Cybersecurity Week in Review: 05/10/21
Posted by: GuidePoint Security
In this week’s cybersecurity week in review, we explore continued problems with critical bugs and vulnerabilities. We also discuss the ongoing ransomware woes, including updates to the Colonial Pipeline saga. And we take a look at several fake apps targeting Android and iOS devices, as well as a new remote access trojan (RAT) targeting the aerospace industry.
- Bugs, Bugs and More Bugs—This Week’s Vulnerabilities, Bugs and Flaws
- Ransomware Woes—This Week in Ransomware
- Additional Threat Updates
- Final Words
Bugs, Bugs and More Bugs: Acrobat Reader Zero-day, Microsoft Patch Tuesday and WiFi problems.
What You Need to Know
The problems with newly discovered bugs and vulnerabilities continued last week with announcements of a significant PDF reader zero-day, a new Microsoft HTTP protocol-stack issue and WiFi issues that make devices vulnerable to attack.
Summary
Last week Adobe issued a patch to correct a critical bug in Acrobat Reader, the ubiquitous freeware tool used around the globe to open and view files saved in the Portable Document Format (PDF). The bug (tracked as CVE-2021-28550) appears to affect only Acrobat Reader on Windows and, according to Adobe, was already being exploited by threat actors in the wild. The flaw is a remote code execution (RCE) vulnerability that allows the execution of almost any Windows command. Alongside the fix for CVE-2021-28550, Adobe released a total of 43 patches for known vulnerabilities in 12 products.
Researchers also announced last week the discovery of significant flaws affecting WiFi devices. Known collectively as Fragmentation Attacks (FragAttacks), they appear to leave every WiFi device sold since 1997 exposed to at least one vulnerability, although the researchers are quick to point out that the design flaws are difficult to abuse because they require user interaction or uncommon network settings. The vulnerabilities stem from design flaws in the original WiFi standards and from programming mistakes in their implementations, and relate to the manner in which frames are fragmented and aggregated. They enable threat actors to inject arbitrary packets and potentially steal data or trick a target into using a malicious DNS server.
As part of its Patch Tuesday release, Microsoft fixed a critical bug tracked as CVE-2021-31166, which could enable an attacker to “…send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets.” Because the bug is wormable, an attacker could use it to propagate throughout a network and reach systems and services that were not otherwise exposed to the threat. Microsoft issued three other ‘critical’ patches in addition to the one for CVE-2021-31166.
Next Steps
Adobe—Adobe has released updates and patches for a series of vulnerabilities, including the one affecting Acrobat Reader that is currently active in the wild. Additional information can be found here.
WiFi FragAttacks—Details and mitigations for the WiFi FragAttack vulnerabilities are available on the website for the Industry Consortium for Advancement of Security on the Internet (ICASI).
Microsoft—Microsoft’s security details for May 2021 “Patch Tuesday” are available on the Microsoft website. Researchers are warning businesses to make the patching of these critical bugs a high priority since wormable exploits are a prime target for ransomware operators.
Ransomware Woes: More Attacks on Municipalities, Avaddon Threats and Colonial Pipeline Drama.
What You Need to Know
Ransomware woes continued last week with the announcement of an attack on the City of Tulsa and warnings from security officials in the United States and Australia of increasing attacks by the Avaddon ransomware gang. The fallout from the Colonial Pipeline attack also continued, with long lines at the gas pumps as well as significant announcements by both the Biden Administration and the threat actors themselves.
Summary
A ransomware attack on the City of Tulsa forced the city to shut down systems and websites, disrupting city services. While city officials stated that no emergency operations were affected, Tulsa Fire had to use an alternative phone number for non-emergency business. Systems related to the city’s utilities and animal welfare were also reportedly unavailable.
In other ransomware news, last week the FBI issued a Flash Alert warning private sector companies, manufacturing organizations and healthcare agencies of an increase in Avaddon ransomware activity. According to the alert, the ransomware is being advertised on Russian-language cybercrime forums as ransomware as a service (RaaS). Officials state that the tactics, techniques and procedures (TTPs) used by the Avaddon gang involve initial compromise through remote desktop protocol logins or virtual private networks that are misconfigured or use single-factor authentication. The Avaddon ransomware is designed to verify that the target victim is not located in the Commonwealth of Independent States (CIS) (former Soviet countries, including Russia). It also contains anti-analysis protection code and is designed to escalate privileges and establish persistence on the attacked system.
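The two entry points the alert names, RDP logins and single-factor VPN logins, are also the two things a defender can look for in authentication telemetry. The following is an added example, not code from the FBI alert or from GuidePoint: it runs a simple check over a constructed key=value logon log (the format, the sample lines, the `auth=` factor field and the documentation-range IP addresses are all assumptions made for this example) and flags successful RDP logons that arrived from outside the RFC 1918 ranges and successful VPN logons that used only a password.

```python
"""Added example: flag remote-access logons matching the Avaddon TTPs
(Internet-reachable RDP, single-factor VPN).  Log format and sample lines
are constructed for this example and are not real telemetry."""
import ipaddress
import re

# RFC 1918 ranges; any other source is treated as Internet-facing.
# ipaddress.is_private would also match the RFC 5737 documentation ranges
# used in the sample below, so the membership test is explicit.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log. "logon_type=10" mirrors the Windows
# RemoteInteractive (RDP) logon type; the "auth=" field is an assumed
# VPN-appliance enrichment listing the factors used, joined with '+'.
SAMPLE_LOG = """\
2021-05-10T02:14:05Z src=rdp user=jdoe ip=203.0.113.7 logon_type=10 result=success
2021-05-10T02:15:40Z src=vpn user=asmith ip=198.51.100.23 auth=password result=success
2021-05-10T08:01:12Z src=vpn user=bkim ip=198.51.100.45 auth=password+otp result=success
2021-05-10T08:05:33Z src=rdp user=svc_backup ip=10.0.4.12 logon_type=10 result=success
2021-05-10T08:09:00Z src=rdp user=jdoe ip=203.0.113.7 logon_type=10 result=failure
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one log line plus its timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def is_internal(ip_text):
    """True when the address falls inside an RFC 1918 range."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in RFC1918)


def single_factor(auth_value):
    """True unless at least two factors are recorded (e.g. 'password+otp').
    A missing or empty auth field is treated as single-factor."""
    return len([f for f in auth_value.split("+") if f]) < 2


def flag_logons(log_text):
    """Return (timestamp, user, reason) for each successful logon that
    matches one of the two patterns the alert describes."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("result") != "success":
            continue  # only successful logons indicate a foothold
        if (ev.get("src") == "rdp" and ev.get("logon_type") == "10"
                and not is_internal(ev["ip"])):
            findings.append((ev["ts"], ev["user"],
                             "RDP logon from non-RFC1918 source " + ev["ip"]))
        elif ev.get("src") == "vpn" and single_factor(ev.get("auth", "")):
            findings.append((ev["ts"], ev["user"],
                             "VPN logon with single-factor auth from " + ev["ip"]))
    return findings


if __name__ == "__main__":
    for ts, user, reason in flag_logons(SAMPLE_LOG):
        print(ts, user, reason)
```

On the sample, only the `jdoe` RDP logon from 203.0.113.7 and the password-only VPN logon by `asmith` are flagged; the internal RDP session, the OTP-protected VPN session and the failed attempt are not. In a real environment the source list and the factor field would come from the RDP gateway and VPN appliance logs, and the RFC 1918 check would be replaced by the organization’s own address allow-list.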
As the lines at gas pumps along the east coast of the United States grew last week, so did the drama related to the attack on Colonial Pipeline. The company reportedly paid $5 million to the DarkSide criminal gang to obtain the decryptor, but apparently still had to rely on its own backups because the decryptor proved too slow. As of Sunday, 5/16, the company had resumed normal operations. Because of the nature of the target and the severe effect on transportation, the Biden Administration stated that the United States intended to pursue the criminals who hacked into Colonial Pipeline’s IT systems. The administration also stated it had been in contact with the Russian government, taking great pains to point out that while it believed the Russian government was not responsible for the attack, the attack originated in Russia. The President further added that he believed Russia bore some responsibility for the attack since it knowingly allows criminals to operate within the Commonwealth of Independent States (CIS). (Criminals are known to operate out of the CIS without repercussion from local or national law enforcement, as long as they do not attack organizations and citizens within those countries.) On Wednesday of last week, President Biden also signed an executive order to improve the nation’s cybersecurity. The order requires:
- Removing barriers to the sharing of threat information
- Modernizing federal government cybersecurity
- Enhancing the security of the software supply chain
- Establishing a Cyber Safety Review Board
- Standardizing the government’s playbook for responding to cybersecurity vulnerabilities and incidents
- Improving detection of vulnerabilities and incidents on federal networks
- Improving the government’s investigative and remediation capabilities
- Adopting National Security System requirements
And in a final twist in the Colonial Pipeline saga, the criminal gang known as DarkSide announced that it had ceased operations because its Bitcoin stash had been seized and its servers shut down, specifically the servers associated with its blog, payment processing and denial-of-service (DoS) operations. It is not known who shut down the servers and moved the Bitcoin funds, and because cybersecurity researchers cannot independently validate these claims, security professionals warn that this could be part of a broader ‘exit scam’ by DarkSide to avoid further repercussions.
(You can read more about the operations of the DarkSide gang in this in-depth analysis by GuidePoint Security’s Principal Threat Intelligence Analyst, Drew Schmitt.)
Next Steps
The most effective defense against ransomware is prevention, including regular updates to systems, prompt patching and the use of appropriate security architectures, tools and procedures. You can read more on cybersecurity best practices here. Organizations should also consider data security, security operations and incident response, and ransomware investigation and response services.
Additional Threat Updates: Android/iOS Fake Apps and Malware Campaign Targeting Aerospace.
What You Need to Know
Several new Android and iOS apps are disguising themselves as trading and cryptocurrency tools. A new fake Chrome app is enabling malware propagation. And, Microsoft has warned that threat actors are targeting aerospace and travel organizations with new malware.
Summary
Last week security researchers announced the discovery of 167 fake Android and iOS apps disguised as cryptocurrency, stock trading and banking applications. The fake apps were distributed through social engineering schemes on dating websites as well as through spoofed websites impersonating real companies. On iOS, the threat actors bypassed the App Store by using third-party services that offer the Super Signature process, a service designed to help small developers perform test deployments by using Apple’s ad-hoc application distribution method to deliver apps directly to an iOS device.
A new self-propagating Android malware disguised as the Chrome application is also making the rounds. Researchers say it has spread to hundreds of thousands of victims in just the last few weeks. The attacks begin with smishing (SMS phishing): a text message asks the target to pay a fee to release a package. If the victim clicks the link, a message appears asking them to update their Chrome application, and the victim is taken to a malicious website hosting the fake app. When the fake ‘update’ is complete, the victim is directed to a phishing page that asks them to pay a nominal fee ($1 to $2), the real purpose of which is to collect credit card information. The malware then propagates by sending SMS messages from the infected device; the recipient phone numbers appear to be random rather than taken from the device’s contacts.
Microsoft announced last week that it has been tracking a malware campaign targeting the aerospace and travel industries. Attackers are using remote access trojans (RATs) for “data theft, follow-on activity and additional payloads, including Agent Tesla, which they use for data exfiltration.” The threat actors first send spear-phishing emails to individuals who work in the aerospace and travel sectors. The emails spoof legitimate organizations and carry malicious attachments with images that look like PDF documents containing information on the aviation, cargo and travel industry. Once installed, the malware harvests screenshots, keystrokes, credentials, webcam feeds, browser and clipboard data and other sensitive information.
Next Steps
Android users are advised to avoid fake apps by not clicking on links in unsolicited SMS messages. Users are also encouraged to read reviews and the app description and to check the search results, application name and developer name closely to make sure the app is legitimate. (For example, while a fake application’s name may match the legitimate app, the developer’s name is often a dead giveaway that the app is fake.) Android users are also encouraged to look at download counts: the real Facebook app has billions of downloads on the Google Play store, while a fake app might have only a few thousand.
While applications found on the iOS App Store tend to be legitimate, Apple device users are still warned to not download applications based on links from unsolicited text messages or emails.
Phishing attacks continue to be a tried-and-true method for threat actors to infiltrate an organization. While most phishing attacks aim to capture information or money, some targeted spear-phishing attacks will attempt to encourage the victim to install malware. Phishing is best prevented through proper identity and access management, email security and other anti-phishing techniques and tools.
Final Words
The importance of updating and patching vulnerabilities can’t be stressed often enough. The Microsoft patch for CVE-2021-31166 (a wormable vulnerability of the kind ransomware operators favor) is a perfect example.
But security isn’t wholly the responsibility of the end user. Bugs, flaws and vulnerabilities begin in application development and often account for a significant portion of the most common attack vectors. And vulnerabilities have a long shelf life, as evidenced by the WiFi FragAttacks highlighted above, which involve WiFi devices from as far back as 1997, and the Dell computer bugs, present in systems since 2009 but only recently discovered.
To improve security and protect businesses, organizations doing application development need to think about how they can prioritize and improve their AppSec process. Using AppSec maturity models, implementing best practices in the software development lifecycle (SDLC) and engaging application security as a service expertise can go a long way toward minimizing the number of flaws that creep into new applications and software.
As industry and government entities finally begin to recognize the serious threat that ransomware poses, security stakes are going to get higher than ever. End-user security and user awareness is only a partial fix. Application security needs to be another critical step to help win the battle against ransomware, threats and breaches.