Welcome to the latest edition of security news in review. In this biweekly roundup, we collect news on attacks and threats that may have an impact on your business. Today, we have stories on REvil encrypting hundreds of organizations at once, the Babuk Locker ransomware being used in a brand new campaign, the PrintNightmare vulnerability’s potential impact on domain controllers, and reporting that Microsoft digitally signed a rootkit driver.
Read on for the news.
The REvil ransomware gang launched an attack against IT management firm Kaseya, managing to encrypt around 200 customers of the company at the same time on Friday afternoon. REvil infiltrated the software Kaseya VSA, which is popular among managed service providers (MSPs), and used it to compromise at least eight MSPs.
Three of the compromised MSPs work with the security firm Huntress, who said that their clients account for around 200 customers themselves. Given the reality of a holiday weekend in the United States, it’s likely that the full scope of the damage here will not be known until early next week. Read more about the attack at Wired.
A leaked tool that the Babuk Locker ransomware operation uses to build executables is now in a new campaign targeting victims worldwide. Babuk Locker itself shut down in April following its attack on the Metro Police Department in Washington, D.C., and the heightened attention from law enforcement that followed.
They relaunched under the name Payload Bin with a non-encrypting model. Researchers discovered the Babuk Locker builder on VirusTotal, and found it easy to generate a customized ransomware complete with ransom note that could be edited to include different payment info. Read more at Bleeping Computer.
A remote code execution vulnerability in the Windows Print Spooler service, dubbed “PrintNightmare,” allows attackers to inject a malicious DLL into domain controllers with Print Spooler enabled. The vulnerability has a base CVSS score of 7.8, rating it as not that high of a severity, and was at first rated much lower than that because it was originally believed to be a lower level privilege escalation vulnerability.
Microsoft upgraded the severity of the flaw after several security researchers showed it could be used for RCE. The good news is that an attacker would need to already be an authenticated user within the network to use this flaw; it cannot be used for initial access. Read more about the vulnerability at SC Magazine.
CISA offered up a mitigation for PrintNightmare recently; you can read more at Threatpost.
Security researchers think that the new Diavol ransomware was created by the same cybercrime group that ran the Trickbot botnet. They made this assertion after comparing Diavol with the Conti ransomware and noting the similarities between the two strains.
According to Bleeping Computer, “The two ransomware families' samples are cut from the same cloth, from the use of asynchronous I/O operations for file encryption queuing to using virtually identical command-line parameters for the same functionality (i.e., logging, drives and network shares encryption, network scanning).”
Key differences between Diavol and Conti, however, include that Diavol doesn’t have any checks in place to make sure it doesn’t run its payload on Russian targets as well as a lack of encryption. Read more about Diavol at Bleeping Computer.
The NewsBlur RSS service was restored from backups to get back online after about 10 hours this past week. Apparently, the ransomware attack resulted from a persistent issue with Docker where the container service exposes databases to the public internet.
According to SC Magazine, “when sys admins use Docker to containerize a database on a Linux server, Docker inserts an ‘allow rule’ into iptables, opening up the database to the public internet.” The workaround here is that the uncomplicated firewall configuration file needs to be updated on the server with new rules written for Docker. Read more about the attack at SC Magazine.
A driver called “Netfilter” was mistakenly given the go-ahead to be installed by default on Windows machines as part of Microsoft’s approval process. The driver is actually a rootkit that decrypts encrypted communication and sends the result to an attacker-controlled server.
How this rootkit got through the process to be approved by Microsoft is something the company isn’t talking about. This is dangerous for Windows users, as it means that the rootkit won’t throw a security alert or require users to take additional steps to install.
Microsoft is currently investigating to understand how the rootkit passed the Windows Hardware Compatibility Program, but has said that the WHCP itself does not appear to be compromised. Microsoft suspended the account related to the Netfilter driver; they have not yet made a statement about how the malicious file was authorized through the WHCP. Read more over at Ars Technica.
The EternalBlue exploit developed by the NSA continues to be the basis for threats against the Microsoft server message block four years after the vulnerability was patched. The latest threat is a worm called Indexsinas that has been targeting organizations in the Asia Pacific region, but recently started impacting targets in North America.
The worm has favored targets in healthcare, hospitality, education, and telecom thus far; and targets networks that remain vulnerable to EternalBlue. The primary motive of the campaign, according to reporting at Dark Reading, appears to be cryptomining. There’s no telling what else the campaign will be used for in the future, however. Read more about Indexsinas over at Dark Reading.
There’s a critical vulnerability in PowerShell 7 resulting from how text encoding is performed in .NET 5 and .NET Core. Microsoft is urging customers to update to PowerShell 7.0.6 and 7.1.3 as soon as possible to protect against the issue, for which there are no mitigation measures currently available. Microsoft said that updating PowerShell and re-deploying any apps on PowerShell 7 will be enough to resolve the issue. Read more at Bleeping Computer.