REvil ransomware looks for and executes DLLs in its current directory. Therefore, we can hijack a DLL, execute our own code, and control and terminate the malware pre-encryption. The exploit DLL checks if the current directory is "C:\Windows\System32" and if not we grab our process ID and terminate. We do not need to rely on hash signatures or third-party products as the malware's flaw does the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as there's nothing to kill the DLL that just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/7a96d7a1f28bfb6ae36a15263a8a7135.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Ransom.REvilVulnerability: Code ExecutionDescription: REvil looks for and executes DLLs in its current directory. Therefore, we can hijack a vuln DLL, execute our own code, control and terminate the malware pre-encryption. The exploit dll checks if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. We do not need to rely on hash signatures or third-party products, the malwares flaw does the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as there's nothing to kill the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.Family: REvilType: PE32MD5: 7a96d7a1f28bfb6ae36a15263a8a7135Vuln ID: MVID-2022-0595Disclosure: 05/12/2022Exploit/PoC:1) Compile the following C code as "winhttp.dll" 32-bit2) Place the DLL in same directory as the ransomware3) Optional - Hide it: attrib +s +h "winhttp.dll"4) Run the malware#include "windows.h"//By malvuln//gcc -c winhttp.c -m32//gcc -shared -o winhttp.dll winhttp.o -m32//Purpose: Exploit REvil/** DISCLAIMER:Author is NOT responsible for any damages whatsoever by using this software or improper malwarehandling. By using this code you assume and accept all risk implied or otherwise.**/BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){  switch (reason) {  case DLL_PROCESS_ATTACH:   MessageBox(NULL, "REvil\nPWNED By MALVULN", "Code Exec PoC", MB_OK);   TCHAR buf[MAX_PATH];   if(GetCurrentDirectory(MAX_PATH, buf))   if(strcmp("C:\\Windows\\System32", buf) != 0){      HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid());     if (NULL != handle) {           TerminateProcess(handle, 0);       CloseHandle(handle);     }   }    break;  }  return TRUE;}Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Ransom.REvil MVID-2022-0595 Code Execution

Red Hat Security Advisory 2022-2197-01 - The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: rsync security update  
Advisory ID:       RHSA-2022:2197-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:2197  
Issue date:        2022-05-11  
CVE Names:         CVE-2018-25032  
====================================================================  
1. Summary:

An update for rsync is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The rsync utility enables the users to copy and synchronize files locally  
or across a network. Synchronization with rsync is fast because rsync only  
sends the differences in files over the network instead of sending whole  
files. The rsync utility is also used as a mirroring tool.

Security Fix(es):

* zlib: A flaw found in zlib when compressing (not decompressing) certain  
inputs (CVE-2018-25032)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2067945 - CVE-2018-25032 zlib: A flaw found in zlib when compressing (not decompressing) certain inputs

6. Package List:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1):

Source:  
rsync-3.1.3-6.el8_1.1.src.rpm

aarch64:  
rsync-3.1.3-6.el8_1.1.aarch64.rpm  
rsync-debuginfo-3.1.3-6.el8_1.1.aarch64.rpm  
rsync-debugsource-3.1.3-6.el8_1.1.aarch64.rpm

noarch:  
rsync-daemon-3.1.3-6.el8_1.1.noarch.rpm

ppc64le:  
rsync-3.1.3-6.el8_1.1.ppc64le.rpm  
rsync-debuginfo-3.1.3-6.el8_1.1.ppc64le.rpm  
rsync-debugsource-3.1.3-6.el8_1.1.ppc64le.rpm

s390x:  
rsync-3.1.3-6.el8_1.1.s390x.rpm  
rsync-debuginfo-3.1.3-6.el8_1.1.s390x.rpm  
rsync-debugsource-3.1.3-6.el8_1.1.s390x.rpm

