Cyber Security Weekly Briefing May 8-14

ElevenPaths    14 May, 2021

Ransomware attack on a main US oil pipeline

US energy company Colonial Pipeline was hit by a ransomware attack on Friday, causing the shutdown of around 8800km of pipelines supplying crude oil to the East Coast. This measure was reportedly taken to prevent the spread of the malware but, according to the company, the attack only affected its corporate IT network, not OT systems. Several specialised sources attribute the incident to the ransomware family known as DarkSide, who were already responsible for the attack on the Escuela de Organización Industrial (EOI) in Spain. This ransomware adheres to the current trends of double extortion (exfiltration of data and its open publication) and business model through affiliations (Ransomware-as-a-Service). As a result, the US government declared a state of emergency in order to move the crude oil needed by the population through roads. This incident’s impact forced the operators of the DarkSide ransomware to issue a press release, where they claim to be apolitical and not related to any government. They also indicated that from now on they will review their targets before perpetrating their attacks, as the aim of their organisation is to make money and not to “create social problems”. DarkSide operates as Ransomware-as-a-Service, this model consists of two groups of people: the ransomware developers and their affiliates who provide access to the victim networks. Following the Colonial Pipeline incident, it is expected that the DarkSide developers will have more control over this second group. In relation to the attack, it is estimated that the ransomware operators exfiltrated around 100GB of data from the systems before the network was encrypted, although these files have not yet been made public. The affected company continues to mitigate the incident and has not yet returned to full operational normality. In the last hours, Bloomberg media affirms that the company would have formalized the requested payment to recover normality; however, no confirmation has been made from Colonial Pipeline.


Microsoft fixes three 0-day vulnerabilities and four critical vulnerabilities

Microsoft has published its security newsletter for the month of May, in which three 0-day vulnerabilities are corrected, with no evidence of active exploitation, despite the fact that they were disclosed before their correction was made public.

  • CVE-2021-31204: Scalation of privilege vulnerability in .NET and Visual Studio.
  • CVE-2021-31207: security feature bypass vulnerability in Microsoft Exchange Server. This security flaw was discovered in the 2021 edition of Pwn2Own that took place at the beginning of April.
  • CVE-2021-31200: Remote code execution vulnerability in the common utilities of Microsoft’s NNI (Neural Network Intelligence) toolkit. 

This update covers a total of 55 vulnerabilities, 4 of them critical (CVE-2021-31166 in HTTP Protocol Stack, CVE-2021-26419 in Internet Explorer, CVE-2021-28476 in Hyper-V and CVE-2021-31194 in Windows OLE), 50 important and finally, one of moderate criticality. None of them under active exploitation.

Full info:

Adobe fixes actively exploited 0-day vulnerability

Adobe has patched multiple vulnerabilities affecting twelve of its products: Adobe Experience Manager, InDesign, Illustrator, InCopy, Genuine Service, Acrobat, Magento, Creative Cloud Desktop Application, Media Encoder, After Effects, Medium, and Animate. These sum up to a total of 43 vulnerabilities, including a 0-day vulnerability that affects Adobe Acrobat Reader, and is catalogued as CVE-2021-28550. Adobe indicates that this security flaw has been actively exploited in limited attacks against Windows devices. It should be noted that this use-after-free vulnerability allows remote code execution, which could allow attackers to execute commands, install malware or even the possibility of gaining access to victims’ devices that use Windows as their operating system and have a specially crafted malicious PDF file opened. Adobe warns customers to update vulnerable versions as soon as possible.

All the details:

FragAttacks: 12 new vulnerabilities in the Wi-Fi standard and its implementations

A Belgian researcher has discovered a series of 12 new vulnerabilities affecting Wi-Fi devices, collectively referred to as FragAttacks.  These vulnerabilities could be used by attackers within the Wi-Fi range to inject frames into a protected Wi-Fi network, getting the victim to use a DNS server controlled by the threat actor and intercepting the traffic. It would also allow, in the case of a router, circumvention of the firewall/NAT, allowing attackers to communicate directly with devices on the Wi-Fi network, potentially resulting in subsequent attacks on vulnerable services. Among the identified flaws, CVE-2020-24588CVE-2020-24587 and CVE-2020-24586 are caused by flaws in the design of the Wi-Fi standard, affecting most devices; while CVE-2020-26145CVE-2020-26144CVE-2020-26140 and CVE-2020-26143 reside in implementation flaws, allowing trivial frame injections into protected Wi-Fi networks. An additional 5 less trivial vulnerabilities also reside in implementation flaws. The researcher said that every Wi-Fi product is affected by at least one vulnerability, and most products are affected by more than one. For those not yet patched, a number of mitigation recommendations have also been provided.

Learn more:

FiveHands: double extortion ransomware attacks targeting organisations

The US Cybersecurity Agency (CISA) has issued a warning about a new ransomware variant called FiveHands, which was identified in January this year.Its operators use the double extortion technique, already present in many ransomware families, in which threat actors demand a ransom to decrypt compromised systems and not leak the organisation’s stolen data.  In their intrusions, they exploit publicly available tools such as SoftPerfect Network Scanner for Discovery and Microsoft’s remote administration program, PsExec.exe, along with ServeManager.exe. It is also common to see the SombRAT malware deployed, which is capable of collecting data from the compromised system, as well as allowing DLLs to be downloaded and executed on affected systems via a protected SSL session. FiveHands also has the ability to delete system backups and/or any recovery files. In April, FireEye identified the FiveHands operators as UNC2447, linking them to the exploitation of a 0-day vulnerability in SonicWall VPN (CVE-2021-20016) for which patches have been available since February.

More information:

Leave a Reply

Your email address will not be published.