Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news
Weekly CyberTip: Update your browser
It’s easy to check whether you are running the latest version of the web browser on your computer. Most popular browsers put the update and version information in their “About” section. For example, if you use Chrome, click “More” (the three vertical dots at the top right of the window), then select “Help”, then “About Google Chrome”. The browser will tell you whether you’re up to date, or will download the latest version and prompt you to relaunch. The relaunch matters: until the browser restarts, the old, unpatched code is still what is running.
REvil ransomware gang disappears from the dark web
The REvil ransomware gang, widely believed to be behind the recent cyber attacks on meat processor JBS and software vendor Kaseya, appears to have shut down its dark web presence and social media activity.
REvil started operations in April 2019, and quickly became one of the most active ransomware-as-a-service syndicates in the world. REvil’s recent dark web infrastructure is believed to have consisted of 22 data hosting and processing sites. All of these web presences – including the group’s data leak, extortion, and payment portals – are currently inaccessible, each displaying the Tor Browser error message “Onionsite not found”. REvil’s “Happy Blog” – which the group uses to publish data exfiltrated from victims who refuse to pay – appears to have gone offline early on July 13. The breach affecting Kaseya customers and third parties started on July 2.
In a recent article, The Washington Post posits three theories on the reasons behind the disappearance of the gang:
1. Spurred by pressure from the United States, the Russian government intervened to shut REvil down. In a June summit with Russian President Vladimir Putin, U.S. President Joseph Biden identified information technology among 16 “critical infrastructure sectors” that should be off-limits for attack, cyber or otherwise.
2. The United States government launched its own cyber operation to disrupt REvil’s operations and take them offline. President Biden is under increasing pressure to back up his own words and take a hard line on cyber crime.
3. REvil simply decided to discontinue operations and regroup in another form after the Kaseya incident on July 2 created so much exposure. Ransomware group DarkSide followed this model; they shut down operations shortly after their attack on Colonial Pipeline in May 2021.
While many are celebrating the potential demise of REvil, the disappearance may have serious consequences for some of the estimated 1,500 businesses affected by the Kaseya breach: with the payment portal offline, those who elect to consider paying a ransom to recover encrypted systems now have no point of contact and no way to obtain a decryptor.
Google releases fixes for eighth zero-day Chrome vulnerability this year
Google has released a patch for its Chrome web browser, addressing a zero-day vulnerability reported on July 12. Tracked as CVE-2021-30563, few details have yet been released about the bug; Google typically withholds technical details (which could help cyber criminals build further exploits) until the majority of users have had time to update, usually around 30 days. This latest zero-day is a “type confusion” bug in V8, the Chrome component responsible for interpreting and running JavaScript code. A type confusion occurs when the engine accesses an object in memory as one type when it is actually another; in the simple case this crashes the browser, but an attacker who controls the mismatch can use it to read or write memory and ultimately execute arbitrary code on devices running unpatched versions of the browser.
The vulnerability is just one of eight security fixes in the latest release, so Chrome users are encouraged to update their browsers as soon as possible. Version 91.0.4472.164 is rolling out to the stable channel for Windows, macOS and Linux over the coming days; if your “About Google Chrome” page does not yet offer it, check again.
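This week’s CyberTip describes the manual “About” check; the following PowerShell script is an added example (not code from the ISA newsletter or from Google) that does the same check for a Windows host against the fixed version named above, so it can be run across a fleet. The install paths and the minimum version are assumptions for the example; adjust them for your environment.

```powershell
# Added example: compare the Chrome build installed on this Windows host with the
# fixed version from the release notes above. Minimum version and install paths
# are assumptions for this example, not values from the newsletter.
$Minimum = [version]'91.0.4472.164'

# Chrome installs per-machine under Program Files or per-user under LocalAppData.
$candidates = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
    "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
)

$results = foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    # ProductVersion is the four-part Chrome version stamped into the binary.
    $installed = [version](Get-Item -LiteralPath $path).VersionInfo.ProductVersion
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Path      = $path
        Installed = $installed
        Patched   = ($installed -ge $Minimum)
    }
}

if (-not $results) {
    Write-Output "Chrome not found in the standard locations on $env:COMPUTERNAME"
} else {
    $results | Format-Table -AutoSize
    # A non-zero exit code lets a fleet management tool flag hosts that are still
    # running a vulnerable build.
    if ($results | Where-Object { -not $_.Patched }) { exit 1 }
}
```

The script reads the version of the chrome.exe that would run on next launch. Because Chrome’s updater stages a new build on disk and only swaps it in when the browser is relaunched, a host that has downloaded the update but still has an old Chrome window open keeps reporting the old version here, which is the behaviour you want when the question is “is vulnerable code still running?”.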
This also marks the eighth zero-day vulnerability reported in Chrome in just over six months. Chrome is generally considered the most popular browser in the world, so it is understandable that it would be the biggest target for threat actors. But even Google staff appear concerned with the number of issues in recent times.
“I’m happy we are getting better at detecting these exploits and the great partnerships we have to get the vulnerabilities patched, but I remain concerned about how many are being discovered on an ongoing basis,” tweeted Shane Huntley, a member of Google’s Threat Analysis Group back on June 8; since then, two more zero-day vulnerabilities have been reported.
Third Microsoft print spooler vulnerability reported
Microsoft has confirmed another vulnerability in the Windows print spooler, the third in just a matter of weeks. The announcement from the Microsoft Security Response Center describes how CVE-2021-34481 allows a threat actor to escalate local privileges to SYSTEM by exploiting a flaw in the print spooler service. While an attacker must already be able to execute code on the target system to exploit this vulnerability, a successful breach could allow them to “install programs; view, change, or delete data; or create new accounts with full user rights,” according to the advisory.
This latest flaw is rated “high” across the board for CIA (confidentiality, integrity, availability) impact by Microsoft, giving it a CVSS base score of 7.8, and is considered to be easier to exploit than either of the other two recent vulnerabilities.
A patch for the bug is expected shortly; until then, users are strongly encouraged to stop and disable the print spooler service unless it is needed, particularly on domain controllers, where privilege escalation to SYSTEM can compromise the entire domain. Note that disabling the service stops all printing from that host, both local and via shared printers, so inventory print servers before applying the workaround and re-enable the service once the patch is installed.
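One way to apply the interim workaround on a single host, as an added example that is not code from the ISA newsletter or from Microsoft’s advisory. It uses only built-in cmdlets and must be run from an elevated PowerShell session; the policy it encodes (always disable on domain controllers, refuse on hosts that share printers unless overridden, and a -Revert switch for after patching) is this example’s own, not something the advisory specifies.

```powershell
# Added example: apply or revert the "stop and disable Print Spooler" workaround.
# Run elevated. Decision logic below is an assumption for this example.
param(
    [switch]$Revert,   # re-enable the service after the patch has been installed
    [switch]$Force     # disable even if this host shares printers (print server)
)

$svc = Get-Service -Name Spooler -ErrorAction Stop

if ($Revert) {
    Set-Service -Name Spooler -StartupType Automatic
    Start-Service -Name Spooler
    Write-Output "Spooler re-enabled and started on $env:COMPUTERNAME"
    return
}

# ProductType 2 in Win32_OperatingSystem means this machine is a domain controller,
# where a SYSTEM-level escalation is most damaging, so the workaround always applies.
$isDc = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2

# Hosts that share printers stop serving clients when the spooler is disabled;
# refuse to touch them unless the operator explicitly overrides. Get-Printer only
# works while the spooler is running, so guard it.
$shared = @()
if ($svc.Status -eq 'Running') {
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
}
if ($shared.Count -gt 0 -and -not $Force -and -not $isDc) {
    Write-Warning ("{0} shares {1} printer(s); not disabling Spooler. Use -Force to override." -f $env:COMPUTERNAME, $shared.Count)
    return
}

# Stop the service now and prevent it from starting again on reboot.
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

$after = Get-Service -Name Spooler
Write-Output ("{0}: Spooler status={1} startup={2} domainController={3}" -f `
    $env:COMPUTERNAME, $after.Status, $after.StartType, $isDc)
```

Run it with no switches to apply the workaround, and with -Revert after the Microsoft patch has been installed and verified. Logging the final status and startup type per host gives you a record to reconcile against once the fix ships, so no machine is left with printing disabled by accident.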