The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- What’s happened to REvil? The ransomware group has gone offline.
- Kaseya update. Promised security patches for VSA vulnerabilities are now available.
- Vulnerabilities exposed. Vulnerabilities identified affecting SolarWinds and Sage products.
- Bullish on insider trading. Apostolos Trovias, “The Bull”, charged by US authorities after using the dark web for insider trading.
- Return of the Joker. Joker malware found in Android apps after using new evasion methods.
- Get patchy with it. Microsoft and Adobe release info on new vulnerabilities you need to patch.
Another ransomware group has gone quiet
REvil, the ransomware group behind the recent attack leveraging Kaseya’s VSA platform, appears to have gone offline. The group’s online infrastructure is no longer accessible. It’s unclear if the development is related to recent discussions between the US and Russian governments or if the group is laying low to avoid further scrutiny by law enforcement following the recent high-profile attack.
SO WHAT? The group is unlikely to stay away for long. Ransomware groups often go quiet for short periods before returning and/or rebranding to continue their operations. Organisations should not let their guard down: the ransomware threat is not going away.
Kaseya patch progress
Kaseya has now released patches for both the on-premise and Software-as-a-Service (SaaS) versions of its VSA platform, addressing the vulnerabilities recently exploited by REvil. According to Kaseya, almost all of its SaaS customers are back online after it initially shut down its servers to contain the attack.
SO WHAT? If you use the platform, ensure you have applied the latest patches and have changed all passwords. Organisations are also advised to follow Kaseya’s guide to harden their on-premise and SaaS systems.
Vulnerabilities identified affecting SolarWinds and Sage
- SolarWinds has patched a zero-day vulnerability affecting its Serv-U products that was being actively exploited. The vulnerability, tracked as CVE-2021-35211, allows a threat actor to execute code remotely.
- Separately, researchers identified four vulnerabilities affecting the Sage X3 ERP platform, one of which is rated 10 out of 10 on the CVSS vulnerability-severity scale. Sage has addressed the vulnerabilities with recent software updates.
SO WHAT? Users should update their systems to the latest versions. Customers potentially impacted by the SolarWinds vulnerability can check the Serv-U DebugSocketLog.txt log file for Indicators of Compromise.
US charges Apostolos Trovias for insider trading on Dark Web
On 9 July, the US Department of Justice (DOJ) and Securities and Exchange Commission (SEC) charged Greek national Trovias for marketing insider trading information. Operating as “The Bull”, Trovias used dark web forums to sell stock tips and also tried to build his own dark web site for his dealings.
The DOJ charged Trovias with one count of securities fraud and one count of money laundering. These carry maximum penalties of 25 and 20 years in jail, respectively.
SO WHAT? Dark web monitoring can reveal evidence of a variety of criminal activity beyond cybercrime, including insider trading, fraud schemes targeting specific companies or sectors, and emerging threats facing organisations. Consider an intelligence program to identify potential threats facing your organisation on the dark web.
Return of the Joker
A new version of the billing-fraud malware ‘Joker’ has been found in apps on the Google Play store. Apps infected with Joker stealthily subscribe users to paid services owned by the attackers. The attackers are using legitimate development techniques alongside anti-detection techniques to evade the Google Play store vetting process.
SO WHAT? Review permission requests by apps carefully, even when downloading them from official app stores like Google Play.
Patch Tuesday!
- Microsoft released patches for 117 vulnerabilities, 13 of which are marked ‘critical’. The vulnerabilities that were addressed included four zero-days being actively exploited in the wild.
- Adobe also released fixes for 22 critical vulnerabilities across six programs, including the popular Adobe Acrobat and Reader, none of which are being actively exploited.
SO WHAT? Further detail on the patches is available on the respective Microsoft and Adobe advisory pages.
Indicators of Compromise
The Indicators of Compromise (IOCs) below offer a snapshot of the forensic artefacts currently known to be associated with the most recent Joker malware campaign.
SHA-256 App Hashes
a18508d9047fe87da2bf14211c3f31c5ad48277348eb5011fdfe4dd7dac13d52
0840f6feef265393c929ac61e0b1b04faa3999e1ae5655fd332ec674be2661a0
f772532dc7b83242e54cfec2bf740f12c13b1f2fce9da188da19b6df55da4fab
3aac23064f58f32f8cd345b9455be3d638f5ae8658bbc6badcedcb111b002572
Interesting URLs
hxxp://onemoretime.oss-us-east-1.aliyuncs.com/notice.ai
hxxp://onemoretime.oss-us-east-1.aliyuncs.com/hd.ai
hxxp://onemoretime.oss-us-east-1.aliyuncs.com/huadi
hxxp://161.117.46.64/svhyqj/mjcxzy
hxxp://161.117.46.64/svhyqj/bwytmw
IP Addresses
161.117.46[.]64
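One way to put the indicators above to use is a small sweep over web-proxy logs and an application inventory. The script below is an added example, not part of the briefing or of any vendor tooling. It takes the hashes, URLs and IP address exactly as printed above (defanged with hxxp:// and [.]), re-fangs them for matching, and runs them over a constructed proxy-log format and a constructed APK inventory; both sample data sets are invented for the example and are not real traffic or real devices. URL hits are reported separately from weaker host-only hits, since the OSS bucket host and the bare IP may also serve content unrelated to this campaign.

```python
"""Sweep constructed proxy logs and an APK inventory for the Joker IOCs listed above (added example)."""
import re
from typing import Dict, Iterable, List, Tuple

# Indicators copied from the briefing, kept defanged so the file itself stays harmless.
JOKER_SHA256 = {
    "a18508d9047fe87da2bf14211c3f31c5ad48277348eb5011fdfe4dd7dac13d52",
    "0840f6feef265393c929ac61e0b1b04faa3999e1ae5655fd332ec674be2661a0",
    "f772532dc7b83242e54cfec2bf740f12c13b1f2fce9da188da19b6df55da4fab",
    "3aac23064f58f32f8cd345b9455be3d638f5ae8658bbc6badcedcb111b002572",
}
JOKER_URLS_DEFANGED = [
    "hxxp://onemoretime.oss-us-east-1.aliyuncs.com/notice.ai",
    "hxxp://onemoretime.oss-us-east-1.aliyuncs.com/hd.ai",
    "hxxp://onemoretime.oss-us-east-1.aliyuncs.com/huadi",
    "hxxp://161.117.46.64/svhyqj/mjcxzy",
    "hxxp://161.117.46.64/svhyqj/bwytmw",
]
JOKER_IPS_DEFANGED = ["161.117.46[.]64"]

HOST_RE = re.compile(r"^https?://([^/]+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp://, hxxps://, [.]) back into its live form for matching."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", "."))


JOKER_URLS = {refang(u) for u in JOKER_URLS_DEFANGED}
JOKER_IPS = {refang(ip) for ip in JOKER_IPS_DEFANGED}
# Host-level indicators: the hosts of every listed URL plus the listed IP.
JOKER_HOSTS = {HOST_RE.match(u).group(1) for u in JOKER_URLS} | JOKER_IPS

# Constructed sample proxy log (not real traffic): "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2021-07-14T09:12:01Z 10.20.0.17 GET http://onemoretime.oss-us-east-1.aliyuncs.com/notice.ai 200",
    "2021-07-14T09:12:03Z 10.20.0.17 GET https://play.google.com/store 200",
    "2021-07-14T09:13:40Z 10.20.0.42 GET http://161.117.46.64/svhyqj/mjcxzy 200",
    "2021-07-14T09:15:10Z 10.20.0.42 GET http://161.117.46.64/other/path 404",
    "2021-07-14T09:16:00Z 10.20.0.99 GET https://example.org/ 200",
    "malformed line that should be skipped",
]

# Constructed APK inventory (package file -> SHA-256), as an MDM export might provide.
SAMPLE_APK_INVENTORY = {
    "com.example.wallpaper.apk": "A18508D9047FE87DA2BF14211C3F31C5AD48277348EB5011FDFE4DD7DAC13D52",
    "com.example.notes.apk": "0" * 64,
}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def sweep_proxy_log(lines: Iterable[str]) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, client, match_kind, indicator) for every log line touching a Joker IOC.

    match_kind is "url" for an exact URL hit and "host" for a weaker host-only hit.
    Lines that do not fit the expected format are skipped rather than raising.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        host_m = HOST_RE.match(url)
        host = host_m.group(1) if host_m else ""
        if url in JOKER_URLS:
            hits.append((n, m.group("client"), "url", url))
        elif host in JOKER_HOSTS:
            hits.append((n, m.group("client"), "host", host))
    return hits


def match_apk_hashes(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (file_name, sha256) for inventory entries whose hash is a listed Joker sample."""
    return [(name, digest.lower()) for name, digest in inventory.items()
            if digest.lower() in JOKER_SHA256]


if __name__ == "__main__":
    for hit in sweep_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy hit:", hit)
    for hit in match_apk_hashes(SAMPLE_APK_INVENTORY):
        print("apk hit:", hit)
```

Hashes are compared case-insensitively because inventory exports differ in case, and the host-only match on line 4 of the sample log is reported as a "host" hit so an analyst can triage it separately from the exact URL hits on lines 1 and 3.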