The CODESYS OPC DA Server prior V3.5.18.20 stores PLC passwords as plain text in its configuration file so that it is visible to all authorized Microsoft Windows users of the system.

%PDF-1.7 %���� 1 0 obj <>/Metadata 374 0 R/ViewerPreferences 375 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 595.32 841.92\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��W�n�6�o�����Q�\_��@b'Y�� /C�j+��X��\[io�C9���2�Z�Цh��;�|�䰪gW٤F�a\]g�/�\]$�r�)�-��,��Y=+�$\]~����y6ͫ���(9M5�������(���Z�� e)�W�JF�BU����\*���u ������-������<������ۛ{o�:��ޣ1=a������c���&V"�,��AEװ�4u |�N����Oh���;�k^"����\`���u\]��mzR��7��XYK�ܠ,S��DX��\]M@U��O.�??�v+��J���H�����(�8����P+|Z��e$��bG�kt\`���l���5����ne�/�1��C 8� �4�U|���~/��c(IY� �~�v�h�KV\\#��oi�cC� R���|x@)��J�Y��{���\`�P��G&1?����.�\\C˔%.��ю�j� 3������ɥ���5�І|��������9i)i�s���|�/�Ydq ��.��O/S�<��?�\[�^���B����\`}�'��Ǉ\\�g�<�����q\]=n����~@�ڨP=�p.:G#%҄�<� b�l�j\[ϖ�of��\_�ço���{�QM8ߎ� t�}o�v�0�1!{�Aw�uH�&� pA�=�|�}uŕ#6���N�{F�>�^���rmj�볜@�V\\.^�A��p�+G4��Uf��\`=�H�)\[r�s�j�a�p�4�BT�\*q�-� eZ<�dYF��śu����r!(�9rG�����Й3�㣕�G�n��"��3 ��#9�����ƾ���H������y�=C,.��˶x�@7Q��%,H<�o�S����s� ,.�s?�Z�ICw7-�ݭ�i\_�+�w�=�����N��}��Α�uѱ��� �#�����i�)�&$�82mZno�\[ϖ���怒���n7�@+�TUܵPIT�̻��P�\[8���0���V$Ha@i���j��C1C$az �����W$.��Q:Eʷ��-τoj/K���/T�\_�rq+ endstream endobj 5 0 obj <> stream ����JFIF\`\`��JExifMM\*2:(\`\`��XICC\_PROFILEHLinomntrRGB XYZ � 1acspMSFTIEC sRGB���-HP cprtP3desc�lwtpt�bkptrXYZgXYZ,bXYZ@dmndTpdmdd��vuedL�view�$lumi�meas$tech0rTRC<gTRC<bTRC<textCopyright (c) 1998 Hewlett-Packard CompanydescsRGB IEC61966-2.1sRGB IEC61966-2.1XYZ �Q�XYZ XYZ o�8��XYZ b����XYZ $����descIEC http://www.iec.chIEC http://www.iec.chdesc.IEC 61966-2.1 Default RGB colour space - sRGB.IEC 61966-2.1 Default RGB colour space - sRGBdesc,Reference Viewing Condition in IEC61966-2.1,Reference Viewing Condition in IEC61966-2.1view��\_.���\\�XYZ L VPW�meas�sig CRT curv #(-27;@EJOTY^chmrw|������������������������� %+28>ELRY\`gnu|����������������&/8AKT\]gqz������������!-8COZfr~���������� -;HUcq~��������� +:IXgw��������'7HYj{�������+=Oat�������2FZn�������  % : O d y � � � � � �  ' = T j � � � � � �"9Qi������\*C\\u����� & @ Z t � � � � �.Id���� %A^z���� &Ca~����1Om����&Ed����#Cc����'Ij����4Vx���&Il����Ae����@e���� Ek���\*Qw���;c���\*R{���Gp���@j���>i���  A l � � �!!H!u!�!�!�"'"U"�"�"�# #8#f#�#�#�$$M$|$�$�% %8%h%�%�%�&'&W&�&�&�''I'z'�'�( (?(q(�(�))8)k)�)�\*\*5\*h\*�\*�++6+i+�+�,,9,n,�,�--A-v-�-�..L.�.�.�/$/Z/�/�/�050l0�0�11J1�1�1�2\*2c2�2�3 3F33�3�4+4e4�4�55M5�5�5�676r6�6�7$7\`7�7�88P8�8�99B99�9�:6:t:�:�;-;k;�;�<'

CVE-2022-1794

We waited three decades for macro blocking...and now it's going away again!
The post Microsoft appears to be rolling back Office Macro blocking appeared first on Malwarebytes Labs.

