Overview of security incidents for the period from 3 to 9 July 2021

[D2]

The outgoing week turned out to be very eventful in the world of information security - massive attacks by the REvil ransomware, attacks by APT groups, hacking of the National Committee of the Republican Party and an attack on the social network of Donald Trump's supporters are only a small fraction of the security incidents of the outgoing week.

Read about these and other events for the period from 3 to 9 July 2021 in our review. About two hundred American companies were affected by a cyberattack on Florida-based IT company Kaseya, which provides IT infrastructure management services.

Experts believe that the organizer of the attack is the extortionist group REvil. According to experts, Kaseya fell victim to ransomware, which then spread across corporate networks of companies using Kaseya software, in particular the Virtual System Administrator (VSA) tool. Hackers demand from victims a ransom of $ 45 thousand in cryptocurrency.

According to experts from the Dutch non-profit organization DIVD (Dutch Institute for Vulnerability Disclosure), the attackers exploited a previously unknown vulnerability in the Kaseya VSA server. According to DIVD head Victor Gevers, Kaseya was in the process of patching a vulnerability (CVE-2021-30116) when it came under attack. As it turned out, this vulnerability was reported to the company back in April of this year, but the patch for it was not prepared in time.

Cybersecurity researchers at Huntress Labs have successfully replicated an exploit used in attacks against Kaseya and its customers. Researchers were able to reproduce the attack and demonstrate a chain of exploits allegedly used by cybercriminals. The exploit includes bypassing authentication, uploading arbitrary files, and command injection.

One of the victims of the attack on Kaseya was Coop, a large supermarket chain in Sweden, which had to close about 800 stores across the country due to one of the contractors affected by the REvil ransomware attack on Kaseya.

Cyber fraudsters are taking advantage of the critical situation that has developed around attacks on Kaseya and its clients. Attackers send spam emails to potential victims with a Cobalt Strike payload disguised as security updates for the Kaseya VSA. Criminals are sending emails to potential victims with a malicious attachment and an embedded link that looks like a patch from Microsoft for a zero-day vulnerability in Kaseya VSA, exploited by operators of the ransomware REvil. When a victim launches a malicious attachment or downloads and runs a fake Microsoft patch, attackers gain permanent remote access to their computer.

Another high-profile event of the week is the potential hack of the National Committee of the US Republican Party. The attack is behind the well-known cybercriminal group APT 29, also known as Cozy Bear, which is believed to be responsible for the 2016 Democratic National Committee breach and the SolarWinds attack.

Cybersecurity researchers have discovered a new phishing campaign targeting engineering candidates in the United States and Europe. According to the researchers, the malware campaign is organized by the Lazarus APT group and has been active over the past several months. The hackers distributed documents disguised as letters from defense contractors and engineering companies such as Airbus, General Motors (GM), and Rheinmetall. All emails contain malicious documents.

Another APT group, SideCopy, is targeting government officials in India. SideCopy has been in operation since at least 2018 and has developed new remote access Trojans, some of which use plugins to add additional functionality.

One of the largest cyberattacks in the past few years took place in Poland, as a result of which the e-mails of about a dozen members of the Polish parliament were hacked. The incident affected representatives of almost all opposition factions in parliament. All victims were notified of the incident and received training on cyber security.

Unknown attackers hacked the recently launched social network GETTR for Donald Trump supporters, stole personal information of about 90 thousand users and published it on a hacker forum. Hackers discovered an insecure application programming interface (API) that allowed them to steal data from 87,973 GETTR users, including email addresses, aliases, profile names, year of birth, profile descriptions, avatar URL, background images, location, personal website and other internal site data.

An error in the software of the Madrid medical regulator has led to the leakage of personal information of thousands of residents of the Spanish capital. Among those whose personal information was revealed are the king of Spain Philip VI living in the region, Prime Minister Pedro Sanchez and other politicians.

The victim of a cyberattack using ransomware was the Washington Suburban Sanitary Commission (WSSC Water). The attackers managed to gain access to the internal files of WSSC Water, but no manipulations with the tap water were recorded.

https://www.securitylab.ru/news/522083.php