Kaseya says up to 1,500 businesses compromised in massive ransomware attack
https://www.cnn.com/2021/07/06/tech/kaseya-ransomware-attack-businesses-affected/index.html
(CNN Business) Software vendor Kaseya says that between 800 and 1,500 businesses have been compromised by the recent ransomware attack that has ricocheted around the world.
Kaseya said in a statement on Monday that approximately 50 of its direct customers were breached in the attack that began to unfold on Friday. But hundreds more companies were affected because many of Kaseya's customers provide IT services to small businesses such as restaurants and accounting firms.
"Our global teams are working around the clock to get our customers back up and running," Kaseya CEO Fred Voccola said in the statement. "We understand that every second they are shut down, it impacts their livelihood, which is why we're working feverishly to get this resolved."
Kaseya said that it has met with US government agencies including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA). It said it had also engaged with the White House and cybersecurity firm FireEye Mandiant.
The White House on Sunday urged companies who believe their systems were compromised in the ransomware attack that targeted Kaseya to immediately report it to the Internet Crime Complaint Center.
Kaseya said that it had discussed "systems and network hardening requirements prior to service restoration" with the FBI and CISA. The company said that "a set of requirements" will be posted "to give our customers time to put these counter measures in place in anticipation of a return to service on July 6."
-
-
Owners of the My Book Live and My Book Live Duo storage devices whose data was deleted as a result of a security hole now have a chance to have it recovered free of charge. -
Trustwave said the ransomware "avoids systems that have default languages from what was the USSR region."
Brian Krebs noted that ransomware by DarkSide, the Russia-based group that attacked Colonial Pipeline in May, "has a hard-coded do-not-install list of countries," including Russia and former Soviet satellites.
https://www.nbcnews.com/politics/na...ten-avoid-computers-use-russian-says-n1273222 -
-
"Fake Windows 11 installers now used to infect you with malware"
- Scammers are already taking advantage of the hype surrounding Microsoft's next Windows release to push fake Windows 11 installers riddled with malware, adware, and other malicious tools.
https://www.bleepingcomputer.com/ne...stallers-now-used-to-infect-you-with-malware/
As if installing the official (non-fake) Windows 11 wasn't bad enough!! -
NortonLifeLock is merging with Avast, which already owned AVG. Add this to Norton’s Purchase of Avira in 2020, and it looks like consolidation is running rampant. How worried should we be that the days of free antivirus are numbered?
What Do Competitors Think?
I sent out queries to Norton’s biggest competitors asking for comment on the coming merger. Not surprisingly, almost all of them cited company policy against commenting on mergers and acquisitions. Marcin Kleczynski, CEO of Malwarebytes, was a rare exception.
“Consolidation in cybersecurity is natural, but not necessarily healthy for the industry or the end users,” said Kleczynski. “The competition that exists in a diverse market landscape drives innovation and benefits all end users. The concern as large players like Norton begin to acquire free solutions is that truly free solutions may evaporate and many vulnerable populations will be forced to pay—or be left at the mercy of cybercriminals. This is why we always have offered a free solution for consumers.”
Indeed, Malwarebytes Free is very popular as a cleanup tool after a malware attack. I’ve even had tech support agents from other security companies recommend it. But the free Malwarebytes product is not a full-fledged antivirus system, because it doesn’t include a real-time component to protect against future infestations.
-
Millions of people on no-fly and terror watchlists exposed
https://www.bleepingcomputer.com/ne...chlist-with-2-million-records-exposed-online/
T-Mobile confirms a breach after threat actors claimed to have obtained records of 100 million of its customers
https://securityaffairs.co/wordpress/121205/data-breach/t-mobile-confirms-data-breach.html -
Want Admin Privileges on Windows 10? Just Plug in a Razer Keyboard or Mouse pcmag.com
Razer has now publicly responded to news of this vulnerability, with a spokesperson explaining:
"We were made aware of a situation in which our software, in a very specific use case, provides a user with broader access to their machine during the installation process.
We have investigated the issue, are currently making changes to the installation application to limit this use case, and will release an updated version shortly. The use of our software (including the installation application) does not provide unauthorized third-party access to the machine.
We are committed to ensuring the digital safety and security of all our systems and services, and should you come across any potential lapses, we encourage you to report them through our bug bounty service, Inspectiv: https://app.inspectiv.com/#/sign-up."
Original Story:
Hardware company Razer is currently offering an easy way for anyone with physical access to a Windows 10 machine to gain admin privileges: Plug in a keyboard or mouse.
As BleepingComputer reports, a security researcher who goes by the name jonhat on Twitter discovered a zero-day vulnerability made possible by Razer's peripherals. The vulnerability was disclosed to Razer, but the company didn't respond, so jonhat decided to go public and posted a video of the privilege escalation being carried out. You can see it in the tweet below, or watch a higher quality version on Streamable.
SteelSeries bug gives Windows 10 admin rights by plugging in a device bleepingcomputer.com | Today
The discovery comes after news broke over the weekend that the Razer Synapse software can be used to gain elevated privileges when connecting a Razer mouse or keyboard.
-----------------------------------------------------------------
Hundreds of thousands of home Wi-Fi routers under attack — what to do tomsguide.com | Aug 24, 2021
Chipset flaws dating back many years permit remote takeover
Serious flaws have been found in hundreds of different models of home networking devices made and sold by at least 65 different companies, and cybercriminals are already attacking them. We've got a list of the vulnerable devices at the end of this page.
----------------------------------------------------------------
Edit. Aug 30,2021
PERIPHERALS FROM RAZER & ASUS, UPDATE 2: Driver installation grants admin rights
The automatic driver installation via Windows Update allows attackers to gain admin rights with products from Razer and Asus.
Update 08/30/2021 9:10 am
Asus has also investigated the problem. In its statement sent to ComputerBase, the company rules out the possibility of the Armory Crate software granting its users administration rights during installation. In addition, an email address is given to which security gaps can be reported.
We are aware of a few online articles claiming a potential security issue concerning ASUS Armory Crate.
We would like to clarify that ASUS Armory Crate does not grant normal users System Admin permissions during the installation process.
We take digital security and safety very seriously, and encourage users who encounter such issues to report it to the ASUS Customer Service team at [email protected]
-
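Both the Razer post above and the Razer/Asus ComputerBase item share one root cause: when a device is plugged in, Plug and Play may fetch the vendor's driver package (including any bundled installer) from Windows Update and run it as SYSTEM. The following PowerShell is an added example by the editor, not code from the articles or from Razer/Asus. It audits, and with -Harden sets, the Group Policy registry values that stop that download path. The policy value names and locations (DriverSearching\SearchOrderConfig, Device Metadata\PreventDeviceMetadataFromNetwork, WindowsUpdate\ExcludeWUDriversInQualityUpdate) are assumed from Microsoft's administrative templates; run it elevated.

```powershell
# Added example, not from the page: audit (and optionally set) the policies that stop Windows
# from downloading and running vendor driver/co-installer packages from Windows Update when a
# device is plugged in. Policy names and locations are assumed from Microsoft's GP templates.
# Caveat: SearchOrderConfig=0 also blocks legitimate driver updates delivered via Windows Update.
param([switch]$Harden)

$policies = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverSearching'
       Name = 'SearchOrderConfig'; Want = 0
       Note = 'Specify search order for device driver source locations (0 = do not search Windows Update)' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata'
       Name = 'PreventDeviceMetadataFromNetwork'; Want = 1
       Note = 'Prevent device metadata retrieval from the Internet' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
       Name = 'ExcludeWUDriversInQualityUpdate'; Want = 1
       Note = 'Do not include drivers with Windows Updates' }
)

foreach ($p in $policies) {
    $current = $null
    if (Test-Path $p.Path) {
        $current = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    }
    $ok = ($current -eq $p.Want)
    $shown = if ($null -eq $current) { 'not set' } else { $current }
    '{0,-6} {1}\{2} = {3}  ({4})' -f ($(if ($ok) { 'OK' } else { 'WEAK' }), $p.Path, $p.Name, $shown, $p.Note)

    if ($Harden -and -not $ok) {
        # Create the policy key if Group Policy has never written it, then set the DWORD.
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        New-ItemProperty -Path $p.Path -Name $p.Name -PropertyType DWord -Value $p.Want -Force | Out-Null
        "       -> set to $($p.Want)"
    }
}
```

Run without switches first to see which values are unset; "not set" means Windows uses its default, which searches Windows Update. Hardening these values is a trade-off: it also stops the driver updates you actually want from Windows Update, so in a managed fleet pair it with your own driver distribution rather than applying it blindly.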
Cyberhack Hides Malicious Code in Your Graphics Card's VRAM
By Aleksandar Kostovic
Undetectable by antivirus -
Office 365 Users Are Being Targeted By This Highly Sophisticated Zero-Day Security Threat hothardware.com
Security researchers say they discovered and reported to Microsoft a "highly sophisticated" zero-day attack vector in Windows that targets Office 365 and Office 2019 users. In some cases, simply opening an infected document would be enough to compromise a PC. Furthermore, there does not yet exist a patch, though one... Read more... -
-
Threat actors are sharing Windows MSHTML zero-day (CVE-2021-40444) tutorials and exploits on hacking forums, allowing other hackers to start exploiting the new vulnerability in their own attacks.
Last Tuesday, Microsoft disclosed a new zero-day vulnerability in Windows MSHTML that allows threat actors to create malicious documents, including Office and RTF docs, to execute commands on a victim's computer remotely.
Even though there are no security updates available for the CVE-2021-40444 vulnerability, as it was discovered used in active attacks by EXPMON and Mandiant, Microsoft decided to disclose the vulnerability and provide mitigations to help prevent its exploitation.
These mitigations work by blocking ActiveX controls and Word/RTF document previews in Windows Explorer.
However, researchers have been able to modify the exploit not to use ActiveX, effectively bypassing Microsoft's mitigations. -
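For anyone who wants to see what "blocking ActiveX controls" concretely means on a box, here is an added example by the editor, not code from the article or from Microsoft's advisory text. It applies and verifies the ActiveX part of the published CVE-2021-40444 workaround: setting URLACTION 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls) to 3 (disable) in Internet Explorer zones 0 through 3 under the Policies hive, which is what MSHTML consults when it renders the malicious document. The registry location and action codes are assumed from that advisory; run elevated, and pass -Apply to write the values.

```powershell
# Added example, not from the article: apply and verify the ActiveX-blocking workaround for
# CVE-2021-40444. URLACTION 1001 = download signed ActiveX, 1004 = download unsigned ActiveX;
# value 3 = disable. Zone numbers: 0 Local machine, 1 Intranet, 2 Trusted, 3 Internet.
# Run elevated; without -Apply it only reports the current state.
param([switch]$Apply)

$zonesRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$actions   = [ordered]@{ '1001' = 'Download signed ActiveX controls'
                         '1004' = 'Download unsigned ActiveX controls' }
$zones     = 0..3

foreach ($z in $zones) {
    $key = Join-Path $zonesRoot $z
    foreach ($a in $actions.Keys) {
        $current = $null
        if (Test-Path $key) {
            $current = (Get-ItemProperty -Path $key -Name $a -ErrorAction SilentlyContinue).$a
        }
        if ($Apply -and $current -ne 3) {
            # The Policies zone key usually does not exist unless Group Policy created it.
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $a -PropertyType DWord -Value 3 -Force | Out-Null
            $current = 3
        }
        $state = if ($current -eq 3) { 'disabled' } else { 'ALLOWED' }
        'Zone {0} action {1} ({2}): {3}' -f $z, $a, $actions[$a], $state
    }
}
```

As the post notes, researchers reworked the exploit to avoid ActiveX, so treat this as a stopgap that narrows the original attack path rather than a fix; the document-preview mitigation and, once available, the vendor update are still needed.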
-
Millions of HP OMEN gaming PCs impacted by driver vulnerability bleepingcomputer.com | Sept 2021
Millions of HP OMEN laptop and desktop gaming computers are exposed to attacks by a high severity vulnerability that can let threat actors trigger denial of service states or escalate privileges and disable security solutions.
"While we haven’t seen any indicators that these vulnerabilities have been exploited in the wild up till now, using any OMEN-branded PC with the vulnerable driver utilized by OMEN Gaming Hub makes the user potentially vulnerable," SentinelOne warned.
"Therefore, we urge users of OMEN PC’s to ensure they take appropriate mitigating measures without delay." -
Netgear fixes dangerous code execution bug in multiple routers bleepingcomputer.com | Today
Netgear has fixed a high severity remote code execution (RCE) vulnerability found in the Circle parental control service, which runs with root permissions on almost a dozen modern Small Offices/Home Offices (SOHO) Netgear routers. -
Malware devs trick Windows validation with malformed certs bleepingcomputer.com | September 23, 2021
Google researchers spotted malware developers creating malformed code signatures seen as valid in Windows to bypass security software.
-------------------------------------------------------------------------------
FBI, NSA, and CIA use ad blockers due to fear of targeted ads
http://forum.notebookreview.com/thr...ription-20-store-credit.836827/#post-11120005 -
New UEFI bootkit used to backdoor Windows devices since 2012 bleepingcomputer.com | Oct 5, 2021
A newly discovered and previously undocumented UEFI (Unified Extensible Firmware Interface) bootkit has been used by attackers to backdoor Windows systems by hijacking the Windows Boot Manager since at least 2012.
Secure Boot doesn't really help
Patching the Windows Boot Manager (bootmgfw.efi) requires Secure Boot (which checks that the PC boots using trusted firmware) to be disabled.
As the researchers discovered, attackers have deployed the bootkit in the wild, which means they've found a method to toggle off Secure Boot on targeted devices. -
Could someone develop a small utility that sits in the system tray and monitors the secure boot status, and raise an alert if the status changes?
Shouldn't be too hard, I think.
https://docs.microsoft.com/en-us/po...firm-securebootuefi?view=windowsserver2019-ps -
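Along the lines of the request above, here is an added example by the editor (not code from the thread or from the linked Microsoft page): a console watchdog that baselines the two things a bootkit of this kind needs, Secure Boot being off and a modified Windows Boot Manager on the EFI System Partition, and warns when either changes. It uses Confirm-SecureBootUEFI from the linked documentation plus mountvol and Get-FileHash. Assumptions: UEFI firmware, Windows PowerShell 5.1 (for the event log cmdlets), the drive letter S: being free for the ESP mount, and 60-second polling; it must run elevated.

```powershell
# Added example, not from the thread: watch Secure Boot state and the SHA-256 of bootmgfw.efi
# on the EFI System Partition, and warn (console + Application event log) when either changes.
# Assumes UEFI firmware, Windows PowerShell 5.1, an unused drive letter S:, elevated session.
param(
    [int]$IntervalSeconds = 60,
    [string]$EspLetter = 'S:'
)

function Get-SecureBootState {
    # Returns 'True' or 'False'; the cmdlet throws on legacy BIOS or without elevation.
    try { return [string](Confirm-SecureBootUEFI) } catch { return 'unknown' }
}

function Get-BootManagerHash {
    # The ESP has no drive letter by default: mount it, hash the boot manager, unmount again.
    if (Test-Path "$EspLetter\") { throw "$EspLetter is already in use; pick another -EspLetter" }
    & mountvol.exe $EspLetter /S | Out-Null
    try {
        $bootmgr = Join-Path $EspLetter 'EFI\Microsoft\Boot\bootmgfw.efi'
        if (Test-Path $bootmgr) { return (Get-FileHash -Algorithm SHA256 -Path $bootmgr).Hash }
        return 'missing'
    } finally {
        & mountvol.exe $EspLetter /D | Out-Null
    }
}

function Write-Alert([string]$Message) {
    Write-Warning $Message
    # Leave a persistent trace as well; the source is registered once (requires elevation).
    if (-not [System.Diagnostics.EventLog]::SourceExists('SecureBootWatch')) {
        New-EventLog -LogName Application -Source 'SecureBootWatch'
    }
    Write-EventLog -LogName Application -Source 'SecureBootWatch' -EntryType Warning -EventId 1 -Message $Message
}

$baselineState = Get-SecureBootState
$baselineHash  = Get-BootManagerHash
"Baseline: SecureBoot=$baselineState  bootmgfw.efi SHA256=$baselineHash"

while ($true) {
    Start-Sleep -Seconds $IntervalSeconds
    $state = Get-SecureBootState
    $hash  = Get-BootManagerHash
    if ($state -ne $baselineState) {
        Write-Alert "Secure Boot state changed: $baselineState -> $state"
        $baselineState = $state
    }
    if ($hash -ne $baselineHash) {
        Write-Alert "bootmgfw.efi on the ESP changed: $baselineHash -> $hash"
        $baselineHash = $hash
    }
}
```

Two caveats. Secure Boot can only be switched in firmware setup, so the state check really fires on the first run after a reboot; the file hash is what catches the boot manager being patched while Windows is running. And Windows updates legitimately replace bootmgfw.efi, so a hash alert after Patch Tuesday means re-baseline, not incident. To get the tray-style behaviour asked for, run it as a scheduled task at logon and watch the Application log for source SecureBootWatch.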
Strong words from Microsoft.
"This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government"
https://blogs.microsoft.com/on-the-issues/2021/10/24/new-activity-from-russian-actor-nobelium/ -
Research finds vulnerabilities in 97 percent of applications betanews.com
Data from 3,900 tests conducted on 2,600 software or systems targets reveals that 97 percent had some form of vulnerability, 30 percent of the targets had high-risk vulnerabilities, and six percent had critical-risk vulnerabilities... -
New Windows zero-day with public exploit lets you become an admin bleepingcomputer.com
A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server... -
Malicious KMSPico installers steal your cryptocurrency wallets bleepingcomputer.com
Threat actors are distributing altered KMSpico installers to infect Windows devices with malware that steals cryptocurrency wallets.
This activity has been spotted by researchers at Red Canary, who warn that pirating software to save on licensing costs isn't worth the risk.
KMSPico is a popular Microsoft Windows and Office product activator that emulates a Windows Key Management Services (KMS) server to activate licenses fraudulently.
According to Red Canary, the number of IT departments using KMSPico instead of legitimate Microsoft software licenses is much bigger than one would expect.
"We've observed several IT departments using KMSPico instead of legitimate Microsoft licenses to activate systems," explained Red Canary intelligence analyst Tony Lambert.
"In fact, we even experienced one ill-fated incident response engagement where our IR partner could not remediate one environment due to the organization not having a single valid Windows license in the environment." -
Dell Windows drivers still allow kernel attacks
Posted on December 19, 2021 by Günter Born
Users of Dell systems are still at risk of having their Windows systems compromised by kernel attacks through Dell drivers. The problem was supposed to be fixed by updates in May 2021. Rapid7 security researchers are now sounding the alarm that these security updates have not closed all vulnerabilities. Administrator privileges are required to install the drivers, but it looks like this approach is being used by cyber gangs for attacks. In the business environment, however, there are countermeasures.... -
"It’s the rare thing that Americans of all ages and across the political spectrum largely seem to agree on: They don’t trust social media services with their information and they view targeted ads as annoying and invasive"
https://www.washingtonpost.com/technology/2021/12/22/tech-trust-survey/ -
Microsoft Edge may be sending search information to Microsoft! Here is how you turn that off
Microsoft Edge may send search results from any search that is run in the browser to Microsoft by default. The feature is not limited to Bing Search, it will inform Microsoft about searches on all search engines, including Google, DuckDuckGo, or StartPage, that users of Edge make, if the setting is enabled.
A quick check of the setting revealed that Microsoft Edge turned it on, as it was turned off previously. The setting in question is called "Help improve Microsoft products by sending the results from searches on the web", and you find it in the privacy section. -
Social media accounts main target of hackers
http://forum.notebookreview.com/thr...fo-for-their-ads.831352/page-12#post-11134699 -
New Malware Uses SSD Over-Provisioning to Bypass Security Measures tomshardware.com
An almost perfect way to stealthily store malware
Thankfully, these attacks were created by researchers and were not discovered by an actual attack. However, an attack like this could very well happen, so hopefully, SSD manufacturers will start patching these security vulnerabilities quickly before someone gets a chance to exploit them. -
Microsoft Defender weakness lets hackers bypass malware detection bleepingcomputer.com
Threat actors can take advantage of a weakness that affects Microsoft Defender antivirus on Windows to learn locations excluded from scanning and plant malware there.
The issue has persisted for at least eight years, according to some users, and affects Windows 10 21H1 and Windows 10 21H2.
Given that it's been this long and Microsoft has yet to address the problem, network administrators should consult the documentation for properly configuring Microsoft Defender exclusions on servers and local machines via group policies.
https://twitter.com/SecurityAura/status/1481107646082072577
Yep, Microsoft really really want that you swap over to the new Win 11 touch friendly disaster. -
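The practical question behind the Defender item is whether your own machines leak their exclusion lists to any logged-on user. The following is an added example by the editor, not code from the article or the linked tweet: run it as a standard (non-admin) user and it reports which exclusion keys it could read and which principals the ACL grants read access to. Assumed key locations are the local Defender exclusion key and the Policies key that Group Policy writes; exclusions are stored there as value names, which is why the script enumerates names rather than data.

```powershell
# Added example, not from the article: from a standard user account, check whether Defender's
# exclusion lists are readable and list whatever can be read. Assumed locations: the local
# Defender key and the Group Policy (Policies) key. Each exclusion is a value *name* with data 0.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
)
$kinds = 'Paths', 'Extensions', 'Processes'

function Get-ExclusionReport([string]$Root) {
    $report = [ordered]@{}
    foreach ($kind in $kinds) {
        $key = Join-Path $Root $kind
        try {
            $item  = Get-Item -LiteralPath $key -ErrorAction Stop
            $names = @($item.GetValueNames())
            $report[$kind] = if ($names.Count) { $names -join '; ' } else { '(empty)' }
        } catch {
            # "Requested registry access is not allowed" here is the desired state for a
            # non-admin; a missing key simply means no exclusions of that kind are configured.
            $report[$kind] = "unreadable: $($_.Exception.Message)"
        }
    }
    return $report
}

foreach ($root in $roots) {
    "== $root"
    try {
        $broad = (Get-Acl -LiteralPath $root -ErrorAction Stop).Access |
            Where-Object { $_.IdentityReference.Value -match 'Everyone|\\Users$|Authenticated Users' -and
                           $_.RegistryRights -match 'ReadKey|FullControl' }
        if ($broad) {
            $who = ($broad | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique) -join ', '
            "  WEAK ACL: key readable by $who"
        } else {
            "  ACL: no broad read access found"
        }
    } catch {
        "  ACL not readable from this account (expected if hardened)"
    }
    $r = Get-ExclusionReport $root
    foreach ($k in $r.Keys) { '  {0,-11} {1}' -f $k, $r[$k] }
}
```

If the Paths line prints real directories while you are running as a normal user, anyone with a foothold on that host gets the same list and knows where to drop a payload. Tightening the ACL on the key is possible but Defender may reset it, so the durable fix is the one the post suggests: keep exclusions minimal and manage them via Group Policy rather than ad hoc on each machine.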
The SysJoker backdoor affects Windows, macOS and Linux sweclockers.com
The recently documented RAT (remote access trojan) SysJoker has been developed to bypass antivirus software regardless of operating system.
All about Security, News, Events and Incidents
Discussion in 'Security and Anti-Virus Software' started by Dr. AMK, Apr 26, 2018.