We’re seeing several reports indicating that Microsoft may have rolled back its decision to block Macros in Office. Currently no official statement exists—the reports rely on a post by a Microsoft employee in the replies of the original article where the plan to block macros was announced.

Earlier this year, Microsoft decided to disable macros downloaded from the Internet in five Office apps, by default. Users trying to open files downloaded from the Internet that contained macros would see a message, with a link to an article explaining the block.

> SECURITY RISK: Microsoft has blocked macros from running because the source of this file is untrusted

Malicious macros have been popular with criminals for more than three decades, and the step was welcomed by the security community. However, some users of Microsoft products have queried a surprising change. Dangerous files downloaded from the internet are _not_ being treated as expected in Office.

**The shifting sands of macro blocking**

Bizarrely, we’ve only experienced a few months of no macro worries as people discover the currently changing situation. A recent comment on the article describing the block mentioned that macro blocking has now been removed in Office Current Channel:

> Is it just me or have Microsoft rolled this change back on the Current Channel?
> 
> I was trying to reproduce the pinkish-red ‘Security Risk… Learn More’ notification in the Message Bar, in preparation for demonstrating the new default behaviour for a YouTube video I’m putting together about my company’s macro-enabled toolkit.
> 
> Created a simple .xlsm to show a MsgBox in the open event of the workbook, saved it and uploaded it to cloud storage, deleted it from my local storage, re-downloaded it from cloud storage (to a non-trusted location, my Downloads library)… did not use the Unblock checkbox on the Properties dialog to remove the mark of the web… then opened up the file.
> 
> It first went into Protected View (expected behaviour), but then after I clicked Enable Editing, instead of getting the pink/red message about macros being blocked altogether, I just got the old ‘Security warning…’ message with the ‘Enable Content’ button. The file’s VBA project wasn’t digitally signed, wasn’t saved to a Trusted Location, and still had the mark of the web on it… so macros should have been blocked.

A response came from someone called Angela Robertson, billed as “A Microsoft employee on the Microsoft Tech Community”:

> Based on feedback received, a rollback has started. An update about the rollback is in progress. I apologize for any inconvenience of the rollback starting before the update about the change was made available.

**Waiting for more information**

At the time of writing, we can’t say what this community feedback is or why it’s been so influential in triggering the apparent decision to disable macro blocking. The response in security circles is somewhat less than enthusiastic, and there’s no new information outside of waiting to see what’s contained in the promised “update”.

Indeed, all we have currently is a second Microsoft post which confirms the rollback:

> …based on feedback, we’re rolling back this change from Current Channel production. We appreciate the feedback we’ve received so far, and we’re working to make improvements in this experience. We’ll provide another update when we’re ready to release again to Current Channel. Thank you.

We will update this article as soon as Microsoft clarifies what exactly is going on.

Microsoft appears to be rolling back Office Macro blocking

A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems.
"Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine," Fortinet FortiGuard Labs researcher Cara Lin said in a report this week.
Tracked as CVE-2022-30190, the

A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems.

"Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine," Fortinet FortiGuard Labs researcher Cara Lin said in a report this week.

Tracked as CVE-2022-30190, the now-patched Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability has come under heavy exploitation in recent weeks ever since it came to light in late May 2022.

The starting point for the latest attack chain observed by Fortinet is a weaponized Office document that, when opened, connects to a Discord CDN URL to retrieve an HTML file ("index.htm") that, in turn, invokes the diagnostic utility using a PowerShell command to download next-stage payloads from the same CDN attachment space.

This includes the Rozena implant ("Word.exe") and a batch file ("cd.bat") that's designed to terminate MSDT processes, establish the backdoor's persistence by means of Windows Registry modification, and download a harmless Word document as a decoy.

The malware's core function is to inject shellcode that launches a reverse shell to the attacker's host ("microsofto.duckdns\[.\]org"), ultimately allowing the attacker to take control of the system required to monitor and capture information, while also maintaining a backdoor to the compromised system.

The exploitation of the Follina flaw to distribute malware through malicious Word documents comes as social engineering attacks relying on Microsoft Excel, Windows shortcut (LNK), and ISO image files as droppers to deploy malware such as Emotet, QBot, IcedID, and Bumblebee to a victim's device.

