Critical Zcash Bug Could Have Allowed ‘Infinite Counterfeit’ Cryptocurrency
REvil, the infamous ransomware cartel behind some of the biggest cyberattacks targeting JBS and Kaseya, has mysteriously disappeared from the dark web, leading to speculations that the criminal enterprise may have been taken down.
Multiple darknet and clearnet sites maintained by the Russia-linked cybercrime syndicate, including the data leak, extortion, and payment portals, remained inaccessible, displaying an error message “Onionsite not found.”
The group’s Tor network infrastructure on the dark web consists of one data leak blog site and 22 data hosting sites. It’s not immediately clear what prompted the infrastructure to be knocked offline.
REvil is one of the most prolific ransomware-as-a-service (RaaS) groups that first appeared on the threat landscape in April 2019. It’s an evolution of the GandCrab ransomware, which hit the underground markets in early 2018.
“If REvil has been permanently disrupted, it’ll mark the end of a group which has been responsible for >360 attacks on the U.S. public and private sectors this year alone,” Emsisoft’s Brett Callow tweeted.
The sudden development comes close on the heels of a wide-scale supply chain ransomware attack aimed at technology services provider Kaseya, for which REvil (aka Sodinokibi) claimed responsibility and demanded a $70 million ransom in exchange for a universal decryption key that would unlock all victims’ data.
The disastrous attack saw the ransomware gang encrypting approximately 60 managed service providers (MSPs) and over 1,500 downstream businesses using a zero-day vulnerability in the Kaseya VSA remote management software. In late May, REvil also masterminded the attack on the world’s largest meat producer JBS, which ended up paying $11 million to the extortionists to recover from the incident.
The outage also coincides with U.S. President Joe Biden’s phone call with Russian President Vladimir Putin last week, pressing the latter to take steps to disrupt ransomware groups operating in the country, while warning of retaliatory action to defend critical infrastructure.
“The situation is still unfolding, but evidence suggests REvil has suffered a planned, concurrent takedown of their infrastructure, either by the operators themselves or via industry or law enforcement action,” FireEye Mandiant’s John Hultquist told CNBC.
It appears that REvil’s Happy Blog was taken offline around 1 AM EST on Tuesday, with vx-underground noting that the group’s public-facing representative, Unknown, has not posted on popular hacking forums such as Exploit and XSS since July 8.
Subsequently, a representative for LockBit ransomware posted to the XSS Russian-speaking hacking forum that REvil’s attack infrastructure received a government legal request, causing the servers to be dismantled. “REvil is banned from XSS,” vx-underground later added.
It’s not uncommon for ransomware groups to go underground following highly publicized incidents. After the DarkSide gang targeted Colonial Pipeline in May, the operators announced plans to wind up their RaaS affiliate program for good, claiming that their servers had been seized by an unknown law enforcement agency, raising questions as to whether the group actually retired or rebranded under a new name.
This theory was validated a few weeks later when the U.S. Department of Justice revealed last month that it was able to recover most of the money paid by Colonial Pipeline to the DarkSide group through an analysis of the bitcoin trails.
REvil’s unexplained shutdown, in a similar fashion, may well be a case of planned retirement, or a temporary setback that forces it to seemingly disband only to eventually reassemble under a new identity so as to attract less attention, or a consequence of increased international scrutiny in the wake of the global ransomware crisis.
If it indeed turns out that the group has permanently shuttered operations, the move is bound to leave the group’s targets in the lurch, with no viable means to negotiate ransoms and get hold of the decryption keys necessary to regain control of their systems, thus permanently locking them out of their data.
“I don’t know what this means, but regardless, I’m happy!” tweeted Katie Nickels, director of intelligence at Red Canary. “If it’s a government takedown – awesome, they’re taking action. If the actors voluntarily went quiet – excellent, maybe they’re scared.”
IT infrastructure management provider SolarWinds on Thursday released a new update to its Orion networking monitoring tool with fixes for four security vulnerabilities, counting two weaknesses that could be exploited by an authenticated attacker to achieve remote code execution (RCE).
Chief among them is a JSON deserialization flaw that allows an authenticated user to execute arbitrary code via the test alert actions feature available in the Orion Web Console, which lets users simulate network events (e.g., an unresponsive server) that can be configured to trigger an alert during setup. It has been rated critical in severity.
A second issue concerns a high-risk vulnerability that could be leveraged by an adversary to achieve RCE in the Orion Job Scheduler. “In order to exploit this, an attacker first needs to know the credentials of an unprivileged local account on the Orion Server,” SolarWinds said in its release notes.
The advisory is light on technical specifics, but the two shortcomings are said to have been reported via Trend Micro’s Zero Day Initiative.
Besides the aforementioned two flaws, the update squashes two other bugs, including a high-severity stored cross-site scripting (XSS) vulnerability in the “add custom tab” function of the Customize View page (CVE-2020-35856) and a reverse tabnabbing and open redirect vulnerability in the custom menu item options page (CVE-2021-3109), both of which require an Orion administrator account for successful exploitation.
The new update also brings a number of security improvements, with fixes for preventing XSS attacks and enabling UAC protection for Orion database manager, among others.
The latest round of fixes arrives almost two months after the Texas-based company addressed two severe security vulnerabilities impacting Orion Platform (CVE-2021-25274 and CVE-2021-25275), which could have been exploited to achieve remote code execution with elevated privileges.
Orion users are recommended to update to the latest release, “Orion Platform 2020.2.5,” to mitigate the risk associated with the security issues.
Microsoft on Tuesday issued fixes for 87 newly discovered security vulnerabilities as part of its October 2020 Patch Tuesday, including two critical remote code execution (RCE) flaws in the Windows TCP/IP stack and Microsoft Outlook.
Of the flaws, 11 are rated Critical, 75 Important, and one Moderate in severity; they affect Windows, Office and Office Services and Web Apps, Visual Studio, Azure Functions, .NET Framework, Microsoft Dynamics, Open Source Software, Exchange Server, and the Windows Codecs Library.
Although none of these flaws are listed as being under active attack, six vulnerabilities are listed as publicly known at the time of release.
Chief among the most critical bugs patched this month is CVE-2020-16898 (CVSS score 9.8). According to Microsoft, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer to exploit the RCE flaw in the TCP/IP stack and execute arbitrary code on the target client or server.
According to McAfee security experts, ‘this type of bug could be made wormable,’ allowing hackers to launch an attack that can spread from one vulnerable computer to another without any human interaction.
A second vulnerability to keep track of is CVE-2020-16947, which concerns an RCE flaw in affected versions of Outlook that could allow code execution just by viewing a specially crafted email.
“If the current user is logged on with administrative user rights, an attacker could take control of the affected system,” Microsoft noted in its advisory. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Another critical RCE vulnerability in Windows Hyper-V (CVE-2020-16891, CVSS score 8.8) exists due to improper validation of input from an authenticated user on a guest operating system.
As a result, an adversary could exploit this flaw to run a specially crafted program on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.
Two other critical RCE flaws (CVE-2020-16967 and CVE-2020-16968) affect the Windows Camera Codec Pack, permitting an attacker to send a malicious file that, when opened, exploits the flaw to run arbitrary code in the context of the current user.
Finally, the patch also addresses a privilege escalation flaw (CVE-2020-16909) in the Windows Error Reporting (WER) component that could allow an authenticated attacker to execute malicious applications with escalated privileges and gain access to sensitive information.
Other critical flaws fixed by Microsoft this month include RCE flaws in SharePoint, Media Foundation Library, Base3D rendering engine, Graphics Components, and the Windows Graphics Device Interface (GDI).
It’s highly recommended that Windows users and system administrators apply the latest security patches to mitigate the threats associated with these issues.
To install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update, or select Check for Windows updates.
Open-source Tor browser has been updated to version 10.0.18 with fixes for multiple issues, including a privacy-defeating bug that could be used to uniquely fingerprint users across different browsers based on the apps installed on a computer.
In addition to updating Tor to 0.4.5.9, the browser’s Android version has been upgraded to Firefox 89.1.1, incorporating the patches rolled out by Mozilla for several security vulnerabilities addressed in Firefox 89.
Chief among the rectified issues is a new fingerprinting attack that came to light last month. Dubbed scheme flooding, the vulnerability enables a malicious website to leverage information about installed apps on the system to assign users a permanent unique identifier even when they switch browsers, use incognito mode, or use a VPN.
Put differently, the weakness takes advantage of custom URL schemes in apps as an attack vector, allowing a bad actor to track a device’s user between different browsers, including Chrome, Firefox, Microsoft Edge, Safari, and even Tor, effectively circumventing cross-browser anonymity protections on Windows, Linux, and macOS.
“A website exploiting the scheme flooding vulnerability could create a stable and unique identifier that can link those browsing identities together,” FingerprintJS researcher Konstantin Darutkin said.
Currently, the attack checks a list of 24 installed applications that consists of Adobe, Battle.net, Discord, Epic Games, ExpressVPN, Facebook Messenger, Figma, Hotspot Shield, iTunes, Microsoft Word, NordVPN, Notion, Postman, Sketch, Skype, Slack, Spotify, Steam, TeamViewer, Telegram, Visual Studio Code, WhatsApp, Xcode, and Zoom.
The issue has serious implications for privacy as it could be exploited by adversaries to unmask Tor users by correlating their browsing activities as they switch to a non-anonymizing browser, such as Google Chrome. To counter the attack, Tor now sets “network.protocol-handler.external” to false so as to block the browser from probing installed apps.
Of the other three browsers, while Google Chrome features built-in safeguards against scheme flooding — it prevents launching any application unless it’s triggered by a user gesture, like a mouse click — the browser’s PDF Viewer was found to bypass this mitigation.
“Until this vulnerability is fixed, the only way to have private browsing sessions not associated with your primary device is to use another device altogether,” Darutkin said. Tor browser users are recommended to move quickly to apply the update to ensure they are protected.
The development arrives little over a week after encrypted messaging service Wire addressed two critical vulnerabilities in its iOS and web app that could lead to a denial-of-service (CVE-2021-32666) and permit an attacker to take control of a user account (CVE-2021-32683).
A newly devised variant of the NAT Slipstreaming attack can be leveraged to compromise and expose any device in an internal network, according to the latest research.
Detailed by enterprise IoT security firm Armis, the new attack (CVE-2020-16043 and CVE-2021-23961) builds on the previously disclosed technique to bypass routers and firewalls and reach any unmanaged device within the internal network from the Internet.
Although partial mitigations were released on November 11 to thwart the attack in Chrome 87, Firefox 84, and Safari by preventing connections on port 5060 or 5061, Armis researchers Ben Seri and Gregory Vishnipolsky revealed that “NAT Slipstreaming 2.0” puts “embedded, unmanaged, devices at greater risk, by allowing attackers to expose devices located on internal networks, directly to the Internet.”
Vulnerable devices that could be potentially exposed as a consequence of this attack include office printers, industrial controllers, IP cameras, and other unauthenticated interfaces that could be exploited once the NAT/firewall is tricked into opening network traffic to the victim device.
“Using the new variant of the NAT Slipstreaming attack to access these types of interfaces from the Internet, can result in attacks that range from a nuisance to a sophisticated ransomware threat,” the researchers said.
Google, Apple, Mozilla, and Microsoft have all released patches to the Chrome (v87.0.4280.141), Safari (v14.0.3), Firefox (v85.0), and Edge (v87.0.664.75) browsers to address the new attack.
Put simply, NAT Slipstreaming allows a bad actor to bypass the NAT/firewall and remotely access any TCP/UDP service bound to a victim machine as a result of the target visiting a malicious website specially crafted for this purpose.
“This is achieved by carefully setting the [Maximum Segment Size] value of an attacker controlled TCP connection from the victim browser to an attacker’s server, so that a TCP segment in the ‘middle’ of the HTTP request will be entirely controlled by the attacker,” the researchers explained.
As a consequence, the NAT application-level gateway (ALG) opens arbitrary ports for inbound connections to the client’s device via its internal IP address.
NAT Slipstreaming 2.0 is similar to the aforementioned attack in that it uses the same approach, but it relies on the H.323 VoIP protocol instead of SIP, sending multiple fetch requests to the attacker’s server on the H.323 port (1720). This allows the attacker to iterate through a range of internal IP addresses and ports, opening each one of them to the Internet.
“A long lasting solution, unfortunately, would require some [overhaul] of the Internet infrastructure we’re accustomed to,” the researchers concluded.
“It is important to understand that security was not the principal agenda for the creation of NATs, rather it was mainly a by-product of the potential exhaustion of IPv4 addresses. Legacy requirements such as ALGs are still a dominant theme in the design of NATs today, and are the primary reason bypassing attacks are found again and again.”
Networking equipment company Netgear has released patches to remediate a high-severity remote code execution vulnerability affecting multiple routers that could be exploited by remote attackers to take control of an affected system.
Tracked as CVE-2021-40847 (CVSS score: 8.1), the security weakness impacts the following models –
According to GRIMM security researcher Adam Nichols, the vulnerability resides within Circle, a third-party component included in the firmware that offers parental control features in Netgear devices. Specifically, the issue concerns the Circle update daemon, which runs by default even if the router hasn’t been configured to limit daily internet time for websites and apps, resulting in a scenario that could permit bad actors with network access to gain remote code execution (RCE) as root via a Man-in-the-Middle (MitM) attack.
This is made possible owing to the manner in which the update daemon (called “circled”) connects to Circle and Netgear to fetch updates to the filtering database — which are both unsigned and downloaded using HTTP — thereby making it possible for an interloper to stage an MitM attack and respond to the update request with a specially-crafted compressed database file, extracting which gives the attacker the ability to overwrite executable binaries with malicious code.
“Since this code is run as root on the affected routers, exploiting it to obtain RCE is just as damaging as a RCE vulnerability found in the core Netgear firmware,” Nichols said. “This particular vulnerability once again demonstrates the importance of attack surface reduction.”
The disclosure comes weeks after Google security engineer Gynvael Coldwind revealed details of three severe security vulnerabilities dubbed Demon’s Cries, Draconian Fear, and Seventh Inferno, impacting over a dozen Netgear smart switches and allowing threat actors to bypass authentication and gain full control of vulnerable devices.
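The three weaknesses described for the Circle update path (plain-HTTP transport, an unsigned database blob, and extraction that can overwrite arbitrary files) each map to a check a hardened updater would run before unpacking anything. The block below is an added illustration of those checks, not Circle’s or Netgear’s code; the endpoint URL, the shared key (an HMAC stand-in for a real vendor signature) and the archive contents are all constructed for the example.

```python
import hashlib
import hmac
import io
import posixpath
import tarfile
from urllib.parse import urlparse

# Stand-in for the vendor's signing key (constructed for this example; a real
# updater would verify a public-key signature shipped with the firmware).
UPDATE_KEY = b"example-update-key-not-real"


def url_is_acceptable(url: str) -> bool:
    """Plain HTTP lets an on-path attacker answer the update request."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def make_tag(blob: bytes) -> str:
    """Authenticity tag the server would publish alongside the blob."""
    return hmac.new(UPDATE_KEY, blob, hashlib.sha256).hexdigest()


def blob_is_authentic(blob: bytes, tag_hex: str) -> bool:
    """Constant-time check, done before the archive is even opened."""
    return hmac.compare_digest(make_tag(blob), tag_hex)


def unsafe_entries(blob: bytes) -> list:
    """Names of archive members that could write outside the database dir."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as archive:
        for member in archive.getmembers():
            norm = posixpath.normpath(member.name)
            escapes = norm.startswith("/") or norm == ".." or norm.startswith("../")
            # Symlinks and device nodes could redirect a later write to /usr/bin
            if escapes or not (member.isfile() or member.isdir()):
                bad.append(member.name)
    return bad


def apply_update(url: str, blob: bytes, tag_hex: str, dest: str) -> str:
    """Run the checks in order; extract only if all of them pass."""
    if not url_is_acceptable(url):
        return "rejected: insecure transport"
    if not blob_is_authentic(blob, tag_hex):
        return "rejected: bad authenticity tag"
    bad = unsafe_entries(blob)
    if bad:
        return "rejected: unsafe entries " + ",".join(bad)
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as archive:
        archive.extractall(dest)
    return "applied"


def build_archive(entries: dict) -> bytes:
    """Constructed test fixture: a gzip tarball built from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as archive:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            archive.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```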
UPDATE: Following the publication of the story, Circle shared the below statement with The Hacker News —
“Circle created software fixes to resolve recently publicized security vulnerabilities for a loader on Netgear routers and has worked with Netgear to ensure that it is available for Netgear customers. Circle recommends that Netgear users ensure that they are using the latest firmware for their Netgear routers. No other Circle customers are impacted by this vulnerability.”
An “aggressive” financially motivated threat actor has been identified as linked to a string of RYUK ransomware attacks since October 2018, while maintaining close partnerships with TrickBot-affiliated threat actors and using a publicly available arsenal of tools such as Cobalt Strike Beacon payloads to interact with victim networks.
Cybersecurity firm Mandiant attributed the intrusions to a Russian-speaking hacker group rechristened as FIN12, and previously tracked under the name UNC1878, with a disproportionate focus on healthcare organizations with more than $300 million in revenue, among others, including education, financial, manufacturing, and technology sectors, located in North America, Europe, and the Asia Pacific.
The designation marks the first time a ransomware affiliate group has been promoted to the status of a distinct threat actor.
“FIN12 relies on partners to obtain initial access to victim environments,” Mandiant researchers said. “Notably, instead of conducting multifaceted extortion, a tactic widely adopted by other ransomware threat actors, FIN12 appears to prioritize speed and higher revenue victims.”
The use of initial access brokers to facilitate ransomware deployments isn’t new. In June 2021, findings from enterprise security company Proofpoint revealed that ransomware actors are increasingly shifting from using email messages as an intrusion route to purchasing access from cybercriminal enterprises that have already infiltrated major entities, with Ryuk infections mainly leveraging accesses obtained via malware families like TrickBot and BazaLoader.
Furthermore, an in-depth analysis of initial access brokers by cybersecurity firm KELA in August 2021 found that the average cost of network access was $5,400 for the period July 2020 to June 2021, with select actors adopting an ethical stance against trading access to healthcare companies. FIN12’s targeting of the healthcare sector suggests that its initial access brokers “cast a wider net and allow FIN12 actors to choose from a list of victims after accesses are already obtained.”
Mandiant also noted that it observed, in May 2021, threat actors obtaining a foothold in the network through phishing email campaigns distributed internally from compromised user accounts, leading to the deployment of Cobalt Strike Beacon and WEIRDLOOP payloads. Attacks mounted between mid-February and mid-April of 2021 are also said to have taken advantage of remote logins by getting hold of credentials to victims’ Citrix environments.
Although FIN12’s tactics in late 2019 involved using TrickBot as a means to maintain a foothold in the network and carry out latter-stage tasks, including reconnaissance, delivering malware droppers, and deploying the ransomware, the group has since consistently banked on Cobalt Strike Beacon payloads for performing post-exploitation activities.
FIN12 also distinguishes itself from other intrusion threat actors in that it rarely engages in data theft extortion — a tactic that’s used to leak exfiltrated data when victims refuse to pay up — which Mandiant says stems from the threat actor’s desire to move quickly and strike targets that are willing to settle with minimal negotiation to recover critical systems, a factor that perhaps explains their increasing interest in attacking healthcare networks.
“The average time to ransom (TTR) across our FIN12 engagements involving data theft was 12.4 days (12 days, 9 hours, 44 minutes) compared to 2.48 days (2 days, 11 hours, 37 minutes) where data theft was not observed,” the researchers said. “FIN12’s apparent success without the need to incorporate additional extortion methods likely reinforces this notion.”
“[FIN12 is the] first FIN actor that we are promoting who specializes in a specific phase of the attack lifecycle — ransomware deployment — while relying on other threat actors for gaining initial access to victims,” Mandiant noted. “This specialization reflects the current ransomware ecosystem, which is comprised of various loosely affiliated actors partnering together, but not exclusively with one another.”