A new ransomware hits the scene while an old one shoots itself in the foot. And what’s this about the Department of Homeland Security?
It’s quite the interesting month indeed, as this week’s Threat Thursday reveals!
Gee, Thanks 2020: An All New Ransomware is Set to Dethrone Ryuk
Still not had enough of 2020? Then the developers behind Conti, a rising new strain of ransomware, are determined to make your year that little bit worse.
Sporting code and functions similar to Ryuk, Conti seems set to replace that long-running malware with powers far beyond its fearsome forebear. Able to run more than 30 encryption operations at once, Conti compromises and encrypts files at a staggering rate when compared to similar malware. In a blog post by Carbon Black, VMware’s threat analysis unit, it’s revealed that Conti’s spread might even be controlled by the threat actor themselves; expect Conti’s developers to use more direct methods than mass phishing campaigns should they wish to seize control of your servers.
All in all, Conti’s just another setback 2020 didn’t need. And because it’s not spreading by the typical malware methods – be they dodgy URLs or phishing emails – we’ll have to be more vigilant than ever to keep this rising threat off our systems.
Those Poor, Unfortunate SAPS: Exploit in Popular ERP Software Allows for Full System Takeover
Yeesh. You know a threat’s worth taking seriously when the USA’s Department of Homeland Security gets involved.
In a bulletin issued by their Cybersecurity and Infrastructure Security Agency (CISA), the department unveiled a critical vulnerability in SAP’s NetWeaver Application Server Java. The bug, which has been given the typically punchy name of ‘RECON’ (Remotely Exploitable Code on NetWeaver), carries the highest possible score of 10 on the industry’s Common Vulnerability Scoring System (CVSS). See, look at all those acronyms; this is obviously a big deal.
According to CISA’s bulletin:
“This vulnerability can lead to compromise of vulnerable SAP installations, including the modification or extraction of highly sensitive information, as well as the disruption of critical business processes. A remote, unauthenticated attacker can exploit this vulnerability through an HTTP interface, which is typically exposed to end users and, in many cases, exposed to the internet.”
And it’s not limited to just one SAP product, either. NetWeaver Java – and its associated vulnerability – is used in a wealth of SAP business applications, the full list of which is revealed here.
Thankfully, a patch was released on Monday to fix all affected systems. Given that the cat is very much out of the bag now, it’s vital to update your SAP systems as soon as possible, lest cyber criminals catch wind of this exploit and use it for their own nefarious ends. You’d think the Department of Homeland Security would be a little more covert, but there you go.
TrickBot’s Latest Slip-Up Fools Nobody
A good magician never reveals his tricks – a lesson apparently ignored by the developers of the ironically-named TrickBot this week. The most recent release of this malware loader is apparently an in-progress build – and it’s started warning its victims of any in-progress data theft. Big whoops.
First reported on Advanced Intel, the website of ethical hacker Vitali Kremez, the slip-up causes a new browser window to open with the following, adorably translated warning message:
“You see this message because the program named grabber gathered some information from your browser.
If you do not know what is happening it is the time to start be worrying.
Please, ask your system administrator for details.”
Typically, a message such as this would demand some sort of ransom payment were it meant to be seen by victims; the fact that this is little more than a warning suggests it’s an early development build, or may once have been used for something other than data theft. Whatever the reason for its existence, it’s currently undermining TrickBot’s typically clandestine operations.
Still, while development of the malware appears to continue, at least the devs have had the decency to warn us this time.
Remember, TrickBot typically spreads via the usual murky methods – phishing emails with links to dodgy URLs or bug-infested attachments. As always, brush up on your phishing email awareness and don’t open anything you weren’t expecting.
Zoom Chucks Lingering Vulnerabilities Out the Window
Windows 7 might well have been abandoned by Microsoft, but it’s estimated that nearly one in five businesses worldwide are still relying on the popular operating system. Couple that with the millions of users relying on Zoom for their online conferencing, and it’s easy to imagine at least a few of our readers being affected by this newly discovered Zoom vulnerability.
This zero-day exploit – thankfully discovered before it could be used in the wild – was only achievable against victims running Microsoft’s legacy operating system; nonetheless, it potentially allowed for remote code execution, compromising the affected user’s systems and security.
Unfortunately, no technical details around the exploit have been divulged. A patch, however, has been. If you’re still using Windows 7 and haven’t updated your Zoom Windows client, we’d suggest downloading the latest update. Actually, scratch that: upgrade to Windows 10, then install the latest update. Stop us if you’ve heard it before, but sticking with your outdated Windows 7 systems is very much a bad idea.
Twits and Bits – Twitter Hacked in an Unprecedented Attack on Social Media
Twitter, the futile argument capital of the internet, suffered something of a shocker yesterday evening after the accounts of such prominent public figures as Bill Gates, Jeff Bezos and Barack Obama were hacked. While details of the hack are unclear, the official response from Twitter is that it was co-ordinated, targeting their employees “with access to internal systems and tools”.
The hack appears to be a Bitcoin-begging effort, leveraging the popularity of compromised accounts to encourage donations from their hapless followers. Apple’s official Twitter account even offered to double any Bitcoin payments they received. Indeed, the scope of this scheme was so widespread that Twitter was forced to disable all verified accounts – those with the little blue stamp next to their name – until midnight today. As far as social media hacks go, this is one of the most high-concept in recent memory.
The scope and scale of this attack suggest it began with Twitter’s own security, not least when so many powerful figures are the victims of the attack. The fact that employees with internal access were targeted, as Twitter reported, might even point to something as simple as a phishing email or social engineering attack being the catalyst for its success.
Jack Dorsey, Twitter CEO, summed up his feelings in a single Tweet: “Tough Day for us at Twitter. We all feel terrible this happened”.
Try to Contain Your Excitement – It’s the Patch Tuesday Rundown!
Threat Thursday’s low-frills monthly event returns, as we detail the major patches now available for your favourite operating systems and SaaS applications! For extra fun, try guessing how many Remote Code Execution vulnerabilities were patched this month.
It’s easy as 1-2-3 for Windows this July as 123 patches, around 20 of them critical, were released across the product range. Several Office applications have had critical Remote Code Execution vulnerabilities patched, as well as an Escalation of Privilege Vulnerability in the SharePoint and Skype for Business servers.
Five Adobe platforms each received critical patches today, most notably on their popular Creative Cloud Desktop service, Download Manager and Media Encoder. These critical vulnerabilities would have allowed for arbitrary code execution, unauthorised file access and privilege escalation exploits. Elsewhere, patches for Adobe ColdFusion and Genuine Service fixed privilege escalation exploits in both.
For most users, these patches will be applied automatically – as per the developer’s recommendation. For everyone else, now’s the time to check for updates and get applyin’.
Blimey, it’s been a big one this month. As always, many thanks for joining us and remember – if you’d like us to come to you next time, subscribe to the Threat Thursday newsletter.