The droppers are said to be distributed through emails that contain directly the dropper or a password-protected ZIP as an attachment, an HTML file that extracts the dropper when opened, or a link to download the dropper in the body of the email.

While attacks spotted in early April prominently featured Excel files with XLM macros, Microsoft's decision to block macros by default around the same time is said to have forced the threat actors to pivot to alternative methods like HTML smuggling as well as .LNK and .ISO files.

Last month, Cyble disclosed details of a malware tool called Quantum that's being sold on underground forums so as to equip cybercriminal actors with capabilities to build malicious .LNK and .ISO files.

It's worth noting that macros have been a tried-and-tested attack vector for adversaries looking to drop ransomware and other malware on Windows systems, whether it be through phishing emails or other means.

Microsoft has since temporarily paused its plans to disable Office macros in files downloaded from the internet, with the company telling The Hacker News that it's taking the time to make "additional changes to enhance usability."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploiting Follina Bug to Deploy Rozena Backdoor

Security experts criticize company for reversing course, albeit temporarily, on a decision it made just this February to block macros in files downloaded from the Internet.

_Updated 5:19 p.m. EDT to include Microsoft's clarification that the change is temporary._ 

Several security experts expressed disappointment this week at Microsoft's quiet reversal Wednesday of a decision it had announced in February to disable Office macros in files from the Internet. Likely in response, Microsoft on Friday clarified that the rollback is only temporary while the company makes some additional changes to enhance usability.

In a brief — and barely noticeable — update Wednesday to the February announcement, the company originally said it was taking the step because customers wanted it to do so. "Based on feedback, we're rolling back this change from Current Channel," Microsoft said. "We appreciate the feedback we've received so far, and we're working to make improvements in this experience."

On Friday, the company revised the wording to make clear the rollback was not permanent. "This is a temporary change, and we are fully committed to making the default change for all users," Microsoft noted. The update noted that organizations that wanted to could block Internet macros through the Group Policy setting.

Macros allow users to automate commonly repeated tasks in Microsoft applications such as Word, PowerPoint, and Excel. But they have also long been a favorite attack vector for threat looking to deploy ransomware and other malware on Windows systems via phishing emails and other means. As a glaring example: in January 2022, just before Microsoft announced its decision to block macros from running by default, some 31% of all threats that Netskope blocked involved weaponized Office files.

"Macros in Microsoft Office have been a mixed blessing since their inception," says Mike Parkin, senior technical engineer at Vulcan Cyber. "While they provide a lot of functionality that users like and have leveraged in myriad ways, they’ve also been a popular attack vector since they were introduced."

Microsoft's February announcement that they were doing something about macros as an attack vector was welcomed by people in cybersecurity. So, its change of heart now is a bit disappointing, Parkin says. "While Microsoft has not yet said why they are rolling back the change, it seems likely it’s because users have come to depend on the functionality and would rather keep it in spite of the risk."

A Microsoft spokesman pointed Dark Reading to the company's updated update on the rollback when asked for comment.  

**The Macro Threat**

Microsoft itself has noted the threat that macros pose. In fact, as recently as April, the company urged Windows administrators to ensure Office macros are disabled in the environment to protect against macro malware. The company pointed to several ransomware families that attackers had distributed on Windows systems by abusing macros. Because of this, many security experts reacted with enthusiasm when Microsoft announced that macros from the Internet would be blocked by default in Office starting April 2022.

Starting with Office version 2203, users would no longer be able to enable content macros in files from the Internet by clicking a button, Microsoft had said. Instead, when they attempt to open a download or attachment from the Internet, a message would alert users them about the presence of VBA macros in the file and direct them to learn more about the potential risks associated with the file.

The change prompted a noticeable drop in Office-based attacks. According to Netskope, the percentage of Office malware detected by the company's cloud security platform has declined steadily since February 2022 and hovered at less than 10% for the last five months — compared with 35% a year ago.

Microsoft's reversal this week is going to result in a resurgence of Office malware, says Ray Canzanese, director of Netskope Threat Labs. "We are disappointed with the decision," Canzanese says. "Malicious Office documents are a major infiltration vector for attackers, being used to spread backdoors, info stealers, and ransomware."