x86_64:  
rsync-3.1.3-6.el8_1.1.x86_64.rpm  
rsync-debuginfo-3.1.3-6.el8_1.1.x86_64.rpm  
rsync-debugsource-3.1.3-6.el8_1.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-25032  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYnw19dzjgjWX9erEAQiq+w//YUJEvnSSUG1jh+EplRlwXQhmFYxtQ//a  
885yoz9+xqVBMFKRuA0BzbxyOEjHhcINGbxM+YoToQk8w2NSI3bmaYaVgMACrG5a  
tjQ4KkfbfBb+S20BbFfWhBIZdljOH/1sRfIOJYVgweyJgF1ucDqsghwk8eq/uU16  
FEaOc3WA4sKvjPZdKBRy7fzrW39ODnIUzqwtCceT29Hewa+q+rS3PkuFqinK0UBo  
1HD94FMF+s44FoGggcD4biu1pz3ROjPVbpykXvm7X3dQ2SPrSmIHYwGX4hLbO2DM  
/jWGg9KWhHnv7GG+ygttNsaxw91rzdQHcvtDrkWb8deCnhnw9qxkqwW5M/AEcIY2  
kC8btY95+a7cErvhAX1u+VCHOVuBcAhBUg3Qtk9LBLo6doHXfrKBYay8kgTiu0rv  
Y4RvnU0wfZN3nKyTBSyUaUBjB+VRsi9okTh43XfPruUfmWtdIJ7R9XjO3iSfC/MN  
fG0FSsl4RLePNMMIyBXCn/+gydu8B+VmY4kPiu5HeaY+ieESPgoXK94sGyWHfKLz  
fslAzT/9vOLgJRiQepiey9cmJ5HDCDk9BstlWQwmhe8oWDmLMkWiHChuc/lClMpf  
HiWexWTphW1J79MkcYPSt6v+1FHjameF2nuHHKRFTk2QbptBLBe3UbUV8kg1atPJ  
8kiir+JRyME=o1J2  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-2197-01

An issue was discovered in Stormshield Network Security (SNS) 4.3.x before 4.3.8. The event logging of the ASQ sofbus lacbus plugin triggers the dereferencing of a NULL pointer, leading to a crash of SNS. An attacker could exploit this vulnerability via forged sofbus lacbus traffic to cause a firmware crash.

Advisory ID

CVE Number

Date discovered

Severity

Advisory revision

STORM-2022-015

CVE-2022-30279

02/09/2022

medium

v1

**Vulnerability details**

The event logging of the ASQ sofbus lacbus plugin could lead to the dereferencing of a null pointer leading to the crash of SNS.

**Impacted products**

Products

Severity

Detail

Stormshield Network Security

medium

SNS is impacted

**Revisions**

Version

Date

Description

v1

 05/12/2022

Initial release

**Stormshield Network Security**

**CVSS v3.1 Overall Score: 6.2      **

**Analysis**

**Impacted version**

An attacker could exploit this vulnerability via forged sofbus lacbus traffic to cause a firmware crash.

*   SNS 4.3.3 to 4.3.7

**Workaround solution**

**Solution**

Disable sofbus lacbus ASQ plugin.  
Or disable the “log by request” option in the plugin configuration (Token Log=0 in ConfigFiles/Protocols/Modbus/0x).

The 4.3.8 update will fix this vulnerability.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability impact

Network

High

Low

None

Unchanged

None

None

High

CVSS Base score: 5.3

CVSS Vector: (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

Exploit Code Maturity

Remediation Level

Report Confidence

Unproven that exploit exists

Official fix

Confirmed

CVSS Temporal score: 4.6

CVSS Vector: (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Confidentiality Requirement

Integrity Requirement

Availability Requirement

High

High

High

CVSS Environmental score: 6.2

CVSS Vector: (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)

CVE-2022-30279: SNS: ASQ sofbus lacbus plugin null pointer dereferencing

By understanding how FaaS works and following best practices to prevent it, your business can protect its customers, revenue, and brand reputation.

The pandemic pivot to digital banking, shopping, and other services was an important health measure, but it created opportunities for organized fraudsters to grow their "business" and expand their offerings to include fraud-as-a-service (FaaS). FaaS takes several forms, all with the goal of making it easier for both experienced and novice criminals to commit fraud. Here's what merchants need to know about this trend and how to prevent FaaS attacks.  

**How Fraud-as-a-Service Works  
**There are two main components to FaaS: bots and brand impersonation. Neither tactic is entirely new. Fraudsters have been using bots for card-testing attacks for years, and brand impersonation is a classic scheme for phishing credentials and payment data.

