Cybersecurity News & Trends – 06-04-2021

/0 Comments/in /by

This week Cozy Bear meddled in politics, REvil disrupted the global meat supply and schools fortified their defenses.

SonicWall in the News

Radio Interview with SonicWall President and CEO Bill Conner — KRLD 
SonicWall President and CEO Bill Conner discusses who is responsible for rising attacks on enterprises, governments and SMBs worldwide — and what’s to be done.

SonicWall, The Conference of Italian University Rectors to Collaborate on Cybersecurity Training, Research and Digital Innovation — FE News
SonicWall today announced its partnership with the Conference of Italian University Rectors (CRUI) to promote and enable mutual collaboration in research, development, transformation and digital innovation activities.

Industry News

Meat giant JBS now fully operational after ransomware attack — Bleeping Computer
JBS, the world’s largest beef producer, has confirmed that all its global facilities are fully operational and operate at normal capacity after the REvil ransomware attack that hit its systems last weekend.

Why One Hack on One Firm Can Shake Global Meat Supply — Bloomberg
In the last three years, a fire, a pandemic and now a cyberattack have disrupted the U.S. meat industry. Here’s how one hack impacts the global economy.

U.S. schools land IBM grants to protect themselves against ransomware — ZDNet
All U.S. K-12 public school districts were eligible to apply for the grants, designed to help school officials “proactively prepare for and respond to cyberattacks.”

U.S. seizes two domains used in cyberattacks that mimicked USAID communications — Reuters
The U.S. Justice Department said it had seized two Internet domains used in spear-phishing attacks mimicking email communications from the U.S. Agency for International Development.

Cyber-Insurance Fuels Ransomware Payment Surge — Threat Post 
Companies relying on their cyber-insurance policies to pay off ransomware groups are being blamed for a recent uptick in ransomware attacks.

New breach from hackers behind SolarWinds ‘mostly unsuccessful,’ Microsoft says — The Washington Times 
Microsoft said the latest hack was largely unsuccessful, meaning Microsoft has not discovered a significant number of compromised organizations.

Swedish Health Agency shuts down SmiNet after hacking attempts — ZDNet
The Swedish Public Health Agency shut down SmiNet, the country’s infectious diseases database, after it was targeted in several hacking attempts.

Kenyan Arrested in Qatar First Targeted By Phishing Attack — Bloomberg
A Kenyan security guard writing compelling, anonymous accounts of being a low-paid worker there found himself targeted by a phishing attack that could have revealed his location just before his arrest, analysts say.

New Russian hacks spark calls for tougher Biden actions — The Hill
Officials are calling for harsher measures against Russia following reports that SolarWinds hackers were continuing to launch cyberattacks against U.S. government agencies and other organizations.

Interpol intercepts $83 million fighting financial cybercrime — Bleeping Computer
The International Criminal Police Organisation has intercepted $83 million belonging to victims of online financial crime from being transferred to the accounts of their attackers.

This Android trojan malware is using fake apps to infect smartphones, steal bank details — ZDNet
TeaBot malware tells victims they need to click a link because their phone is damaged with a virus  — then infects them via the link.

Pulse Secure VPN hacking also hit transportation, telecom firms, FireEye says — Cyberscoop
The U.S. government has also been affected.

Hong Kong recorded phishing surge in 2020 as scum sought to cash in on viral worries — The Register 
Criminals tried to exploit Hong Kong residents’ COVID-related anxiety, according to new security data released yesterday.

UF Health Florida hospitals back to pen and paper after cyberattack — Bleeping Computer
UF Health Central Florida has suffered a reported ransomware attack that forced two hospitals to shut down portions of their IT network.

Fujifilm confirms ransomware attack disrupted business operations — Bleeping Computer
Today, Japanese multinational conglomerate Fujifilm officially confirmed that they had suffered a ransomware attack earlier this week that disrupted business operations.

Cozy Bear revisits one of its greatest hits, researchers say: election skulduggery — Cyberscoop
The recent spearphishing campaign uses an election fraud document as a lure. The emails purport to be from the U.S. Agency for International Development, and have targeted government agencies, research institutions and nongovernmental organizations.

In Case You Missed It

SonicWall’s Bill Conner Talks Ransomware on the Radio — Lindsey Lockhart
Infiltrate, Adapt, Repeat: A Look at Tomorrow’s Malware Landscape — Brook Chelmo
Join us for the 2021 SonicWall Partner Virtual Roadshow — David Bankemper
Capture Client 3.6 Launch Brings Key Features — Brook Chelmo
Using Client VPN with Your Firewall for WFH: a Setup for Disaster? — Jean-Pier Talbot

Microsoft Visual Studio RCE Vulnerability

/in /by

Overview:

  Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft. It can be used to develop console and graphical user interface (GUI) applications along with web sites, web applications, and web services. This is achieved in combination with native and managed code for all platforms supported by Microsoft Windows, Windows Mobile, Windows CE, .NET Framework, .NET Compact Framework and Microsoft Silverlight.