Microsoft's decision suggests the company decided to prioritize the usability concerns of a vocal minority of customers over the security benefits inherent in disabling macros by default for all Office users, he says. "Instead of having users who preferred the old behavior opt-out of the enhanced security measure, users and admins will now have to opt-in," Canzanese says. "With this reversal, we expect Office documents to regain their previous popularity among attackers."

Ian McShane, vice president of strategy at Arctic Wolf, says disabling Office macros by default was a huge step forward in securing a tried and tested attack path for adversaries. Re-enabling macros now means Office users are less secure today than they were a week ago. McShane says it would have been better for Microsoft to have continued blocking macros by default than leaving it up to organizations to do it. via group policy settings. The multiple steps and settings that are often involved in doing this can be confusing, he says. 

Instead, the better approach would have been to let those who need macros to enable it via group settings. "Opt-in security benefits no one and is dangerous," he says.

Microsoft Reverses Course on Blocking Office Macros by Default

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 1 and July 8. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for July 1 to July 8

Threat actor released decryption keys after abandoning malware to focus on cryptojacking

Adam Bannister 08 July 2022 at 15:40 UTC

Threat actor released decryption keys after abandoning malware to focus on cryptojacking

Malware protection specialist Emsisoft has released free decryption tools for the AstraLocker and Yashma ransomware variants.

The decryptors were recently uploaded to the VirusTotal malware analysis platform by the ransomware’s developer after they reportedly shut down their operation in order to pivot to cryptojacking.

The AstraLocker decryptor and Yashma decryptor join a host of other decryptors made available for free by Emsisoft, a New Zealand-based outfit.

**Using the decryptor**

“Be sure to quarantine the malware from your system first, or it may repeatedly lock

your system or encrypt files,” reads a guide (PDF) on how to use the AstraLocker tool.

For systems compromised via Windows Remote Desktop, users are advised to change passwords for all users permitted to login remotely and check local user accounts for additional accounts the attacker might have added.

Catch up with the latest ransomware news and attacks

By default, the AstraLocker decryptor pre-populates locations selected for decryption from network and connected drives, but users can add other locations before initiating the decryption process.

The decryptor also defaults to leaving encrypted files in place, although users can enable automatic deletion if disk space is an issue.

“Since the ransomware does not save any information about the unencrypted files, the decryptor can’t guarantee that the decrypted data is identical to the one that was previously encrypted,” the guide warns.

**BabyK offspring**

AstraLocker, which emerged in 2021, is seemingly built on Babuk (or BabyK), a variant deployed via a ransomware-as-a-service (RaaS) model, according to a ReversingLabs analysis of the latter’s leaked source code.

Files are encrypted using a modified HC-128 encryption algorithm and Curve25519 cryptographic function, and or extensions are appended to encrypted files.

Yashma – or ‘AstraLocker 2.0’ – harnesses AES-128 and RSA-2048 to encrypt files and appends encrypted files with the extension or a random four-character alphanumeric combination.

According to ReversingLabs, AstraLocker 2.0 is smuggled into networks via malicious Microsoft Office files.

This ‘smash and grab’ attack methodology is suggestive of a low-skill threat actor, argued Joseph Edwards, senior malware researcher at ReversingLabs.

“This underscores the risk posed to organizations following code leaks like that affecting Babuk, as a large population of low-skill, high-motivation actors leverage the leaked code for use in their own attacks.”

RELATED Ransomware market evolution results in fewer variants, but rise in off-the-shelf cybercrime kits continues

AstraLocker ransomware decryptors released by Emsisoft

Latest campaigns are a break from its usual financially motivated attacks and appear aligned with Russian interests, security researchers say.

In a break from precedent, Russia's hitherto purely financially motivated Trickbot threat group has systematically been attacking targets in Ukraine over the past three months, apparently in support of Russian government interests in the region.

Researchers from IBM's X-Force threat intelligence group this week said they had uncovered two campaigns — and analyzed four others that Ukraine’s Computer Emergency Response Team (CERT-UA) disclosed — where Trickbot went after targets in Ukraine. The campaigns began after Russia’s invasion of Ukraine in February and have targeted Ukrainian state authorities, government organizations, specific individuals, and the general population. Several of the attacks have involved phishing emails with various themes designed to grab the attention of Ukrainian users — included some that are war-related.

The attacks highlight an unprecedented shift for Trickbot, and it's notable because threat groups in former Soviet Union states have typically avoided attacking targets in each other’s countries, IBM said.

