CERT-W Newsletter November 2020

Ethical Hacking & Incident Response

Monthly indicators

TOP ATTACK: Brazilian government recovers from “worst-ever” cyberattack
After suffering the most severe cyberattack ever orchestrated against a Brazilian public sector institution on 3 November, the Superior Court of Justice (STJ, its Portuguese acronym) has managed to get its systems back up and running. The Court had to suspend all sessions for a few days and then operate with limited functionality for urgent cases until its systems were fully re-established on November 20. The ransomware reportedly relied on a vulnerability discovered during a Chinese hacking competition.
TOP ATTACK: The Egregor ransomware disrupts the distribution of the daily “Ouest-France”
Ouest-France, the leading French daily by circulation, published only one edition of its Sunday newspaper instead of the usual ten after falling victim to the Egregor ransomware during the night of 20 to 21 November.
TOP EXPLOIT: Gitpaste-12 worm targets Linux servers, IoT devices
Security researchers have discovered a new worm and botnet dubbed Gitpaste-12, named for its use of GitHub and Pastebin to host component code and for the 12 known vulnerabilities it exploits to compromise systems.
TOP LEAK: Millions of hotel guests worldwide caught up in mass data leak
Widely used hotel reservation platforms (including Booking.com and Expedia) have exposed 10 million files related to guests at hotels around the world through a misconfigured Amazon Web Services S3 bucket. The incident affected 24.4 GB of data in total, exposing travellers to identity theft, scams, credit-card fraud and vacation theft, according to the security team at Website Planet, which uncovered the bucket.
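Exposed buckets of this kind are usually the result of a bucket policy or ACL that grants access to the anonymous principal. The following is an added example, not code from the newsletter or from Website Planet: an offline check that flags bucket-policy statements allowing anonymous reads and verifies the S3 Public Access Block settings. The policy documents are constructed samples in the format that `aws s3api get-bucket-policy` returns; the function names are this example's own.

```python
"""Offline review of S3 bucket policies for anonymous read access.

Added example (not from the newsletter). It parses bucket-policy JSON as
returned by `aws s3api get-bucket-policy` and reports Allow statements whose
Principal is everyone and whose Action permits reading or listing objects.
Sample policies below are constructed for the demo.
"""
import json

# Actions that let an anonymous principal read or enumerate objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """IAM allows scalars where lists are expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when a statement's Principal is the anonymous (everyone) principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_read(actions):
    """True when any listed action allows reading or listing bucket contents."""
    return any(a.lower() in READ_ACTIONS for a in _as_list(actions))


def find_public_statements(policy_json):
    """Return the Allow statements that grant anonymous read/list access.

    Each finding carries the statement Sid (or its index) and whether a
    Condition block is present; a conditioned statement (e.g. limited to a
    VPC endpoint) still deserves manual review rather than an automatic pass.
    """
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_public(st.get("Principal")):
            continue
        if not _grants_read(st.get("Action", [])):
            continue
        findings.append({
            "sid": st.get("Sid", f"statement[{i}]"),
            "conditioned": bool(st.get("Condition")),
        })
    return findings


def public_access_block_ok(config):
    """True only if all four Public Access Block settings are enabled.

    `config` has the shape of PublicAccessBlockConfiguration from
    `aws s3api get-public-access-block`.
    """
    keys = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(k) is True for k in keys)


# Constructed sample: the kind of policy behind an exposed bucket.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reservations",
                     "arn:aws:s3:::example-reservations/*"],
    }],
})

# Constructed sample: same data, access limited to one application role.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/reservations-app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reservations/*",
    }],
})

if __name__ == "__main__":
    print("exposed :", find_public_statements(EXPOSED_POLICY))
    print("hardened:", find_public_statements(HARDENED_POLICY))
```

Run against real output by piping `aws s3api get-bucket-policy --query Policy --output text` into `find_public_statements`; a bucket with no policy at all can still be public through object or bucket ACLs, which is why `public_access_block_ok` should be checked alongside it.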

Cybercrime watch

Two charged in SIM swapping, vishing scams
Two young men from the eastern United States have been charged with identity theft and conspiracy for allegedly stealing bitcoin and social media accounts by tricking employees at wireless phone companies into giving away the credentials needed to remotely access and modify customer account information.
New Regret Locker ransomware targets Windows Virtual Machines
A new ransomware called Regret Locker was discovered in October. It looks unsophisticated, but it makes up for that with advanced features. Notably, Regret Locker mounts virtual disk (VHD) files so that the files inside them can be encrypted individually, rather than encrypting the large virtual disk file as a whole.
Ragnar Locker ransomware gang takes out Facebook ads in key tactic
The Ragnar Locker ransomware group has decided to ratchet up the pressure on its latest high-profile victim, Italian liquor conglomerate Campari, by taking out Facebook ads threatening to release the 2TB of sensitive data it stole in a Nov. 3 attack – unless a $15 million ransom is paid in Bitcoin.
Ransomware Activity targeting the Healthcare and Public Health Sector
CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.

Vulnerability watch

CVE-2020-17051: Remote kernel heap overflow in the Windows Server NFSv3 service
CVSS score: 9.8 CRITICAL

A critical vulnerability in the Windows NFSv3 (Network File System) server. NFS is typically used in heterogeneous Windows and Unix/Linux environments for file sharing. Triggering the bug causes an immediate BSOD (Blue Screen of Death) in the nfssvr.sys driver.

CVE-2020-17087: Windows Kernel Local Elevation of Privilege Vulnerability
CVSS score : 7.8 HIGH

A privilege escalation flaw that allows an attacker who has already compromised a low-privileged user account on a system to gain administrative control. On its own it provides no initial access, so it has to be chained with another exploit.

CVE-2020-3556: Cisco AnyConnect VPN Zero-Day
CVSS score : 7.3 HIGH

A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener.