It's Patch Tuesday again! This one's especially important because it fixes some of the Print Spooler issues over the past couple months, as well as the PetitPotam attacks that are gaining traction in the wild: Microsoft's August 2021 Patch Tuesday: 44 flaws fixed, seven critical including Print Spooler vulnerability | ZDNet I've written about this before, but a good reminder: CISA has a good collection of FREE cybersecurity training resources. Check it out: Cybersecurity Training & Exercises | CISA Speaking of training, here's a structured program to teach you cybersecurity basics: Welcome to pwn.college! | pwn.college When a company laptop gets stolen, that obviously puts company data at risk. Disk encryption such as BitLocker definitely helps, but a determined attacker can still get in. Here's how: From Stolen Laptop to Inside the Company Network — Dolos Group Another game development company was hit by ransomware - this time it's Crytek: Crytek confirms Egregor ransomware attack, customer data theft (bleepingcomputer.com) Not really security-related, but still cool: Some Facebook engineers built a new device for keeping time, as accurately as an atomic clock, as a PCIe card that can be installed into a server or desktop. It's a very cool look into what hardware design is really like: Open sourcing a more precise time appliance - Facebook Engineering (fb.com)

A new Windows 10 issue was discovered, which exposes local user account passwords to an attacker. So far, it appears to only affect Windows 10 1809 or later, and requires an attacker to already have a foothold on the PC. Microsoft will certainly patch this soon, but in the meantime, Microsoft has released workarounds that you can use: CVE-2021-36934 - Security Update Guide - Microsoft - Windows Elevation of Privilege Vulnerability The widespread Exchange attacks earlier this year have been formally attributed to China, according to the US government and many allies. This was widely anticipated and not really a surprise: Chinese Cyber Threat Overview and Actions for Leaders | CISA Fortinet disclosed a new vulnerability in FortiManager and FortiAnalyzer. If you’re using FortiManager, make sure you’re patched: FortiManager & FortiAnalyzer - Use after free vulnerability in fgfmsd daemon | FortiGuard The Olympics start this week! It's always exciting to see the Games, but it also brings a wave of cyberattacks. Remember that the 2018 Winter Olympics was very nearly disrupted by a major cyberattack during the Opening Ceremony, and this year, the FBI is warning that similar attacks are possible: http://www.ic3.gov/Media/News/2021/210719.pdf Apple released new security updates this week for iOS. For those of you with iPhones or iPads, make sure you update to version 14.7. Apple hasn't yet disclosed all of the bugs that were fixed, but given all of the recent attacks and iPhone exploit attacks over the past few weeks, it's safe to expect there are some important fixes included: Apple security updates - Apple Support And finally, a very interesting writeup of the full chain of a Revil ransomware attack - From infection to negotiation to payment to what happens to the cryptocurrency after payment is made: REvil Revealed - Tracking a Ransomware Negotiation and Payment (elliptic.co)

If you want to see how attackers are using phishing to get into victims' mailboxes, Microsoft has a good writeup: Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign | Microsoft Security Blog Or, if you want to see how ransomware gangs get into the network after the initial phish, here's a good article on the market for buying access: Researchers: Booming Cyber-Underground Market for Initial-Access Brokers | Threatpost Fujifilm was hit with ransomware earlier this month - And didn't pay the ransom!! Fujifilm resumes normal operations after ransomware attack (bleepingcomputer.com) A US nuclear weapons contractor was also hit - And also apparently didn't pay: REvil ransomware hits US nuclear weapons contractor (bleepingcomputer.com) For those of you who are interested in reverse-engineering malware, here's an analysis of DarkSide (the ransomware that hit Colonial Pipeline): A step-by-step analysis of a new version of Darkside Ransomware (v. 2.1.2.3) – CYBER GEEKS On another note... Ukraine arrested six people connected to the Cl0p ransomware gang, which was heavily targeting organizations using Accellion equipment: Krebs on Security – In-depth security news and investigation Carnival Cruise Lines recently disclosed a data breach affecting many of its customers: Carnival-March-bc-data-breach-notice - DocumentCloud