Prior to the Russian invasion, ITG23, which is the name by which IBM tracks Trickbot, had not been known to target Ukraine. "Much of the group's malware was even configured to not execute on systems if the Ukrainian language was detected," IBM said in a report summarizing its findings this week. "ITG23's campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection."

**Multiple Malware Tools**

IBM said it has observed Trickbot distributing several known malware tools such as IcedID, Cobalt Strike, AnchorMail, and Meterpreter in its attacks on Ukrainian targets. Some of the attacks involved the use of new tools such as a malicious Excel downloader, a self-extracting archive for dropping various malware payloads and a new malware encryption and obfuscation tool.

One of the two Trickbot campaigns that IBM uncovered was in early May. In those attacks, IBM observed the threat actor using a weaponized Excel file to download its AnchorMail backdoor on compromised systems. AnchorMail is a revamped version of Trickbot’s AnchorDNS, a backdoor that members of the closely affiliated Conti group have been using to deploy Conti ransomware. IBM X-Force researchers have previously described the malware as notable for communicating with its command-and-control (C2) server using the DNS protocol.

The second recent Trickbot campaign that IBM X-Force researchers spotted occurred likely in late May or early June. In that campaign, Trickbot actors used an ISO image file — or archive file containing the contents of an optical disk — as part of an attack chain to drop the Cobalt Strike post-exploit attack kit on target system. In June, Trickbot users were observed exploiting the so-called “Follina” zero-day bug in the Windows Microsoft Support Diagnostic Tool (MSDT) to deploy Cobalt Strike.

The campaigns that CERT-UA disclosed, and which IBM X-Force researchers analyzed, involved Trickbot attempts to deploy IcedID, a banking Trojan turned malware distributor; Metasploit attack payload, Meterpreter; and Cobalt Strike. In five of the six observed campaigns, Trickbot actors directly downloaded Cobalt Strike, AnchorMail, or Meterpreter on target systems — another break from their usual habit of deploying these tools as secondary payloads. IBM said the switch suggests "these attacks are part of targeted campaigns during which ITG23 is willing to immediately deploy higher-value backdoors."

IBM described the new malicious Excel downloader that Trickbot is using in the Ukrainian attacks as designed to download malware from a hard-coded URL. The downloader is stored as a macro within the Excel file and runs automatically if the file is opened — provided the user has macros enabled. The new dropper for AnchorMail that IBM observed is in the form of a WinRAR Self Extracting Archive. The dropper is rigged to extract and execute a script for building and configuring AnchorMail on infected systems.

Trickbot is a highly successful threat group that has been around since at least 2016. The group initially used its eponymously named malware to steal credentials to banking accounts. Over the years, the group evolved into a sort of initial access broker and a distributor for several ransomware and malware tools, most notably Conti and Ryuk and Emotet. Trickbot is used variously for stealing data, enabling cryptomining, enumerating systems, and other malicious activities.

Court documents in connection with the arrest of a key member of the group last year showed that nearly 20 cybercriminals — including several malware experts — collaborated in building the malware. A massive 2020 international law enforcement operation to take the threat actor down temporarily disrupted its activities but failed to stop them.

In Switch, Trickbot Group Now Attacking Ukrainian Targets

Acronyms serve as a gatekeeper — if you don't sling the lingo, you don't belong. So here's a quick guide to the letter salad of cloud cybersecurity.

**Question: There are so many cloud security acronyms nobody seems to be spelling out. What do they mean?**

**Answer:** Acronyms are confusing jargon that can often serve as a gatekeeper — if you don't sling the lingo, the thinking goes, you don't belong. But if you're reading this, you _do_ belong in cybersecurity, which has to become more welcoming if we ever hope to close the talent gap. So here's a quick guide to some of the acronyms you may come across when talking about cloud security.

**CDR – Cloud detection and response.** These tools continuously aggregate, normalize, and analyze data provided by SaaS (software-as-a-service) and cloud services about accounts, privileges, configurations, and activity to power insights, situational knowledge, and threat alerts. It provides single-pane visibility into cloud environments while maintaining user context.

**CIEM – Cloud infrastructure entitlement management.** Such tools address the issue of excessive permissions and entitlements to cloud resources. They detect over-permissioned accounts and roles and unused permissions and accounts. Note that this is distinct from SIEM (security information and event management), which analyzes alerts in real time, and CIAM (customer identity and access management), which aims to give users secure access to resources.

