Unscheduled emergency patches! To be patched

Microsoft has released two unscheduled security updates to address remote code execution (RCE) bugs affecting the Windows Codecs Library and Visual Studio Code users. The first vulnerability, tracked as CVE-2020-17022, affects users running Windows 10 version 1709 or later, while the second, CVE-2020-17023, affects the Visual Studio Code app.

The company has rated the severity of both vulnerabilities as “important”; both are now fixed by the security updates.

Starting with the CVE-2020-17022 vulnerability, Microsoft explains that the bug exists in the way that “Microsoft Windows Codecs Library handles objects in memory.” Attackers could take advantage of the vulnerability when users open “malicious images” planted on their system by the attacker. However, only users who installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from the Microsoft Store are affected. Users can check whether the system has the HEVC codec by heading to Settings > Apps > Features > HEVC > Advanced Options.
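For administrators who need to check more than one machine or account, the same question (is the optional HEVC codec installed, and at which version) can be answered from PowerShell. The script below is an added example and is not from the article or from Microsoft; it assumes that the two Store codec packages are named Microsoft.HEVCVideoExtension (the Store listing) and Microsoft.HEVCVideoExtensions (“HEVC from Device Manufacturer”), and because the article does not state the fixed build number, `$PatchedVersion` is a placeholder to be replaced with the version given in the MSRC advisory for CVE-2020-17022.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): inventory the optional HEVC codec packages
# that CVE-2020-17022 applies to, for every user profile on this machine.

# PLACEHOLDER: replace with the fixed package version from the MSRC advisory.
$PatchedVersion = [version]'0.0.0.0'

# Assumption: both Store codec packages share the "Microsoft.HEVCVideoExtension" prefix
# (Microsoft.HEVCVideoExtension and Microsoft.HEVCVideoExtensions).
$hevcPackages = Get-AppxPackage -AllUsers -Name 'Microsoft.HEVCVideoExtension*'

if (-not $hevcPackages) {
    Write-Output 'No HEVC codec package is installed; CVE-2020-17022 does not apply to this machine.'
    return
}

foreach ($pkg in $hevcPackages) {
    # Each PackageUserInformation entry names a user profile the package is installed for.
    $users = ($pkg.PackageUserInformation | ForEach-Object { $_.UserSecurityId.Username }) -join ', '

    $status = if ([version]$pkg.Version -ge $PatchedVersion) {
        'at or above placeholder version'
    } else {
        'NEEDS UPDATE via Microsoft Store'
    }

    [pscustomobject]@{
        Package = $pkg.Name
        Version = $pkg.Version
        Users   = $users
        Status  = $status
    }
}
```

Run it in an elevated PowerShell session (the `-AllUsers` switch requires administrator rights). Because the fix ships through the Microsoft Store rather than Windows Update, a package reported as needing an update is refreshed from the Store’s “Downloads and updates” page, after which the script can be re-run to confirm the new version.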

The second vulnerability, CVE-2020-17023, impacting Visual Studio Code, is exploited by tricking users into opening a malicious ‘package.json’ file. Once the file is loaded in Visual Studio Code, the attacker can execute malicious code. The severity of this vulnerability also depends on the permissions of the user running Visual Studio Code: “If the current user is logged on with administrative user rights, an attacker could take control of the affected system.”

Meanwhile, the company also released its monthly security update (the October security patch), which fixed 87 vulnerabilities across a wide range of Microsoft products.

Haldiram’s, renowned snack maker, hit by unknown attackers

Hackers have allegedly stolen crucial data of the popular food and snack company Haldiram’s and have demanded Rs 7,50,000.

The unidentified accused hacked the server of the company, based in the industrial Sector 62 of Noida, in what is described as a possible ransomware attack.

The cyber attack took place on the intervening night of October 12 and 13, and the hackers may have stolen the “entire or substantial data” of the company, which runs several restaurants and outlets.

The complaint made by a Haldiram’s official said that an IT official of Haldiram’s subsequently accessed the firewall programme on the company’s servers and found traffic originating from the servers towards certain IP addresses.

The officials of the company found that some programme was being executed on the aforementioned servers and that all the data of the company was being diverted out of the company’s servers. Before the entire connection could be disconnected, substantial data had been exfiltrated.

The company said its official raised a complaint with its data security and cyber security firm, Trend Micro, and alleged that all files and sensitive data of the firm had been encrypted by the hacker, thereby preventing its officials from interacting with their files, data, applications and systems.

It said that the hackers, in furtherance of a pre-planned criminal conspiracy, not only stole data from the servers and systems of the company but also contacted company officials through certain servers to illegally extort money in return for restoring access to the company’s own data and deleting the stolen data from the servers and systems.

The data includes, but is not limited to, financial, HR, sales/purchase and other data and information.

FIN11, email campaign on the go

FIN11, a financially motivated hacker group, has been launching successful hybrid extortion attacks across the Commonwealth of Independent States (CIS) countries. It is believed that the FIN11 operators have changed their TTPs to cover a diverse set of sectors and geographic regions.

Hybrid extortion attacks

Recently, the group has switched from large-scale phishing campaigns to ransomware attacks.

  • FIN11 has shifted its primary monetization method to ransomware deployment, combined with data theft, to pressure its victims into accepting the extortion demands.
  • The report connects the FIN11 group with several dropper families, such as SPOONBEARD, FORKBEARD, and MINEDOOR, used to drop a variety of associated payloads (AndroMut, AZORult, CLOP, FlawedAmmyy, FRIENDSPEAK, Meterpreter, MIXLABEL) onto its victims.

FIN11 & TA505 Collaboration

The researchers draw a distinction between FIN11 and TA505 despite the significant overlap in tactics, techniques, and malware used by both hacker groups. This indicates that some earlier attacks attributed to TA505 were actually carried out by FIN11. It is suspected that FIN11 is a smaller part of the bigger TA505 umbrella family.

Attack strategy

The FIN11 group lures its targets into downloading a malicious Microsoft Office attachment to start an infection chain. The chain creates multiple backdoors into compromised systems, with the capability to grab admin credentials and move laterally across networks.

Recent FIN11 highlights

The group has incorporated additional delivery techniques, which it switches almost on a monthly basis, while also continuing to use techniques from prior campaigns.

  • FIN11 implemented new evasion techniques to selectively choose which victims (mostly Germany-based) were redirected to domains that delivered malicious Office files.
  • The threat actor continued to modify its delivery tactics during Q3 2020; the changes were relatively minor, such as requiring victims to complete a CAPTCHA challenge before being served an Excel spreadsheet with malicious macro code.

Concluding notes

The tactics adopted by FIN11, including data theft and extortion aimed at increasing the pressure on victims, suggest that its motivations are exclusively financial. FIN11 is expected to continue launching hybrid extortion attacks for more effectiveness and financial

Ransomware gangs collaborating with network access sellers. Deadly combo 👹

The Accenture Cyber Threat Intelligence team has outlined a trend of collaboration between network access sellers and ransomware gangs. Cybercriminals are increasingly offering initial network access to already-compromised companies, which ransomware gangs then use.

Deadly deals

Researchers have warned that hackers have been seen selling credentials for RDP connections, Citrix, and Pulse Secure VPN clients to ransomware groups such as Avaddon, Exorcist, Lockbit, Maze, NetWalker, and Sodinokibi.

  • Ransomware operators get direct access to corporate and government networks and can therefore concentrate on establishing persistence and moving laterally.
  • The network access sellers have been observed using attack vectors such as remote working tools, zero-day exploits, or malware such as the Cerberus Trojan to obtain corporate network access.
  • The network access credentials are usually offered for between $300 and $10,000, depending on the size and revenue of the victim.

The destructive relationship

Accenture has tracked more than 25 persistent network access sellers, as well as the occasional one-off seller, with more entering every week.

  • In August, four actors were seen using the source code of the Cerberus Trojan to obtain corporate and government network access credentials, which they sold to other cybercrime groups for a handsome profit.
  • In July, the threat actor Frankknox aborted the sale of a self-developed zero-day targeting a well-known brand of mail server and instead began exploiting the vulnerability to gain corporate network access to multiple victims. By September, Frankknox had advertised access to 36 corporations for between $2,000 and $20,000, of which at least 11 they claim to have sold.