9 July 2021 | Asia Cyber Summary


Commentary: REvil Ransomware Strikes Again, Thousands of SMB's Potentially Infected

Affiliates of the REvil RaaS (Ransomware-as-a-Service) threat actors executed a supply-chain attack through Kaseya’s remote IT management software, specifically affecting its Virtual System Administrator (VSA).

Kaseya, is a software platform designed to help manage IT services remotely. The attack affected hundreds and likely thousands of businesses globally with the REvil ransomware demanding USD 70 Million in Bitcoin to restore the encrypted data being held captive.

CISA and the FBI have released Guidance for MSPs and their customers affected by the Kaseya VSA Supply-Chain Ransomware Attack and encouraged all affected organizations to "follow Kaseya's guidance to shut down VSA servers immediately." Kaseya has also been posting regular updates as to their diligent resolution of this vicious attack.

Read more here.

In the Spotlight This Week:

  • QNAP fixes critical bug in NAS backup, disaster recovery app

  • Microsoft issues urgent security warning: Update your PC immediately

  • Widespread brute-force attacks tied to Russia’s APT28

  • TrickBot botnet found deploying a new ransomware called Diavol

  • Apps with 5.8 million Google Play downloads stole users’ Facebook passwords

  • Critical vulnerabilities in Philips Vue PACS devices could allow remote takeover

QNAP Fixes Critical Bug In NAS Backup, Disaster Recovery App

Taiwan-based network-attached storage (NAS) maker QNAP has addressed a critical security vulnerability enabling attackers to compromise vulnerable NAS devices' security.

The improper access control vulnerability tracked as CVE-2021-28809 was found by Ta-Lun Yen of TXOne IoT/ICS Security Research Labs in HBS 3 Hybrid Backup Sync, QNAP's disaster recovery and data backup solution.

The security issue is caused by buggy software that does not correctly restrict attackers from gaining access to system resources allowing them to escalate privileges, execute commands remotely, or read sensitive info without authorization.

Microsoft Issues Urgent Security Warning: Update Your PC Immediately

Microsoft is urging Windows users to immediately install an update after security researchers found a serious vulnerability in the operating system.

The security flaw, known as PrintNightmare, affects the Windows Print Spooler service. Researchers at cybersecurity company Sangfor accidentally published a how-to guide for exploiting it.

The researchers tweeted in late May that they had found vulnerabilities in Print Spooler, which allows multiple users to access a printer. They published a proof-of-concept online by mistake and subsequently deleted it -- but not before it was published elsewhere online, including developer site GitHub.

Widespread Brute-Force Attacks Tied to Russia’s APT28

The ongoing attacks are targeting cloud services such as Office 365 to steal passwords and password-spray a vast range of targets, including in U.S. and European governments and military.

U.S. and U.K. authorities are warning that the APT28 advanced-threat actor (APT) – a.k.a. Fancy Bear or Strontium, among other names – has been using a Kubernetes cluster in a widespread campaign of brute-force password-spraying attacks against hundreds of government and private sector targets worldwide.

The joint alert (PDF) – posted on Thursday by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the U.K.’s National Cyber Security Centre (NCSC) – attributes the campaign to the APT group, which has long been suspected of having ties to the General Staff Main Intelligence Directorate (GRU) arm of Russia’s military intelligence.

The attacks have been launched since at least mid-2019 through early 2021 and are “almost certainly still ongoing,” according to the advisory.

TrickBot Botnet Found Deploying A New Ransomware Called Diavol

Threat actors behind the infamous TrickBot malware have been linked to a new ransomware strain named "Diavol," according to the latest research.

Diavol and Conti ransomware payloads were deployed on different systems in a case of an unsuccessful attack targeting one of its customers earlier this month, researchers from Fortinet's FortiGuard Labs said last week.

TrickBot, a banking Trojan first detected in 2016, has been traditionally a Windows-based crimeware solution, employing different modules to perform a wide range of malicious activities on target networks, including credential theft and conduct ransomware attacks.

Despite efforts by law enforcement to neutralize the bot network, the ever-evolving malware has proven to be a resilient threat, with the Russia-based operators — dubbed "Wizard Spider" — quickly adapting new tools to carry out further attacks.

Apps With 5.8 Million Google Play Downloads Stole Users’ Facebook Passwords

Google has given the boot to nine Android apps downloaded more than 5.8 million times from the company's Play marketplace after researchers said these apps used a sneaky way to steal users' Facebook login credentials.

In a bid to win users’ trust and lower their guard, the apps provided fully functioning services for photo editing and framing, exercise and training, horoscopes, and removal of junk files from Android devices, according to a post published by security firm Dr. Web. All of the identified apps offered users an option to disable in-app ads by logging into their Facebook accounts. Users who chose the option saw a genuine Facebook login form containing fields for entering usernames and passwords.

Critical Vulnerabilities In Philips Vue PACS Devices Could Allow Remote Takeover

Multiple critical vulnerabilities in Philips Clinical Collaboration Platform Portal could enable an attacker to take control over an affected system, according to a recent Department of Homeland Security Cybersecurity and Infrastructure Agency alert.

The collaboration platform portal is registered as a VUE Picture Archiving and Communication Systems (PACS). A total of 15 vulnerabilities were reported to CISA as impacting the Philips Vue PACS, MyVue, Vue Speech, and Vue Motion versions 12.2 and earlier.

Four of the flaws have been given a Common Vulnerability Scoring System (CVSS) base score of 9.8, spotlighting the critical need to urgently apply the provided patch or workarounds.

The first is an improper input validation issue, as the VUE platform receives input or data but fails to validate whether the provided input has the required properties to ensure the data is safely and correctly processed.

Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.