Cybersecurity News: Pwn2Own Toronto winners, EDR data wipers, MuddyWater’s new campaign

Pwn2Own Toronto 2022 nets almost $1M for 63 zero days

The Zero Day Initiative’s Pwn2Own Toronto 2022 hacking competition has ended. The final tally: $989,750 awarded for 63 unique zero-days across 66 entries, submitted by 36 teams representing 14 countries. In its closing announcement ZDI stated, “The Master of Pwn title came down to the wire, but the team from DEVCORE claimed their second title with winnings of $142,500 and 18.5 points.” Printers from Lexmark and Canon had the dubious honor of being the subject of three separate exploits.

(Security Affairs)

Antivirus and EDR solutions tricked into acting as data wipers

A security researcher has found a way to abuse the file deletion capabilities of widely used endpoint detection and response (EDR) and antivirus (AV) software from Microsoft, SentinelOne, TrendMicro, Avast, and AVG, turning them into data wipers. SafeBreach researcher Or Yair’s idea was to exploit the security tools already present on a targeted system, which makes the attack stealthier and removes the need for the threat actor to hold elevated privileges. Abusing EDRs and AVs for data wiping is also an effective way to evade defenses: file deletion by a security product is expected behavior and would likely go unnoticed.

(Bleeping Computer)

Iran-linked MuddyWater APT launches new campaign

Deep Instinct’s Threat Research team has uncovered a new campaign by the MuddyWater APT (aka SeedWorm, TEMP.Zagros, and Static Kitten) targeting numerous countries in the Middle East and Central Asia. The campaign, which Deep Instinct observed starting in September, differs from past ones in its use of a new remote administration tool, “Syncro.” The group used an HTML attachment as the lure and used additional hosting providers for the archives containing the remote administration tool’s installers. HTML attachments are routinely delivered to recipients without being blocked by antivirus and email security solutions.

(Security Affairs)
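The delivery chain described above (an HTML attachment whose only job is to send the recipient to an externally hosted archive) is something mail gateways tend to pass through unchanged, so it is worth a check of your own. The following is an added example, not code from Deep Instinct or the original article: it parses a message, isolates HTML attachments, and flags any that link to an archive download. The sample message, its sender, host and file names are all constructed placeholders, and the archive-suffix list is an assumption you should tune to what your environment sees.

```python
"""Flag e-mails carrying an HTML attachment that links to an archive download.

Added example (not from the original article). The message below is constructed;
the hosts, addresses and file names are placeholders, not real indicators.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Assumption: archive containers commonly used to wrap installers. Tune as needed.
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z", ".iso", ".img")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample: a benign-looking body plus an HTML attachment that points
# off-site to a .zip. Nothing here is a real campaign artifact.
SAMPLE_EML = """From: sender@example.invalid
To: victim@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached document.

--b1
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<html><body>
<a href="https://files.example.invalid/download/invoice.zip">Open document</a>
</body></html>
--b1--
"""


def html_attachments(msg: EmailMessage):
    """Yield (filename, decoded text) for every HTML attachment in the message."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename() or ""
        # Catch both a text/html content type and a .html/.htm filename, since
        # lures are sometimes sent with a generic content type.
        is_html = (part.get_content_type() == "text/html"
                   or fname.lower().endswith((".html", ".htm")))
        if is_html and (part.get_content_disposition() == "attachment" or fname):
            yield fname, part.get_content()


def archive_links(html_text: str) -> list[str]:
    """Return the URLs in the HTML whose path ends in an archive suffix."""
    return [u for u in URL_RE.findall(html_text)
            if u.lower().rstrip("/").endswith(ARCHIVE_SUFFIXES)]


def scan_eml(raw: str) -> list[dict]:
    """Parse a raw RFC 822 message and report HTML attachments linking to archives."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for fname, text in html_attachments(msg):
        links = archive_links(text)
        if links:
            findings.append({"attachment": fname, "archive_links": links})
    return findings


if __name__ == "__main__":
    for finding in scan_eml(SAMPLE_EML):
        print(finding)
```

This is a triage aid, not a verdict: a hit means a human or a sandbox should follow the link, and a miss says nothing about attachments that fetch their payload via script rather than a plain anchor.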

More than 4,000 Pulse Connect Secure hosts exposed and vulnerable

Pulse Connect Secure is a widely deployed SSL VPN for remote and mobile users, and as such has been a frequent target of multiple threat actors. Censys researchers have now found that 4,460 of the 30,266 Pulse Connect Secure hosts they identified are exposed to the Internet without current security patches.

(Security Affairs)

Thanks to this week’s episode sponsor, Fortra

The cybersecurity landscape is full of single-solution providers, making it easy for unexpected cyberthreats to sneak through the cracks. That’s why Fortra is creating a stronger, simpler strategy for protection. One that increases your security maturity while decreasing the operational burden that comes with it. Fortra’s integrated, scalable solutions help customers face their toughest challenges with confidence. Learn more at fortra.com

Healthcare organizations warned of Royal Ransomware attacks

The US Department of Health and Human Services (HHS) is warning healthcare organizations of the threat posed by ongoing Royal ransomware attacks. First spotted in September 2022, the ransomware family is used by a financially motivated threat actor that also relies on known tools for persistence, credential exfiltration, and lateral movement. Unlike ransomware families that operate under the ransomware-as-a-service (RaaS) model, Royal is run by a private group, likely made up of experienced actors from other crews. The group demands ransoms ranging from $250,000 to $2 million and also steals victim data for double extortion. After compromising a network, the group deploys post-exploitation tools to secure a persistent foothold, then deploys the Royal ransomware to encrypt the victim’s data.

(Security Week)

TSA to expand facial recognition across America

America’s Transportation Security Administration has been testing facial recognition software at 16 airports to automatically screen passengers flying within the country, and is now looking at a nationwide rollout next year. Flyers will pass through security checkpoints by scanning a government-issued ID, such as a driver’s license stored on their mobile phone, and standing in front of a camera. The equipment snaps a live photo of their face and checks whether it matches the one captured from the ID. The aim is to cut screening wait times by automating a step TSA agents currently perform by hand. The pilot program tested the Credential Authentication Technology 2 (CAT-2) system.

(The Register)

Australia’s Telstra suffers privacy breach

Australia’s largest telecoms firm, Telstra Corp Ltd, said on Sunday that 132,000 customers were affected by an internal error that led to the disclosure of customer details. Telstra, which has 18.8 million customer accounts, equivalent to three-quarters of Australia’s population, said an internal review found the details were made publicly available due to “a misalignment of databases.” Telstra chief financial officer Michael Ackland said in a statement that no cyber activity was involved.

(Reuters)

Last week in ransomware 

Last week, Rackspace suffered a massive outage of its hosted Microsoft Exchange environment, leaving customers unable to access their email. On Tuesday, the company finally confirmed that a ransomware attack caused the outage. An attack on New Zealand MSP Mercury IT has led to a series of outages for its customers, many of which are local governments in the country. A ransomware attack on the André-Mignot teaching hospital near Paris also caused significant disruption, with some patients rerouted to other hospitals. Brian Krebs published a very interesting report on new tactics used by the Venus and Clop ransomware gangs to breach networks and convince victims to pay.

(Bleeping Computer)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.