Are industrial control systems the new criminal target?

Diego Samuel Espitia    16 August, 2021

A few days ago we published our cyber security report for the first half of the year, which includes a special chapter on threats in the OT world, also known as Industrial Control Systems (ICS). That chapter is built on data from Aristeo, the metahoneypot that the Innovation and Laboratory area deployed in C4IN.

In the 24 hours prior to writing this article, Aristeo had detected nearly 3,000,000 cyber security events targeting these infrastructures. In the last six months we have seen critical infrastructures whose operation depends on ICS make front-page news around the world, with cases such as the Colonial Pipeline ransomware, the disclosure of bugs in Schneider Electric systems and the implications of the SolarWinds case for industrial environments, amongst others.

Why are the incidents so serious?

The world of ICS has migrated rapidly towards digitisation; Industry 4.0 has advanced by leaps and bounds during the pandemic and is here to stay. However, not all of these changes have been made with the protection of the infrastructure in mind, nor have they taken into account that the protocols and connections involved are not necessarily up to date or prepared to handle the traffic volumes and probing that are routine on IT networks.

As a result, some devices can be knocked offline (denial of service) by nothing more than a simple port scan, and some HMI consoles run obsolete operating systems because that is what the DCS or SCADA software they manage supports.

Another clear indicator of the cyber security weaknesses of ICS is the increase in vulnerability advisories issued by CISA: in July 2020 alone there were 21 advisories, while in July 2021 there were 41.

Another clear indicator of the lack of safeguards accompanying industry's migration to digitalisation during the pandemic is the increase in equipment exposing industrial protocols that is indexed by Internet search engines, as seen in the ZoomEye results.

Every action has consequences …

The sum of all these indicators of poor cyber security management has provoked reactions from the different actors involved. On the one hand, it is clear that the criminal industry has begun to direct its actions towards the industrial control sectors, although the history of ICS incidents is long and includes very significant cases over the last 12 years.

States have reacted too: having seen their countries' critical infrastructures affected by these groups, they are issuing new policies and obligations for the operators of those infrastructures. The United States has undoubtedly been the most affected country, which is why at the end of July the White House issued a memorandum requiring the operators responsible for critical infrastructure to improve the cyber security of their operations.

Yet it is not the only country to have taken action at presidential level. Following a series of incidents, Australia has decided to strengthen its state policies on critical infrastructure protection.

What kind of action should be taken …

Companies have already started to act and to look to the market for ways to improve their cyber security posture in industrial control environments, as can be seen from the commercial agreements that auditing firms have begun to sign with cyber security companies.

We at Telefónica are aware of the importance of this sector and of the need to stay at the forefront of its cyber security: for the last year we have been an investor in Nozomi Networks, and in 2019 we created the C4IN innovation laboratory, where several developments to improve industrial cyber security have been produced, including Aristeo, the metahoneypot for threat intelligence in the sector.

These are concrete actions that, through case studies, help improve cyber security in industrial environments and reduce the effectiveness of the criminal activity now increasingly aimed at this business sector.

Cyber Security Weekly Briefing 31 July-13 August

Telefónica Tech    13 August, 2021

Vulnerabilities in DNS-as-a-Service

Researchers Shir Tamari and Ami Luttwak, from the security firm Wiz, revealed at the Black Hat security conference a new class of vulnerabilities affecting DNS-as-a-Service (DNSaaS) platforms. They reported having successfully exploited one of them on three major providers, including AWS Route 53 and Google Cloud DNS, and pointed out that any DNSaaS provider could be vulnerable. The flaw stems from the fact that most providers do not prevent a customer from registering, on the provider's own platform, a zone whose name is that of one of the provider's own nameservers; dynamic DNS update traffic that corporate endpoints send to that nameserver name is then delivered to the attacker's zone. The researchers confirmed that an attacker could thereby collect sensitive information from corporate networks, such as internal and external IP addresses, NTLM or Kerberos tickets, and could even map the company. Wiz says they were able to collect information from more than 15,000 organizations in 14 hours, suggesting that the risk is high. Amazon and Google have issued fixes for the flaw, with Google telling The Record Media that it has found no related malicious activity.

More information: https://www.blackhat.com/us-21/briefings/schedule/#a-new-class-of-dns-vulnerabilities-affecting-many-dns-as-service-platforms-23563

​Malicious campaigns using Prometheus TDS for malware distribution

Researchers from Group-IB have published an analysis of two malicious campaigns that use the clandestine Prometheus Traffic Direction System (TDS) service to distribute different malware families such as BazarLoader, IcedID, QBot, SocGholish, Hancitor and Buer Loader. The kill chain of an infection that relies on Prometheus TDS has several phases. First, the victim receives a malicious email carrying one of three elements: an HTML file, a link to a web shell or a Google Docs document, all of which end up redirecting the victim to malicious websites controlled by Prometheus. After the malicious URL is visited, the second phase begins, which aims to download the Prometheus Backdoor, a component that collects user data such as IP address, User-Agent or referer, among others. Once collected, the data is sent to the panel managed by Prometheus TDS and, after analysis, the victim is either redirected to a new URL or served a malicious Word, Excel, ZIP or RAR file that downloads one of the malware families mentioned above. According to the researchers, two campaigns are currently active: one targeting the Belgian population and the other targeting companies, universities and governmental organisations in the United States.

More information: https://blog.group-ib.com/prometheus-tds

StealthWorker botnet brute-force attacks against Synology devices

Synology's incident response team has detected an increase in the volume of brute-force attacks against its devices. Researchers believe the attacks originate from the botnet known as StealthWorker, which Malwarebytes identified in a brute-force campaign in February 2019. The attacks use a pool of already-infected devices to try the most common administration credentials against other devices. If successful, the threat actor gains access to the system and installs malware, which may include encryption capabilities (ransomware). According to the data collected, the compromised systems are in turn used to attack other Linux-based devices, including Synology NAS (Network-Attached Storage) devices. The firm strongly recommends that customers review their systems to replace weak credentials, enable automatic blocking and account protection, and use MFA (Multi-Factor Authentication) where possible.
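The "automatic blocking" that Synology recommends is, at heart, a sliding-window count of failed logins per source address. The following Python is an added example (not Synology's or StealthWorker-related code) that runs that detection over a few constructed, syslog-style sshd lines; the log format, host name, IP addresses and the threshold of 5 failures in 5 minutes are all assumptions for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in the syslog-style format used by many Linux
# hosts and NAS appliances (assumed format; not real Synology output).
SAMPLE_LOG = """\
Aug 08 10:00:01 nas sshd[1201]: Failed password for admin from 203.0.113.7 port 51230 ssh2
Aug 08 10:00:03 nas sshd[1201]: Failed password for admin from 203.0.113.7 port 51231 ssh2
Aug 08 10:00:04 nas sshd[1203]: Failed password for root from 203.0.113.7 port 51232 ssh2
Aug 08 10:00:06 nas sshd[1204]: Failed password for invalid user synology from 203.0.113.7 port 51233 ssh2
Aug 08 10:00:09 nas sshd[1205]: Failed password for admin from 203.0.113.7 port 51234 ssh2
Aug 08 10:00:30 nas sshd[1210]: Failed password for admin from 198.51.100.20 port 40001 ssh2
Aug 08 10:07:10 nas sshd[1215]: Accepted password for alice from 192.0.2.44 port 50000 ssh2
Aug 08 10:12:00 nas sshd[1220]: Failed password for admin from 198.51.100.20 port 40002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failures(log_text, year=2021):
    """Yield (timestamp, user, ip) for each failed-login line; other lines are ignored.
    Syslog lines carry no year, so it is supplied by the caller."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_brute_forcers(log_text, threshold=5, window_seconds=300):
    """Return {ip: (first_failure_iso, [users tried])} for every source that reaches
    `threshold` failures inside a sliding window of `window_seconds`, i.e. the
    condition an auto-block rule should fire on. Slow attackers that stay under the
    rate (like 198.51.100.20 in the sample) are not flagged with the defaults."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> account names tried (credential-stuffing signal)
    flagged = {}
    for ts, user, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # failures older than the window no longer count
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = (q[0].isoformat(), sorted(users[ip]))
    return flagged


if __name__ == "__main__":
    for ip, (first, tried) in find_brute_forcers(SAMPLE_LOG).items():
        print(f"block {ip}: {len(tried)} accounts tried since {first}: {', '.join(tried)}")
```

Lowering the threshold or widening the window trades false positives for catching slow, distributed attempts such as those a botnet spreads across many source addresses; the per-IP set of account names is the cheap extra signal that distinguishes a user mistyping a password from a credential sweep.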

More information: https://blog.cyble.com/2021/08/08/one-million-credit-cards-leaked-in-a-cybercrime-forum-for-free/

Microsoft’s monthly bulletin

Microsoft has published its August security bulletin which includes fixes for 44 vulnerabilities, seven of them critical. Within the set of vulnerabilities, the firm has fixed three new 0-days, one of which is already being actively exploited:

  • CVE-2021-36948: Privilege escalation vulnerability in the Windows Update Medic Service, for which active exploitation has been detected.
  • CVE-2021-36942: Spoofing vulnerability in Windows LSA.
  • CVE-2021-36936: Remote code execution vulnerability in Windows Print Spooler.

It is also important to mention that Microsoft has patched important vulnerabilities that have appeared over the last few weeks, including the following:

  • PrintNightmare CVE-2021-34527: the remote code execution part was patched in July, but the local privilege escalation component, CVE-2021-34481, which could be exploited through the Point and Print feature to install malicious print drivers, is only addressed now. The update changes the Point and Print default so that installing print drivers requires administrator rights.
  • PetitPotam CVE-2021-36942: the vector that allowed a domain controller to be coerced into authenticating to an attacker-controlled server through MS-EFSRPC has been closed; the patch blocks the affected EFSRPC calls over the LSARPC interface.

Finally, it is also worth noting the revised advisory for CVE-2020-0765 in Remote Desktop Connection Manager (RDCMan), an application Microsoft advised against using in March 2020 but which was brought back to life this June with the release of version 2.8. In the August bulletin Microsoft reissues the advisory to cover the revived application and recommends upgrading to version 2.82.

More information: https://msrc.microsoft.com/update-guide/releaseNote/2021-Aug

LockBit announces Accenture data breach

The Ransomware-as-a-Service group LockBit announced yesterday on its dark web portal the publication of a series of data belonging to the company Accenture, allegedly stolen during a ransomware attack on the company. According to a report by CyberScoop, the multinational detected the incident on July 30th and, as a result, the affected servers were isolated, the threat was mitigated and the affected systems were restored from backups. This would mean that, at present, the risk of infection for systems that communicate directly with Accenture's networks is practically non-existent. The firm also acknowledges that the attackers had access to documents referring to a small number of clients and to work materials prepared for its clients, but states that none of these documents are highly confidential. As for the leaks, LockBit's operators published a first batch on Wednesday, deleted it shortly afterwards and immediately postponed the date and time for publishing new information. A day later they provided evidence of the breach of Accenture's systems and restarted the countdown on their portal, announcing a third date of August 13 at 10:43 p.m. (Spanish time).

More information: https://www.cyberscoop.com/accenture-ransomware-lockbit/

The Technological Revolution in The Medical Sector

Telefónica Tech    11 August, 2021

The medical sector, and everything around it, is one of the most sensitive sectors, due to the delicacy and importance of its data, and the direct relationship it has with all of us. Even more so, since the start of the COVID-19 pandemic, in which it has acquired so much importance.

That is why it is particularly important at this time to take medicine to the next level, applying technology to streamline processes that can eventually save lives.

In this article we compile several of the posts we have recently published related to this sector.

Security in mobile applications

The security and privacy of our data is crucial, but if we are talking about data related to our health, it is even more important. Being able to use apps to make appointments or check test results makes our lives easier, but are mobile applications related to the IoMT (Internet of Medical Things) secure?

Technology and data in laboratories

Medical laboratories have been of particular relevance in recent times with research and development focused, as mentioned above, on the search for an effective vaccine, or several vaccines, against the coronavirus.

In this post by our expert Carlos Ávila, we analyse how laboratories manage data and the security of the mobile applications they use.

ArgoCD, the easy way to start implementing GitOps in your business

Álvaro Paniagua    10 August, 2021

GitOps practices are becoming especially relevant in 2021, boosted by the increasing use of Kubernetes in all types of organisations, a step forward from Infrastructure as Code (IaC). The configurations that are necessary to bring an application to a container environment are growing day by day, and if we take into account the number of working environments that are usually in place, this amount is becoming difficult to manage. And let’s not talk about having to do a rollback because of an unsuccessful configuration. But what if I tell you that applying GitOps solves this problem and that going back to a previous version can be as easy as a “Control + Z”? 

One of the main advantages of GitOps is what is known as the source of truth, a repository where the current version of the configuration of the elements we must have deployed is located. By having to apply every change to this source of truth, we can keep track of all versions and easily restore a previous version and have a record of it. 

Implementing GitOps on Kubernetes

One of the most widely used tools for implementing GitOps on Kubernetes is ArgoCD. It is a very simple tool with a single purpose, which is what makes it great: keeping the configuration of a Kubernetes cluster in the state declared in a Git repository. With every change we make to that repository, Argo detects the modification and runs whatever is necessary to bring the cluster to the new state. This matters because, unlike other tools, ArgoCD works declaratively. If I declare in a file hosted in Git that I want 3 replicas of an application and that it must be reachable externally at URL X, ArgoCD makes sure that this is the configuration that exists in the cluster. Declarative rather than imperative language makes adopting these technologies much easier, since for each change we do not have to tell Kubernetes which commands to execute, only the target snapshot; ArgoCD takes care of executing the commands needed to reach it.

Once ArgoCD has applied that declaration, it keeps watching for manual changes on the platform, and when they occur it can behave in one of two ways. The first, and the more common for those new to GitOps, is to warn that someone or something has modified the state of the cluster (the application is marked as out of sync). The second is more assertive: it detects the modification and starts executing the commands needed to return the cluster to the state that Git declares as current.
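As an added illustration (this is neither ArgoCD's code nor code from the original post), the following Python simulates one pass of a reconciler with the two behaviours just described. The policy dictionaries mirror the selfHeal and prune fields of spec.syncPolicy.automated in an ArgoCD Application manifest; the resource names, specs and the "drift" scenario are constructed for the example.

```python
import copy

# Desired state as declared in the manifests committed to the Git repository
# that ArgoCD treats as the source of truth (constructed example resources).
DESIRED = {
    "Deployment/web": {"replicas": 3, "image": "registry.example.com/web:1.4.2"},
    "Service/web": {"port": 443},
    "Ingress/web": {"host": "web.example.com"},
}

# Live cluster state after someone scaled the deployment by hand and left a
# debug pod behind (constructed).
LIVE_DRIFTED = {
    "Deployment/web": {"replicas": 5, "image": "registry.example.com/web:1.4.2"},
    "Service/web": {"port": 443},
    "Ingress/web": {"host": "web.example.com"},
    "Pod/debug-shell": {"image": "busybox"},
}

# Keys mirror spec.syncPolicy.automated in an ArgoCD Application manifest:
# selfHeal reverts manual drift, prune deletes resources no longer in Git.
POLICY_WARN_ONLY = {"automated": None}
POLICY_SELF_HEAL = {"automated": {"selfHeal": True, "prune": True}}


def diff_state(desired, live):
    """Changes needed to move `live` to `desired`: specs to modify, specs that are
    missing from the cluster, and names that exist in the cluster but not in Git."""
    changes = {"modify": {}, "missing": {}, "extra": []}
    for name, spec in desired.items():
        if name not in live:
            changes["missing"][name] = spec
        elif live[name] != spec:
            changes["modify"][name] = spec
    changes["extra"] = sorted(n for n in live if n not in desired)
    return changes


def reconcile(desired, live, policy):
    """One controller pass. Returns (status, new_live, actions): status is 'Synced'
    or 'OutOfSync' and actions lists what was applied (empty when the policy only
    warns). `live` is never mutated; the returned copy is the post-pass cluster."""
    live = copy.deepcopy(live)
    changes = diff_state(desired, live)
    if not (changes["modify"] or changes["missing"] or changes["extra"]):
        return "Synced", live, []
    automated = policy.get("automated") or {}
    if not automated.get("selfHeal"):
        # Behaviour 1: report the drift (OutOfSync) but touch nothing.
        return "OutOfSync", live, []
    # Behaviour 2: re-apply what Git says, so the manual change is undone.
    actions = []
    for name, spec in {**changes["missing"], **changes["modify"]}.items():
        live[name] = copy.deepcopy(spec)
        actions.append(f"apply {name}")
    if automated.get("prune"):
        for name in changes["extra"]:
            del live[name]
            actions.append(f"delete {name}")
    # Without prune, resources absent from Git stay and the app remains OutOfSync.
    status = "Synced" if automated.get("prune") or not changes["extra"] else "OutOfSync"
    return status, live, actions


if __name__ == "__main__":
    for label, policy in (("warn only", POLICY_WARN_ONLY), ("self-heal", POLICY_SELF_HEAL)):
        status, _, actions = reconcile(DESIRED, LIVE_DRIFTED, policy)
        print(f"{label}: {status} {actions}")
```

The "Control + Z" of the introduction falls out of the same loop: reverting the commit changes DESIRED back to the previous version, and the next pass applies that older snapshot exactly as it would apply any other change.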

The learning curve of ArgoCD is low for those who are already used to working with Kubernetes, but the hardest part as always is the change management to get the operations in the cluster always done through this tool and start working on GitOps. 

ArgoCD is a CNCF project and is available with support within OpenShift. This means that Telefónica’s Cloud Garden users also have this support.

#CyberSecurityReport21H1: More than 246 million OT cyber security events detected in six months

Innovation and Laboratory Area in ElevenPaths    9 August, 2021

There are many reports on security trends and summaries, but at Telefónica Tech we want to make a difference. From the Innovation and Lab team, we have just launched our own cyber security report summarising the highlights of the first half of 2021. Its philosophy is to offer a global, concrete and useful overview of the most relevant data and facts about cyber security, and it is designed to be consumed by both professionals and non-specialists in a simple and visually attractive way.

The aim of this report is to summarise the cyber security information of the past months, taking a viewpoint covering most aspects of the discipline, in order to help the reader understand the risks of the current landscape.

The information gathered is largely based on the compilation and synthesis of internal data, cross-checked with public information from sources we consider to be of high quality. The following are some of the points that are important to us.

Mobile Security


The first half of 2021 closed with more than 200 vulnerabilities patched in iOS, of which almost 50 are considered high-risk, with the possibility of executing arbitrary code. Some of them affect the core of the system itself.

[Chart: total iOS vulnerabilities found, and those in the "arbitrary code execution" category]

Typically, Google releases a set of security patches every month. So six bulletins have been published, with a total of 246 CVEs or vulnerabilities fixed in Android. 26 of them are critical.

[Chart: total Android vulnerabilities found, and those in the "arbitrary code execution" category]

Windows security


In this period we analysed 384 credited vulnerabilities out of a total of more than 440, extracting the severity of each from the official NIST CVSS score. We believe that most of the uncredited bugs correspond to 0-days or to other circumstances in which there is no external reporter to credit; this is different from anonymous reports, where Microsoft does credit an anonymous researcher. The difference between credited and uncredited vulnerabilities is shown in the following graph:

[Chart: total Windows vulnerabilities found, those in the "arbitrary code execution" category, and the split between credited and uncredited]

OT Security


The following information comes from Aristeo, our OT threat capture and analysis system. Aristeo incorporates a network of decoys built from real industrial hardware, which look like real industrial systems in production and behave as such, while recording everything about the threats that reach them. With the information from all the devices deployed in the different decoy nodes, Aristeo applies correlation and intelligence to go beyond the raw data, so that it can proactively detect campaigns, targeted or sector-specific attacks, 0-day vulnerabilities, etc.

Each decoy node has its own characteristics and reproduces a different process, so protocols, devices and productive sectors change from one to another. In addition, the nodes are alive: their configuration can be altered at the will of the team of researchers working with them, or of the client who has temporary or permanent use of them. This variability may lead to slight discrepancies in the data shown in this section when compared between semesters.

More information at: https://aristeo.elevenlabs.tech

It has always been said that criminals are the ones who really know society and its realities, its legislation... When we deployed the first Aristeo node, we began to perceive that the data varied as the incidence of the pandemic rose or fell. We decided to analyse the data to see whether our perception was correct. The answer is the graph below, which plots the Covid data against the RDP event data for January 2021, week by week. S0 is the last week of December 2020 (to show the change since the start of that wave).

[Chart: SARS-CoV-2 infections vs RDP attacks, by week (Covid cases, RDP events)]

The cyber threat data comes entirely from our system, while the SARS-CoV-2 data comes from several governments and reputable research organisations. Attackers increased the number of attacks against devices exposing RDP (in our case, an engineering workstation that controls the industrial process and is used to manage the industrial devices on a node).

In addition, more than 246 million cyber security events were detected in the first half of 2021. Most of the events were related to RDP attacks of varying sophistication. The distribution by country is as follows:

[Chart: Top-10 countries by number of events]

Below, we can observe the Top-10 IP addresses with the most interaction with the Aristeo system and their reference countries.

[Chart: Top-10 attacking IP addresses and their reference countries]

Blockchain News: Everything You Need to Know About One of The Technologies of The Future

Telefónica Tech    6 August, 2021

There is no doubt that Blockchain technology is one of the most popular technologies of recent times. In many blogs, forums, social networks and even in general media news, people talk about Blockchain, but are you aware of the main concepts on which this technology is based?

In this compilation article, we have selected a series of articles written by Telefónica Tech experts on this subject in response to everyday questions:

Digital identity, privacy and Blockchain

Digital identity, privacy and Blockchain – What are all the differences? Is it possible to recover the keys? Find out in this article from María Teresa Nieto.

New AI and Blockchain Solutions Are Arriving to Businesses

Nearly a third of the IT professionals surveyed in the IBM Global AI Adoption Index 2021 say their company is using AI, and 43% say they are accelerating AI adoption as a result of the COVID-19 pandemic. But using multiple Cloud and IT platforms while deploying and adopting advanced technologies can be a challenge. Fernando Navarro tells you all about it in this article.

Alastria 3.0: the Spanish Blockchain consortium

You may be wondering if there is any institution or association that is committed to the Blockchain and its ability to promote the digital economy and improve Spain’s competitiveness with technology. Well, indeed, there is one and it is called Alastria, if you want to know more details about this initiative, you can’t miss this post by José Luis Núñez.

Edge Computing and Cyber Security: Benefits and Challenges

Moncho Terol    4 August, 2021

Digital transformation and economic growth are two key themes, closely related to the future of connectivity. One of the most important challenges that organisations of all types face in relation to digital transformation and its evolution to the cloud, which to a large extent benefits from next-generation connectivity, is that of cybersecurity or IT security.

As John Chambers, former CEO of Cisco, says: “I think there are two types of companies; those that have been hacked and those that have not yet realised it”. In this context, and as part of the technologies that will be key in the coming years: what is Edge Computing and what does it offer in terms of IT security?

The importance of Edge Computing

Edge computing, also known as computing at the edge, is an innovative technology for data storage and processing, which emerges as an alternative to address some of the limitations currently presented by some cloud computing services:

  • System overload: With the rise of the Internet of Things (IoT) in the development of smart cities and the large number of energy sensors (smart grid), millions of mobile devices are connected to the Internet every day. Many of these devices require very low latency or response times, which conventional cloud services struggle to provide due to their physical distance. In addition, the growing volume of traffic they generate could saturate the central nodes where they are currently processed.
  • Lack of control over end-to-end connectivity: the cloud may be far away from users and in some cases, traffic may traverse unsecured networks on its way.

Edge computing technology is based on a distributed system that brings information processing closer to the edge of the network, i.e. to the device or person that generates or requires the information. Coupled with 5G and fibre access networks, it addresses the problems of latency, connectivity and possible congestion in the cloud.

The importance of this service lies in its efficiency. Imagine a patient in a hospital who has his health device connected to the Internet. A transmission of information with the lowest latency and the best connectivity (for which a good 5G and fibre coverage is also essential) could save the patient’s life.

Within that context, it is also important to understand how Edge Computing poses new challenges for cyber security.

Keys to Edge Computing and IT Security

Some studies, including Zhang, Chen et al. (2018), suggest adapting to Edge Computing some of the solutions developed for other technologies, such as Cloud Computing. In this sense, contributions have been made in the following areas:

  • Integrity. Data integrity is about preventing unauthorised persons from modifying data or the system, so that what is processed at the edge is what was actually sent.
  • Availability. One of the most important attributes of computer security is that information is available for consumption. Distributed processing brings information closer to the user, and also makes it easier to keep service running and to carry out maintenance when an incident affects a node.
  • Secure data search. Depending on the service or application, data is stored encrypted on edge servers, so plaintext search systems no longer work. Alternatives such as searchable encryption, including dynamic search schemes, have emerged, which allow users to search by keyword without decrypting the data.

With the development of Edge Computing and next generation networks such as 5G, these problems will gradually be solved as new standards and security measures are developed.

New Threat, Old Techniques

Diego Samuel Espitia    3 August, 2021

For some years now, the techniques used by malware developers have focused on evading detection mechanisms, finding that obfuscated macros and the use of Windows proprietary tools are an effective mechanism to accomplish their goals, even if they use old office document formats.

One of the malware campaigns that has most exploited the technique of ancient and obfuscated macros (some simply hidden) is Emotet, named after an ancient Egyptian king. Since 2014 it has become the most feared banking trojan, with a very strong peak of incidents in 2019.



Figure 1: https://any.run/malware-trends/emotet

But this week McAfee Labs published a new infection technique that not only uses Office macros as the main tool at the start of the attack but complements them with the download of malicious DLLs. So far in 2021 it has mainly affected Spain, Canada and the United States, and it is considered the return of a variant of the Zloader banking malware, which first appeared in 2006 as a variant of the Zeus banking trojan.




Figure 2: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique

The initial attack vector is an email with an attached Microsoft Word file, whose macro downloads a password-protected Microsoft Excel file from a remote server. With both documents on the machine, the VBA macros in the two files work in a coordinated sequence: they modify Office security policies in the registry so that no alert is raised when the Excel macros are run dynamically, and finally download the Zloader payload, a malicious DLL.

This is the typical behaviour we have described in fileless attacks, and the one the innovation area set out to prevent when creating DIARIO, which detects the malicious content of these macros at the first step of the threat flow while respecting the privacy of the documents. This case is no exception: the hash given as the main IoC is that of the Word document with which the attack starts, 210f12d1282e90aadb532e7e7e891cbe4f089ef4f4f3ec0568dc459fb5d546c95eaf, and, as can be seen in the response of the DIARIO web interface,

we already detected it as malicious, because all 5 of its macros contain malicious processes. Checking them in our tool, you can clearly see how one of them opens the Excel file with the password embedded in the Word document,

and how the other macro builds the download URL for that same file.

DIARIO was designed in the innovation area thinking that the most effective way to detect malicious code of this type is the use of machine learning, so that any other document that contains a variant of the malicious process of this detection, will be immediately recognised and marked as a malicious document.

If users were trained and aware enough to analyse every attachment that arrives in their mail, a tool like DIARIO integrated in the Outlook client would let them mitigate the risk of this type of attack and stop the threat at the first step of the attack flow.

Cybercrime in robotics, the Alias Robotics research that is travelling to Black Hat

Víctor Mayoral-Vilches    2 August, 2021

Are industrial robots safe? That is the opening question of this analysis, which Alias Robotics has carried out together with TrendMicro as part of an investigation into robot security in which researchers from the Alpen-Adria-Universität Klagenfurt in Austria have also participated. The analysis has resulted in a detailed report with new findings in robotics threat and vulnerability research that warns of the serious risks posed by these industrial OT devices.

The research, which will be presented at the prestigious Black Hat 2021 cyber security event, includes a new methodology with a complementary offensive approach to protecting industrial robots in a feasible and timely manner.

Black Hat 2021

As mentioned above, this is one of the most respected and important events on the international cyber security scene, and this year it is being held in Las Vegas between 31 July and 5 August. The increased concern for the security of OT environments and the risks faced by the industrial sector has led the event organisers to select us as speakers, something that few companies in the world can say and which demonstrates how this startup is leading the field of cyber security for robots since 2018.

Planned obsolescence

Much like Ford in the 1920s, many robot manufacturers engage in obsolescence practices by organising distributors and integrators into private networks, providing spare parts only to certain companies in an attempt to discourage repairs and eliminate competition.

The research uncovered more than 100 vulnerabilities affecting various manufacturers. Among the findings was a trend at Teradyne, where two of the robotics companies it owns (Universal Robots and Mobile Industrial Robots) had dozens of vulnerabilities. This is a particularly interesting case because their robots are advertised as collaborative, meaning that they augment human physical capabilities without causing harm.

The research results show that robot teardowns can help the robotics industry and the supply chain by significantly improving quality, safety and security, and, as mentioned above, there is evidence of planned obsolescence practices. We advocate the “right to repair” in robotics and encourage end-users to bring their safety needs to the attention of both their supply chains and manufacturers.

Cyber Security Weekly Briefing 24-30 July

Telefónica Tech    30 July, 2021

PetitPotam: new NTLM relay attack

Security researcher Gilles Lionel, also known as Topotam, has disclosed a flaw in Windows domains running Active Directory Certificate Services (AD CS) that would allow attackers to take control of domain controllers via an NTLM relay attack, and has published a proof of concept that triggers it through an SMB request. The attack abuses the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) to coerce a device, including a domain controller, into authenticating to an attacker-controlled host; the NTLM authentication is then relayed to the AD CS web enrolment endpoint to obtain a certificate in the domain controller's name, which gives the attacker full control of the victim's domain. According to the researchers, the flaw affects most versions of Windows Server. Microsoft has not yet fixed the issue, but it has published mitigations to reduce the impact.

All the details: https://msrc.microsoft.com/update-guide/vulnerability/ADV210003

Analysis of the new AvosLocker ransomware family

Researchers at Malwarebytes Lab have published an analysis of a new ransomware family known as AvosLocker. At the end of June, security analyst Rakesh Krishnan shared via his official Twitter profile what seemed to be a new ransomware family following the current operating trend: recruiting affiliates in underground forums, known as Ransomware-as-a-Service (RaaS), and running a blog on the Dark Web where stolen data is published to extort its victims, known as double extortion. AvosLocker is a RaaS written in C++ that uses two different encryption algorithms: AES for files and RSA for the generated AES keys. Malwarebytes assesses that this family appears to be manually operated once it gains initial access to the victim’s device, and estimates that one sample is created per victim since the victim ID is encoded in the sample. Once the ransomware is deployed, its operators direct the victim to a Dark Web domain where they can see the amount demanded and the time they have to pay it, with the amount increasing if they miss the deadline. Researchers say this new ransomware family is quite active, and according to Rakesh Krishnan, it could be targeting companies in the legal, logistics and real estate sectors in the US, the UK and Europe.

All the details: https://blog.malwarebytes.com/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners/

Apple fixes a 0-day vulnerability

Apple has released a security update to fix an exploited 0-day vulnerability affecting iOS, iPadOS and macOS devices. The vulnerability, registered as CVE-2021-30807, involves a memory corruption flaw in the IOMobileFramebuffer kernel extension that allows arbitrary code with kernel privileges to be executed on a vulnerable device. Apple has fixed the bug in iOS 14.7.1, iPadOS 14.7.1 and macOS Big Sur 11.5.1. The company also confirms that the vulnerability could be actively exploited, although no further details have been shared. Following Apple’s publication of the flaw, security researchers speculated that it might be a jailbreak, rather than a 0-day exploit. Finally, another researcher has published a detailed analysis of it, for which a Proof of Concept (PoC) has also been released.

All the details: https://support.apple.com/en-us/HT212623

HTML smuggling malspam campaign

The Microsoft Security Intelligence team has analysed a malware distribution campaign that has been active for several weeks and is using a technique known as HTML smuggling to evade victims’ email security solutions. In this campaign, attackers send emails with malicious links that, once opened, render HTML embedded components via HTML smuggling. The technique assembles a malicious file inside the victim’s browser, in this case a ZIP file containing a JavaScript file that downloads further malicious files, including the Casbaneiro trojan payload. Although Microsoft has not detailed the scope of this campaign, the activity of this trojan tends to focus on Latin American countries.
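Because the file is assembled client-side, a gateway that only inspects attachments never sees it; the HTML itself is what must be inspected. The scanner below is an added example (not Microsoft's tooling) that scores an HTML document on co-occurring smuggling indicators (base64 decoding, Blob construction, object URLs, forced downloads, long embedded base64 runs); the weights, threshold and sample documents are constructed for the demo.

```python
"""Heuristic scanner for HTML smuggling indicators (added example).

Scores an HTML document on indicators that co-occur when a file is built
in the browser from an embedded base64 string and handed to the user as a
download. Weights and threshold are assumptions, not tuned on real data.
"""
import re

# (name, regex, weight) triples for the individual indicators.
INDICATORS = [
    ("base64_decode", re.compile(r"\batob\s*\("), 2),
    ("blob_ctor", re.compile(r"\bnew\s+Blob\s*\("), 2),
    ("object_url", re.compile(r"URL\.createObjectURL\s*\("), 2),
    ("ms_saveblob", re.compile(r"msSaveOrOpenBlob\s*\("), 3),
    ("download_attr", re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"), 1),
    ("archive_or_script_name", re.compile(r"[\"'][^\"']+\.(zip|js|jse|hta|iso)[\"']", re.I), 2),
]

# Base64 runs at least this long are treated as an embedded payload.
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

def scan_html(html: str) -> dict:
    """Return per-indicator hits, the longest base64 run and a total score."""
    hits = {name: bool(rx.search(html)) for name, rx, _ in INDICATORS}
    score = sum(w for name, _, w in INDICATORS if hits[name])
    longest = max((len(m.group(0)) for m in LONG_BASE64.finditer(html)), default=0)
    if longest:
        score += 3  # a large inline blob is the strongest single signal
    return {"hits": hits, "longest_base64": longest, "score": score}

def is_suspicious(html: str, threshold: int = 6) -> bool:
    """Flag only when several indicators co-occur (threshold is an assumption)."""
    return scan_html(html)["score"] >= threshold

# Constructed samples: a benign page that decodes a short inline string, and a
# page showing the smuggling pattern with a placeholder payload ("ABC" repeated).
BENIGN_HTML = """<html><body>
<img src="data:image/png;base64,iVBORw0KGgo=">
<script>console.log(atob("aGVsbG8="));</script>
</body></html>"""

SMUGGLING_HTML = """<html><body><script>
var b64 = "%s";
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a"); a.href = URL.createObjectURL(blob); a.download = "invoice.zip";
</script></body></html>""" % ("QUJD" * 100)
```

A mail gateway rule would run `is_suspicious` over the HTML body and any `.html`/`.htm` attachment and quarantine or detonate hits in a sandbox rather than relying on the score alone.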

Analysis of Haron ransomware

Researchers at the Korean security firm S2W have published an analysis of a new ransomware family called Haron, which started operations this month. Haron uses tactics of mature ransomware families, such as exfiltrating data for later publication on its Dark Web blog. Analysts have linked the new sample to the now-defunct Thanos and Avaddon families, concluding that it is most likely a combination of elements from both, based on the similarity of their Dark Web blogs, payment pages, ransom notes, icons and images, among other features. S2W does not explain the reason for these similarities, hypothesising that Haron may have bought some components from the Avaddon operators or that a member of the extinct group joined the operators of the new sample.

All the details: https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4