The DoJ announced that it recovered "most" of the $4.4 million ransom that Colonial Pipeline paid, by seizing the BitCoin wallet: US recovers most of Colonial Pipeline's $4.4M ransomware payment (bleepingcomputer.com) This news is potentially huge, or potentially a one-time event. Time will tell. Hopefully it sends a message to the ransomware threat actors that the United States is getting serious. Colonial Pipeline also announced the root cause of its attack - A single legacy account, which was enabled for VPN and did not have MFA. One password allowed hackers to disrupt Colonial Pipeline, CEO tells senators (yahoo.com) All it takes is one account, one vulnerable weak point, for an attacker to get in. Make sure you have MFA enabled on ALL remote access, not just most! If you have VMware vCenter, make sure it's patched. A recent critical-severity vulnerability is being actively exploited: This is not a drill: VMware vuln with 9.8 severity rating is under attack | Ars Technica It's Patch Tuesday! Six zero-days this time. You know what to do: Microsoft patches six Windows zero-days, including a commercial exploit | The Record by Recorded Future For those of you that have not gone through a ransomware incident (lucky you!), there's a fascinating live-blog of a company going through it right now: Driftinfo - AK Techotel Look at the time stamps on the posts. Even after the company agreed to pay the ransom, look at how long it took to get the decryption started, and how many problems they still had after that. Paying the ransom does not get you back up and running quickly! Deep dive: Logging on to Windows - Microsoft Tech Community On another note... For years, the FBI ran an encrypted communications app that was marketed at global organized criminals. The app, called Anom, allowed users to send encrypted messages between each other - and gave the FBI a master decryption key to be able to read every message: Trojan Shield: How the FBI Secretly Ran a Phone Network for Criminals (vice.com) Hundreds of arrests have already taken place: ANOM: Hundreds arrested in massive global crime sting using messaging app - BBC News Unknown attackers breached gaming company Electronic Arts and stole 780gb of data, including full source code for FIFA 21, and source code and tools for its Frostbite game engine: Hackers Steal Wealth of Data from Game Giant EA (vice.com) The criminals got in by social engineering the IT helpdesk to give them access: How Hackers Used Slack to Break into EA Games (vice.com)

The big ransomware victim of the week was JBS Meats. It's not known if JBS paid a ransom or not. The US government has pointed the finger at Revil / Sodinokibi: US: Russian threat actors likely behind JBS ransomware attack (bleepingcomputer.com) All ransomware articles tend to be pretty much alike. This one is different: How cybercriminals use sales best practices in ransomware attacks | 2021-02-21 | Security Magazine Part of the ransomware response process that most people don't see is the negotiator. Oftentimes there's a person whose specialty is communicating and negotiating with the attackers. Here's a very interesting long-form article about one of these people: How to Negotiate with Ransomware Hackers | The New Yorker A good reminder of the most common Microsoft 365 attacks: Microsoft 365: Most Common Threat Vectors & ... (darkreading.com) 10 steps to improve enterprise preparedness for an attack: The state of enterprise preparedness for ransomware attacks - Help Net Security On another note... Microsoft will be hosting a virtual event on June 24 to unveil the next version of Windows: Microsoft Windows Event - Watch the June 24 LIVE stream What Amazon Ring knows about you: What Amazon Ring Knows About You | Avast

In 2011, the IT world was shocked to learn that RSA was hacked, and the seed values for SecurID tokens were stolen. This left every SecurID token in the world vulnerable and exposed - if you were in the industry at the time, you surely remember this incident. Now, 10 years later, the NDAs have expired and the full story is out: The Full Story of the Stunning RSA Hack Can Finally Be Told | WIRED Spoiler alert: It began with a phishing email, containing a malicious Excel attachment titled "2011 Recruitment Plan." It's a trap! Want to play with Microsoft 365 E5 in a sandbox, and really get hands-on with all of the advanced tools and functions? Get a free, renewable E5 developer subscription here (really!): Developer Program - Microsoft 365 The DarkSide ransomware gang, which was responsible for Colonial Pipeline, is believed to have made over $90 million in just nine months, based on transfers into its Bitcoin wallet. The average payment was $1.9 million: Darkside gang estimated to have made over $90 million from ransomware attacks | The Record by Recorded Future In a ransomware incident, the attackers normally try to exfiltrate data out of the network, so they can threaten to leak that data if you don't pay the ransom. Two ways this is done are through Rclone and MegaSync. How to proactively detect and block these applications: Rclone Wars: Transferring leverage in a ransomware attack (redcanary.com) CISA has published detailed technical guidance for how to evict an attacker from your network, once that attacker has breached Active Directory and/or Azure Active Directory. It includes a lot of good advice in general: Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise | CISA On another note... It's possible to remove the "External Sender" warnings from emails, by simply using CSS: Phishing Scammers Remove ‘External Sender’ Email Warnings Impersonating Internal Users (knowbe4.com) A new malware tactic is to pretend that it encrypted your files, without actually encrypting them: http://twitter.com/MsftSecIntel/status/1395138347601854465?s=20 A week after insurance company AXA announced that it will stop providing insurance coverage for ransomware extortion payments, it itself was hit with the Avaddon ransomware: Insurer AXA hit by ransomware after dropping support for ransom payments (bleepingcomputer.com)

