Ukraine CERT-UA warns of new attacks launched by Russia-linked Armageddon APT
Ukraine’s Computer Emergency Response Team (CERT-UA) has issued a warning about a phishing campaign that uses the subject line “On revenge in Kherson!” and carries an attachment named Plan Kherson.htm. When opened, this file delivers the GammaLoad.PS1_v2 malware onto the victim’s computer. The attack is attributed to the Russia-linked Armageddon APT (UAC-0010, aka Gamaredon, Primitive Bear, Winterflounder, or Iron Tilden), which has been involved in a long string of attacks against the country’s state organizations.
Microsoft fixes new PetitPotam Windows NTLM relay attack vector
Microsoft has released a security update for a Windows NTLM relay attack vector, which has been confirmed to be a previously unfixed vector for the PetitPotam attack. The update was released as part of the May 2022 Patch Tuesday and specifically addresses an actively exploited NTLM relay attack labeled as a ‘Windows LSA Spoofing Vulnerability’ and tracked as CVE-2022-26925. According to Bleeping Computer, “an NTLM Relay Attack allows threat actors to force devices, even domain controllers, to authenticate against malicious servers they control. Once a device authenticates, the malicious server can impersonate the device and gain all of its privileges.”
Hackers are exploiting critical bug in Zyxel firewalls and VPNs
Threat actors are already exploiting a recently patched critical vulnerability, tracked as CVE-2022-30525, which impacts Zyxel firewall and VPN devices for businesses. The vulnerability allows a remote attacker to inject arbitrary commands without authentication, which enables them to set up a reverse shell. NSA Cybersecurity Director Rob Joyce deemed the threat serious enough for his agency to warn users to update their device firmware if the version they are running is vulnerable.
Sysrv-K, a new variant of the Sysrv botnet, includes new exploits
Microsoft’s Security Intelligence team is warning of a new variant of the Sysrv botnet, tracked as Sysrv-K. This new version includes exploits for vulnerabilities in the Spring Framework and in WordPress. The botnet is being used in a cryptomining campaign aimed at Windows and Linux servers. It also scans for WordPress configuration files and their backups, a capability that allows operators to access sensitive data, including database credentials.
Thanks to our episode sponsor, Torq

Incorrect. Proactive management of security incidents is just as important, like automatically scanning IaC configurations to detect vulnerabilities, automating collaboration between devs, IT ops and SecOps to prevent risks before they’re threats. To learn more about the realities of automation, head to torq.io.
D-Wave deploys first US-based Advantage quantum system
D-Wave Systems, which builds quantum computing technology, has announced the availability of an Advantage quantum computer which is accessible via the cloud but which is physically located in the US. D-Wave states that this newly deployed system is “the first of its Advantage line of quantum computers available via its Leap quantum cloud service.” Based at the University of Southern California, as part of the USC-Lockheed Martin Quantum Computing Center hosted at USC’s Information Sciences Institute, it is intended to encourage U.S. organizations interested in evaluating quantum computing, and who need the reassurance of accessing facilities based in the U.S.
Intel memory bug poses risk for hundreds of products
According to an advisory the company issued on Tuesday, the bug is firmware-based and rated as “high” risk. The vulnerability resides in some Intel Optane SSD and Intel Optane Data Center (DC) products, and allows privilege escalation, denial of service (DoS), or information disclosure. Dell and HP were among the first to release patches and fixes for the bug.
Last week’s ransomware roundup
Ransomware attacks have slowed somewhat as a result of Russia’s invasion of Ukraine and the sanctions that followed, but malware threats continue. Costa Rica declared a national emergency after suffering a massive IT systems outage caused by a Conti ransomware attack in April. The US offered a $15 million reward for information on the Conti ransomware gang. Secureworks has analyzed new REvil ransomware samples, confirming previous reports that the ransomware gang has returned. Lincoln College in Lincoln, Illinois, is to close after 157 years due in part to a ransomware attack, and in part to Covid-19. A week before Oregon’s primary election, the secretary of state’s office is moving to protect the integrity of its online system where campaign finance records are published, after a web hosting provider was hit by a ransomware attack. Ransomware names and dropped files that appeared last week include .kekpop, TitanCrypt, .japan, BlueSky and TxLocker, and a new Xoris variant appending the .WanaCray2023+ extension and dropping a ransom note named HOW TO DECRYPT FILES.txt.