Now, though, fraud "service providers" are going farther. Criminals can rent bot networks inexpensively to launch large-scale fraud campaigns against websites and to phish victims. However, two-factor authentication (2FA) can prevent thieves from breaking into accounts even with stolen data. SIM-swapping is one option for getting around 2FA, but it's time consuming and requires planning. So, criminals now offer OTP (one-time password) bot services. Fraudsters can plug in victims' names and financial institutions or favorite stores, and the bot handles the rest – phishing the victim for their one-time password so fraudsters can take over the related account – all for as little as 15 cents per bot call.  

**Detecting and Preventing Fraud-as-a-Service Attacks  
**The best practices that protect businesses from fraud are more important than ever . This is a good time to make sure your organization's anti-fraud program includes these elements:

**1\. Limit data entry attempts and velocity:** One of the telltale signs of a bot attack is the speed at which it moves. Bots can load up carts, check out, and place orders much faster than humans can. They can also repeatedly enter different passwords and one-time codes until they hit a match.

If your website allows customers to make unlimited attempts to enter their data correctly, setting a limit on the number of attempts before they're locked out can protect your store from bots. Likewise, flagging orders for velocity can help to separate busy shoppers who are reordering familiar items from botnets that are programmed to scoop up as many items as they can, as fast as possible.

**2\. Screen every order:** Because there are billions of compromised credentials available to fraudsters now, because FaaS scams are harvesting more credentials, and because FaaS bots can use those credentials to crack accounts at scale, businesses can no longer assume that returning customers are who they appear to be.

That means it's no longer safe to automatically approve orders from known customers. Every order needs to be screened for payment data as well as for device, geolocation, and behavioral biometrics to help validate the customer or flag the order as possible account takeover fraud.

**3\. Run batch analyses to detect fraud at scale:** Bot rental and compromised credentials allow fraudsters to get creative with their attacks on businesses. For example, a gang can target an online store with a spate of orders that appear to come from different customers using different payment methods. Each of these orders may pass muster with the fraud screening solution and get approved.

However, if the merchant also selects random orders for analysis as a group, the fraud solution may find patterns that indicate criminal activity. Maybe that burst of orders from different customers were all shipping to the same address. Or perhaps all of the cards they used to pay had the same bank identification number, indicating that the customers might be synthetic identities. Batch analysis can reveal these issues so that fraudulent orders can be canceled before items ship.

**4\. Avoid automatic declines:** Stopping fraud can only save a company money if it doesn't also stop good customers from completing their orders and coming back for repeat purchases. Automatic declines may seem like a way to save money and time on order decisioning, but this approach typically generates a high rate of false declines. A recent ClearSale five-country survey of online shoppers found that 40% won't ever go back to a website that declines their order. That represents a lot of lost customer lifetime value.

**5\. Use manual review:** The alternative to automatic declines is manual review by fraud specialists, who can distinguish between fraud and unusual but valid customer behavior. Manual review of flagged orders costs more than auto-declines up front, but the ROI includes more approved orders and less customer churn due to false declines.

**6\. Continuously train your ML:** Manual review results can and should feed the automated fraud solution's machine learning algorithms. This helps the AI get better at detecting sophisticated fraud and customer behavior that's not completely normal but also isn't fraudulent. This can result in fewer flagged orders and reduce the need for manual review over the long term.

**7\. Monitor brand mentions:** FaaS schemes often impersonate brands to trick consumers into sharing their credentials and even authentication codes. Every business should keep an eye out for social media accounts, websites, email campaigns, and even SMS campaigns that impersonate their brand. Depending on the channel, a company can report imposters to the platform, Web host, or Federal Communications Commission and alert their customers there's a scam operating under the company's brand.

FaaS shows how fraud continues to evolve, and how the technologies that make life more convenient for customers also make fraud easier for criminals. By understanding how FaaS works and following best practices to prevent it, your business can help protect your customers, your revenue, and your brand reputation.

How Can Your Business Defend Itself Against Fraud-as-a-Service?

Researcher shares how he unearthed newer bugs in Apple's operating system by closer scrutiny of previous research, including vulnerabilities that came out of the Pwn2Own competition.

Sometimes all it takes to root out a new software vulnerability is to study and analyze previous bug reports. That's how researcher Csaba Fitzl says he sniffed out some new Apple macOS vulnerabilities, one of which was a mirror image of a logic flaw that a group of researchers competing in the 2020 Pwn2Own contest found and executed there.

