Windows zero-day exploited in Nokoyawa ransomware attacks
Yesterday’s summary of Patch Tuesday included CVE-2023-28252, a privilege escalation flaw in the Windows Common Log File System (CLFS) driver. According to Kaspersky, a known ransomware cybercrime group has been exploiting this vulnerability to deliver the Nokoyawa ransomware. Nokoyawa, a ransomware family that targets Windows systems, emerged in February 2022. Code similarities suggest ties to the Karma and Nemty ransomware families, while attack chain similarities connect it to the notorious Hive operation, recently disrupted by law enforcement. Kaspersky plans to release additional information nine days after Patch Tuesday.
LinkedIn and Microsoft Entra introduce a new way to verify professional contacts
Microsoft has announced a new verification feature that lets LinkedIn members verify their place of work with a Microsoft Entra Verified ID credential. This, Microsoft states, will allow people to be more confident that those they collaborate with are authentic and that the work affiliations on their profiles are accurate. Verified ID is built on open standards for decentralized identity and operates on a “triangle of trust” model with three parties: an issuer (usually an employer), a holder (the individual), and a verifier that can cryptographically authenticate that the digital employee ID is genuine and was issued by the place of work the member claims. The service is currently being field tested, with a full rollout expected at the end of the month.
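The following Go program is an added example of the triangle-of-trust model described above. It is not Microsoft's or LinkedIn's code and does not use Entra Verified ID's real credential format: the `Credential` fields and the `did:example:` identifiers are constructed for illustration. An employer (issuer) signs an employment claim with an Ed25519 key, the member (holder) keeps the signed credential, and a relying party (verifier) accepts it only if the signature checks against the public key of an issuer it already trusts. The example also shows the two failure modes the model exists to catch: a holder editing their own credential, and an unknown issuer vouching for itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is a simplified employment claim. The fields and identifiers are
// constructed for this example and are not Entra Verified ID's data model.
type Credential struct {
	Issuer  string `json:"issuer"`  // the employer vouching for the claim
	Subject string `json:"subject"` // the holder (the member)
	Claim   string `json:"claim"`   // e.g. "employee"
	Expires int64  `json:"expires"` // Unix seconds
}

// SignedCredential is what the holder stores and later presents to a verifier.
type SignedCredential struct {
	Payload   []byte // JSON encoding of the Credential
	Signature []byte // issuer's Ed25519 signature over Payload
}

// Issuer is the employer side of the triangle: it holds the signing key and
// publishes the public key so verifiers can check its signatures.
type Issuer struct {
	ID   string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewIssuer(id string) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{ID: id, priv: priv, Pub: pub}, nil
}

// Issue signs a credential binding subject to claim until expires.
func (is *Issuer) Issue(subject, claim string, expires int64) (SignedCredential, error) {
	payload, err := json.Marshal(Credential{Issuer: is.ID, Subject: subject, Claim: claim, Expires: expires})
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Payload: payload, Signature: ed25519.Sign(is.priv, payload)}, nil
}

// Verifier is the relying party. trusted maps issuer IDs to public keys; a
// credential naming an issuer that is not in the map is rejected outright.
type Verifier struct{ trusted map[string]ed25519.PublicKey }

func NewVerifier(issuers ...*Issuer) *Verifier {
	v := &Verifier{trusted: map[string]ed25519.PublicKey{}}
	for _, is := range issuers {
		v.trusted[is.ID] = is.Pub
	}
	return v
}

// Verify parses the payload only to select a key; nothing in it is trusted
// until the signature verifies. Expiry is enforced afterwards.
func (v *Verifier) Verify(sc SignedCredential, now int64) (Credential, error) {
	var c Credential
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return Credential{}, err
	}
	pub, ok := v.trusted[c.Issuer]
	if !ok {
		return Credential{}, errors.New("unknown issuer")
	}
	if !ed25519.Verify(pub, sc.Payload, sc.Signature) {
		return Credential{}, errors.New("signature does not verify")
	}
	if now >= c.Expires {
		return Credential{}, errors.New("credential expired")
	}
	return c, nil
}

// Tamper rewrites the subject but keeps the old signature, modelling a holder
// editing their own credential after issuance.
func Tamper(sc SignedCredential, newSubject string) (SignedCredential, error) {
	var c Credential
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return SignedCredential{}, err
	}
	c.Subject = newSubject
	p, err := json.Marshal(c)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Payload: p, Signature: sc.Signature}, nil
}

func main() {
	employer, _ := NewIssuer("did:example:contoso")
	cred, _ := employer.Issue("did:example:alice", "employee", 1_800_000_000)
	v := NewVerifier(employer)
	if c, err := v.Verify(cred, 1_700_000_000); err == nil {
		fmt.Printf("accepted: %s is %s at %s\n", c.Subject, c.Claim, c.Issuer)
	}
	forged, _ := Tamper(cred, "did:example:mallory")
	_, err := v.Verify(forged, 1_700_000_000)
	fmt.Println("tampered credential:", err)
	rogue, _ := NewIssuer("did:example:rogue")
	fake, _ := rogue.Issue("did:example:mallory", "employee", 1_800_000_000)
	_, err = v.Verify(fake, 1_700_000_000)
	fmt.Println("self-issued credential:", err)
}
```

The order of checks in `Verify` is the part worth copying: the issuer field is read before the signature is checked because it is needed to pick the key, but it is only ever used as a lookup, and a lookup miss fails closed. Real Verified ID deployments resolve issuer keys through DID documents rather than a hard-coded map, but the trust decision has the same shape.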
Russia places Ukraine’s internet infrastructure clearly in its sights, both high tech and low
Two reports from Cyberscoop this week reveal two sides of the cyber war Russia is conducting against Ukraine. One shows how tactics are becoming lower-tech: whereas in February 2022 Russia knocked out Viasat satellite internet service with wiper malware, it has now stepped up missile and artillery strikes on Ukraine’s energy infrastructure to cause localized internet outages, according to findings released by Cloudflare. The other concerns Microsoft’s Digital Threat Analysis Center, which stated that although it “does not necessarily think that Russia will launch a stream of cyberattacks […] we are currently seeing patterns of targeted threat activity in Ukraine similar to the early days of the invasion.” Clint Watts, general manager of Microsoft’s Digital Threat Analysis Center, told CyberScoop in a statement that “Russian state actors are working to gain accesses in Ukrainian and European networks and refining their malicious toolkits, further suggesting preparations are underway for espionage or destruction.”
(Cyberscoop and Cyberscoop)
Eliminating 2% of exposures could protect 90% of critical assets
“Only 2% of all exposures enable attackers seamless access to critical assets, while 75% of exposures along attack paths lead to dead ends.” This statement is among the findings from the latest report by XM Cyber, which “analyzed over 60 million exposures in over 10 million entities on-premise and in the cloud.” Melissa Bischoping, director of endpoint security research at Tanium, stated, “instead of focusing on a list of 20,000 vulnerabilities to address, focus on identifying the quickest wins in your external-facing infrastructure, then work to reduce the scope of permissions that your user and service accounts have.”
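The following Go program is an added example of the attack-path reasoning behind these numbers; it is not XM Cyber's tool or data, and the environment it analyzes is a small constructed graph. Each edge means that exploiting one exposure gives an attacker what is needed to exploit the next; two exposures are internet-facing entry points and two nodes are critical assets. The code enumerates every attack path from an entry point to a critical asset, separates dead-end exposures from ones that actually lead somewhere, counts how many paths cross each exposure (choke points), and then simulates remediation by deleting a node and recounting paths, which is how "fix 2% to protect 90%" is computed in practice.

```go
package main

import (
	"fmt"
	"sort"
)

// AttackGraph: an edge A -> B means exploiting exposure A yields what is
// needed to exploit B. Critical marks crown-jewel assets; Entry lists the
// exposures reachable directly from the internet.
type AttackGraph struct {
	Edges    map[string][]string
	Critical map[string]bool
	Entry    []string
}

// SampleGraph is a constructed environment for this example, not real data.
func SampleGraph() *AttackGraph {
	return &AttackGraph{
		Edges: map[string][]string{
			"webapp-sqli":              {"db-creds-in-config", "test-db"},
			"vpn-cve":                  {"workstation-local-admin", "printer-default-creds"},
			"db-creds-in-config":       {"svc-account-domain-admin"},
			"workstation-local-admin":  {"svc-account-domain-admin", "legacy-smb-share"},
			"svc-account-domain-admin": {"active-directory", "file-server-pii"},
		},
		Critical: map[string]bool{"active-directory": true, "file-server-pii": true},
		Entry:    []string{"webapp-sqli", "vpn-cve"},
	}
}

// Nodes returns every exposure and asset in the graph, sorted for stable output.
func (g *AttackGraph) Nodes() []string {
	seen := map[string]bool{}
	for a, bs := range g.Edges {
		seen[a] = true
		for _, b := range bs {
			seen[b] = true
		}
	}
	for _, e := range g.Entry {
		seen[e] = true
	}
	out := make([]string, 0, len(seen))
	for n := range seen {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

// PathsToCritical enumerates simple paths from each entry point to a critical
// asset via depth-first search; traversal stops at the first critical node.
func (g *AttackGraph) PathsToCritical() [][]string {
	var paths [][]string
	var walk func(node string, path []string, onPath map[string]bool)
	walk = func(node string, path []string, onPath map[string]bool) {
		path = append(path, node)
		if g.Critical[node] {
			paths = append(paths, append([]string(nil), path...)) // copy: path's array is reused
			return
		}
		onPath[node] = true
		for _, next := range g.Edges[node] {
			if !onPath[next] {
				walk(next, path, onPath)
			}
		}
		delete(onPath, node)
	}
	for _, e := range g.Entry {
		walk(e, nil, map[string]bool{})
	}
	return paths
}

// DeadEnds returns non-critical nodes from which no critical asset is reachable.
func (g *AttackGraph) DeadEnds() []string {
	var dead []string
	for _, n := range g.Nodes() {
		from := &AttackGraph{Edges: g.Edges, Critical: g.Critical, Entry: []string{n}}
		if !g.Critical[n] && len(from.PathsToCritical()) == 0 {
			dead = append(dead, n)
		}
	}
	return dead
}

// ChokePoints counts, per non-critical node, how many attack paths cross it.
func (g *AttackGraph) ChokePoints() map[string]int {
	counts := map[string]int{}
	for _, p := range g.PathsToCritical() {
		for _, n := range p {
			if !g.Critical[n] {
				counts[n]++
			}
		}
	}
	return counts
}

// Without simulates remediating one exposure: the node and every edge
// touching it disappear, and it is no longer an entry point.
func (g *AttackGraph) Without(fixed string) *AttackGraph {
	h := &AttackGraph{Edges: map[string][]string{}, Critical: g.Critical}
	for a, bs := range g.Edges {
		if a == fixed {
			continue
		}
		for _, b := range bs {
			if b != fixed {
				h.Edges[a] = append(h.Edges[a], b)
			}
		}
	}
	for _, e := range g.Entry {
		if e != fixed {
			h.Entry = append(h.Entry, e)
		}
	}
	return h
}

func main() {
	g := SampleGraph()
	paths := g.PathsToCritical()
	fmt.Printf("%d attack paths reach critical assets; dead-end exposures: %v\n", len(paths), g.DeadEnds())
	for n, c := range g.ChokePoints() {
		fmt.Printf("  %-26s on %d of %d paths\n", n, c, len(paths))
	}
	fixed := "svc-account-domain-admin"
	fmt.Printf("after remediating %s: %d paths remain\n", fixed, len(g.Without(fixed).PathsToCritical()))
}
```

In the constructed graph, three of the eight exposures are dead ends, and the over-privileged service account sits on all four paths: removing it alone severs every route to both critical assets, while fixing the internet-facing SQL injection removes only half of them. That is the shape of Bischoping's advice above, quick wins on the external perimeter followed by cutting the permissions that turn a foothold into a path.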
Thanks to this week’s episode sponsor, AppOmni

Over 40% of cybersecurity teams told to keep breaches confidential
A new report from Bitdefender suggests that “42% of the total IT/security professionals surveyed said they have been told to keep a breach confidential when they knew it should be reported and 30% said they have kept a breach confidential.” The U.S. showed the highest rate, with 71% of IT/security professionals having been told to keep quiet. The U.K. was next at 44%, with Italy, Germany, and Spain in the mid-30s. In addition, 52% of global respondents said they have experienced a data breach or data leak in the last 12 months.
SAP fixes two critical bugs
SAP’s April 2023 security updates include a total of 24 notes, 19 of which cover new vulnerabilities. The most critical are CVE-2023-27267, missing authentication and insufficient input validation in the OSCommand Bridge of SAP Diagnostics Agent, and CVE-2023-28765, affecting SAP BusinessObjects Business Intelligence Platform. The complete list of notes is in the latest security bulletin, and SAP administrators are, as always, urged to apply the available security patches as soon as possible.
Malicious Android apps sold for up to $20,000 on Darknet
Kaspersky describes these findings in an article published on Monday, saying its team collected examples from nine different darknet forums where such apps are sold. “To publish a malicious app, cybercriminals need a Google Play account and a malicious downloader code (Google Play Loader).” Developer accounts can be bought for $60–$200 each, Kaspersky stated, while the cost of malicious loaders ranges between $2,000 and $20,000, “depending on the complexity of malware and malicious code, as well as additional functions.” The tools often come disguised as cryptocurrency trackers, financial apps, QR-code scanners or dating apps.
Minnesota school district cancels classes after alleged cyberattack
Classes were cancelled in Rochester, Minnesota last week after its school system was hit by a suspected cyberattack. On Friday, Rochester Public Schools released a message explaining that it “discovered irregular activity on its network” and needed to “shut down district-wide internet connection to review and address the issue.” The incident follows a similar one at a school district in Minneapolis, where a ransomware attack exposed sensitive student information.