Maze… In the limelight for a long time

The Maze ransomware group has been amongst the most active and fastest-growing ransomware actors. In around one year, it has targeted a number of large organizations, including the digital printing solutions provider Xerox Corporation, Cognizant, and others within the past few months.

Top targeted sectors

Based on the confirmed attack incidents revealed lately, there were a total of nine notable attacks on organizations across different sectors, the majority of them in IT and healthcare.

IT seems to be the favorite targeted sector, with three victims – Lectra (a France-based technology company), Westech International Inc. (a New Mexico-based logistics and IT services provider), and Xerox (a Connecticut-based IT, digital and print solutions provider).

Maze carried out two attacks on organizations in the healthcare sector – Regis Aged Care Pty Ltd (Australia) and the Montana Veterans Affairs Health Care System (USA).

Maze also targeted the Thailand-based food and beverage manufacturer ThaiBev, Sydney-based strata management firm Strata Plus, the National Highways Authority Of India (NHAI), and the Texas foundry group X-FAB, suggesting that Maze attacks are not specific to a particular field of interest or geographical area.

Mode of operation

Although the initial attack vector for these attacks is not completely understood, the Maze group has now made it a practice to exfiltrate the entire target system's data before encrypting it.
In several cases, such as Regis Aged Care and NHAI, the attackers released around 5% of the data upfront to prove the breach, and hence pressure the firms to quickly pay the ransom.

Recent History

Within the past few months, Maze operators have been busy strengthening their tie-ups and association with other threat groups as well.

At the beginning of June 2020, Maze operators were seen hosting and promoting data stolen by the LockBit gang, which hints at a cartel of ransomware operations between them.
Very soon, Ragnar Locker also joined their cartel.

Key takeaways

Looking at its pace, Maze operators have emerged as a consistent threat group to watch out for. Although there is no sure-fire way to ensure 100% security, organizations can reduce the risk and extent of damage by ensuring proper security measures, such as using strong passwords, multi-factor authentication, and regular backups of their data.

2020-08 Patch Tuesday: 2 zero-days fixed, exploited in the wild

  • Microsoft has plugged 120 flaws, two of which are being exploited in attacks in the wild
  • Adobe has delivered security updates for Adobe Acrobat, Reader and Lightroom
  • Apple has released updates for iCloud on Windows
  • Google has updated Chrome with security fixes

Microsoft’s updates

Microsoft has released patches for 120 CVEs, 17 of which are critical and the rest important. One (CVE-2020-1464) is publicly known and being actively exploited, and another (CVE-2020-1380) is also under attack.

CVE-2020-1464 allows an attacker to bypass security features intended to prevent improperly signed files from being loaded, and affects all supported versions of Windows, so patching it should definitely be a priority.

“CVE-2020-1464 is proof that security organizations should not be making their patching decisions solely off the CVSS score and severity rating and instead should be approaching all the security vulnerabilities as a gap in their attack surface, welcoming any malicious player into their network.”

“Coming in only at a CVSS of 5.3, this spoofing vulnerability has been reported exploited in both legacy and newer versions of Windows and Windows Server, which is more worrisome as 25% of connected Windows devices are still running Windows 7.”

CVE-2020-1380 is a bug in Internet Explorer's scripting engine and allows code execution on a system running a vulnerable version of the browser.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine,” Microsoft explained.

“The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”

This flaw is also under active attack, so IE users should be protected against it as soon as possible.

Trend Micro Zero Day Initiative’s Dustin Childs also singled out CVE-2020-1472, a NetLogon Elevation of Privilege Vulnerability, as very important to patch quickly.

“A vulnerability in the Netlogon Remote Protocol (MS-NRPC) could allow attackers to run their applications on a device on the network. An unauthenticated attacker would use MS-NRPC to connect to a Domain Controller (DC) to obtain administrative access.”

“[The patch released today] enables the DCs to protect devices, but a second patch currently slated for Q1 2021 enforces secure Remote Procedure Call (RPC) with Netlogon to fully address this bug. After applying this patch, you’ll still need to make changes to your DC.

“There are many non-Windows device implementations of the Netlogon Remote Protocol (also called MS-NRPC). To ensure that vendors of non-compliant implementations can provide customers with updates, a second release that is planned for Q1 2021 will enforce protection for all domain-joined devices,” Microsoft has added.
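One way to see where a patched DC stands before the Q1 2021 enforcement phase, as an added PowerShell example that is not from the article or from Microsoft: it reads the Netlogon enforcement registry value and counts the Netlogon events that the August patch starts logging. The registry value name and event IDs are taken from Microsoft's CVE-2020-1472 guidance (KB4557222), not from the article, and the script assumes it is run elevated on a domain controller.

```powershell
# Added example (not from the article): audit a patched DC's Netlogon
# secure-channel enforcement state and list machine accounts still making
# vulnerable connections. Assumes an elevated session on a DC.
# Registry value and event IDs: Microsoft KB4557222 (CVE-2020-1472 guidance).

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$valueName = 'FullSecureChannelProtection'

# 1 = enforcement mode (what the Q1 2021 update turns on for everyone);
# 0 or absent = vulnerable connections from non-compliant devices still allowed.
$current = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -ne $current -and $current.$valueName -eq 1) {
    Write-Output 'Netlogon enforcement mode: ON'
} else {
    Write-Output 'Netlogon enforcement mode: OFF (vulnerable connections still permitted)'
}

# Event 5829 = a vulnerable Netlogon secure channel connection was ALLOWED;
# 5827/5828 = such a connection was DENIED. Every 5829 names a device that
# must be fixed (or explicitly exempted) before enforcement is switched on.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 5827, 5828, 5829
    StartTime = $since
} -ErrorAction SilentlyContinue

$events | Group-Object Id | ForEach-Object {
    '{0} event(s) with ID {1} since {2:u}' -f $_.Count, $_.Name, $since
}

# Machine accounts behind allowed-but-vulnerable connections.
# Assumption: the first inserted string of event 5829 is the machine
# SamAccountName, as in Microsoft's event description.
$events | Where-Object Id -eq 5829 |
    ForEach-Object { $_.Properties[0].Value } |
    Sort-Object -Unique
```

If the list of 5829 accounts is empty for a full week, the DC can be moved to enforcement mode ahead of the Q1 2021 update without breaking any domain-joined device.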

Other critical vulnerabilities have been fixed in the .NET Framework, Media Foundation, Microsoft Edge, the Windows Codecs Library, the MSHTML Engine, the Scripting Engine, Windows Media, and Outlook.

The provided Outlook updates should also be quickly implemented, as they fix two vulnerabilities – an RCE and an information disclosure bug – that could be triggered from the Preview Pane.

As announced last week, Microsoft has also delivered today a fix for CVE-2020-1337, a privilege escalation vulnerability in the Windows Print Spooler service, which affects all the Windows releases from Windows 7 to Windows 10 (32 and 64-bit). The researchers who unearthed it have promised to publish a PoC exploit this week.

Keep your machines updated to escape these exploits before they go wild…

Agent Tesla: upgraded and more sophisticated at stealing

The upgraded version of the Agent Tesla remote access Trojan now comes with modules dedicated to stealing credentials from applications including popular web browsers, VPN software, as well as FTP and email clients.

Agent Tesla is a commercially available .NET-based infostealer with both remote access Trojan (RAT) and keylogging capabilities, active since at least 2014.

This malware is currently very popular with business email compromise (BEC) scammers who use it to infect their victims for recording keystrokes and taking screenshots of compromised machines.

It can also be used for stealing victims' clipboard contents, for collecting system information, and for killing anti-malware and software analysis processes.

Credentials are not so safe

After analyzing recently collected samples of the infostealer malware, Walter discovered dedicated code used for collecting both app configuration data and user credentials from multiple applications.

“The malware has the ability to extract credentials from the registry as well as related configuration or support files.”

Google Chrome, Chromium, Safari, Brave, FileZilla, Mozilla Firefox, Mozilla Thunderbird, OpenVPN, and Outlook are just a small sample of all the apps targeted by the latest Agent Tesla RAT variants.

Once it harvests credentials and app config data, the infostealer delivers them to its command-and-control (C2) server via FTP or SMTP using credentials bundled within its internal configuration.

“Current variants will often drop or retrieve secondary executables to inject into, or they will attempt to inject into known (and vulnerable) binaries already present on targeted hosts.”
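The FTP/SMTP exfiltration and the injection into existing binaries described above leave a simple network signature: a process that is not a mail or FTP client opening outbound connections on mail or FTP ports. As an added PowerShell example that is not from the article or from any vendor, the following runs that check over a constructed sample of Sysmon Event ID 3 (network connection) fields; the allow-list of client process names and the sample records are assumptions made for this example.

```powershell
# Added example (not from the article): flag outbound FTP/SMTP connections
# from processes that are not known mail/FTP clients, the pattern produced
# by Agent Tesla's FTP/SMTP exfiltration (including when it has injected
# into a legitimate binary). Sample input is constructed, not real telemetry.

$allowedSenders = @('outlook.exe', 'thunderbird.exe', 'filezilla.exe')  # assumption
$exfilPorts     = @(21, 25, 465, 587)   # FTP, SMTP, SMTPS, submission

# Constructed records in the shape of a Sysmon Event ID 3 CSV export.
# Addresses are from documentation ranges (TEST-NET), not real hosts.
$sample = @'
UtcTime,Image,DestinationIp,DestinationPort,User
2020-08-12 09:14:03,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE,203.0.113.10,587,CORP\alice
2020-08-12 09:15:41,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe,198.51.100.7,587,CORP\alice
2020-08-12 09:16:02,C:\Users\alice\AppData\Roaming\invoice.exe,198.51.100.7,21,CORP\alice
2020-08-12 09:17:30,C:\Program Files\FileZilla FTP Client\filezilla.exe,192.0.2.44,21,CORP\bob
'@

$records = $sample | ConvertFrom-Csv

# A hit is: destination port is a mail/FTP port AND the image's file name
# is not on the allow-list. Comparison is case-insensitive on the leaf name.
$suspicious = $records | Where-Object {
    ([int]$_.DestinationPort -in $exfilPorts) -and
    ((Split-Path $_.Image -Leaf).ToLower() -notin $allowedSenders)
}

# Report each hit with the process, destination and user for triage.
$suspicious | ForEach-Object {
    '{0}  {1}  ->  {2}:{3}  ({4})' -f $_.UtcTime, $_.Image, $_.DestinationIp, $_.DestinationPort, $_.User
}
```

On the constructed sample this reports the RegSvcs.exe and invoice.exe connections and ignores Outlook and FileZilla; in production, feed it real Sysmon exports and tune the allow-list to the mail and FTP clients your organization actually deploys.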

Agent Tesla is one of the most actively used malware strains in attacks targeting both businesses and home users, as shown by the list of the top 10 malware strains analyzed on the interactive malware analysis platform Any.Run during the last week.

While far behind Emotet in the number of samples submitted for analysis on the platform, Agent Tesla takes second place in last week’s threats by the number of uploads.

Conclusion

Nothing is safe until a proper process is put in place to oversee security.

ManageEngine hit with a critical flaw

A critical vulnerability (CVE-2020-11552) in ManageEngine ADSelfService Plus, an Active Directory password-reset solution, could allow attackers to remotely execute commands with system-level privileges on the target Windows host.

CVE-2020-11552

ManageEngine ADSelfService Plus is developed by ManageEngine, a division of Zoho Corporation, a software development company that focuses on web-based business tools and information technology.

“ADSelfService Plus supports self-service password reset for WFH and remote users by enabling users to reset Windows password from their own machines and updating the cached credentials through a VPN client,” the company touts.

It also supports sending password expiration notifications to remote users through email, SMS, and push notifications; provides admins with a way to force 2-factor authentication for Windows logons; and provides users with secure access to all SAML-supported enterprise applications (e.g., Office 365, G Suite, Salesforce) through AD-based single sign-on.

The ManageEngine ADSelfService Plus thick client software enables users to perform a password reset or an account unlock action by using the self-service option on the Windows login screen. When one of these options is selected, the client software is launched and connects to a remote ADSelfService Plus server to facilitate the self-service operations.

“A security alert can/will be triggered when ‘an unauthenticated attacker having physical access to the host issues a self-signed SSL certificate to the client’. Or, ‘a (default) self-signed SSL certificate is configured on ADSelfService Plus server’.

“‘ViewCertificate’ option from the security alert will allow an attacker with physical access or a remote attacker with RDP access, to export a displayed certificate to a file. This will further cascade to the standard dialog/wizard which will open file explorer as SYSTEM. By navigating file explorer through ‘C:\windows\system32\’, a cmd.exe can be launched as SYSTEM.”

ManageEngine patched CVE-2020-11552 twice, because the first patch only fixed the issue partially. Admins are advised to upgrade to ADSelfService Plus build 6003, which contains the complete security fix.