The big ransomware news from last weekend was Colonial Pipeline, the largest fuel pipeline operator on the East Coast, which was forced to shut down its entire network and all operations after being hit with ransomware from DarkSide. There are reports that the company paid $5 million in ransom: Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom - Bloomberg A detailed writeup on DarkSide can be found here: Shining a Light on DARKSIDE Ransomware Operations | FireEye Inc Update: There are reports today that DarkSide’s infrastructure has been taken down, and that the gang is shutting down. Do not overreact to this news. There’s a decent chance that the criminals did it themselves, claiming “We were taken down!” as an excuse to lay low until the spotlight fades, then pop back up with a new name. This has happened before. In more under the radar news, the City of Tulsa OK was hit with ransomware last weekend, which disrupted citizen-facing services: City of Tulsa hit by ransomware over the weekend | The Record by Recorded Future The Biden administration issued an executive order on cybersecurity this week, which requires federal IT contractors to disclose breaches, requires MFA and encryption for government systems, and establishes a "Cyber Safety Review Board," among other things. This is a good thing for all businesses, not just federal contractors: Executive Order on Improving the Nation's Cybersecurity | The White House Windows 10 version 1909 has reached end of service, and will no longer receive security updates: Windows message center | Microsoft Docs I know I send a lot of uber-nerdy info, but this might be the deepest one yet. How MFA works in Windows: MFA is Hard to do Right (syfuhs.net) On another note... November 2020, the US Air Force discovered a cryptominer inside its internal law enforcement agency. Agents raided a home in Olathe KS last week: Agents raid home of Kansas man seeking info on botnet that infected DOD network | The Record by Recorded Future

Data exfiltration by attackers is on the rise. By some statistics, up to 80% of all ransomware attacks now include the threat of leaking data publicly. It's the future of ransomware: Ransomware: The Data Exfiltration and Double Extortion Trends (cisecurity.org) Google is starting to push aggressively toward two-factor authentication, with almost all users getting automated prompts to enable 2FA on their Google accounts . This is great news for cybersecurity: Google Wants to Make Everyone Use Two Factor Authentication (vice.com) Microsoft continues to try to rid the world of Adobe Flash. In January, Microsoft disabled Flash from running, and in July 2021, will remove it from Windows systems through a cumulative update: Update on Adobe Flash Player End of Support - Microsoft Edge Blog (windows.com) A vulnerability has existed in Dell's firmware updating system for 12 years. Update your Dell systems to protect yourself: DSA-2021-088: Dell Client Platform Security Update for an Insufficient Access Control Vulnerability in the Dell dbutil Driver | Dell US Network Solutions and register.com both were hit with a DNS outage this week. Both companies are owned by the same parent company, raising the question of whether the two incidents are linked: Network Solutions and Register.com hit by ongoing DNS outage (bleepingcomputer.com) If you want a visual reminder of the kind of ad targeting that Facebook does: Signal >> Blog >> The Instagram ads Facebook won't show you Don't use cracked software - it might lead to ransomware: Ryuk ransomware finds foothold in bio research institute through student who wouldn’t pay for software | ZDNet

This Tuesday , 5/4, I'm doing a webinar with Miller Group. Sign up , tell your friends! The Ransomware Task Force, a group of more than 50 cybersecurity experts, has published a detailed framework for how public and private entities can work together to help stem the rising tide of ransomware. It calls for a "whole of government" response, treating ransomware as the national security threat that it has become: Institute for Security and Technology (IST) » RTF Report: Combatting Ransomware One of the priority recommendations calls for better regulation and oversight over cryptocurrency, to try to restrict the money flow. Ransomware is really just a money grab, after all. Coveware has released its Q1 2021 ransomware report. The average ransom payment is over $200,000, and 77% of all ransomware attacks featured data exfiltration. "[D]espite the increase in demands, and higher prevalence of data theft, we are encouraged that a growing number of victims are not paying. Over hundreds of cases, we have yet to encounter an example where paying a cyber criminal to suppress stolen data helped the victim mitigate liability or avoid business / brand damage. On the contrary, paying creates a false sense of security, unintended consequences and future liabilities." The latest group to fall victim to a ransomware attack is the Washington DC Police Department. The Babuk gang is threatening to release the identities of police informants if the ransom is not paid: D.C. Police Department Data Is Leaked in a Cyberattack - The New York Times (nytimes.com) If you qualify for a .gov domain, but didn't get one because it's more expensive, now you can. Starting now, .gov domains are available for free: A new day for .gov | DotGov Government entities should get a .gov domain if they can; it immediately marks the domain as being "official" and not an impersonator. Back in January, international law enforcement seized much of the Emotet control infrastructure, and used it to deploy a new configuration that would cause infected machines to uninstall Emotet on April 25, 2021. The mass uninstall has begun: Emotet malware nukes itself today from all infected computers worldwide (bleepingcomputer.com) Microsoft is replacing Calibri as the default font for Microsoft Office. Which font should they choose next? Beyond Calibri: Finding Microsoft's next default font - Microsoft 365 Blog This week we learned… The moon is getting 4G coverage, courtesy of Nokia. If it's anything like the old Nokia candybar phones, it should be nearly indestructible: The Moon is going to get its own 4G network, thanks to this rugged lunar rover | ZDNet