  The IDE supports a wide variety of programming languages and technologies; either built-in or as extensions. Built-in languages include C, C++, C++/CLI, Visual Basic .NET, C#, F#, JavaScript, TypeScript, XML, XSLT, HTML, and CSS. Support for other languages such as Python, Ruby, Node.js, and M among others is also available via extensions.

  A remote code execution vulnerability has been reported in the Python interpreter services, a component of the Python language support extension for Microsoft Visual Studio. The vulnerability is due to a design weakness. The python language interpreter “python.exe” may be provided in a Python project workspace. The embedded interpreter will be executed when the project is opened without confirmation from the user.

  A remote, unauthenticated attacker can exploit this vulnerability by enticing a user to open a malicious Python project/workspace. The workspace contains a crafted “python.exe” file in a subdirectory. Successful exploitation results in code execution in the context of the Microsoft Visual Studio IDE.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-27068

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is required.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.3 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  Upon opening a workspace/folder containing python source files, the workspace initialization procedure begins at the method InitializeCurrentContext in PythonWorkspaceContextProvder.cs. This procedure involves discovering Python interpreters within the workspace. The Python interpreter, in a Windows OS environment is the binary file “python.exe”. The initialization process requires the interpreter in other to retrieve interpreter information. The method FindInterpretersInSubFolders in WorkspaceInterpreterFactoryProvider.cs invokes the method CreateEnvironmentInfo for each interpreter path discovered within the workspace. The method CreateEnvironmentInfo is also defined in WorkspaceInterpreterFactoryProvider.cs and will in turn invoke the method PrefixFromSysPrefix defined in the same class file, on the discovered path. The method PrefixFromSysPrefix will build and execute the following template command line:

  (full path to interpreter within workspace) -c "import sys; print(sys.prefix)"

  The method CreateEnvironmentInfo, made no attempt to validate the integrity of the discovered python interpreter. Therefore, an attacker can craft a Python workspace such that an included python.exe is in fact a malicious binary which will be executed autonomously on opening the crafted workspace within Visual Studio.

  A remote, unauthenticated attacker can exploit this vulnerability by enticing a user to open a malicious Python project/workspace. The workspace contains a crafted “python.exe” file in a subdirectory. Successful exploitation results in code execution in the context of Microsoft Visual Studio.

Triggering the Problem:

  • A vulnerable version of Microsoft Visual Studio is installed.
  • The attacker must be able to deliver a malicious Python project to the target user.

Triggering Conditions:

  The attacker creates a malicious Python project for Microsoft Visual Studio and delivers it to the target user. The Python project contains a maliciously crafted python.exe file within a subdirectory. The vulnerability is triggered when this project is processed by a vulnerable version of Microsoft Visual Studio.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 80/TCP
    • HTTPS, over port 443/TCP
    • SSH, over port 22/TCP
    • FTP, over port 21/TCP
    • SMB/CIFS, over ports 139/TCP, 445/TCP

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 15579 Microsoft Visual Studio Remote Code Execution (CVE-2021-27068)

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Not cloning and opening untrusted Python projects within Visual Studio.
    • Upgrading to a non-vulnerable version of Visual Studio.
    • Filtering malicious traffic.
  The vendor, Microsoft, has released the following advisory regarding this vulnerability:
  Vendor Advisory

SonicWall’s Bill Conner Talks Ransomware on the Radio

/0 Comments/in , /by

This week’s Brazil-based JBS attack, the world’s largest meat producer, marks the third cyberattack on a major U.S. entity since January 2021. With ransomware attacks now impacting global economies and the daily lives of citizens, the waging cyberwar has taken center stage.

SonicWall President and CEO Bill Conner discusses who is responsible for rising attacks on enterprises, governments and SMBs worldwide and what’s to be done with KRLD NewsRadio 1080 radio host Dave Johnson in a recent interview.

“We’re past the tipping point now in [the] arms race,” said Conner. “The new tools that the bad guys are using are the stuff we use as good guys. So, they’re now using the cloud to take terabytes of data and store it anywhere in the world.

“They’re using cloud applications to target [organizations], just like they did with SolarWinds, and now they’re taking advantage of Microsoft Windows and authentication. It is past an arms race at this point.”

Conner and Johnson go on to discuss what governments need to do to “go on the offensive collectively” to thwart sophisticated and increasingly targeted attacks. Through April 2021, SonicWall Capture Labs threat researcher recorded a 90% year-to-date increase in ransomware. In fact, April 2021 was the highest single month of ransomware ever recorded by SonicWall.

“[Attackers] are going after everything,” warned Conner. “The ones that you’re just reading about are the ones that they’re actually getting away with and getting through [systems] today. Tomorrow is another story.”

The two go on to discuss the cybersecurity industry’s pressing issues such as disclosure, legislation and the world-wide phenomena of ransomware attacks.

Listen to the full interview below.

LISTEN NOW

CEO Spotlight with David Johnson, KRLD NewsRadio 1080