Threat Advisory – APRIL 28 – MAY 4, 2022

Microsoft Windows Security Binary

CYSEC NEWS

Elastic Security Research has published a whitepaper demonstrating a flaw that lets attackers bypass Protected Process Light (PPL), the Windows mechanism that shields anti-malware processes from tampering by other code on the host, including code running as administrator. Elastic notes the issue is of particular interest to them because they build and maintain two anti-malware products that rely on this protection; anyone running a PPL-protected security agent should treat the same weakness as applicable.
Reference: https://elastic.github.io/security-research/whitepapers/2022/02/02.sandboxing-antimalware-products-for-fun-and-profit/article/#

A new Onyx ransomware operation overwrites files larger than 2MB with junk data instead of encrypting them, so those files cannot be recovered even if the ransom is paid. The only recovery path for such files is an offline or otherwise isolated backup.
Reference: https://www.bleepingcomputer.com/news/security/beware-onyx-ransomware-destroys-files-instead-of-encrypting-them/

Microsoft has reminded Exchange Online customers that it will start disabling Basic Authentication in tenants selected at random worldwide from October 1, 2022. The reminder follows the company's September 2021 announcement and reflects that many customers still have not moved their clients and apps to Modern Authentication (OAuth 2.0). Before the deadline, review sign-in logs for legacy-authentication protocols still in use (POP, IMAP, Exchange ActiveSync and older Outlook connections are the usual offenders) and block Basic Authentication proactively with an Exchange Online authentication policy rather than waiting for the forced cut-off.
Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-exchange-online-basic-auth-will-be-disabled/

Nozomi Networks has disclosed a vulnerability in the DNS resolver of uClibc, a C standard library present in a wide range of IoT products, and of its fork uClibc-ng, maintained by the OpenWRT team. Both variants are used by major vendors such as Netgear, Axis and Linksys, as well as by Linux distributions built for embedded applications, which puts millions of devices at risk of DNS poisoning. The resolver generates predictable transaction IDs, which removes the 16-bit check a client relies on to reject forged answers; an off-path attacker can therefore spoof a response and redirect the victim to a malicious site hosted on a server under the attacker's control instead of the legitimate location. How practical the attack is depends on whether the device also sends queries from a fixed UDP source port, since port randomization is the only other value an attacker would have to guess. According to the researchers, a fix is not currently available from the developer of uClibc, leaving products from up to 200 vendors exposed; until one ships, a device's exposure can be confirmed by capturing its outbound DNS queries and checking whether the IDs advance in a fixed step.
Reference: https://www.bleepingcomputer.com/news/security/unpatched-dns-bug-affects-millions-of-routers-and-iot-devices/
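The check described above, written here as an added example; it is not code from the advisory, from Nozomi Networks or from the uClibc project. It assumes the queries have already been pulled out of a packet capture as (UDP source port, DNS payload) pairs, and the two sets of sample queries are constructed, not captured. The predictable set deliberately straddles the 16-bit wrap so the step detection is shown to handle it.

```python
"""Flag predictable DNS transaction IDs (and a fixed source port) in a
device's outbound queries.

Added example, not code from the advisory or from the uClibc project.
Input is assumed to be a list of (udp_source_port, dns_payload) pairs
taken from a capture; the samples at the bottom are constructed.
"""
import struct


def build_query(txid: int, name: str) -> bytes:
    """Construct a minimal DNS A query (used only to fabricate samples)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_query(payload: bytes) -> tuple[int, str]:
    """Return (transaction ID, query name) from a raw DNS query message."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return txid, ".".join(labels)


def assess(queries: list[tuple[int, bytes]]) -> dict:
    """Look for the two properties that make off-path spoofing cheap:
    an ID that advances by a constant step (one observed query then
    reveals every later ID, wraparound included) and a fixed UDP source
    port (no further guessing needed). The search space is an order-of-
    magnitude figure: 2^16 for each value the attacker must still guess."""
    txids = [parse_query(payload)[0] for _, payload in queries]
    ports = [port for port, _ in queries]
    deltas = [(b - a) & 0xFFFF for a, b in zip(txids, txids[1:])]
    constant_step = len(deltas) >= 2 and len(set(deltas)) == 1
    port_fixed = len(set(ports)) == 1
    return {
        "txids": txids,
        "txid_predictable": constant_step,
        "txid_step": deltas[0] if constant_step else None,
        "source_port_fixed": port_fixed,
        "spoof_search_space": (1 if constant_step else 2 ** 16)
        * (1 if port_fixed else 2 ** 16),
    }


# Constructed samples: a resolver that increments its ID and always sends
# from one port, and one that randomizes both.
PREDICTABLE = [
    (4545, build_query(txid, "update.example.net"))
    for txid in (0xFFFD, 0xFFFE, 0xFFFF, 0x0000, 0x0001)  # crosses the 16-bit wrap
]
RANDOMIZED = [
    (port, build_query(txid, "update.example.net"))
    for port, txid in ((51324, 0x9F3B), (40217, 0x2C71), (61002, 0xE8A0),
                       (33891, 0x5D12), (57640, 0x0B67))
]

if __name__ == "__main__":
    for label, sample in (("incremental ID, fixed port", PREDICTABLE),
                          ("randomized", RANDOMIZED)):
        print(label, assess(sample))
```

A handful of queries is enough: five random 16-bit IDs landing on one constant step by chance is negligible, while a resolver that simply increments will show a step of 1 from the first pair onward. The same parser can be pointed at the device's real traffic by feeding it the UDP payloads of its port-53 queries.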

Security researchers at Armis have discovered five vulnerabilities in network switches from Aruba (owned by HPE) and Avaya (whose networking business is now owned by Extreme Networks) that could allow attackers to execute code remotely on the devices. The flaws stem from the vendors' use of the NanoSSL TLS library (the research is published as TLStorm 2.0); the practical concern is that a compromised switch lets an attacker break out of network segmentation, so patching and restricting access to management interfaces should be prioritized.
Reference: https://www.bleepingcomputer.com/news/security/aruba-and-avaya-network-switches-are-vulnerable-to-rce-attacks/

Microsoft has addressed a chain of critical vulnerabilities in Azure Database for PostgreSQL Flexible Server, reported by Wiz under the name ExtraReplica, that could let a malicious user escalate privileges and, after bypassing authentication, gain access to other customers' databases. The fix was applied on the service side, so no customer action is required.
Reference: https://www.bleepingcomputer.com/news/security/microsoft-fixes-extrareplica-azure-bugs-that-exposed-user-databases/

Network-attached storage (NAS) appliance maker QNAP said on Wednesday that it is working on updating its QTS and QuTS hero operating systems after Netatalk last month released patches for seven security flaws in its software. Until the updates ship, QNAP advises disabling AFP on affected devices.
Reference: https://thehackernews.com/2022/04/qnap-advises-to-mitigate-remote-hacking.html

In parallel with the war in Ukraine, security researchers have seen a sharp rise in wiper malware deployments. Although these have not been officially attributed to Russian state-sponsored threat actors, their goals align with the Russian military's, and it is widely assessed that the attacks are being launched deliberately in concert with the invasion.
Reference: https://otx.alienvault.com/pulse/626bc73ca6cd90172e9a1b25

LockBit is a Ransomware as a Service (RaaS) operation that has been active since 2019 (previously known as “ABCD”). It commonly leverages the double extortion technique, employing tools such as StealBit, WinSCP, and cloud-based backup solutions for data exfiltration prior to deploying the ransomware. Like most ransomware groups, LockBit’s post-exploitation tool of choice is Cobalt Strike.
Reference: https://otx.alienvault.com/pulse/626bc047f1a3ebc6be0a2856

In one of the fastest ransomware intrusions the researchers have documented, the threat actors went from initial access to domain-wide ransomware deployment in under four hours. The initial access vector was an IcedID payload delivered via email; IcedID has been observed providing initial access for several different ransomware groups, so an IcedID infection should be treated as the opening stage of a ransomware incident rather than as commodity malware.
Reference: https://otx.alienvault.com/pulse/6267bb8eb8865618367f89eb

HAVE ANY QUESTIONS?
Do not hesitate to contact us!

Address: Mesogeion Ave. 41, 11524 Athens, Greece
Phone: (+30) 211 800 5 800
Email: info@devoq.gr
Website: www.devoq.gr
