Cyber Security Weekly Briefing 24-30 July

Telefónica Tech    30 July, 2021
Cyber Security Report 30 July

PetitPotam: new NTLM relay attack

Security researcher Gilles Lionel, also known as Topotam, has discovered a flaw in Windows systems with enabled Active Directory Certificate Services (ADCS) that would allow attackers to take control of domain controllers via an NTLM relay attack. Lionel has published a proof of concept that would allow this flaw to be exploited via an SMB request. This attack leverages the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) to force a device, including domain controllers, to authenticate and share its password hashes with the attacker, allowing the attacker to take full control of the victim’s network. According to researchers, this flaw affects most versions of Windows Server. Microsoft has not yet fixed the issue; however, it has released mitigations to reduce the impact.

All the details:

​​Analysis of the new AvosLocker ransomware family

Researchers at Malwarebytes Lab have published an analysis of a new ransomware family known as AvosLocker. At the end of June, security analyst Rakesh Krishnan shared via his official Twitter profile what it seemed to be a new ransomware family that would have chosen to continue the current trend of operating: seeking affiliates in underground forums, known as Ransomware-as-a-Service (RaaS), and creating a blog on the Dark Web where to share and extort money from its victims, known as double extortion. AvosLocker is a RaaS written in C++ that uses two different encryption algorithms: AES for files and RSA for generated AES keys. Malwarebytes determines that this family appears to be manually operated once it gains initial access to the victim’s device, estimating that it creates one sample per victim since the ID is encoded in the sample. Once the ransomware is deployed, its operators direct the victim to a Dark Web domain where they can see the amount requested and the time they have to pay the amount, increasing the amount if they fail to meet the deadline. Researchers say this new ransomware family is quite active, and according to Rakesh Krishnan, it could be targeting companies in the legal, logistics and real estate sectors in the US, the UK and Europe.

All the details:

Apple fixes a 0-day vulnerability

Apple has released a security update to fix an exploited 0-day vulnerability affecting iOS, iPadOS and macOS devices. The vulnerability, registered as CVE-2021-30807, involves a memory corruption flaw in the IOMobileFramebuffer kernel extension that allows arbitrary code with kernel privileges to be executed on a vulnerable device. Apple has fixed the bug in iOS 14.7.1, iPadOS 14.7.1 and macOS Big Sur 11.5.1. The company also confirms that the vulnerability could be actively exploited, although no further details have been shared. Following Apple’s publication of the flaw, security researchers speculated that it might be a jailbreak, rather than a 0-day exploit. Finally, another researcher has published a detailed analysis of it, for which a Proof of Concept (PoC) has also been released.

All the details:

​​​​​HTML smuggling malspam campaign

The Microsoft Security Intelligence team has analysed a malware distribution campaign that has been active for several weeks and is exploiting a technique known as HTML smuggling to evade victims’ email security solutions. In this campaign, attackers send emails with malicious links that, after being accessed, display HTML embedded components via HTML smuggling. This technique creates a malicious file inside the victim’s browser, in this case a ZIP file containing a JavaScript that downloads other malicious files, including the Casbaneiro trojan payload. Although Microsoft has not detailed the scope of this campaign, the activity of this trojan tends to focus on Latin American countries.

​​​​​​Analysis of Hanon ransomware

Investigators of Korean security firm S2W have published an analysis of a new ransomware family called Haron, which started operations this month. Haron uses tactics of matures ransomware families such as exfiltration of data for later publication at their Dark Web blog. Analysts have linked this new sample with Thanos and Avaddon families, now defunct, confirming that this new ransomware would rather be the union of different aspects of these families based on the similarity of Dark Web blogs, payment pages, ransom notes, icons and pictures, among others. S2W does not clarify the reason for these similarities, hypothesizing that perhaps Haron bought some parts from the Avaddon operators or that some actor of the extinct family joined the operators of the new sample.

All the details:

Leave a Reply

Your email address will not be published.