**CNAPP – Cloud-native application protection platform.** CNAPP addresses the inevitable increased number of moving parts and interlocking systems in cloud-native applications. Using a modular approach, existing CI/CD (continuous integration and continuous delivery) pipelines and runtime platforms can be extended and updated as better methods are discovered. Leveraging a CNAPP gives you in-depth, multilayered, agent-based, and agentless coverage across all aspects of your environment — everything from proactive validation of workloads to auditing policies on the public cloud platform you're running on. Providing more than just convergence of CIEM, CWPP, and CSPM (read on for more about the latter two), CNAPP allows CISOs (chief information security officers) to see the value that cloud security suites deliver, as opposed to a series of disjoint point solutions needing painstaking integration.

**CSPM – Cloud security posture management.** This refers to a set of controls that detect when your deployed accounts and resources deviate from best practices. CSPM tools embed a variety of standards that allow you to continuously evaluate all cloud accounts and workloads and quickly identify areas of drift and misconfiguration.

**CWPP – Cloud workload protection platform.** These protect workloads and focus on securing the entire application life cycle, providing cloud-based security solutions that protect instances on AWS, Google Cloud Platform, Microsoft Azure, and other cloud vendors' platforms. CWPP focuses on specific application use cases, such as runtime detection, system hardening, vulnerability management, network security, compliance, and incident response.

**SSPM – SaaS security posture management.** Such tools monitor security risks in SaaS applications. SSPM looks for and surfaces misconfigurations, compliance risks, unnecessary or defunct user accounts, excessive user permissions, and other cloud security issues so that security personnel can resolve them.

What Do All of Those Cloud Cybersecurity Acronyms Mean?

Dark Reading's digest of the other don't-miss stories of the week, including a new ransomware targeting QNAP gear, and a destructive attack against the College of the Desert that lingers on.

Cybercrime never sleeps — but editors do. To cap off this short Fourth of July week, Dark Reading's editors are collecting all of the interesting threat intelligence and cyber-incident stories that we just didn't get to earlier but would be remiss to not cover.  

We're talking a critical Cisco vulnerability, a Microsoft alert on upgrades to the Hive ransomware, QNAP issues, and a pair of cyberattacks.

In this week's "in case you missed it" (ICYMI) digest, read on for more about the following:

*   **Critical Cisco Security Vulnerability Allows Root Access to OS**
*   **Hive Ransomware Gets a Rust-y Upgrade**
*   **QNAP Warns on "Checkmate" Ransomware Attacks**
*   **"SHI-eesh": IT Giant Knocked Offline in Coordinated Cyberattack**
*   **California College Remains Offline After Ransomware Hit**

**Critical Cisco Security Vulnerability Allows Root Access to OS**

Cisco has rolled out patches for 10 security bugs, including a critical flaw that could allow cyberattackers to manipulate application source code, or configuration and critical system files.

The critical issue (CVE-2022-20812, CVSS severity score of 9.0) is a path-traversal vulnerability affecting the Cisco Expressway Series software and Cisco TelePresence VCS software, if they are in the default

"A vulnerability in the cluster database API of Cisco Expressway Series and Cisco TelePresence VCS could allow an authenticated, remote attacker with Administrator read-write privileges on the application to conduct absolute path traversal attacks on an affected device and overwrite files on the underlying operating system as a root user," according to the advisory, the latest since Cisco's last bug disclosure in May.

The vulnerability arises thanks to insufficient input validation of user-supplied command arguments, the networking giant noted.

"An attacker could exploit this vulnerability by authenticating to the system as an administrative read-write user and submitting crafted input to the affected command."

**Hive Ransomware Gets a Rust-y Upgrade**

The ransomware-as-a-service (RaaS) offering known as Hive has overhauled its infrastructure, using the programming language Rust.

That's the buzz from Microsoft, whose security researchers noted that Hive is an exemplar of adapting to the rapid change found in the underground economy.

"With its latest variant carrying several major upgrades, Hive also proves it’s one of the fastest-evolving ransomware families, exemplifying the continuously changing ransomware ecosystem," researchers said in a post this week. "The most notable changes include a full code migration to another programming language \[from GoLang to Rust\] and the use of a more complex encryption method."

Rust, a language also used by the BlackCat ransomware, allows advances in coding control, memory usage, resistance to reverse engineering, and access to a range cryptographic libraries, the researchers said.

