risks they can introduce, and explain why some of these security risks can only be recognized by analyzing the final software product delivered to customers.
Major Cyber Incidents
- US water utility WSSC Water was hit by a ransomware attack that targeted a portion of its network running non-essential business systems. According to WJZ13 Baltimore, the company removed the malware just hours later and locked out the threat, but the attackers had already accessed internal files.
- Kaseya, an IT solutions developer for MSPs and enterprise clients, announced that it had become the victim of a cyberattack. Attackers carried out a supply chain ransomware attack by exploiting a vulnerability in Kaseya's VSA software against multiple managed service providers (MSPs) and, through them, their customers. The attack has been attributed to the REvil/Sodinokibi ransomware group, which claimed responsibility on its dark web leak site, "Happy Blog."
- Swedish supermarket chain Coop shut down approximately 500 stores after they were affected by the REvil ransomware attack delivered through Kaseya VSA, a remote patch management and monitoring suite, in the massive supply-chain attack on managed service providers (MSPs) and their customers.
- Russian government hackers breached the computer systems of the Republican National Committee last week, around the time a Russia-linked criminal group unleashed a massive ransomware attack. The government hackers were part of the group known as APT29 or Cozy Bear.
- GETTR, the new social media platform launched by Trump advisor Jason Miller, has been hacked, with details of over 90,000 users, including their locations, exposed. Users also cannot delete their accounts. The data, accessed by exploiting a poorly implemented API on GETTR, did not include password hashes or anything else usable to log into accounts, but it did include email addresses, usernames and, most worryingly, users' location data.
- American fashion brand and retailer Guess is notifying affected customers of a data breach following a February ransomware attack that led to data theft. According to the breach notifications, the information exposed in the attack includes personal and financial data. Guess has implemented additional measures to strengthen its security and is cooperating with law enforcement in an ongoing investigation. The DarkSide ransomware gang is believed to be behind the attack.