Bear Security – Security News for the Week of July 26th, 2021

By Christopher
July 26, 2021
Collage of Hundred Dollar Bills and Bitcoin Coins in Silver and Gold

These are the stories that relate to our business, clients, careers, and community in the cybersecurity world for the Week of July 26th, 2021. Watch this in video form over on YouTube, or you can listen on the go with the Bear Security podcast.

Kaseya Gets Decryptor, Requires NDA to Receive

Ars Technica reported on Thursday that IT software firm Kaseya, which was at the center of the largest coordinated ransomware attack to date, has obtained a universal decryptor to restore the data of affected companies. Kaseya says the decryptor came from a trusted third party, but how it was obtained, and whether Kaseya paid for it, remains uncertain. The development comes as a relief for organizations that have been unable to resume operations or fully restore their data, especially since REvil, the ransomware group responsible for the attack, went offline.

To make an already turbulent situation worse, CNN is reporting that Kaseya is requiring businesses to sign a non-disclosure agreement in order to obtain the decryptor, making it harder for researchers, and even the government, to piece together what happened. While NDAs are not uncommon in certain situations, we have to wonder what exactly Kaseya is looking to hide at this point. Thus far, Kaseya has declined to comment to CNN on the agreements.

Read the full story from Ars Technica or the reporting by CNN about the NDAs.

Organizations Publish Forensic Evidence of Spyware Used By Governments Against Targets

Wired reported Thursday on research published by an international group of researchers and journalists from more than 14 organizations regarding the behavior of Israeli spyware vendor NSO Group. They say that NSO Group’s spyware, Pegasus, was being used against activists, journalists, executives, and politicians by multiple governments, including India, Mexico, and the United Arab Emirates, based on a leaked list of 50,000 phone numbers they obtained. Alongside the research, they published a tool called the Mobile Verification Toolkit, which can check an Android or iOS device for indicators that it was compromised by Pegasus. Amazon shut down cloud infrastructure linked to NSO Group last Monday, after reports about the use of Pegasus began to surface.

NSO Group has called the research “False allegations by a consortium of media outlets” and said it would no longer respond to media inquiries.

Read the full story including the checkered history of the NSO Group over on Wired. If you believe you may have been targeted, you can check out the Mobile Verification Toolkit over on GitHub.

SeriousSAM Vulnerability Allows Standard Users to Access Sensitive Information

ThreatPost is reporting that Microsoft has published a workaround for a privilege escalation vulnerability affecting versions of Windows 10 and pre-release builds of Windows 11. The vulnerability, tracked as CVE-2021-36934, exists because of overly permissive access control lists on several system files, including the SAM database, which allow an attacker with a standard user account to read hashed credentials. Those hashes can then be cracked offline and used to gain access via more privileged accounts.

Systems running Windows 10 as far back as build 1809 have been found to be vulnerable, but the flaw is only exploitable when Volume Shadow Copies exist on the system, which is typically the case when the Windows System Protection feature is enabled. To resolve the vulnerability, Microsoft recommends that administrators reset the permissions on the affected folder and delete all prior shadow copies.
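As an added example, not code from the original post or from Microsoft, the PowerShell below checks a host for the two conditions the story describes (standard users holding read access on the registry hive files under System32\config, and existing Volume Shadow Copies) and, with an assumed -Remediate switch, applies the workaround Microsoft published (icacls to restore ACL inheritance, vssadmin to delete shadow copies). The hive file list and the `*\Users` group match are assumptions.

```powershell
# Added example (not from the original post or from Microsoft): report whether this
# host meets both conditions that make CVE-2021-36934 exploitable, and optionally
# apply Microsoft's documented workaround. Save as a .ps1 and run elevated.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate   # assumed switch: apply the workaround instead of only reporting
)

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SECURITY', 'SYSTEM'   # assumed list of hive files to inspect

# Condition 1: does BUILTIN\Users hold an Allow ACE with ReadData on any hive file?
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData
$exposed = foreach ($hive in $hives) {
    $acl = Get-Acl -LiteralPath (Join-Path $configDir $hive)
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference -like '*\Users' -and   # assumes English group name
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $readData)) {
            "$hive : $($ace.IdentityReference) -> $($ace.FileSystemRights)"
        }
    }
}

# Condition 2: are there Volume Shadow Copies from which the hives could be copied out?
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)

if ($exposed) { Write-Warning ("Hives readable by standard users:`n" + ($exposed -join "`n")) }
else          { Write-Host 'No BUILTIN\Users read access on the registry hive files.' }
Write-Host "Volume Shadow Copies present: $($shadows.Count)"
if ($exposed -and $shadows.Count -gt 0) {
    Write-Warning 'Exploitable: permissive ACLs AND shadow copies that still contain the hives.'
}

if ($Remediate) {
    # Workaround step 1: restore ACL inheritance on the config directory contents,
    # which removes the extra read access for BUILTIN\Users.
    if ($PSCmdlet.ShouldProcess("$configDir\*.*", 'icacls /inheritance:e')) {
        icacls "$configDir\*.*" /inheritance:e | Out-Null
    }
    # Workaround step 2: delete existing shadow copies of the system drive; the old,
    # readable hive copies live on until they are gone. Create a fresh restore point
    # afterwards if System Protection is required.
    if ($PSCmdlet.ShouldProcess($env:SystemDrive, 'vssadmin delete shadows')) {
        vssadmin delete shadows /for=$env:SystemDrive /quiet | Out-Null
    }
}
```

Run with `-Remediate -WhatIf` first to see which commands would be executed without changing anything.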

Read the full story over on ThreatPost or Microsoft’s MSRC advisory that includes the workaround details.

Fortinet FortiManager and FortiAnalyzer Patched After Remote Code Execution Vulnerability Discovered

The Register is reporting that Fortinet has patched a remote code execution vulnerability in its FortiManager and FortiAnalyzer products. The flaw is in the fgfmsd daemon: a specially crafted request sent to the device’s FGFM port gives a remote attacker the ability to execute unauthorized code as root. The FGFM service is disabled by default on FortiAnalyzer and can only be enabled on certain models.

Fortinet recommends that customers upgrade to the latest release in the 5.x, 6.x, or 7.x branch to close the hole. If that is not possible, the workaround is to manually disable the FortiManager features on the FortiAnalyzer units.

You can find the workaround commands and more on this vulnerability over on The Register.

Pair of Linux Privilege Escalation Flaws Go Back to 2014

DarkReading is reporting that Qualys has identified two vulnerabilities in the Linux kernel. The vulnerabilities stem from how the kernel converts between certain data types, and can be exploited to gain root-level access. They are triggered either by mounting a filesystem on a very long path, which can crash a system, or by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1 GB. So far, Red Hat, Ubuntu, Debian, and SUSE have confirmed the vulnerabilities and released patches. A PoC has also been published, but an attacker needs an authenticated user account on the system to attempt exploitation.

Read more about the vulnerability over at DarkReading, or the research details over at Qualys.

Stories Not Included in This Week’s Episode

  • A deep dive workshop on the Velociraptor tool.
  • The Cybersecurity and Infrastructure Security Agency (CISA) has released several analysis samples of malware that affected Pulse Secure.
  • What someone learned after doing Cloud Forensics for a year in Azure AD.
  • A PowerShell way to determine what accounts in Microsoft 365 have MFA Enforced or Not Enforced.
  • Learn a method of Command-Line Obfuscation to help understand how it appears on your systems.

That’s all for this week’s security news. Come back every Monday morning for the next edition, or check it out over on YouTube or the podcast. Stay safe out there, friends.

Feature photo by David McBee from Pexels.

Christopher

Christopher Clai is a Senior Security Engineer, IT Generalist, and Developer from Chicago, IL with over 20 years of experience in Information Technology ranging from small businesses to Fortune 500s. Chris loves the Pacific Northwest, sushi, Invader Zim, rugby, World of Warcraft, raves, and is an avid user of Microsoft and Linux-based technologies.

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
©2014 - 2021 - SyntaxBearror.io. All rights reserved unless otherwise noted.