As for the encryption, "the new Hive variant uses string encryption that can make it more evasive," according to the advisory. “The constants that are used to decrypt the same string sometimes differ across samples, making them an unreliable basis for detection.”

**QNAP Warns on "Checkmate" Ransomware Attacks**

QNAP, the network-attached storage (NAS) vendor, is flagging activity against its devices that results in the execution of the Checkmate ransomware.

The cyberattackers are specifically targeting SMB file-sharing services exposed to the Internet, using a dictionary attack to break accounts with weak passwords.

"Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name '!CHECKMATE\_DECRYPTION\_README' in each folder," according to QNAP's advisory this week. It added, "We are thoroughly investigating the case and will provide further information as soon as possible."

Customers of the Taiwan-based appliance maker have been suffering ongoing, relentless ransomware activity — which Dark Reading broke down earlier this week (along with potential defenses) in an extensive roundtable of experts.

To protect their businesses and avoid a ransomware checkmate, users should avoid exposing the SMB service to the internet and should employ strong passwords in any event.

**"SHI-eesh": IT Giant Knocked Offline in Coordinated Cyberattack**

IT-supplier bigwig SHI International said this week that it was the target of "a coordinated and professional malware attack."

The New Jersey-based vendor, which has 5,000 employees and 15,000 customers around the world, said that it moved quickly to stop the infection and minimize the impact on SHI’s systems and operations. That meant that some systems, such as SHI’s public websites and email, were knocked offline "while the attack was investigated and the integrity of those systems was assessed."

The SHI staff regained access to email, but as of Thursday the main website was still not operational. The company said in a website notice that IT teams continue to work to bring other systems back online.

It's unclear what the cyberattackers' goal was, but some researchers noted that a supply chain compromise attempt is a real possibility.

“Apart from being a large enterprise, SHI is a major software and hardware provider to several Fortune 500 companies, and while there is no evidence regarding third-party suppliers getting breached or customer data getting exfiltrated, this is certainly too close for comfort for many of their customers," Rajiv Pimplaskar, CEO at Dispersive Holdings, said via email.

**California College Remains Offline After Ransomware Hit**

As the latest example of what happens when IT isn't prepared for a hit, the 12,500-student College of the Desert, a community college in Palm Desert, Calif., remains offline after suffering which researchers suspect was a ransomware attack.

The cyberattack brought down the school's online services and campus phone lines on July 4. As of late Thursday, the school's website still returned a notice that it "is currently experiencing a system-wide outage of most services," including the ability for students to request transcripts, add or drop classes, or register for classes.

"Educational institutions have continued to be a prime target for ransomware groups over the last couple of years," says Josh Rickard, senior security solutions architect at Swimlane, noting that this is the second time College of the Desert has been hit with a malware attack; the first incident took place in August 2020. "To prevent similar attacks in the future and ensure that operations continue to run smoothly, education institutions such as College of the Desert need to devote more resources to information security teams, tools, processes, and products."

Rickard suspects the incident was ransomware due to the severe operational disruption, but it should be noted that College of the Desert has not confirmed that, admitting only to a "computer network disruption."

ICYMI: Critical Cisco RCE Bug, Microsoft Breaks Down Hive, SHI Cyberattack

Five months after announcing plans to disable Visual Basic for Applications (VBA) macros by default in the Office productivity suite, Microsoft appears to have rolled back its plans.
"Based on feedback received, a rollback has started," Microsoft employee Angela Robertson said in a July 6 comment. "An update about the rollback is in progress. I apologize for any inconvenience of the rollback

Five months after announcing plans to disable Visual Basic for Applications (VBA) macros by default in the Office productivity suite, Microsoft appears to have rolled back its plans.

"Based on feedback received, a rollback has started," Microsoft employee Angela Robertson said in a July 6 comment. "An update about the rollback is in progress. I apologize for any inconvenience of the rollback starting before the update about the change was made available."

In February 2022, the tech giant said it was disabling macros by default across its products, including Word, Excel, PowerPoint, Access, and Visio, for documents downloaded from the web in an attempt to mitigate potential attacks that abuse the functionality for deploying malware.

"Bad actors send macros in Office files to end users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe including malware, compromised identity, data loss, and remote access," Microsoft noted at the time.

It's not immediately clear what the "feedback" was or what prompted Redmond to reverse course without any official notice. We have reached out to Microsoft for further comment, and we will update the story if we hear back.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#microsoft