Fitzl, a content developer for Offensive Security, says he reread and studied the winning six-exploit chain that the researchers used to hack macOS. One of the exploits in that chain weaponized a privilege escalation bug, which Apple later fixed. But there still was a hole, and he found it: "Although Apple fixed it properly, but still there was an extra function ... that basically opened up another vulnerability to be utilized a bit differently than the original one," Fitzl explains.

Apple's original fix for the flaw allowed an attacker to change ownership of a directory in macOS. But Fitzl discovered that he could create a new directory on the targeted system, which could allow an attacker to escalate their privileges on macOS. "Although you had to use different techniques to get through to the system, but because you could create an arbitrary directory anywhere on the system, you could elevate your privileges to root," he says.

It was basically the same logic flaw but in a different piece of the code. Apple has since patched the vulnerability Fitzl found as well.

This week at Black Hat Singapore, Fitzl will share technical details of this and two other vulns he found while drilling down on previous vuln research on macOS during a session entitled "macOS Vulnerabilities Hiding in Plain Sight."

Apple had not responded to a request for comment as of this posting.

**'Something Is Not Right'  
**Fitzl says he didn't actually spot traces of the new flaws linked to previous research until after he reread the research papers. "At some point it hit me that there is something not right. It turned out that there is a vulnerability not like the one initially documented," he explains of his findings. "That eventually led to me to find or identify new vulnerabilities."

The other two flaws he found include one that built upon research from Mickey Jin, who discovered a bypass for an Apple patch for the so-called XCSSET malware that targeted Apple's built-in Transparency, Consent, and Control (TCC) privacy and security framework. XCSSET pilfers sensitive user and developer information from applications on a Mac machine.

Fitzl says he noticed an underlying weakness in the TCC framework that would allow an attacker to bypass TCC. He consulted with fellow researcher Wojciech Regula, head of mobile security and principal security consultant at SecuRing, on the issue.

"We found that we can still generically bypass TCC because there was an inherent vulnerability" that came out of the previous research, he says. It was a flaw in TCC that could allow an attacker to bypass the macOS privacy and security framework.

While macOS relies heavily on code-signing and verification of code-signing, Fitzl explains, TCC was not verifying a process that was running but rather verifying binary code on the disk. "This allowed all these abuses by malware," he says. "So we just replaced the binary on the disk and that's it: We could bypass TCC again."

Apple has since fixed the issue, he says.

The third macOS vuln Fitzl found builds off a flaw used in a 2017 Pwn2Own macOS exploit chain: another privilege escalation flaw that Apple later patched in its disk arbitration framework to elevate to root access. Then Fitzl found that the new version of Apple's disk arbitration source code included the "exact same" logic bug that could lead to privilege escalation. "You could use the same logic bug to escape the \[macOS\] sandbox" that keeps applications from getting access to other parts of the machine they don't need, he says.

For example, an attacker could abuse the vulnerability to escape Safari's sandbox and gain broader access across the victim's machine.

**Protecting macOS  
**Fitzl recommends that organizations religiously update their Macs with the latest versions of macOS to keep their endpoints protected from attacks such as these. They should also run anti-malware and endpoint detection and response on their machines.

Known macOS Vulnerabilities Led Researcher to Root Out New Flaws

Researchers discovered a simple malware builder designed to steal credentials, then pinging them to Discord webhooks.

Researchers discovered a simple malware builder designed to steal credentials, then pinging them to Discord webhooks.

On April 23rd, 2022, a Discord user with the handle “Portu” began advertising a new password-stealing malware builder.

Malware builders are programs which so-called script kiddie hackers can craft their own executables on top of. Script kiddie is cybersecurity parlance for a novice hacker who uses a preexisting code to slightly modify it for their own nefarious purposes.

Four days later, threat analysts from Uptycs discovered the first sample of a Portu-inspired malware sample in the wild researchers dubbed “KurayStealer.” According to researchers, the malware has been used to target Discord users.

**How KurayStealer Works**

The author behind KurayStealer has clearly taken inspiration – and code – from those other attacks. “We have seen several other similar versions floating around in public repositories like github,” the researchers noted, concluding that “the KurayStelaer builder has several components of different password stealers.”

