Here are the top security stories from recent weeks:
- Microsoft Exchange Servers Getting Attacked by ProxyShell Exploits
- Ransomware Gangs Using Windows PrintNightmare Vulnerabilities in Attacks
- Accenture Hit by Ransomware Attack, Data Stolen
- Kaseya’s “Master Key” for REvil Ransomware Attack Leaked Online
- SynAck Ransomware Gang Rebrands as El_Cometa, Releases Decryption Keys
Attackers are actively targeting Microsoft Exchange servers using ProxyShell vulnerabilities to install backdoors for future access. Devcore Principal Security Researcher Orange Tsai first discovered the three vulnerabilities that are chained together to perform the ProxyShell attack. Microsoft has already patched all three vulnerabilities (tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207). More than 400,000 Exchange servers on the internet could be exposed to the attack via port 443.
Ransomware groups are using Windows PrintNightmare vulnerabilities to infect victims with ransomware. PrintNightmare is a set of Windows remote code execution vulnerabilities that can allow an attacker to run code, install programs, modify data, create new accounts, and move laterally. Microsoft has released security updates and workarounds to address these vulnerabilities (CVE-2021-1675, CVE-2021-34527, CVE-2021-36958). Vice Society and Magniber are two ransomware gangs actively exploiting these vulnerabilities to compromise networks, encrypt files, and demand ransom payments.
Global IT consulting giant Accenture has been hit by a ransomware attack by the LockBit ransomware gang. Although LockBit has not shown proof of possessing the stolen data, the gang is threatening to publish 6 TB of it and is demanding a $50 million ransom. LockBit claims it gained access to the network via a corporate “insider.” Accenture says all affected systems have been recovered and restored from backup with no impact to operations or clients' systems.
The master decryption key Kaseya received a few weeks ago for the REvil ransomware attack in July has been leaked online. While the key appears to be genuine, the decryptor only works for locked Kaseya files; it cannot be used to unlock files from other REvil attacks in the same time period.
The SynAck ransomware group is in the process of rebranding as El_Cometa and has released decryption keys. The SynAck group appeared in 2018 as ransomware-as-a-service offerings were on the rise. The group was unusual in that it demanded Bitcoin ransom payments through email or a BitMessage ID. It primarily targeted Microsoft Windows systems using the Process Doppelgänging technique, a process injection method that replaces the in-memory image of a legitimate executable with malicious code to evade detection.