Tag Archive for: abused
Researchers compile list of vulnerabilities abused by ransomware gangs
Security researchers are compiling an easy-to-follow list of vulnerabilities ransomware gangs and their affiliates are using as initial access to breach victims’ networks.
All this started with a call to action made by Allan Liska, a member of Recorded Future’s CSIRT (computer security incident response team), on Twitter over the weekend.
Since then, with the help of several other contributors that joined his efforts, the list quickly grew to include security flaws found in products from over a dozen different software and hardware vendors.
While these bugs have been or still are exploited by one ransomware group or another in past and ongoing attacks, the list has also been expanded to include actively exploited flaws, as security researcher Pancak3 explained.
The list comes in the form of a diagram providing defenders with a starting point for shielding their network infrastructure from incoming ransomware attacks.
Vulnerabilities targeted by ransomware groups in 2021
This year alone, ransomware groups and affiliates have added multiple exploits to their arsenal, targeting actively exploited vulnerabilities.
For instance, this week, an undisclosed number of ransomware-as-a-service affiliates have started using RCE exploits targeting the recently patched Windows MSHTML vulnerability (CVE-2021-40444).
In early September, Conti ransomware also began targeting Microsoft Exchange servers, breaching enterprise networks using ProxyShell vulnerability exploits (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
In August, LockFile started leveraging the PetitPotam NTLM relay attack method (CVE-2021-36942) to take over Windows domains worldwide, Magniber jumped on the PrintNightmare exploitation train (CVE-2021-34527), and eCh0raix was spotted targeting both QNAP and Synology NAS devices (CVE-2021-28799).
HelloKitty ransomware targeted vulnerable SonicWall devices (CVE-2019-7481) in July, while REvil breached Kaseya’s network (CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120) and hit roughly 60 MSPs using on-premise VSA servers and 1,500 downstream business customers [1, 2, 3].
FiveHands ransomware was busy exploiting the CVE-2021-20016 SonicWall vulnerability before being patched…
SEO wizardry abused to push malware into Google search rankings
Cybercriminals are deploying search engine optimization (SEO) tricks to push malicious domains up the Google search rankings, security researchers have discovered.
According to a report from the security team at AT&T, in addition to distributing malware via email campaigns, the operators behind the infamous Sodinokibi ransomware are targeting keyphrases commonly punched into Google.
In the scenario analyzed in the report, a client ended up downloading a rigged JavaScript file from a malicious domain. The website had appeared on the first page of Google, in eighth position, for the search term “Missouri and Kansas tax reciprocity”.
“There’s a saying that nothing can be certain, except death and taxes; in today’s cyber threat landscape, we can add ransomware to that shortlist,” wrote Ken Ng, a researcher at AT&T. “In this incident, one of [our] customers almost had an incident at the crossroads of taxes and ransomware.”
SEO for cybercriminals
Although the attack was mitigated automatically by the security protections in place, AT&T believed the incident warranted further investigation, as it was not immediately clear how the individual had ended up with the infection.
“Once we had an idea of what the JavaScript led to, we could attempt to find how the user potentially got the file,” AT&T explained. “Leveraging the information from the file name, plus some context with the one PDF the user was able to get from a legitimate site, we were able to emulate the user’s actions.”
When researchers eventually tracked down the offending domain, they found it stood out because it used HTTP, not HTTPS (a more secure protocol), and because the URL itself had nothing to do with the headline of the page, which had been crafted with SEO in mind.
The page itself was reportedly “extremely suspicious and sparse”, containing a link to download the answer to the original search query: “does Missouri have a reciprocal agreement with Kansas?”.
The specificity of this level of targeting is alarming (after all, a comparatively small number of people are likely to be making this particular query) and begs the question: how many other key terms are Sodinokibi and other…