When it’s first executed, KurayStealer runs a check to determine if the malicious user is running the free or “VIP” (paid) version.

Next, it attempts to replace the string “api/webhooks” with “Kisses” in BetterDiscord – an extended version of the Discord app, with greater functionality for developers. If this action is successful, the hacker can undermine the app in order to set up webhooks.

Webhooks are a mechanism by which webpages and applications can send real-time data to one another over HTTP. They’re like APIs, the key difference being that webhooks send information automatically, without the need for a request from the receiver.

With webhooks in place, the program takes a screenshot and grabs the geo-location of the target machine. Then it begins credential hunting: probing for passwords, tokens, IP addresses and more from Discord, Microsoft Edge, Chrome, and 18 other apps. Any data scoured in this process funnels back to the attacker via the webhooks.

**What We Know of the Author**

Script kiddies are rarely subtle.

Within KurayStealer’s code is a reference to who wrote it: “Suleymansha & Portu,” and an invite to a Discord channel run by the user “Portu#0022.” Portu#0022’s profile contains a link to their profile on Shoppy – an ecommerce platform – with samples of other malicious programs. It also points to their YouTube channel, which used to have a video up that demonstrated how to use KurayStealer. The channel is barren now, but for a cartoon profile picture and an indication that Portu is from Spain.

On April 26th, Portu announced they were working on a new ransomware program. “Based on the announcement and the observations,” the researchers concluded, “we believe that the authors might come up with newer versions of password stealers and other malware.”

“Our research on KurayStealer backed with OSINT highlights the rise in prevalence of password stealers using Discord tokens as a C2 for harvesting the victims’ credentials. Enterprises must have tight security controls and multi-layered visibility and security solutions to identify and detect such attacks.”

Malware Builder Leverages Discord Webhooks

WannaCry continues to be a reminder of the challenges that organizations face dealing with the ransomware threat.

The ransomware landscape has evolved considerably since WannaCry dramatically drove home the potential severity of the threat five years ago on May 12. What has changed somewhat less over the same period is enterprise preparedness in the face of ransomware attacks. 

Ransomware emerged and has remained entrenched as one of the most difficult security issues for organizations across sectors in the past few years. WannaCry itself, while nowhere near as widespread as it was initially, remains a potent threat and even figured in some vendor lists of top malware threats as recently as last November.

By most accounts, enterprise organizations have gotten better at remediating vulnerabilities and updating obsolete and outdated software. Even so, the vulnerable version of the Server Message Block (SMB) protocol that WannaCry used to spread like wildfire remains in widespread use across organizations and regions. Most attacks against the SMB protocol still attempt to exploit EternalBlue, the exploit that was used in the WannaCry attacks. Patching and vulnerability management programs continue to pose challenges, as do practices such as threat detection, remediation, and response.

Meanwhile, ransomware and the manner in which it is used has changed. Many ransomware attacks these days are highly targeted and involve hands-on tactics for maximum effectiveness. Tools are increasingly becoming multiplatform, meaning they can be used to attack different operating systems. Examples of these tools include Conti, BlackCat, and Deadbolt. 

And the proliferation of ransomware-as-a-service offerings has lowered the barrier to entry for common cybercriminals, even as it has fostered increasingly businesslike hierarchies and processes within the criminal industry. A high percentage of ransomware attacks these days also involve data theft and denial-of-service attacks as additional forms of extortion.

**Alive and Kicking  
**"WannaCry, though not nearly as prevalent of a threat as it once was, is still alive and kicking," says Tessa Mishoe, senior threat analyst at LogicHub. Over the time between its first attacks and now, the ransomware industry has learned from WannaCry's efforts and the responses to it — whether it be new tactics such as auctioning data and blackmailing customers or new techniques like more complex virtual machine escapes and persistence. "Ransomware's increase in market share should be a good indicator of how WannaCry launched more intrigue into ransomware," Mishoe says.

WannaCry surfaced on May 12, 2017, and in a matter of days spread to some 300,000 computers worldwide. Though many have described it as ransomware, one of its main functions was to wipe data clean from infected systems. 

