Welcome to the latest edition of the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of security.
In this week’s round-up:
Kaseya VSA was hit by a supply chain attack on Friday 2nd July, made possible by a zero-day flaw in the product. After the initial compromise, a fake auto-update was pushed through VSA itself, which delivered the REvil ransomware. Kaseya VSA is mostly used by managed service providers, and the firm reportedly has 40,000 customers. It is unclear how many of these customers have been infected by the ransomware, but the latest estimates put the number at around 1500. After discovering the attack, Kaseya advised its customers to “IMMEDIATELY shutdown your VSA server”. The attackers timed the attack for the 4th July holiday weekend to inflict maximum damage, knowing staff would likely be celebrating instead of working. Investigation into the incident is ongoing, but it may be some time before the full impact of this attack is understood.
Microsoft recently released an emergency patch addressing the PrintNightmare vulnerability; however, researchers were still able to perform local privilege escalation and remotely execute arbitrary code with the fix installed. Several researchers independently bypassed the fix, and the advice given has been not to apply the patch at all: not only does it fail to fix the intended flaw, it also prevents other important patches from applying. Microsoft are currently investigating the failed patch and are taking the “appropriate action to protect their customers”.
Until the flaw has been addressed, you can use some of the mitigation techniques found here.
Over the weekend, the Formula 1 official app was hacked, and its users were sent unusual messages suggesting they check their security. It was confirmed by an F1 spokesperson that the attack was “limited to the Push Notifications Service”; it is also believed that no customer data was accessed as a result of the incident. Many users are concerned about the security of the app after the hack and are calling for improved security measures.
Discord is a community chatting software widely used by gamers, streamers and content creators; however, its popularity has attracted the attention of cybercriminals seeking to exploit the platform’s users. Discord scams are becoming more and more frequent, with cryptocurrency, giveaway and support scams topping the list. Discord is reportedly looking into implementing new security measures to combat these threats, but until then there are a few things you can do: avoid contact with people you don’t know, do not click on any links sent by strangers, use multi-factor authentication and report any suspicious users.
Vulnerabilities & Updates
A group of cybercriminals known as WildPressure are branching out in their latest campaign, choosing to target macOS users in their attacks. A new macOS malware variant has been seen in use, and Kaspersky have released a report of their latest findings: the group is using a variant of a trojan called Milum that is packaged with PyInstaller so that it can run on macOS.
More details on WildPressure’s campaigns can be found here.
Four vulnerabilities have been found affecting the Sage X3 ERP platform, one of which was given a CVSS score of 10 out of 10. If used together, these flaws can allow an attacker to completely take over the target system and execute arbitrary code with elevated privileges. These vulnerabilities were addressed in the latest update for Sage; we recommend applying the fixes as soon as possible.
More details on the CVEs can be found here.
A critical remote code execution flaw has been discovered in PowerShell 7, affecting its .NET components on Windows, Linux and macOS. No mitigation techniques have been released, and all customers are urged to update to version 7.0.6 or 7.1.3, depending on which release line they use, as soon as possible. Microsoft have also recognised that updating PowerShell is not as simple as it should be, and are looking into making the process easier. Until then, guidance on how to update PowerShell can be found in Microsoft’s initial advisory.
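A quick way to tell which side of the fixed versions an install sits on, for this host or for a list of versions from an inventory. This is an added example, not code from the round-up or from Microsoft’s advisory; the function name, the inventory list and the “NotApplicable”/“Unknown” handling are my own, and the only versions it relies on are the 7.0.6 and 7.1.3 figures named above.

```powershell
# Added example (not from the Ironshare round-up or Microsoft's advisory):
# report whether a PowerShell 7 build is at or above the fixed versions
# named in the post (7.0.6 for the 7.0 line, 7.1.3 for the 7.1 line).
# Function and variable names are my own choices.
function Test-PwshPatched {
    param(
        # Defaults to the running interpreter. PSVersion on PowerShell 7 is a
        # SemanticVersion and may carry a "-preview" suffix, which [version]
        # cannot parse, so the suffix is stripped first.
        [version]$Version = [version](($PSVersionTable.PSVersion.ToString() -split '-')[0])
    )

    # Minimum fixed build per release line, as stated in the advisory summary above.
    $fixed = @{
        '7.0' = [version]'7.0.6'
        '7.1' = [version]'7.1.3'
    }

    $line = "$($Version.Major).$($Version.Minor)"

    if ($Version.Major -lt 7) {
        # Windows PowerShell 5.1 and earlier is a separate product line that this
        # advisory does not cover, so it is neither patched nor vulnerable here.
        return [pscustomobject]@{ Version = $Version; Line = $line; Status = 'NotApplicable'; Fixed = $null }
    }
    if (-not $fixed.ContainsKey($line)) {
        # A 7.x line the post does not mention: flag it for manual review rather
        # than guessing a threshold.
        return [pscustomobject]@{ Version = $Version; Line = $line; Status = 'Unknown'; Fixed = $null }
    }

    $status = if ($Version -ge $fixed[$line]) { 'Patched' } else { 'Vulnerable' }
    [pscustomobject]@{ Version = $Version; Line = $line; Status = $status; Fixed = $fixed[$line] }
}

# Check this host first.
Test-PwshPatched

# Then a constructed inventory of versions (sample values, not real hosts).
'7.0.5', '7.0.6', '7.1.2', '7.1.3', '5.1.19041.1' |
    ForEach-Object { Test-PwshPatched -Version ([version]$_) } |
    Format-Table Version, Line, Status, Fixed
```

Running the inventory portion reports 7.0.5 and 7.1.2 as Vulnerable, 7.0.6 and 7.1.3 as Patched, and the 5.1 entry as NotApplicable. Feeding it the output of an endpoint inventory tool instead of the constructed list gives a fleet-wide view of who still needs the update.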
And that is it for this week’s round-up. Please do not forget to tune in for new instalments every week.
Stay Safe, Secure and Healthy!
Edition #149 – 9th July 2021
Ironshare – Security Simplified