Bear Security – Security News for Week of June 19th, 2021
These are the stories that relate to our careers, clients, and businesses in the cybersecurity world for the Week of June 19th, 2021. Watch this in video form over on YouTube, or listen on the go with the Bear Security podcast.
7-Year-Old Privilege Escalation Bug in Linux Patched
The Register is reporting that a seven-year-old privilege escalation bug, which has travelled between Linux distributions over the years, has been patched. The bug affects polkit, the service that decides whether a requested system action needs higher privileges than the requesting process currently has. Kevin Backhouse, the security researcher who identified the bug, says the flaw is surprisingly easy to exploit, but timing matters: the requesting process has to disconnect from the bus after sending its request but before polkit has looked up its UID. The vulnerability comes from the way polkit handles the error it receives when it asks for the UID of a connection that no longer exists; in some cases that error path leaves the UID at 0, so polkit processes the request as if it came from a root process.
Linux systems with polkit version 0.113 or later installed are at risk, such as the unstable branch of Debian, RHEL 8, Fedora 21 and later, and Ubuntu 20.04. The fix shipped in polkit 0.119 and in distribution updates, so update as soon as you can.
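To make the failure mode concrete, here is an added toy model in C. It is not polkit's code and is deliberately simplified: the real daemon queries dbus-daemon over D-Bus and applies a far richer policy. The `peer_t` struct, the `lookup_peer_uid` stand-in for the UID query, the three constructed peers and the two `authorize_*` functions are all assumptions of this illustration. The vulnerable variant zero-initialises the UID and ignores the lookup's failure, so a requester that has already disconnected is authorised as UID 0; the hardened variant fails closed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a D-Bus connection as dbus-daemon sees it. */
typedef struct {
    bool connected;   /* false: the requester exited before the UID lookup ran */
    uint32_t uid;     /* UID dbus-daemon would report while it is connected */
} peer_t;

enum verdict { DENY = 0, ALLOW = 1, ERROR = 2 };

/* Stand-in for asking dbus-daemon which UID owns a connection.
 * Like the real round trip, it fails for a peer that is gone and leaves
 * *uid_out untouched on failure. */
static bool lookup_peer_uid(const peer_t *peer, uint32_t *uid_out)
{
    if (!peer->connected)
        return false;              /* the bus answers with an error */
    *uid_out = peer->uid;
    return true;
}

/* Vulnerable pattern: uid starts at 0 and the lookup's return value is
 * ignored, so a failed lookup is indistinguishable from "request from root".
 * Toy policy: root is allowed, everyone else is denied. */
enum verdict authorize_vulnerable(const peer_t *peer)
{
    uint32_t uid = 0;
    lookup_peer_uid(peer, &uid);   /* failure silently leaves uid == 0 */
    return uid == 0 ? ALLOW : DENY;
}

/* Hardened pattern: a failed identity lookup is an error, not an identity.
 * The request is refused and nothing downstream ever sees a guessed UID. */
enum verdict authorize_hardened(const peer_t *peer)
{
    uint32_t uid;
    if (!lookup_peer_uid(peer, &uid))
        return ERROR;
    return uid == 0 ? ALLOW : DENY;
}

/* Constructed peers: an unprivileged user, a root process, and an
 * unprivileged user whose process disconnected mid-request. */
const peer_t PEER_USER = { true,  1000 };
const peer_t PEER_ROOT = { true,  0 };
const peer_t PEER_GONE = { false, 1000 };

static const char *verdict_name(enum verdict v)
{
    return v == ALLOW ? "ALLOW" : v == DENY ? "DENY" : "ERROR";
}

int main(void)
{
    const peer_t *peers[] = { &PEER_USER, &PEER_ROOT, &PEER_GONE };
    const char *labels[]  = { "uid 1000, connected", "uid 0, connected",
                              "uid 1000, disconnected" };
    for (int i = 0; i < 3; i++)
        printf("%-24s vulnerable=%-5s hardened=%s\n", labels[i],
               verdict_name(authorize_vulnerable(peers[i])),
               verdict_name(authorize_hardened(peers[i])));
    return 0;
}
```

Compile with `cc -Wall polkit_model.c` and run it; the last line of output is the whole bug: the disconnected requester is allowed by the vulnerable path and refused by the hardened one. The lesson carries to any authorization code: an identity lookup that can fail must force its caller to handle the failure, and the default value of the identity variable must never be a privileged one.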
Read the full story over at The Register, or the researcher’s blog post relating to the bug.
Security Firm COO Charged with Facilitating Cyberattack
SC Magazine is reporting the arrest of Vikas Singla, co-founder and COO of Securolytics, for aiding and abetting a 2018 cyberattack against Gwinnett Medical Center in Georgia. The Department of Justice says the attack disrupted phone service and network printing and obtained information from a digitizing device, and that it was carried out for "personal profit" and "commercial advantage". In total, Singla faces 18 counts under the Computer Fraud and Abuse Act, 16 of them for the same malicious act carried out against 16 different printers. He is currently out on bail pending trial.
Read the full story over at SC Magazine.
SolarMarker Remote Access Trojan (RAT) Being Distributed by Malicious PDF’s Padded with SEO Keywords
ZDNet is reporting that the attackers behind the malware known as SolarMarker are using PDF documents padded with SEO keywords to boost their visibility on search engines, in an attempt to lead victims to malware on a malicious site that poses as Google Drive. SolarMarker is a remote access trojan that steals data and credentials from browsers. The malicious PDFs have so far been hosted on Amazon Web Services (AWS) or Google Drive, where search engines index the keyword-stuffed documents and rank them highly for particular search terms. An unsuspecting user opens the document believing it relates to their search, and is led through fake login pages on .site, .tk and .ga domains that also download the malware.
Microsoft Security Intelligence noted in a tweet that these documents cover a wide range of topics, including "insurance form", "acceptance of contract", "how to join in SQL", and "math answers". The tactic isn't new for these attackers: CrowdStrike warned of similar activity back in February. Microsoft also recently reported that the attackers have started downloading random files, apparently in an attempt to evade detection.
Read the full story over at ZDNet.
JBS Pressed on Why They Paid Ransom
The Hill is reporting that Representative Carolyn Maloney, chairwoman of the House Oversight and Reform Committee, is pressing JBS USA to explain its reasoning for paying an $11 million ransom. Her letter also requests all documents related to the ransomware attack JBS recently suffered and records of its communications with the REvil group. Rep. Maloney wrote, "I am deeply troubled by this and similar ransomware attacks". JBS claimed that the ransom payment was necessary to prevent critical data from being destroyed.
This may be just the start of JBS's problems: its parent company, J&F Investimentos, paid a $280 million fine in 2020 to settle allegations that it violated the Foreign Corrupt Practices Act in how it acquired Pilgrim's Pride and Swift & Co here in the United States. The situation has also reignited concerns about consolidation within the agriculture sector and how attacks like this one could trigger shortages and soaring prices.
One thing seems certain: companies hit by ransomware are finding themselves in even deeper water as their practices come under the microscope. We can only hope this leads to better security practices.
Read the full story over at The Hill.
Altered Ledger Devices Sent to Customers to Steal Cryptocurrency
BleepingComputer is reporting that Ledger customers have become the target of a new scam. Using customer contact information exposed in Ledger's June 2020 data breach, scammers are mailing victims what looks like a replacement Ledger Nano X hardware wallet. The enclosed instructions tell the recipient to plug the device into their computer, open the drive that appears and run the bundled application, which asks for their Ledger recovery phrase in order to "import" the wallet onto the new device. The application sends the recovery phrase to the scammers, who import the victim's wallet onto their own devices and drain the cryptocurrency it holds.
Ledger customers are advised to be suspicious of any unsolicited email, package, or text claiming to be related to their hardware devices. A genuine Ledger device never asks you to type your recovery phrase into a computer; the phrase is only ever entered on the device itself, and anything that asks for it on a PC or phone is a scam.
Read the full story including more technical details and pictures over at BleepingComputer.
Things Not Included in This Week’s Episode
- Ransomware gang Avaddon shut down and released its decryption keys. Victims can get a free decryptor from Emsisoft.
- SpecterOps research on attacks against Active Directory Certificate Services.
- Codecov is retiring the Bash Uploader that was compromised in its supply chain attack.
- Microsoft disrupted a large Business Email Compromise (BEC) campaign.
That’s all for this week’s security news. Come back every Saturday for the next edition, or check it out over on YouTube or on the podcast. Stay safe out there friends.
This week’s featured image is from Sora Shimazaki at Pexels.