Numerous organizations were affected in the outbreak, including FedEx, Nissan, and, perhaps most notably, the United Kingdom's National Health Service. The US Department of Justice and numerous others have attributed the malware and the attacks to North Korea's Lazarus Group. Over the years, researchers have estimated damages associated with the malware to be more than $1 billion dollars.

The malware spread via a publicly leaked, US National Security Agency (NSA)-developed exploit called EternalBlue that targeted a critical remote code execution vulnerability (MS17-010) in Microsoft's Server Message Block 1.0 (SMBv1) file-sharing protocol. Once installed on a system, WannaCry quickly spread to other devices running a vulnerable SMB version. Most of these were older Windows systems, such as those running on Windows Vista, Windows 7, and Windows 8.1. 

Though Microsoft had issued a patch for the SMB flaw more than a month before WannaCry, millions of computers were unpatched against the problem when the malware hit.

**A Continuing Threat  
**Five years later, attackers are continuing to use the EternalBlue exploit to deploy WannaCry and other malware on enterprise systems.

A recent analysis conducted by Barracuda Networks of attacks over a three-month period shows a staggering 92% of all attacks on SMB port 445 involve attempts to use the EternalBlue exploit. 

"There are still machines out there that have never been patched against these sorts of exploits and likely won't ever be," says Jonathan Tanner, senior security researcher at Barracuda. "So, it's not a lot of work on the attackers' part to try to find and exploit these systems."

Much of this also is due to continued delays in organizations updating their infrastructures. A survey of 500 IT decision-makers by vendor ExtraHop found 68% of respondents admitting to still running SMBv1, even though newer, more secure versions of the file-sharing protocol have been around for years. The company will be discussing the obstacles that companies face in hardening themselves for ransomware attacks at the upcoming RSA Conference (RSAC), in a session aptly entitled, "What Will It Take to Stop Ransomware?"

SMBv1 has been deprecated since 2014, notes Jeff Costlow, ExtraHop's CISO. "I wish it was surprising that 68% of organizations are still running SMBv1, but I see example after example of organizations running outdated, insecure, or unencrypted protocols — either knowingly or unknowingly," he says. The risk is huge, he adds. "SMBv1 doesn’t need to be installed on every device in the environment to be used to launch a catastrophic attack. It only needs to be on one."

Brian Donahue, principal information security specialist at Red Canary, says that, for the most part, organizations are less vulnerable to WannaCry now than they were before. Even so, many organizations still have not updated to MS17-010 and their SMB installations remain susceptible to the EternalBlue exploit, he says. 

"More generally, enterprise patch-adoption lags behind vendor updates, and organizations will always struggle to keep up to date with new software releases," he notes.

Organizations also need to keep on top of cybercriminal innovation. To that end, Red Canary's Katie Nickels, also a SANS Institute director, will be part of a panel during June's RSAC entitled "The 5 Most Most Dangerous New Attack Techniques," which is aimed at highlighting emerging threat vectors for ransomware (and other cyberattacks). 

**A Dominant and Evolving Threat  
**Donahue says ransomware was one of the most dominant threats in 2017 and remains a major threat in 2022. Worm-like ransomware threats have transitioned from being an emergent threat to the de facto standard for ransomware campaigns. Even more than that, the adoption of exfiltration techniques to perform double extortion was uncommon in 2017, but it's extremely common now.

The ransomware industry has evolved in other ways as well since the WannaCry outbreak. Researchers at Bishop Fox who analyzed the threat space recently spotted a trend toward the use of ransomware as a decoy in state-sponsored attacks, cyber warfare, and criminal activity. They noted how WannaCry, NotPetya, and WhisperGate were disk wipers disguised as ransomware that tricked victims into believing they could get their data back if they paid a ransom. 

In the same manner, attackers are using ransomware to distract victims from an attacker's true motives, according to Bishop Fox.

Today's ransomware attacks are also a lot more tailored and customized compared to WannaCry, which spread indiscriminately in automated fashion, says Trevin Edgeworth, red-team practice director at Bishop Fox. He points to DarkSide, the ransomware that hit Colonial Pipeline, as an example of ransomware that is being largely human-deployed and aimed at specific organizations. 

"Whether it is patient information that a healthcare provider maintains, or the continued operation of systems critical to a manufacturing company, today's attacks are tailored and customized to each targeted organization and what is critical to them," he says.

