CERT-W Newsletter October 2020

Ethical Hacking & Incident Response


Monthly indicators

TOP ATTACKS: SOPRA STERIA HIT BY NEW VERSION OF RYUK RANSOMWARE
French IT services group Sopra Steria was hit by a cyber-attack that disrupted its business. The malware has been identified as a new version of the Ryuk ransomware, previously unknown to antivirus vendors and security agencies. According to Guillaume POUPARD, director general of ANSSI, the attack was contained before it could spread further.
TOP RANSOM: SOFTWARE AG DATA RELEASED AFTER CLOP RANSOMWARE STRIKE
The Clop group attacked Software AG, a German software company with operations in more than 70 countries, and published stolen data after its $23 million ransom demand went unpaid.
TOP EXPLOIT: WORMABLE APPLE ICLOUD BUG ALLOWS AUTOMATIC PHOTO THEFT
As part of the Apple Security Bounty programme, a group of ethical hackers reported 55 vulnerabilities and earned around $300,000. Among the more interesting findings were a wormable stored cross-site scripting bug in iCloud and several command injection flaws. The team published an extensive blog post detailing their findings.
TOP LEAK: VASTAAMO BREACH: HACKERS BLACKMAILING PSYCHOTHERAPY PATIENTS
Cybercriminals breached the systems of Vastaamo, a large Finnish psychotherapy provider, and are now contacting patients directly, threatening to publish their therapy records unless they pay a ransom. The details of 300 Vastaamo patients have reportedly already been posted online.

Cybercrime watch

US TREASURY SANCTIONS RUSSIAN INSTITUTION LINKED TO TRITON MALWARE
The US Department of the Treasury's Office of Foreign Assets Control has sanctioned a Russian government research institution connected to the Triton malware. Triton, also known as TRISIS and HatMan, was developed to target and manipulate industrial safety systems (Schneider Electric Triconex safety controllers), the Treasury reports.
US DOJ CHARGES 6 SANDWORM APT MEMBERS IN NOTPETYA CYBERATTACK
The Department of Justice (DOJ) announced charges against six Russian nationals, all GRU officers, who are allegedly members of the Sandworm APT. The group is believed to be behind several high-profile cyberattacks over the past few years, including the destructive NotPetya attack that hit hundreds of companies and hospitals worldwide in 2017.
RYUK RANSOMWARE GANG USES ZEROLOGON BUG FOR LIGHTNING-FAST ATTACK
The gang behind the Ryuk ransomware has added Zerologon (CVE-2020-1472) to its toolkit. Using it to take over the domain controller after an initial foothold reduced the time from initial access to full encryption of the target environment to 2 hours. See our dedicated article on exploitation of the Zerologon vulnerability for more information.

Vulnerability watch

CVE-2020-5135: CRITICAL VULNERABILITY ALLOWS HACKERS TO DISRUPT SONICWALL FIREWALLS
CVSS score : 9.8 CRITICAL

A buffer overflow in the SonicOS HTTP/HTTPS service, which serves both the management interface and the SSL VPN portal, allows an unauthenticated remote attacker to cause a Denial of Service (DoS) and potentially execute arbitrary code by sending a crafted HTTP request to the firewall. Because the SSL VPN portal is typically exposed to the Internet, check which interfaces expose this service and apply the patched SonicOS firmware released by SonicWall.

CVE-2020-16898: WINDOWS TCP/IP REMOTE CODE EXECUTION VULNERABILITY
CVSS score : 8.8 HIGH

A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles the Recursive DNS Server (RDNSS) option in ICMPv6 Router Advertisement packets. An attacker on the same link who successfully exploits this vulnerability could execute code on the target server or client; the easier outcome in practice is a kernel crash (blue screen), so the bug is a reliable DoS even where code execution is not achieved. Where the patch cannot be applied immediately, Microsoft's published workaround disables RDNSS processing on the interface: netsh int ipv6 set int <interface index> rabaseddnsconfig=disable.
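As an added illustration (not part of the original newsletter), the following Python script parses the option TLVs of an ICMPv6 Router Advertisement and flags the malformed RDNSS option (type 25 with an even Length field) that triggers this bug; the same check can be pointed at packets pulled from a capture. Both sample packets, the prefix and the DNS server address are constructed here for the example and are not captured traffic.

```python
import struct

ICMPV6_ROUTER_ADVERT = 134   # ICMPv6 type for Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3          # Prefix Information option
OPT_RDNSS = 25               # Recursive DNS Server option (RFC 8106)
RA_HEADER_LEN = 16           # type, code, checksum, hop limit, flags, lifetime, reachable, retrans


def parse_ra_options(payload: bytes):
    """Yield (type, length, body) for each option TLV in an RA.

    `length` is the raw Length field in units of 8 octets; `body` is the
    option content after the 2-byte type/length header. Broken framing
    (zero length, option running past the packet) raises ValueError.
    """
    if len(payload) < RA_HEADER_LEN or payload[0] != ICMPV6_ROUTER_ADVERT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    off = RA_HEADER_LEN
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("option Length of 0 is forbidden by RFC 4861")
        end = off + opt_len * 8
        if end > len(payload):
            raise ValueError("option runs past end of packet")
        yield opt_type, opt_len, payload[off + 2:end]
        off = end


def suspicious_rdnss(payload: bytes):
    """Return one (length, stray_bytes) tuple per malformed RDNSS option.

    A well-formed RDNSS option carries 8 bytes of header plus n 16-byte
    addresses, so its Length field must be odd and at least 3. An even
    Length leaves 8 stray bytes that are not a whole address; a Windows
    stack vulnerable to CVE-2020-16898 mis-parses exactly that case.
    """
    findings = []
    for opt_type, opt_len, _body in parse_ra_options(payload):
        if opt_type == OPT_RDNSS and (opt_len % 2 == 0 or opt_len < 3):
            stray = (opt_len * 8 - 8) % 16
            findings.append((opt_len, stray))
    return findings


def build_ra(*options: bytes) -> bytes:
    """Constructed RA header (checksum left at zero) followed by the given options."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    return header + b"".join(options)


def rdnss_option(length: int, address_bytes: bytes) -> bytes:
    """Constructed RDNSS option with an explicit Length field and raw address bytes."""
    return bytes([OPT_RDNSS, length]) + b"\x00\x00" + struct.pack("!I", 3600) + address_bytes


# Sample inputs, constructed for this example (documentation prefix 2001:db8::/32).
DNS_ADDR = bytes.fromhex("20010db8000000000000000000000053")  # 2001:db8::53
PREFIX_OPT = (bytes([OPT_PREFIX_INFO, 4, 64, 0xC0])
              + struct.pack("!III", 86400, 14400, 0)
              + bytes.fromhex("20010db8000000000000000000000000"))
BENIGN_RA = build_ra(PREFIX_OPT, rdnss_option(3, DNS_ADDR))                    # Length 3: one address
MALFORMED_RA = build_ra(PREFIX_OPT, rdnss_option(4, DNS_ADDR + b"\x00" * 8))   # Length 4: 1.5 addresses

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_RA), ("malformed", MALFORMED_RA)):
        print(name, suspicious_rdnss(pkt))
```

The parser deliberately raises on framing errors rather than skipping them: a truncated or zero-length option is itself worth an alert on a link where Router Advertisements are expected only from known routers.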

CVE-2020-16947: MICROSOFT OUTLOOK REMOTE CODE EXECUTION VULNERABILITY
CVSS score : 8.8 HIGH

A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory. Exploitation requires the victim to open, or merely preview, a specially crafted file with an affected version of Outlook: Microsoft lists the Preview Pane as an attack vector, so the usual "don't open attachments" advice is not sufficient mitigation and the October 2020 Office updates should be applied.