FFT news digest Jul 9 2021

Kaseya

This week's top story has been the ransomware attack that exploited Kaseya's VSA remote monitoring and management tool, widely used by managed service providers, to reach hundreds of their customer organisations around the world. The attack on Kaseya is one of the most serious such incidents, and its impact included the closure of the Coop supermarket chain in Sweden and disruption to the country's public broadcaster.

Affiliates of the Russian group REvil are thought to be behind the attack and have demanded $50 million in return for unlocking the data they have encrypted. REvil operates a Ransomware-as-a-Service model, allowing other groups to rent its tools in return for a share of any resulting payments. REvil was responsible for last month's attack that halted work at the world's largest meat processor, which ended up paying the equivalent of $11 million to restart operations.

Kaseya has been promising regular updates, but is still working on a patch for the vulnerability exploited by the attackers.
Unidentified scumbags have taken advantage of the delay to launch a phishing campaign that masquerades as the hotly-awaited update. Malwarebytes says the email lure contains an attachment called "Securityupdates[dot]exe".

President Biden has said the Kaseya attack caused "minimal damage" to US organisations, but American officials are due to discuss the issue with their Russian counterparts on Tuesday. The attack came as the Republican National Committee said one of its contractors had been hacked. Bloomberg reported that Russian government hackers were responsible. "If the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action, or reserve the right to take action, on our own," the White House spokeswoman said.

Threats

Social engineering: New surveys illustrate the scale of cybercrime: an 87% increase in social engineering scams during the first quarter of 2021 compared to the same period last year, and 65% of organisations reporting targeted ('spear phishing') attacks in the last 12 months.

PayPal: Devious and highly credible campaign tries to steal PayPal credentials by claiming the target's profile is out of date. Armorblox

Dropbox: Suspected Chinese attackers impersonated the office of the Afghan President in spear-phishing emails as part of a campaign against the Kabul government, with the resulting backdoor using Dropbox as its command-and-control channel so that its traffic blends in with legitimate cloud storage use. Check Point

Facebook: Scam tries to persuade targets to link their Facebook account to Android apps. It also offers what promises to be an ad-free interface for Facebook but which again is designed to harvest user credentials. Dr.Web

Leavers: Almost a quarter of people have access to accounts from previous jobs, according to a survey by Beyond Identity. The same research also found 41.7% of those interviewed said they shared passwords.

Unreal: We know how easy it is to alter pictures. It's not often one sees such a vivid demonstration as this example, explained on TikTok by Beka Day. A warning: the Instagram account in question shows a woman's transformation from scantily dressed adult to barely dressed teen.

Gamers: Criminals are trying to exploit the increase in gaming during the pandemic. The most common tactic employs malicious links disguised as free versions, updates and cheats. Kaspersky

Framed 

Framing government opponents by planting compromising documents on their computers is a recurring tactic. Now, new details have emerged about an alleged example in India. Arsenal Consulting, which has made a speciality of investigating such incidents, says incriminating files were placed on the computers of two activists in India. The documents were used as evidence to link them to a banned Maoist militant group, and the activists have been in prison since 2018. Arsenal believes the computers were compromised through booby-trapped emails that installed commercially available remote-access malware.

Beware

There are some great online resources for anyone wanting to make themselves more secure. Unfortunately, criminals have figured this out, and one group created a fake website designed to trap the unwary. As Proofpoint reports, the detailed, legitimate-looking “Privacy Tools” website was designed to lure visitors into downloading a tool that would supposedly protect their data. In fact, once installed, it allowed information to be stolen from the infected computer. Proofpoint thinks this isn't the first time this group has used the tactic. It's a good reminder that security resources on the web should be treated with the same care as anything else you download: check who is behind a site before installing what it offers.

WiFi

Another reason to be cautious about public WiFi networks. Last month, a researcher discovered that specific characters in the name of a hotspot (percent signs followed by letters, resembling printf-style format specifiers) could break an iPhone's WiFi capability. Now it turns out the problem is more serious than previously thought. Additional work by Carl Schou revealed that the damage is more persistent and can be fixed only by editing a configuration file. Even worse, there are suggestions that the damaging characters can be hidden so there's nothing to suggest a WiFi hotspot is malicious. Until Apple fixes the issue, the best advice is to go to Settings | Wi-Fi and set 'Auto-Join Hotspots' to 'Ask to Join' or 'Never' on your iPhone (and iPad). And steer clear of any WiFi networks with a % in the name.

Spyware

A comprehensive database has been created to illustrate how spyware sold by the NSO Group supports state attacks on journalists, activists and human rights groups. Forensic Architecture used reports and interviews with those targeted to reveal the links between government surveillance and real-world intimidation, violence and, in some cases, death. The research also demonstrates that the use of spyware is seldom restricted to a specific target, but extends to friends, colleagues and family members. The report came as the NSO Group published a 'transparency report.' Amnesty International described it as reading like a "sales brochure."

In brief

Password manager: Kaspersky really mucked this up. It turns out its password manager (KPM) used a hopelessly ineffective method of generating...passwords. Ledger Donjon found that every password was derived from the current time in seconds, so an attacker who knows roughly when a password was created can regenerate every candidate for that period in moments. Users are advised to regenerate any passwords created before October 2019. Ledger Donjon
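To show why a clock-seeded generator is no generator at all, here is an added example (not Kaspersky's or Ledger Donjon's code). It reproduces the class of bug with Python's Mersenne Twister seeded from a Unix timestamp, recovers the seed and therefore the password by searching a plausible creation window, and contrasts the effective search space with a CSPRNG-based generator. The alphabet, password length and the time window are assumptions for illustration.

```python
"""Time-seeded PRNG vs CSPRNG for password generation (added example)."""
import math
import random
import secrets
import string
from typing import Optional

# Assumed character set for the demonstration, not KPM's actual alphabet.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def weak_password(epoch_seconds: int, length: int = 12) -> str:
    """Deliberately flawed: the whole password is a function of one integer.

    Mirrors the bug class: seed a non-cryptographic PRNG with the wall clock
    in seconds and draw characters from it.
    """
    rng = random.Random(epoch_seconds)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def recover_seed(password: str, window_start: int, window_end: int) -> Optional[int]:
    """Attacker's view: try every second in a plausible creation window.

    Account creation dates, file timestamps or e-mail headers usually give a
    window of hours or days, so the search is trivial.
    """
    for candidate in range(window_start, window_end):
        if weak_password(candidate, len(password)) == password:
            return candidate
    return None


def strong_password(length: int = 12) -> str:
    """Correct approach: draw every character from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def nominal_bits(length: int = 12) -> float:
    """Entropy a password of this shape would have if chosen uniformly."""
    return length * math.log2(len(ALPHABET))


def effective_bits(window_seconds: int) -> float:
    """Entropy actually obtained from a clock-seeded generator: one
    candidate per second in the creation window, regardless of length."""
    return math.log2(window_seconds)


if __name__ == "__main__":
    # Constructed scenario: password generated at a known 2019 timestamp.
    created_at = 1_560_000_000
    pw = weak_password(created_at)
    found = recover_seed(pw, created_at - 3600, created_at + 3600)
    print(f"weak password {pw!r} recovered from seed {found}")
    print(f"nominal strength: {nominal_bits():.1f} bits")
    print(f"effective strength (one-day window): {effective_bits(86400):.1f} bits")
    print(f"CSPRNG password: {strong_password()!r}")
```

The point the numbers make: a 12-character password over a 70-symbol alphabet nominally carries about 73 bits, but if the only secret input is a timestamp, a one-day creation window leaves roughly 16 bits and a decade leaves under 29, well within brute-force reach. Length and alphabet size are irrelevant once the seed is guessable.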

Superheroes: And on the subject of passwords...don't be tempted like hundreds of thousands of people to use the name of your favourite superhero. Specops

LinkedIn: Want to make sure your LinkedIn profile can't be seen in China? Just add Tiananmen Square to your interests and you will become invisible to users behind the great firewall. Kevin Beaumont

Retouched: New regulations in Norway will require influencers and advertisers to label retouched photos as part of efforts to combat unrealistic beauty standards. Norwegian Parliament

Reanimation: "Experts are exploring ways artificial intelligence might confer a kind of digital immortality, preserving the personalities of the departed in virtual form and then allowing them to evolve..." Wall Street Journal ($)

Updates

PrintNightmare: Many Windows users have been experiencing disruption as administrators frantically update systems to address a printing-related vulnerability that can be exploited remotely to run code with SYSTEM privileges. The issue derives from bugs in the Windows Print Spooler service, which runs by default on workstations, servers and domain controllers alike, so the number of systems affected is vast. Microsoft has denied reports that the updates don't work, saying they do resolve the issue provided the Point and Print registry settings have not been loosened; administrators should check those settings, and disable the Spooler service wherever printing isn't needed.

Microsoft: Is working to fix an issue that is blocking Azure Virtual Desktop devices from downloading and installing recent security updates via Windows Server Update Services (WSUS). Two workarounds are offered.

QNAP: Update addresses a critical security vulnerability in some network attached storage devices. Users are also advised to follow QNAP's best practice guidelines.

Audacity: The owner of the popular free audio editor published changes to its privacy policy to allow it to gather (limited) information about users. Cue outrage and accusations that the app should now be regarded as spyware. That charge might be exaggerated, but some of the new terms and conditions do appear slightly excessive. Ars Technica has a balanced view.

SonicWall: Another reason to check on-premises deployments of SonicWall's Network Security Manager (NSM) product. Positive Technologies explains the potential impact of a recently addressed vulnerability.

Cisco: Security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

Tor: Version 10.5 of the Tor Browser warns users that v2 onion service addresses are deprecated and will stop working, and builds in the Snowflake bridge to help users in censored networks reach Tor.

SecureDrop: Version 2.0.1 is a maintenance release that updates dependencies and signs the SecureDrop release tag with an updated signing key.


Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217