In a report this week, Kaspersky said it had identified recent instances of ransomware groups taking sides in geopolitical conflicts — such as that involving Russia's war in Ukraine. Groups behind the Conti ransomware family, for instance, have allied themselves with Russian interests, while others such as the IT Army of Ukraine are on the opposite side. That alignment could have an impact on targeted organizations.

WannaCry was a wake-up call for many organizations around their patching practices, and it did foster stronger vulnerability management programs. However, many organizations continue to prioritize operating system patching over patching key applications such as Java, Office, and Adobe products that are installed ubiquitously throughout their environment, Edgeworth says.

"Ransomware preparedness starts first with excelling at basic security hygiene, such as secure network architecture, reducing unnecessary attack surfaces, and enforcing least privilege around Active Directory and 'crown jewels' systems," Edgeworth says. "Organizations must have a plan in advance on how to respond to a ransomware attack."

5 Years That Altered the Ransomware Landscape

A biotech threat intelligence group is gaining supporters as urgency mounts around an overlooked vulnerable sector.

A new partnership between the cybersecurity nonprofit Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) and the Johns Hopkins University Applied Physics Laboratory (APL), which works on emerging research with US government agencies, is highlighting the need for more resources to better secure biomedical, bioindustrial, and biomanufacturing entities.

The Covid-19 pandemic sparked regular people around the world to think about the logistics of vaccine development and production in a tangible and immediate way. But the so-called bioeconomy is silently embedded everywhere, from breeding programs used in agriculture to the development of biofuels. And as industry after industry faces a reckoning about the state of their cybersecurity defenses, researchers are increasingly realizing that the bioeconomy is vulnerable. During the pandemic, for example, Russia, China, and other state actors raced to hack vaccine makers and distributors for intelligence gathering, in a scramble that US officials warned could have been disruptive.

“A lot of the bioeconomy is small companies; that’s the real lifeblood of American biotech,” says BIO-ISAC cofounder Charles Fracchia. “Imagine if Moderna got hacked four years ago, even with some totally non-sophisticated malware, or they faced a ransomware attack. Small companies can go bankrupt really easily, and then we lose the work they're doing for the future. I'm very grateful that APL understood the mission of the BIO-ISAC and joined as a founding member. They want to help.”

Information sharing and analysis centers exist for many industries, from financial services to health care. And Charles Frick, a principal staff member at APL, says that the lab has been supporting ISACs and collaborating with them for many years. During the George W. Bush and Barack Obama administrations, Frick says, APL collaborated with the Department of Homeland Security and the National Security Agency to study the most efficient methods for large-scale threat intelligence sharing and security automation. APL participated in a 2018 financial services pilot for automatically screening and processing machine-readable threat intelligence data in which a process that had one taken 14 hours got whittled down to eight minutes.

All of this matters, because digital attacks on critical services and trends in attacks creep up quickly. The more information an organization can not only gather but also share, the better chance others have of defending themselves against similar hacks. APL's funding for the BIO-ISAC will go toward regular operations, including research, information sharing, and public disclosures. And crucially, it will also support incident response services the BIO-ISAC is launching so biotech and biomanufacturing organizations have someone to call if they're dealing with a digital attack or otherwise suspect that something is wrong. The services will be pay what you can to make them accessible to as many organizations as possible. Depending on demand, though, the BIO-ISAC may not have the capacity immediately to respond to every request. But the group hopes to begin filling a crucial gap in the services that are currently available.

“As we start identifying threats, it's a natural fit for us to say, well, we have an existing set of capabilities and skills that can be applied to this area, and we've demonstrated our ability to work with ISACs in collaboration," says Brian Haberman, an APL program area manager. "So this accomplishes our mission of supporting national priorities in a much faster way when you’re not going it alone. It's the biggest bang for your buck."

A few years ago, the idea of designating US election systems as government “critical infrastructure” was controversial to some. The designation simply unlocks funding and expanded resources from US government agencies, including the Cybersecurity and Infrastructure Security Agency, for critical sectors that work in the public interest. But while health care, food, and agriculture industries obviously have critical infrastructure designations that cover parts of the bioeconomy, the sector as a whole doesn't specifically have its own designation. Instead the US government has classified the bioeconomy with a “critical emerging tech” label.  As a result, groups like the BIO-ISAC are working ad hoc in a largely open field.

