Cybersecurity News – September 17, 2021

New Windows security updates break network printing

As part of its September Patch Tuesday released this week, Microsoft issued a fix for the last remaining PrintNightmare vulnerability tracked as CVE-2021-36958. This vulnerability is deemed critical as it is used by numerous ransomware gangs and threat actors to immediately gain SYSTEM privileges on vulnerable devices. Windows system administrators are now reporting that their computers can no longer print to network printers after installing the fixes across specific builds of Windows Server 2008, 2012, and 2019 as well as Windows 7 and Windows 10. Those with USB printers connected directly to their computers are not having any issues.

(Bleeping Computer)

Bitdefender releases decryptor as REvil shows signs of return

On Thursday, cybersecurity firm Bitdefender released a free decryption tool for organizations that were victimized by the notorious REvil ransomware gang prior to July 13. The Romania-based company released the decryptor earlier than planned as law enforcement braces for the revival of one of the most successful ransomware gangs, which was responsible for the JBS and Kaseya attacks earlier this year. Bitdefender wrote in a blog post, “We believe new REvil attacks are imminent after the ransomware gang’s servers and supporting infrastructure recently came back online after a two month hiatus.”

(CyberScoop)

Biden announces joint deal with U.K. and Australia to counter China

Earlier this week, President Joe Biden announced a new working group with Britain and Australia, dubbed AUKUS, which will share advanced technologies in a thinly veiled bid to counter China. The trilateral alliance will enable the three countries to more efficiently share information in key technological areas like artificial intelligence, cyber, quantum, underwater systems including nuclear submarines, and long-range strike capabilities. AUKUS will work over the next 18 months to determine how best to deliver these technologies, which the U.S. historically has only shared with the U.K. President Biden stated from the White House, “This is about investing in our greatest source of strength, our alliances and updating them to better meet the threats of today and tomorrow.”

(Politico)

Windows MSHTML 0-Day exploited in Cobalt Strike attacks

On Wednesday, Microsoft disclosed details of a targeted phishing campaign leveraging the flaw in its MSHTML platform, which underpins the now-defunct Internet Explorer browser, to deploy Cobalt Strike Beacon on compromised Windows systems. Cobalt Strike is commonly utilized to communicate with ransomware operator infrastructure. The newly identified exploit dupes victims into opening malicious attachments within emails impersonating contracts and legal agreements; the attachments use a DLL to kick off shellcode that ultimately delivers Cobalt Strike via the Microsoft address import tool. A patch for the vulnerability tagged as CVE-2021-40444 was included in Microsoft’s September Patch Tuesday rollout earlier this week.

(The Hacker News)

Thanks to our episode sponsor, Sonrai

Are you a security expert who’s afraid to admit you don’t know what the heck is going on in your cloud? Relax. Public cloud security is overwhelming. Figuring out where to start, and what to do to track and improve your security posture, is the first step. Sonrai tracks everything in your cloud – sensitive data, identities, and platform configuration – and tells you what issues are most important, plus it measures improvement over time. Talk to Sonrai Security to learn more.

Azure zero-day flaws highlight lurking supply-chain risk

Four Microsoft zero-day vulnerabilities identified within Azure Open Management Infrastructure (OMI), which is embedded in a host of services, reveal a significant security blind spot in the cloud platform. Collectively dubbed “OMIGOD”, the flaws affect thousands of Azure customers and millions of endpoints, according to the cloud infrastructure security firm Wiz. The most severe of the bugs, CVE-2021-38647, has a 9.8 severity rating and can be exploited when an Azure product using OMI opens an HTTPS port, or port 5986, which potentially exposes millions of endpoints to an attacker who could use a single packet to remotely become root on a machine. Though addressed this week in Microsoft’s Patch Tuesday release, the bugs in OMI highlight the supply chain risk arising from companies unknowingly running open-source code on their systems.

(Threatpost)

Misconfigured APIs account for two-thirds of cloud breaches

A new report from IBM Security X-Force reveals that attackers are increasingly exploiting weaknesses in enterprise protections resulting from human error. Over half of breaches last year resulted from shadow IT systems being spun up without being subject to corporate security controls such as vulnerability and risk assessments and hardened security protocols. Additionally, two-thirds of the incidents studied involved improperly configured APIs, which could result in either threat actors accessing data due to deficient authentication controls or sensitive data leaks due to APIs being granted excessive permissions. The report also notes that threat actors often jump from on-premises to cloud environments, highlighting that businesses need to manage their distributed infrastructure as a single environment.

(Infosecurity Magazine)

OWASP updates top 10 security vulnerability ranking

The Open Web Application Security Project (OWASP) released an updated draft of its ranking of the top 10 vulnerabilities, marking the first changes to the list since November 2017. The revisions feature three new categories including Insecure Design, Software and Data Integrity Failures, and Server-Side Request Forgery, as well as several naming and scoping changes, and some consolidation. Ben Pick, Senior Application Security Consultant at nVisium, notes that the OWASP framework is not intended to be a compliance mechanism, adding, “Overall, this living document matches the risks I have observed within various assessments, and I will continue to use this resource to learn about new types of threats.”

(Security Magazine)

Law firm secures High Court judgment against unknown cybercriminals

A London law firm, 4 New Square Ltd, raised some amusement in cyber security circles back in July when it applied for a High Court injunction which would prohibit unknown cyberattackers from publishing data stolen as part of a ransomware infection. On Thursday, the High Court ruled in the firm’s favour by default, as the criminals had “not engaged with the proceedings and have not filed an Acknowledgement of Service or Defence.” The judgment might prompt one to wonder if the power of the High Court of England and Wales compelled the crooks to ‘fess up. Sadly, that has yet to be the case.

(The Register)

Sean Kelly
Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.