Sopra Steria... Ryuked... Services down

IT services provider Sopra Steria has confirmed that it was hit by a “new version” of the Ryuk ransomware that was “previously unknown to antivirus software providers and security agencies”.

The French-headquartered company detected the cyberattack on 20 October and made it public the following day.

Reports pointed to hackers using Ryuk ransomware to target Sopra Steria’s Active Directory infrastructure. This saw some IT systems encrypted and payment demanded to unlock them.

Sopra Steria said it has made the virus signature of the new Ryuk ransomware strain available to “all antivirus software providers” so that they can update their defences.

Sopra Steria said that the ransomware attack was launched “a few days before it was detected”, which meant the virus was contained to a “limited part of the Group’s infrastructure”.

It has been revealed that Ryuk operators exploited the Netlogon vulnerability CVE-2020-1472, which hits domain controllers, and exfiltrated data. Microsoft released the patch for this vulnerability in August.

The company, which provides IT outsourcing services to the NHS and Home Office, said it has not identified any leaked data or damage to client networks.

It may take a few weeks for services to be back up across geographies.

Lockbit strikes PTI

The computer server of India’s leading news organization, Press Trust of India (PTI), was attacked late Saturday night by ransomware, disrupting news service across the country for several hours.

A ransom was demanded from PTI after the cyber attack. However, the news organization's work resumed after about 12 hours of effort by IT engineers.

A PTI spokesperson said that its servers across the country were attacked by ransomware called Lockbit at 10.00 pm on Saturday. The virus encrypted all data and applications, disrupting its news service.

The origin of the virus is not known, nor was it a deliberate attack. However, a ransom was demanded to return encrypted data after the attack.

A PTI spokesperson said that the work of the news institute was back to normal from 9 am on Sunday after a 12-hour struggle by PTI’s IT engineers. The company did not pay the ransom to the attackers.

According to a recent survey by cybersecurity company Sophos, ransomware attacks have increased over the years. Eighty-two percent of companies surveyed acknowledged being hit by ransomware attacks between January and June this year.

Only 8 percent of companies were able to stop an attack before their data was encrypted, compared to the global average of 24 percent. Only one-third of Indian companies said they were able to recover encrypted data from backups, while 66 percent said they would have to pay a ransom to recover data.

Chrome Zero-day! Goes Wild

A new Chrome version has been released to patch a zero-day: the stable version 86.0.4240.111.

The reason for making sure you’ve got this particular update is not only that five security bugs have been patched, including one buffer overflow and three use-after-free vulnerabilities, but also that one of these bugs, designated CVE-2020-15999, is already known to attackers.

As the update notification states, “Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild.”

The bug is described as a heap buffer overflow in Freetype, where Freetype is an open source font rendering software toolkit that allows programmers to support the use of all sorts of modern font files and formats in their applications.

Many web pages these days include special versions of the fonts they need – a corporate typeface, for instance – and these files, known as WOFFs, short for Web Open Font Format, are downloaded into your browser to use as required.

WOFF files are used not only so that websites can rely on fonts that a user is unlikely already to have installed, but also so that they can depend on access to a specific version of a font that supports particular characters or character sets that might otherwise be missing or display incorrectly.

We’re guessing, therefore, that this bug could be exploited by luring you to a web page that contained an innocent-looking but booby-trapped font file that deliberately triggered the bug, either when the font was loaded or when specific text was displayed.

Despite an attack already being known in the wild, Google has included its customary notification that the update will “roll out over the coming days/weeks”, presumably because some Chrome users may be dependent on a vendor to push out fixes.
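The risk of parsing untrusted font files, shown from the defensive side as an added example (not from the original article, Chrome or FreeType): a structural check of the WOFF 1.0 container that rejects length and offset fields pointing outside the file. It does not detect CVE-2020-15999 itself; `check_woff` and `build_sample` are hypothetical names and the sample bytes are constructed.

```python
import struct

WOFF_HEADER = struct.Struct(">4sIIHHIHHIIIII")  # 44-byte WOFF 1.0 header
WOFF_ENTRY = struct.Struct(">4sIIII")           # 20-byte table directory entry


def check_woff(data: bytes) -> list[str]:
    """Return structural problems; an empty list means the container is consistent.
    Metadata/private blocks and the compressed table contents are not inspected."""
    if len(data) < WOFF_HEADER.size:
        return ["file shorter than the 44-byte header"]
    (sig, _flavor, length, num_tables, reserved, _sfnt_size,
     _major, _minor, *_meta_priv) = WOFF_HEADER.unpack_from(data, 0)
    if sig != b"wOFF":
        return ["bad signature (not WOFF 1.0)"]
    problems = []
    if length != len(data):
        problems.append(f"header length {length} != actual size {len(data)}")
    if reserved != 0:
        problems.append("reserved field is not zero")
    dir_end = WOFF_HEADER.size + num_tables * WOFF_ENTRY.size
    if num_tables == 0 or dir_end > len(data):
        problems.append("table directory is empty or runs past end of file")
        return problems
    for i in range(num_tables):
        tag, offset, comp_len, orig_len, _checksum = WOFF_ENTRY.unpack_from(
            data, WOFF_HEADER.size + i * WOFF_ENTRY.size)
        name = tag.decode("latin-1")
        # Every table must lie after the directory and inside the file.
        if offset < dir_end or offset + comp_len > len(data):
            problems.append(f"table {name!r}: data range outside file")
        # WOFF stores a table uncompressed if compression would not shrink it.
        if comp_len > orig_len:
            problems.append(f"table {name!r}: compLength > origLength")
    return problems


def build_sample(comp_len: int = 8, declared_length=None) -> bytes:
    """Constructed one-table WOFF container for the demo (not a usable font)."""
    payload = b"\x00" * 8
    total = WOFF_HEADER.size + WOFF_ENTRY.size + len(payload)
    header = WOFF_HEADER.pack(b"wOFF", 0x00010000, declared_length or total,
                              1, 0, 0, 1, 0, 0, 0, 0, 0, 0)
    entry = WOFF_ENTRY.pack(b"glyf", WOFF_HEADER.size + WOFF_ENTRY.size,
                            comp_len, 8, 0)
    return header + entry + payload
```
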

GravityRAT affects mobile devices

GravityRAT is a malware strain known for checking the CPU temperature of Windows computers to avoid being executed in sandboxes and virtual machines.

The GravityRAT Remote Access Trojan (RAT) is believed to be the work of Pakistani hacker groups; it has been under development since at least 2015.

Malware researchers found the new Android GravityRAT sample in 2019. The hackers had added a spy module to Travel Mate, an Android app for travelers to India, the source code of which is available on GitHub.

The tainted app is able to steal contacts, emails, and documents from the infected device, then send them back to the command-and-control server. The C&C server was also associated with two other malicious apps targeting the Windows and macOS platforms.

The spyware is able to get information about the system and support multiple features, including:

  • search for files on the computer and removable disks with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods, and upload them to the server
  • get a list of running processes
  • intercept keystrokes
  • take screenshots
  • execute arbitrary shell commands
  • scan ports

The malware was distributed via clones of legitimate apps that act as downloaders for the GravityRAT payloads.

The applications analyzed by Kaspersky were developed in .NET, Python and the Electron framework; they achieve persistence by adding a scheduled task.

Threat actors tricked the victims into installing a malicious app disguised as a secure messenger in order to continue the conversation and proceed with the infection.

What is peculiar about this GravityRAT is that it no longer infects only Windows, but now Android and iOS devices too.
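A detection-side view of the document search-and-upload behaviour in the list above, as an added example that is not from the original article or from Kaspersky's analysis: a process that opens many of the listed document types within seconds is unusual for an ordinary viewer or editor. The telemetry format, the process names and the thresholds (`window_s`, `min_kinds`) are assumptions made for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions the article says the spyware searches for and uploads.
TARGET_EXTS = {".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx",
               ".pdf", ".odt", ".odp", ".ods"}

# Constructed file-open telemetry: (epoch seconds, pid, process image, path opened).
SAMPLE_EVENTS = [
    (1000, 410, "WINWORD.EXE", r"C:\Users\a\Documents\plan.docx"),
    (1030, 410, "WINWORD.EXE", r"C:\Users\a\Documents\notes.docx"),
    (2000, 977, "updater.exe", r"E:\tender.pdf"),
    (2001, 977, "updater.exe", r"E:\budget.xlsx"),
    (2002, 977, "updater.exe", r"C:\Users\a\Desktop\brief.pptx"),
    (2003, 977, "updater.exe", r"C:\Users\a\Documents\plan.docx"),
    (2004, 977, "updater.exe", r"C:\Users\a\Documents\cv.odt"),
    (9000, 977, "updater.exe", r"C:\Users\a\Documents\old.doc"),
]


def find_harvesters(events, window_s=30, min_kinds=4):
    """Map (pid, image) -> most distinct target extensions opened in any
    window_s-second span, for processes reaching at least min_kinds."""
    by_proc = defaultdict(list)
    for ts, pid, image, path in events:
        ext = PureWindowsPath(path).suffix.lower()
        if ext in TARGET_EXTS:
            by_proc[(pid, image)].append((ts, ext))
    flagged = {}
    for proc, hits in by_proc.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= window_s seconds.
            while hits[end][0] - hits[start][0] > window_s:
                start += 1
            kinds = {ext for _, ext in hits[start:end + 1]}
            if len(kinds) >= min_kinds:
                flagged[proc] = max(len(kinds), flagged.get(proc, 0))
    return flagged
```
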