“The bioeconomy is an emerging sector of our economy if we really want to make meaningful change and impact, now is the time to get involved—not after it’s already this big thing and we try to go in reverse," says Andrew Kilianski, senior director for emerging infectious diseases at the International AIDS Vaccine Initiative. "We’ve done some of these sectors where we try to build out IT infrastructure and cybersecurity defenses later and it doesn’t work well." Kiliansk worked closely with the US government's Covid Operation Warp Speed initiative and a new member of the BIO-ISAC's national security advisory board.

“There's that squishy, beautiful life sciences spirit that, hey, we share everything, we’re open," Kilianski adds. "But now these discoveries have huge commercial value, not just societal value, and that makes all of this even more sensitive.”

The Hidden Race to Protect the US Bioeconomy From Hacker Threats

A vulnerability affecting F-Secure SAFE browser was discovered. A maliciously crafted website could make a phishing attack with address bar spoofing as the address bar was not correct if navigation fails in a loop.

**CVE ID** **DATE ISSUED** **ADVISORY TITLE** **AFFECTED PRODUCTS** CVE-2022-28874 23-May-2022 Multiple Denial-of-Service (DoS) Vulnerabilities All F-Secure endpoint protection products for Windows and Mac CVE-2022-28873  
12-May-2022 Multiple Address Bar Spoofing Vulnerabilities in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 19.0 and below CVE-2022-28872  
12-May-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 19.0 and below CVE-2022-28871 25-Apr-2022 Denial-of-Service (DoS) Vulnerability All F-Secure endpoint protection products for Windows and Mac CVE-2022-28870 14-Apr-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 18.6 and below CVE-2022-28869 14-Apr-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 18.6 and below CVE-2022-28868 14-Apr-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 18.6 and below CVE-2021-44751 25-Mar-2022 F-Secure SAFE Browser vulnerable to USSD attacks F-Secure SAFE Browser for Android Version 18.5 and below CVE-2021-44750 09-Mar-2022 Arbitrary Code Execution F-Secure FREEDOME VPN, F-Secure SAFE, F-Secure KEY, and F-Secure Internet Security/Anti-Virus CVE-2021-44749 03-Mar-2022 Universal Cross-Site Scripting Vulnerability in F-Secure SAFE Browser Protection for Android F-Secure SAFE Browser for Android Version 18.5 CVE-2021-44748 03-Mar-2022 Universal Cross-Site Scripting Vulnerability in F-Secure SAFE Browser Protection for Android F-Secure SAFE Browser for Android Version 18.5

CVE-2022-28872: Security advisories | F-Secure

A vulnerability affecting F-Secure SAFE browser was discovered. An attacker can potentially exploit Javascript window.open functionality in SAFE Browser which could lead address bar spoofing attacks.

**CVE ID** **DATE ISSUED** **ADVISORY TITLE** **AFFECTED PRODUCTS** CVE-2022-28873  
12-May-2022 Multiple Address Bar Spoofing Vulnerabilities in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 19.0 and below CVE-2022-28872  
12-May-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 19.0 and below CVE-2022-28871 25-Apr-2022 Denial-of-Service (DoS) Vulnerability All F-Secure endpoint protection products on Windows and Mac CVE-2022-28870 14-Apr-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 18.6 and below CVE-2022-28869 14-Apr-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 18.6 and below CVE-2022-28868 14-Apr-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 18.6 and below CVE-2021-44751 25-Mar-2022 F-Secure SAFE Browser vulnerable to USSD attacks F-Secure SAFE Browser for Android Version 18.5 and below CVE-2021-44750 09-Mar-2022 Arbitrary Code Execution F-Secure FREEDOME VPN, F-Secure SAFE, F-Secure KEY, and F-Secure Internet Security/Anti-Virus CVE-2021-44749 03-Mar-2022 Universal Cross-Site Scripting Vulnerability in F-Secure SAFE Browser Protection for Android F-Secure SAFE Browser for Android Version 18.5 CVE-2021-44748 03-Mar-2022 Universal Cross-Site Scripting Vulnerability in F-Secure SAFE Browser Protection for Android F-Secure SAFE Browser for Android Version 18.5

Tag

#mac